Some tips for choosing a password manager

People regularly ask me which password manager to use.

I decided to write a short post explaining how I selected a password manager, in the hope that it gives other people some insight as well. I use 1Password because it fits my requirements, but that doesn't mean it's necessarily the best choice for you. To be 100% clear, I'm not incentivized by 1Password in any way. Also note that I only compared some commercial password managers; there are many open source alternatives you can look at.

Security

It goes without saying that when you choose a password manager it's important that you feel confident about the security of the tool. All password managers I know work in a similar way: you choose a strong master password to protect your password manager account.

One of the important criteria for me is that this master password isn't stored on the vendor's servers, because if they suffer a data breach, the data protected by that account is at risk.

You could say this doesn't matter as long as the password manager offers two-factor authentication: just enable it, and even in case of a data breach the chances that criminals get access to your account are quite small.

But that alone is not enough to protect an account that gives access to all your online secrets, and thus to your entire digital life. These are high-value targets and they need better protection.

One of the main reasons I chose 1Password is that they protect your account with both a master password and a 128-bit secret key. Neither is stored on 1Password's servers, so neither can be stolen if 1Password were hacked.

This is what 1Password has to say about the secret key.

This secret key has multiple functions. Combined with the master password it encrypts your data, and it also serves as a sort of second factor: on an unknown device you must enter the secret key at login.

Sean Wright investigated these claims and confirmed that neither the master password nor the secret key is sent to 1Password, and that 1Password cannot access a user's data without this secret key.
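To make the two-secret idea concrete, here is a small added example of my own (not code from the post or from 1Password) that models why a leaked server-side verifier is far less dangerous when a device-held secret key is mixed into the key derivation. The scheme, PBKDF2 round count, salt, secret key and wordlist are all constructed demo values and do not reproduce 1Password's actual algorithm.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Demo parameters (constructed). Real products use far higher iteration counts.
PBKDF2_ROUNDS = 20_000
KDF = Callable[[str, bytes], bytes]  # (candidate password, salt) -> key


def derive_password_only_key(master_password: str, salt: bytes) -> bytes:
    """Scheme A: the vault key depends on the master password alone."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Scheme B: the stretched password is mixed with a 128-bit secret key that
    lives only on the user's devices, so neither input alone yields the key."""
    stretched = derive_password_only_key(master_password, salt)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def server_verifier(vault_key: bytes) -> bytes:
    """The only thing the vendor stores: a one-way hash of the vault key."""
    return hashlib.sha256(b"verifier|" + vault_key).digest()


def recover_password(verifier: bytes, salt: bytes, wordlist: list, kdf: KDF) -> Optional[str]:
    """Model a breach: whoever holds the leaked verifier and salt tests a wordlist
    using whatever key-derivation inputs they actually possess."""
    for candidate in wordlist:
        if hmac.compare_digest(server_verifier(kdf(candidate, salt)), verifier):
            return candidate
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed demo value
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo value
    wordlist = ["password", "letmein", "summer2019", "correct horse"]

    # Scheme A: a weak master password is confirmed straight from the leak.
    leaked_a = server_verifier(derive_password_only_key("letmein", salt))
    print("password-only:", recover_password(leaked_a, salt, wordlist, derive_password_only_key))

    # Scheme B: the same weak password survives the leak, because guesses cannot be
    # verified without the secret key (a 2^128 search on top of the wordlist).
    leaked_b = server_verifier(derive_vault_key("letmein", secret_key, salt))
    without_key = lambda pw, s: derive_vault_key(pw, bytes(16), s)  # key not in the leak
    print("two-secret, no key:", recover_password(leaked_b, salt, wordlist, without_key))
    # The legitimate user on a new device supplies both inputs and unlocks normally.
    with_key = lambda pw, s: derive_vault_key(pw, secret_key, s)
    print("two-secret, user:", recover_password(leaked_b, salt, wordlist, with_key))
```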

1Password, like most password managers, offers 2FA. If you enable that as well, you have solid protection in my opinion.

It's also worth checking whether the vendor is transparent about the security measures they have implemented. 1Password, for instance, has a very detailed security whitepaper. Their bug bounty program also gave me confidence that they care about security.

Usability

Besides security, a good password manager should be easy to use. I wanted a password manager that integrates nicely with the browser and, to a lesser extent, offers mobile apps for Android and iOS. The password managers I tested (Dashlane, LastPass and 1Password) all did a comparable job. An extra benefit of 1Password is a feature called Watchtower: a set of security tools that integrate with Have I Been Pwned to detect weak, reused, vulnerable or compromised passwords.

Price

1Password only has paid plans. I find it worth paying for because security and usability are my primary requirements. But as I said before, there are many free alternatives that might fit your requirements.

Conclusion

If you have different requirements than I do, or you don't want to use a paid password manager, there are a lot of alternatives. Just make sure you do some research upfront. But remember that using a password manager is (almost) always better than not using one.

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life