Operating and managing a remote server located in a data centre is often carried out by using a secure network connection provided by the SSH protocol. The necessary registration on the server is preceded by an authentication process. Usually this occurs in the form of the username and password. Alternative methods such as the public key authentication used by SSH, do have their advantages. But...
Generating a truly secure password is no easy task. Finely tuned software can make short work out of simple patterns, granting hackers access to your most sensitive data within a matter of seconds. The first line of defense for any password protection scheme lies in the ability of password generators to create complex codes from a jumble of mixed and matched letters, numbers, and symbols. Such codes are difficult to crack – and often just as difficult to remember. Password managers are valuable tools that aid in administering and saving such cumbersome passwords.
- What is a password manager?
- Why should you use a password manager?
- Password managers – comparing the available options
- The best password managers
- Password manager: comparing 5 of the best options
- Risks still remain
- “Homemade” passwords: A viable alternative?
What is a password manager?
Password managers are tools with which you can store and manage passwords and pin numbers in encrypted form. This makes the day to day use of applications with differing passwords much easier. Furthermore, these programs not only act as storage, they also usually function as generators for secure passwords. This means that you can use it to create randomised passwords so that you don’t have to come up with comprehensive, secure passwords yourself.
While a password manager database grows with the addition of each new password, the only thing that you require is the master password in order to be able to log in and use the various services. However, the individual login passwords aren’t just protected by this main keyword. They are also additionally encrypted in various ways that require completely different algorithms. Users often have the option of storing the master password on a USB stick or on a different storage medium. It is advisable to work with another password in order to protect yourself in case you lose this storage medium or device.
Why should you use a password manager?
Whenever a bank, mail, or cloud account is hacked, the most common cause is nearly always the failure of the user to select a secure password to protect their most private information. It happens far too often that people select ‘123456’ or even ‘password’ which makes everything unimaginably easy for hackers. Another mistake that quickly leads to individuals’ downfall is the fact that they use the same password for everything in order to make life easier for themselves. The reason for such mistakes is the same in both cases – creating a secure password as well as managing a large number of passwords both require quite a bit of effort.
Password manager tools solve these problems and have the potential to be an essential tool for people who use a lot of services that require registration and also wish to remain on the safe side. The automatic encryption of the passwords and database mean that your information is protected by the password manager, even if a hacker manages to gain access to your system.
Password managers – comparing the available options
A password manager is a tool that has the potential to make your day to day online transactions and general activities much more secure. If you are using a lot of applications that require a login and are also working with sensitive and classified information, then you will benefit from the protection offered by these practical safety programs and from the ease of the registration process. However, before you create a password system that is suitably tailored to all your needs, you first need to find the password manager that is right for you. Given the huge choice of options – both from the proprietary as well as the open source sector – this is something that is easier said than done.
In order to be able to find the right tool, you first need to consider which requirements the software needs to fulfill. An important factor to consider is whether the desired manager will run on a local computer or whether they will be used on a foreign device via the use of a mobile storage device (e.g. a USB stick). Another decisive factor is whether the program should also contain password generating function or not. The differences between the individual password managers also come down to the various algorithms that are used. Here is where personal preferences come into play – in any case, you should definitely make sure that an up-to-date encryption process is in use.
At the end of the day, the storage location of the password database is a crucial criterion. Some programs file the passwords automatically in the supplier’s cloud. This means that they are constantly available. Maximum control over your own passwords can only come about if you use software that permits you to save locally on your own respective system.
The best password managers
The various criteria outlined above clearly demonstrate how necessary it is to inform yourself, in advance, about the password managers that are suitable for you. For example, an individual or business might go ahead and choose a proprietary program prematurely before subsequently finding out that it is not possible to use the supplier’s cloud. This will mean that you will have incurred the costs for a tool that you really have no use for anymore and have no intention of actually using. On the other hand, blindly using an open source product is also not without its own risks, as using an unreliable provider could very quickly put your passwords and what they protect in jeopardy.
In order to assist you with the search for a suitable password manager, we have done some research on several interesting programs. We have focused on factors like cost, licence model, flexibility, and additional features in particular.
One highly recommended password manager is the open source solution KeePass, which was released in 2003 by Dominik Reichl. Since then, this GPL licensed program has been continuously developed by the very active community. Nowadays there are over 45 different language packs as well as countless plugins with which you can add to the KeePass base model. In addition to the official versions for Windows, macOS, and Linux, there are other different ports for mobile operating systems like Windows Phone (e.g. WinPass, WinKee, 7Pass), iOS (e.g. iKeePass, MiniKeePass, MyKeePass) and Android (e.g. KeePassDroid, KeePass2Android, KeepShare). In order to be able to use the password manager tool, you either need to install it onto the desired system or else copy it as a portable version onto a USB stick.
KeePass makes it possible to encrypt the entire password database. For this the AES or the Twofish algorithm are available. When it comes to the protection of individual passwords, the hash algorithm SHA-256 is used. As a user you have three possibilities for accessing the database: a classic master password, using a Windows account, or else the key file variable. According to the developer, the last of those options is the safest of the three solutions – although you will need to always have the key file with you, e.g. on a USB stick or a CD. Furthermore, it is also possible to have a combination of the main password and a key file. Other features of this particular password manager are as follows:
- Various export formats like TXT, HTML, XML, or CSV
- Over 35 import formats
- Categorisation of passwords possible
- Time specifications for the following: the time of creation, the last modification, the last login, and the expiry of the password(s)
- Search and filter function
- Personal plugin framework available
KeePass leaves a good impression and not just because of its comprehensive database functions. Its integrated password generator allows you to quickly create secure passwords for logins. In the settings, you can determine the length of the generated passwords along with the underlying character set (uppercase letters, lowercase letters, numbers, special characters, etc.). Alternatively, you can also select a pattern or your own algorithm as a basis for these.
|All data is on your own computer||Very complex controls|
|Two-factor authentication possible||Not all plugins are verified by the developer|
|A lot of potential for expansion||With the manual creation of passwords, KeePass also accepts weak passwords|
Password Safe (MATESO)
The software Password Safe, released in 1998, is available in different fee-based editions. It’s primarily aimed at businesses (small, medium, and large). However, the smaller ‘Personal’ and ‘Standard’ packages are efforts by the developer MATESO to cater to the private user – these smaller packages are available to use for free, albeit it in a restricted form (‘Personal Edition Free’). According to the developer, over 10,000 companies around the world are working with this very functional password manager. The program works across all Microsoft operating systems (from Windows 7 onwards) and is also available as an app for iOS, Windows Phone, and Android. With all of the fee-based versions, you have the choice of using Password Safe as an installed software or as a USB stick version.
Password Safe is business-orientated software, something which is made clear by the diverse multi-use features that can be found in all of the professional versions of the software. In this case, we are talking about a centralised team database for which you can establish access controls based on someone’s role within the team or company. It is also possible to allow access to passwords only for the adequate reasons. AES-256 and RSA-4096 encryptions (for long-term locks) look after the safety of the database and passwords. The database connection can be done either by entering a master password or with the help of a key file. The more advanced professional packet allows you to combine the two processes with each other and subsequently increase the overall security levels. Here are a few of the other features that this password manager tool has to offer:
- Cloud-enabled via end to end encryption
- Database Firewall (only ‘Enterprise’ and ‘Enterprise Plus’)
- Adaptable dashboard
- Intelligent search and filter functions
- Virtual keyboard for keylogger protection
- Automatic live backups
The free version of Password Safe has various limitations (e.g. you can only enter 20 data sets including a maximum of one bank/TAN lists) meaning that it is not recommended forlarger operations and undertakings. However, with this edition of the software, it is possible to generate new passwords. Compared to many other solutions, this password manager requires that passwords comply with predefined or self-configured policies.
|Various different multi-use features mean that it is optimal team collaboration that is secure and protected||Password database is stored on the server of the supplier|
|Dashboard and interface design can be personally adjusted||Free edition is very limited in terms of features|
|Automatic password entry and virtual keyboard|
LastPass has been around since 2008, but in 2015 was purchased by the American software company LogMeIn, who paid around 125 million dollars for the web-based application. LastPass is designed for the storage and administration of all passwords that you might require for all of your day-to-day online activities. In order to do this, the password manager tool runs via the various browsers like Google Chrome, Firefox, Opera, or Microsoft Edge. Alternatively, it can also be integrated as an extension to the action bar of an internet browser. There are also variants for mobile devices like Windows Phone, Android, and iOS. Use of the web application is free of charge. And for a small monthly fee, you can get access to the premium package for private users as well as two business packages with further additional features.
The password database, which in LastPass is known as the ‚Vault‘, can be reached at any time and on each of your devices – either via the button in the browser bar or the web application. The encryption algorithm AES-256 and the hash function (PBKDF2 SHA-256) look after the protection of your passwords. The encryption always takes place at the level of the individual device. This means that the master password and coding/decoding key is always saved locally and is never sent to the LastPass server. On top of this, there is a choice of several solutions in order to implement multi-factor authentication – e.g. an SMS code or additional hardware components. And there are even more features offered by this online vault:
- Automatic password entry
- Support for fingerprint authentication
- Secure release of passwords
- Password vault synchronises automatically with all devices
- Integrated password generator
- 1 GB encrypted file storage space (Premium edition)
The business package for companies makes LastPass gives you additional and centralised administrative tools for the management of various employee access rights. Each employee will also get their own individual password vault, which they manage for themselves. For larger firms, the Enterprise version also offers things like individual customer support along with other features. Additionally, it’s possible to configure your own security guidelines and get access to the password manager’s API.
|Encryption takes place on the individual device level||Browser plugins do not always work 100% smoothly|
|Automatic synchronisation with all devices||Expandable password generator|
|Plugins available for all major browsers|
After AgileBits was founded in 2006 with the intention of developing innovative web products for businesses, the people behind the software soon realised that, with their internal tool for the management of passwords and formula information, they already had a great idea right in front of them. Since then millions of happy users have worked with this password manager, which has since adopted the name OS X before moving onto its current one, 1Password. The fee-based application is available for the desktop systems macOS and Windows, as well as the mobile systems Android and iOS. Thanks to the browser extensions for Google Chrome, Opera, Firefox, and Safari, it is also possible to use 1Password across other platforms.
The developers of 1Password rely on end-to-end encryption (AES-256): all contact information and passwords that you import into the program are encoded before they can leave the device in question. The keys for the encoding process are also protected at all times through the master password, which is further strengthened by a locally stored 128 bite security key. You will automatically receive this access key to the supplier’s server as soon as you finish registering for the password manager. Even if hackers manage to make it onto this server, which like the web application itself is hosted on the Amazon Web Services (AWS), your data will still remain encrypted. There are also several other features which make 1Password stand out as a password manager tool:
- Offline access available
- Automatic synchronisation with all devices in use
- Automatic evaluation of the security level of all passwords
- Easy integration of existing logins
- Personalised shortcuts for automatic registration
- Grouping of passwords possible (file or day system)
- 1 GB storage space for documents
This password manager tool offers its own generator for creating secure passwords. It is possible to adjust the settings in relation to length, pronounceability, and even the desired characters and symbols. The generator can also be used to create new passwords for accounts that are already in existence. It’s possible to purchase different licences for 1Password. Private users should be well looked after with the basic version (for one person) or the family package (for up to 5 people). Agencies and businesses will have the choice between three business plans; ‘Standard’ (for smaller teams), ‘Pro’ (for SMEs), and ‘Enterprise’ (for large companies). Naturally, these business packages come with a range of additional features like an administrator console, extended access control, as well as a personal account manager.
|Usable across many platforms||No support for multi-factor authentication|
|Extensions available for all major browsers|
|Storage of detailed account information possible|
In 2012 the American company Dashlane released the proprietary tool of the same name, which today is seen as being one of the most successful solutions available on the market. After a 30 day trial, you can either opt for the free version with a limited range of functions or else opt for the fee-based premium version of the software. Additionally, Dashlane also offers the business edition, which features functions for communal use, e.g. a centralised administrative console and an option for releasing passwords. In addition to the desktop version for Windows and macOS, as well as apps for iOS and Android, there are also plugins for Chrome, Firefox, Safari, Opera, and Edge. All of these can be used to integrate Dashlane into the respective internet browsers.
The Dashlane user interface is divided up into three sections. Under the heading ‘Password Manager’ you will find the registered passwords (AES-256 encrypted) and the software also automatically implements already existing login data. One notable feature, in particular, is the password changer, which makes the automatic change of a password possible for any supported websites. In this case, Dashlane logs into the desired web project independently and takes over the exchange. It is also possible to access the security dashboard and create personal, password-protected notes. Under the menu heading ‘Wallet’ you can save personal contact information, payment receipts, and document copies (e.g. IDs or driving licences). The ‘Contacts’ section then contains all functions that are required for communal use of the password manager tool. Other features include:
- Automatic completion of forms and login sections
- Security warnings for unsafe passwords
- Categorisation of the passwords
- Various interfaces for importing passwords (this includes for browsers like Chrome and Firefox, but also for other tools like KeePass, LastPass, or 1Password)
- Data exporting (Excel or CSV format as well as in your own dashboard format)
- Password expiry
As with many of its password manager counterparts, Dashlane has an integrated generator with which you can create passwords up to 28 characters in length. You can also choose whether letters, numbers, symbols, upper case or lower case letters (or both) are to be used. Furthermore, each user of the fee-based edition can synchronise the various data and passwords that have been entered – and this synchronisation can occur across all devices with the aim of having the information available and ready at all times. As part of its paid packages, Dashlane also offers the possibility of two-factor authentication. In this case, the standard master password is combined with a U2F YubiKey, which is found on an external storage device or medium.
|Clear and visually appealing user interface||Only one two-factor authentication available (none at all in the free version)|
|Plugins available for all major browsers||Windows Phone not supported|
|Security warnings for unsafe passwords|
Password manager: comparing 5 of the best options
|Developer||Year of release||Special feature|
|1Password||Agile Bits||2006||Locally stored access key|
|Dashlane||Dashlane||2012||Security warnings and dashboard|
|KeePass||Dominik Reichl||2003||Open Source|
|LastPass||LogMeIn||2008||Supports fingerprint registration|
|Password Safe||MATESO||1998||RSA-4096 encryption for long-term key|
Risks still remain
Password managers are helpful tools for generating or managing secure solutions to your most clandestine codes. Shortcomings, however, can arise if the master key is forgotten or lost. In such cases, users will find themselves “locked out” and unable to access their secured applications. Further challenges include a certain dependency on already-prepared databases as well as the fact that local installations only allow password managers to be used on private computers. Options involving cloud functions are also associated with higher risk. In short, no solution can provide a user with a full-proof security solution.
“Homemade” passwords: A viable alternative?
Those who wish to remain completely independent of databanks and other programs will have to rely on their own memory. One reasonable option involves developing a password system that predetermines different variants of a common password scheme based on the visited site. Common memory tricks are also helpful when attempting to memorise master passwords.