Password managers should not only be secure, they should also be easy to use and intuitive. I have been using Roboform for many years and now wanted to see how it compares to other tools that have entered the market in the last few years. Security matters to me – therefore, test candidates must support cloud storage for easy synchronization and 2FA/MFA (multifactor authentication).
If you do not have a photographic memory, you will eventually forget passwords – especially if you do not use them every day and they are also somewhat complex. For example, for the account, you have with the water utility that you use once a year or the account you have with a gym membership that you never log into because it is all set to autopilot for payments and email notifications. Remedies promise password managers, i.e. programs and applications that remember everything that you have ever entered as user names and passwords into the web browser over the course of time.
Please note, the reviews below are my own opinion, these are not paid reviews.
An obvious question is why you should install a password manager for this: Almost every browser has its own function for storing passwords – including encryption, and most web browsers can also synchronize the data with other devices via a cloud-based user account. That may be true, but it becomes complicated when passwords are to be made available across platforms and browsers or if you do not really trust Google or Firefox with full access to your digital life. In addition, a password manager should support password management on Android or Apple smartphones and be available while on the go. This is where 4rd party password managers come into play and shine.
There are many apps to choose from and the selection is huge and hard to oversee, which is why we selected products that meet a few basic requirements. The software should be available with mobile apps for Android and iOS, and there must also be the ability to synchronize the passwords across different devices without having to manually export data records on one device and on the other need to import (cloud support).
In addition, a must-have requirement is multi-factor authentication to protect access to the password store with a second authentication factor in the event that criminals somehow manage to steal the master password, i.e. the master key, which enables access to all other stored passwords. As a rule, manufacturers solve this with time-based one-time passwords (TOTP), which come from an app such as Google Authenticator, Microsoft Authenticator or Authy. Codes and access verification should also be available by email or SMS as an alternative.
The second factor (MFA) is asked for by password managers, especially when logging-in from unknown devices, and protects authentication on the synchronization server. For example, using MFA (multi-factor authentication) will make some attack methods significantly more difficult, such as those in which an attacker uses phishing or a keylogger to steal your master password, intercepts your master password by monitoring your network traffic as a man in the middle, or simply look over your shoulder while you type the master password on your laptop while at Starbucks. Without the second factor as part of the authentication, he could easily log into your password vault from another device – and read out all stored data in plain text.
We have collected 4 products that meet the requirements described above. This editorial selection is not claiming to be complete; there may well be other password managers who meet the criteria. The fact that they have not been tested here does not allow any conclusions to be drawn about their qualities. If you happen to use another product not listed here, please leave a comment.
Password management
Most providers assume that the user wants their passwords to be synchronized across all of their devices and therefore stores the data in their own cloud. This serves almost automatically as a backup: If the computer is broken or lost, the user only has to re-install the password manager on a new device and log in, and all the stored passwords are available again. Some providers have not even planned to operate without synchronization. And as consumers that is something to be aware of – cloud-based services are becoming the norm even if you prefer to keep and maintain your data locally on your home computer or home network.
There are two players in the market that deviate from the cloud-based approach: KeePass and Steganos choose a different approach: They come from the developer without the need for cloud storage or better the need to use a cloud service. If you need synchronization to multiple devices, you have to do it yourself. That is why there are no subscription fees for these products: KeePass is open source and can be set very flexibly anyway; Steganos sells its software as a permanent license. However, both tools cater to a smaller and smaller pool of consumers.
The most common method for two-factor authentication is to use an authenticator app on a mobile device; Exceptions to this are Avira, Cyclonis and McAfee, which rely on codes sent by SMS or email. KeePass also does not support Authenticator apps in its standard configuration. In addition, some providers also support other methods such as security keys, fingerprint readers or business solutions such as Cisco Duo – sometimes depending on the selected pricing model. This can be quite confusing for consumers and personally I would recommend to use an authenticator app or SMS text messages over email or other methods.
Most of the applications tested even provide a rough security assessment of the saved passwords that only apps like Blur and Steganos are missing. Super helpful as well is a password generator that creates secure passwords in adjustable length and complexity: All 4 test candidates offer this feature. Worth mentioning is the password generator from 1Password, which can not only throw letters, numbers and special characters together, but also random strings of words – unfortunately only in English. Why would I consider this as unfortunate? The reason is that if you are bi-lingual you can actually make passwords more secure that way as it throws off a lot of hacking tools that use the english dictionary for attacks and password cracking.
Additional Features
Most programs not only manage passwords, but also data for other input fields, for example for personal data such as name, address, and telephone number, but also credit card data. This was not a requirement for our test candidates; it is obvious that most of them can do it anyway because this is also about saving personal data and entering them in input fields on websites if desired. All password managers tested here can also save payment information, and all except for Avira and Avanquest can also enter fields for address data. A storage area for personal notes is an almost equally widespread feature. Some products come with other categories, such as Dashlane that can also collect digital proof of online purchases.
A feature that is not widely used is the integration with commercial online storage services such as Dropbox and Google Drive in order to store the password database there instead of in the manufacturer’s own cloud. Only Cyclonis and Steganos support direct integration via the APIs of the respective providers; For KeePass, such a function can be retrofitted via plug-ins that are contributed by a very active open source community. 1Password also has official support for synchronization via Dropbox, but does not solve this via API access, but simply requires an installed Dropbox client and stores the password databases in the local Dropbox folder. I do not really see the need for this feature as it adds an additional component that needs to be managed. I do prefer the native integration with what the software maker has developed and rather see independently verified security and encryption.
Another interesting feature is the ability to share individual passwords with other users of the respective password manager (think family). This is supported by around half of the products tested. For example, passwords for certain streaming services or online shops can be passed on to friends, family or partners – whoever does this, of course, not only needs the necessary trust but should also ensure that all relevant services allow account sharing in one way or the other.
The different applications vary significantly in price. Most of them can also be used free of charge – but some then have extremely restricted functions and features: While some providers only limit the number of entries that can be saved to their free product versions, others switch off all synchronization functions. Only the open-source KeePass is completely free, although you can argue that you don’t pay for it with money, but with a certain amount of training and some effort needed for the more manual configuration and manual need to sync across devices or for backup purposes.
Most products from this test also offer a trial that can vary from 7 to 40 days. We recommend that you take advantage of these trial offers and test out those apps that are most interesting to you. These review results are to be considered a guideline but might not necessarily meet your day to day usage requirements.
Master Password
For all test candidates it is critical to create a master password – something easy enough to remember, but difficult and secure enough to withstand hacking attempts. I recommend to use a passphrase as your master password and to combine it with special characters and numbers, but in a way that you will remember it at all times. I will refer to the master password individually in the test description, but not go into individual detail for each.
1Password
In addition to the master password, it is required to set up a 1Password user account. During the account creation you will also be asked to create a 42-digit Secret Key, which you will be guidedwhen the account is opened. This makes some attacks more difficult, although strictly speaking it is not a second authentication factor. Apps and plug-ins are easy to use.
Instead of the 1Passwort account, you can also store your password safe locally or in Dropbox. However, this is not a shortcut for free use: password safes remain write-protected until the user either logs in with a 1Password account with a subscription (starting at $46/year)or acquires a permanently valid single-user software license for around $70 each (not actively advertised on their website).
Avira Password Manager
Avira’s password manager is rather simple in terms of functionality, but apart from that it is also easy to use. Sometimes you run into products that look simple and should be easy to use, but they aren’t. Avira however is actually easy to use. Available are browser extensions for the most common browsers and mobile apps, but no desktop software – passwords, notes and credit card details are managed via a web interface.
Multifactor Authentication is available with two main options – SMS text messages (being the second option) are sent to your phone, but the mobile app itself can also be used as an authenticator app and that is the preferred method for MFA on Avira. Paying customers get a check for data leaks and insecure webpages, assessment of their chosen passwords for quality and complexity as well as do paying customers enjoy support via telephone and email. One limitation in case it matters to you – there is no password sharing option. Cloud sync can be switched off, but an Avira account is still required for use. An annually paid subscription is available for $31.99, but monthly payment options are available as well if you are not ready to fully commit to Avira.
https://www.avira.com/en/password-manager
Bitwarden Password Manager
Bitwarden is an Open Source, free for personal use password manager. Bitwarden proves to be extremely comfortable and easy to use and does not lose relevant functionality compared to the fee-based business/pro versions. A family would need to buy a pro version though. All in all, we only missed little things, such as the de-authorization of mobile devices from afar and the option to completely do without synchronization.
Password sharing is free in a two-person team, families and larger teams have to pay. Depending on the price model, the fee-based pricing options offer features such as two-factor authentication using a security key, 1 GB of cloud storage and prioritization for customer service, as well as the option of hosting the Bitwarden server yourself if you feel geeky. For the latter, the manufacturer offers ready-made Docker images for download (if you are really geeky or an enterprise customer).
If you want to use Bitwarden for your family of more than 2 people, Bitwarden offers a $5/month paid version that covers up to 5 people. Additional users are $2/month each. This account is also a great option for smaller teams.
KeePass Password Manager
KeePass is a phenomenon in a way: On the one hand, it is an insanely popular open source project, available for many platforms and can be expanded and adapted almost as desired with plug-ins that come with support from a very active user community. On the other hand, the software is a pure disaster from a usability point of view. There are no assistant functions; Even changing the language requires the download of a language pack file that has to be copied manually into a specific program folder. Keepass is truly an old school password manager to be used offline by design. And this can be a good thing if storing your passwords offline is a critical factor to be considered.
Those who are ready to familiarize themselves and are not afraid of the 90s look of the software will be rewarded with a password manager who does exactly what you expect from him. It is easy and functional and best of all – it is free even for commercial use.
This is a limited review of 4 popular password manager applications. The list of competitors is long and the list of features is often equal. Personally, I am using a password manager called Roboform, but will provide a more detailed product review in the future.