DFischer Blog

+1 to Reading

Daniel Fischer's Picture

You've done it. You've found my blog. Here you will find my thoughts, technical know-how, and various ramblings that I wish to share. If this is your cup of tea, then please, drink up. Otherwise, you may want to return to www.danielfischer.com.

It's Time to Start Using a Password Manager

May 12th, 2011

Password Managers, and Security

Password Managers and Security go hand in hand in this day of age. Due to my Google Account recently getting compromised, I’ve put in quite a bit of research in the solutions you can implement to secure yourself on the Internet. As a plus, these solutions also add an extra level of usability while browsing the net.

The solutions I’ll share my research over:

  1. 1Password
  2. Lastpass
  3. Keepass
  4. Passpack
  5. Your mind

The two main questions I test these solutions against:

  1. How secure is it?
  2. How usable is it?

What’s a Password Manager?

Not sure what a password manager is? Here’s a quick summary:

A password manager should generate highly complex passwords that will take a couple thousand years to trillions of years to crack on modern technology for each separate site/application you use. 1

This password manager depends upon you knowing one master password which should be at least 15 characters long and contain a few symbols in it.

In my opinion one super strong password is easier to maintain than a few junk ones.

The password manager should encourage generating a unique, and complex password for each separate site you visit. On top of that it should be able to automatically fill in your credentials intelligently based on the site you’re visiting. This should happen either automatically or through a hot-key combination.

This feature alone is amazing. Now that I’ve used it I could never imagine having to type all my things manually. Automatic login is really sweet and speeds up my flow on a hourly basis now.

A password manager can also store secure notes (social security, credit cards, etc for ease of remembering).

“Wow” you may be thinking. “Why would you ever put all that sensitive information in one place if one master can unlock them all?”

There’s a solution to that question, and that’s Two-factor Authentication (or Multi-factor).

Daniel, you’re borderline losing me. Can you bring me back up to speed and help me out here? Multi 2 step what? I don’t know how to dance 2 step. Just ask my wife! What’s that have to do with passwords?

Essentially it’s just using something else with your master password to prove that it is you. In my perspective that’s anything physical that only YOU would have. Here’s an example that is being used by Google right now:

You sign into Google with your master password and if the computer hasn’t been authenticated recently it will ask you to verify a security code off of your phone to ensure that you are in fact you. Your phone serves as your extra layer of protection that only you should have.

This “2 step” authentication is exactly the extra level of security you need if you’re using a password manager otherwise you’re overly susceptible to handing over the keys to everything you have access to at a reasonable level of ease. No bueno.

I want all the features I described above, but do all the solutions I mention solve it? Let’s find out.

1. In reality it’s not that hard to create a password that would take a trillion years to crack. You just need to create something that’s around 15 characters long and add a couple symbols in the password like “!@#$” doing so raises the time to crack it exponentially. The difficulty is trying to create a unique password like this for every site you use which is basically impossible without a password manager.

1Password

First off, I just want to start off and say 1Password is a beautiful piece of software. Out of all the solutions I mentioned 1Password definitely satisfies my eye candy level of attraction. It is beautiful and easy to use in every way.

1Password platform support is limited: OS X, iOS, Windows, Android.

1) How secure is 1Password? Not secure enough.

It 100% fails at the “master password” problem. If someone somehow finds your master password (probably through malware and or a key-logger) then they most likely will have access to your master password “encrypted” file and you’re pretty much screwed. They just attained the keys to every password you ever added (which can easily be up to 200+ sites including all your bank accounts, etc) perhaps your SSN and credit cards too if you save them in there.

This is really bad. Just because of how possible this is without any other precaution you’re able to take I have to say “BIG NO!” to 1Password. It’s 100% not secure enough in this day of age. It’s too easy to fall victim to malware that can key-log your password and steal your local files. In the case of physical access and someone wanting to get these things? You’re even more screwed.

I really wish 1Password allowed a form of multi-factor authentication but it fails that in every way.

  1. Support for 2-Step Authentication (Yubikey or others)? NO.
  2. Support for a USB mounted encrypted volume? NO.

What bothers me the most about this problem is that given the issues and the discussion of it on their forums, they seem to wiggle out of how serious this problem actually is and convince users that this isn’t a problem. This makes me have the opinion that 1Password is an entry-level application but less secure than simple non-dictionary based password remembering.

Without either a 2-Step solution or a USB encrypted volume you’re pretty much SOL if someone gets your master password. You should assume that someone will get it, because if they really want to, they will. If someone attains your master password and you use 1Password, consider yourself in a world of pain.

The first rule of security is always assume the worst. 1Password fails utterly at the worst.

2) How usable is 1Password? Extremely. This is where this baby shines. I wish it was as beautifully secure as it is visually beautiful.

It’s best in usability hands down. Sync through Dropbox for multi-platform support. Intuitively helps you generate unique passwords for every site. Naturally enables automatic login through a common keystroke “cmd + \” on OSX. Very usable and the best out of all the candidates.

Did I mention how beautifully designed the application is? It’s wonderful. One of the best looking applications I’ve ever seen on OSX. I know it’s lacking on Windows, and in general I don’t think Windows applications look that great, but I think they’ll work on creating something really nice on Windows too.

Verdict: Not a secure solution if you really care about security. It’s practically “faux-security” but hey, as long as it’s encouraging you to not use dictionary passwords I guess it’s a step up. I really wish 1Password supported a multi-factor authentication mechanism because it would make it hands down the best solution available due to it’s usability and beauty.

Resources for 1Password:

  1. 1Password Homepage
  2. Multi-factor discussion which says they have no support and not planning anytime soon to do so.

LastPass

LastPass is good all around and solves multi-factor security problem well. My problem with it is that it feels and looks like a early 2000 Windows based application. It’s far from pretty but not the worst. They need a complete design and usability overhaul. I would consider it very beneficial to them to start spending money on their UI and design because if they did that they’d be an almost perfect solution.

LastPass is multi-platform due to a combination of being web-based and having browser based extensions across common operating systems.

1) How secure is Lastpass? Very secure. Lastpass offers 2-Step solutions through Yubikey. Which means that even if someone got a hold of your master password, they’d still need your physical “yubikey” to verify that it’s you. Which means if some hacker tried to get access to your LastPass account half way across the world when they keylogged your password you’d still be safe. They’d need your yubikey which you have at home or on your keychain to log in.

To those that are afraid of your “passwords” residing on another server, I wouldn’t be. Even if their databases were compromised it’d be practically impossible to correlate it to your data with your encryption keys. The way it works on a technical level is VERY awesome and VERY secure.

The company recently had an “odd” log of data being sent and the way they dealt with it publicly is very reputable and in the end you had nothing to worry about it at all.

2) How usable is LastPass? Meh. It’s usable.

It does the auto-login for you and all that jazz. The application itself for the Safari browser seemed a bit buggy to me. I couldn’t define my hot-keys for “auto fill.” I think they need a LOT of improvement on their UI/Usability/design front. Their online interface is so horribly ugly to me that I cringe having to use it. I almost want to donate my time to them and help them out to design a nice interface.

Not only is their online interface horrid, but their browser extension smells about the same way. The process of entering notes and the design of the overall flow of the application is just not attractive. It feels like they just coded up a quick solution without any designer interaction.

I like pretty things and as superficial as that may be, it’s a major factor in my decision process for anything I use.

I really, really, really hope that LastPass is using part of their success on giving a design overhaul to their product and the implementations for the both site and browser.

Verdict: Very secure. Satisfies all my security scenarios. I wish it looked better. It is quite ugly, but at least it isn’t the ugliest of them all.

LastPass resources:

  1. Hacker News Discussion
  2. LassPass Yubikey
  3. 2 Yubikey’s + 1 year subscription to LastPass for $45

KeePass

KeePass is just as secure as LastPass. It can suffer more or excel more depending on the user technical competency level. It’s an open-source solution so it depends upon the community to thoroughly check that the application has no back-doors in it (rare in the open-source community but possible), and in this case like a lot of open-source solutions the usability lacks because there’s a heavy developer-centric time investment vs. designer investment.

KeePass is multi-platform in pretty much every respect due to the open-source nature. Windows/Linux/OSX/Android/iPhone, you name it.

1) How Secure is KeePass? Like I mentioned in the summary, it’s as secure as you want it to be. It can be as secure as 1Password, or it can be as secure as LastPass or probably even further. I haven’t done all the research besides a multi-factor solution but since it’s open-source I’m sure some security obsessed person has gone the extra mile to make it as secure as needing to triangulate a star position with a telescope connected to the computer via USB to “unlock” the master password list.

2) How usable is it? It’s double meh. It can be pretty usable on the auto enter credentials front just as much as LastPass or 1Password however you have to know how to configure certain variables for it to work. It definitely requires an extra level of technical competency that will go over a regular users head and when you’re dealing with security you want things to be very simple. If something requires you to do more work you’re probably going to be lazy and therefore less secure and that doesn’t help anyone but the ultra paranoid technical know-how zealots. Touching on that, the design is the worst of them all. It cries of horrible UI design in practically every respect. I don’t even want to list them it’s so bad.

Verdict: The most secure solution if you put work into it, and also the ugliest solution.

Resources for KeePass:

  1. Keepass for Windows/Linux/Etc
  2. KeepassX for OS X
  3. Auto-Type

Passpack

I actually ran across this while writing this article and I think this little guy may be a winner. It seems to be very secure all around. Pretty much just as secure as LastPass, I wouldn’t say it’s any more or any less.

Usability and design wise? It seems like it’s right up there. It’s a nice balance between LastPass and 1Password. I think I like this solution a lot. It has room for growth, but it also seems to boast a level of versatility and quickness to change that the others don’t have. I feel that the developers for Passpack are pretty open to suggestions and community feedback.

To handle the auto-login all I did was drag their “bookmarklet” into bookmark position 2 in safari and then anytime I want to automatically log in or generate an entry I just pressed “cmd + 2” and a very intuitive popup shows on the screen related to the site you’re browsing. Since it’s a bookmark, it’s as cross-browser and multi-platform as you can get.

It has a couple ways of doing multi-factor authentication which is also a bonus. Yubikey support included as my requirement.

Verdict: Very interesting and maybe the best of all the worlds. Has cool unique features that others don’t. It has overall good usability and an okay polish on the design. I recommend this solution the most in terms of balance.

Passpack resources:

  1. Passpack Homepage
  2. Passpack Security
  3. Why it’s so secure
  4. Passpack FAQ

Your Mind

So this one is obvious. You use your head. There’s a simple strategy in how to do this which I’ll outline. It has the bonus of being very secure. However, it’s not very usable and you’re pretty much screwed if you forget even a little bit. Do you really want to type out passwords that have to be 15+ characters long? Remember a different password for every site? It’s a tiresome and lengthy process but can ultimately be very secure if you have the patience and mind for it.

Security tips: Have three types of passwords.

  1. Your throw away to sites you don’t care about. Any password will do for ease of logging into sites you don’t care about.
  2. Your “general” password that will be a passphrase + unique to every site. This is a passphrase + unique key for every site. Example “mysupersecretpassword+reddit.com”
  3. Your ultimate most precious password that should only be related to your financial information and above. Long pass phrase with many symbols.

Because it requires a bit of manual labor work it’s prone to laziness and that means a breach in security if you don’t take the extra effort. The other solutions are more ideal because they help automate security itself which is why we’re doing this in the first place.

Verdict: It works well, but you need to be a very dedicated person that isn’t prone to laziness. Worst usability.

TL;DR

1Password Vs. LastPass Vs. KeePass vs. PassPack vs. Your Mind

From least advanced and to most advanced:

  1. 1Password – Simple, gets the job done at a simple level. Prone to security Breaches. Best UI & Usability
  2. LastPass – Simple to Advanced Technicality. Works as advertised. Very secure. Mediocre UI & Usability.
  3. PassPack – Moderate to Advanced Technicality. Very secure. Nice UI & Usability.
  4. Your Mind – Advanced Technicality. Very Secure. Bad usability.
  5. KeePass – Most advanced. Can be extremely secure. Bad usability.

In closing

Please share your thoughts and criticism. Questions and answers from a community always helps strength decisions. Comments from the products in question are always recommended. I’ll send a ping to each product to see if they want to include official feedback.

Like what you read? Follow @DFischer on Twitter and let's +1.

Twitter is still cool, right? Well, it's a good way to stay in touch and talk. I love to expand my network with other people in the industry. Say "hi!" and I'll follow back.