As previously discussed in Part 1, a password manager can assist in maintaining secure and unique passwords for every site you access while only having to remember one master password. However, which is the right one to use? LifeHacker reviewed six in their article, which I used as a starting point in my decisions. If you’re really paranoid you may also want to look at Clipperz, which was not reviewed by LifeHacker. It appears very secure; however, it only accepts Bitcoin as payment, so that made me look at more easily available solutions for the current time.
Before picking a password manager a few things need to be looked at:
- Is it for local computer only or will it need to sync to other computers?
- What about use on mobile devices?
- The level of security offered and required to meet your needs?
- Costs of software?
For the past 10 years I had been using RoboForm as a local-only password manager. If I were to continue or start using a new local-only password manager I’d look at KeePass instead for being free and open source. However, with more things online and spending more time away from my computer and on mobile devices, it was time to find a new product with better multi-device, mobile support and cloud synchronization.
While looking at cloud options I found that RoboForm does offer cloud sync for about $20/year ($10 for the first year), but after having already spent close to $100 over 10 years to maintain desktop and portable licenses I was hesitant to throw more money at it without doing more research of the other options and verification of security.
In that regard I chose to switch to LastPass for being cross-platform with cloud synchronization, but also looked at a number of other factors.
Interface: RoboForm has the much more refined and well laid out user interface, with menus that respond to hover. Unfortunately, LastPass is a bit lacking in its interface in comparison, requiring a click to navigate through menu choices, but makes up for it with other features.
Security: Most password managers use encryption and, with a strong master password, should be suitable for local usage. Both RoboForm and LastPass use AES-256 encryption for the password database. As for online cloud sync I would not settle for less than two-factor authentication. Unfortunately for RoboForm this is still a beta feature and only supports email One Time Passwords (OTP). LastPass supports many methods of two-factor authentication, ranging from multiple implementations of OTP to hardware tokens. Additionally, LastPass specifies that all encryption/decryption is done locally before being transmitted to their servers and has been audited by a 3rd party. I could not find out about audits for RoboForm.
Cross Platform: Both RoboForm and LastPass support multiple platforms and mobile devices. However, without adequate multi-factor security I was unable to test RoboForm with cloud sync. LastPass easily synchronizes my data and I can use the logins from Dolphin browser on my Android with the LastPass plugin to automatically log in to websites just like on the PC.
Password Generator: Both LastPass and RoboForm have built-in password generators for generating secure random passwords. A neat feature of the RoboForm generator is that it lets you specify which special characters to use and gives an approximate password bit strength. LastPass just has a checkbox to enable or disable special characters, but does maintain a temporary list of the generated passwords, and it can be used to generate directly on a website password form and then update the corresponding login information.
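To show what "specify which special characters to use" and "approximate bit strength" mean in practice, here is an added sketch of such a generator. It is not RoboForm's or LastPass's code; the function names, default special-character set and the length-times-log2(pool size) estimate are assumptions for illustration.

```python
import math
import secrets
import string

def build_alphabet(specials="!@#$%", use_upper=True, use_digits=True):
    """Return the de-duplicated character pool the generator draws from."""
    pool = set(string.ascii_lowercase) | set(specials)
    if use_upper:
        pool |= set(string.ascii_uppercase)
    if use_digits:
        pool |= set(string.digits)
    return "".join(sorted(pool))

def entropy_bits(length, alphabet):
    """Bit strength of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(len(set(alphabet)))

def generate(length=16, specials="!@#$%", use_upper=True, use_digits=True):
    """Return (password, approx_bits) using the OS CSPRNG via `secrets`."""
    alphabet = build_alphabet(specials, use_upper, use_digits)
    # Character classes that must each appear at least once.
    required = [string.ascii_lowercase]
    if use_upper:
        required.append(string.ascii_uppercase)
    if use_digits:
        required.append(string.digits)
    if specials:
        required.append(specials)
    if length < len(required):
        raise ValueError("length too short to include every enabled class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejecting passwords that miss a class trims the search space a
        # little, so the reported figure is a slight over-estimate.
        if all(any(c in cls for c in pw) for cls in required):
            return pw, entropy_bits(length, alphabet)

if __name__ == "__main__":
    # Constructed demo: a site that only accepts "_" and "-" as specials.
    for chars in ("!@#$%", "_-", ""):
        pw, bits = generate(16, specials=chars)
        print(f"specials={chars!r:8} {pw}  ~{bits:.1f} bits")
```

Restricting the special characters to what a site accepts costs very little strength; adding a character of length helps far more than widening the pool.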
Security Analysis: RoboForm is lacking in this area, with no utility to check for duplicate or weak passwords. LastPass will run an analysis and provide a security score of the passwords being used, reporting on weak and duplicate passwords. It also checks account emails used to see if there have been any known leaks, and checks sites to see if they were known to be vulnerable to the Heartbleed bug.
Costs: RoboForm costs $29.95 for each desktop and portable license if you want to keep your data off the cloud, or $19.95 per year for RoboForm Everywhere after the first year, where it is only $9.95. LastPass is only $12 per year for premium, which allows the use of hardware tokens and mobile sync; otherwise most features are available free. RoboForm is only free if used with fewer than 10 logins.