LastPass, 1Password, and Dashlane edge KeePass and company in features, flexibility, and ease

I hate passwords. I hate coming up with them. I hate remembering them. I hate mistyping them four times in a row. And I hate getting locked out of whatever I’m trying to log into in the process. That said, I hate being hacked only slightly more, so I’ve done my part to use passwords that aren’t “password123” or something equally foolish. The hard part is keeping them straight, which I could do by writing them down — but isn’t that a security hole all over again? Heck, I’ve known that since I was a kid. I saw “WarGames.”

Password vaults, aka password safes or password managers, help solve this problem. They give you a central spot to store all your passwords, encrypted and protected by a passphrase or token you provide. This way, you have to memorize a single password: the one for your password vault. All the other passwords you use can be as long and complex as possible, even randomly generated, and you don’t have to worry about remembering them.

If having your passwords in a single encrypted store were all you needed, then a password-protected Microsoft Word document would do the trick. There has to be an easier way. One of the reasons I looked at these password vaults was to see how easy it was to work with them over an extended period of time. If they didn’t provide much more convenience over simply copying and pasting passwords from a text file, they’d hardly be worth using.

So here are eight of the leading password managers available, ranging from services designed to be used mainly on the Web to client-side apps with a slew of incarnations. With each, we tested the Web incarnation (where applicable), the Windows client, and the Android version, the latter on a Samsung Galaxy Note 6 running Android 5.1.1 with fingerprint reader support.

In the long run, passwords are on the way out — theoretically, anyway.
For the foreseeable future, passwords are here to stay. As long as we’re stuck with them, we should use strong ones that aren’t likely to be hacked and protect them as best we can. The applications reviewed here make those objectives far easier to meet and can spare you a huge amount of typing tedium.

1Password 4.6

1Password feels in many ways like a commercial version of KeePass. Many of 1Password’s behaviors and UI choices will remind you of KeePass, but 1Password has been packaged and presented with more polish. The similarities extend to the way data is organized. Like KeePass, 1Password lets you store username/password pairs in user-defined folders (Banking, Online Shopping, and so on), and it allows entries to contain custom text fields, attachments, or other metadata. The username/password pairs can be autotyped into an application or used to autofill a Web form. All passwords are protected in a single vault file, secured by a master password of your choice.

Where 1Password improves on KeePass is by making all of this functionality more straightforward. KeePass doesn’t natively support automatic form filling in a Web browser, so you must add plug-ins to both KeePass and your Web browser if you want to do that. By contrast, 1Password automatically detects browsers in use, installs the necessary form-filling plug-ins, and even lets you manage these plug-ins from a central UI within 1Password. It’s also easier in 1Password, when manually editing a password entry, to specify which items go in which form fields. With KeePass, that process is less straightforward.

A number of features in 1Password have been polished significantly. With KeePass, autotype can be directed only to the window that last had focus or to a window with a title manually specified in a given password entry. 1Password lets you choose the currently open window to which to send an autotype sequence, with the previous window as the default.
1Password’s preformatted templates can store not only username/password pairs, but credit card info, bank account info, and many other kinds of common user data.

Another good 1Password feature not found natively in KeePass is auditing of duplicate and weak passwords. In the View menu, select Duplicate Passwords or Weak Passwords, and you’ll see lists of passwords that don’t pass muster. The mobile app handily supports auto form-filling. Unlocking by way of a fingerprint is supported on Android, but only on devices running Marshmallow.

Most password managers now offer ways to store structured forms of sensitive personal information. In 1Password you’ll find preformatted templates not only for credit cards, but for bank accounts, loyalty programs, passports, driver’s licenses, software licenses, common types of online accounts, and so on. (The Secure Notes feature in 1Password, akin to the one in LastPass, is a simple text-entry template.) You can also attach arbitrary metadata to such entries, such as images or text fields. One feature the developers might want to add is the ability to take a scanned copy of a document in a common format, such as a driver’s license, and have the application automatically capture the text from the relevant fields without having to type it in.

Price: $49.99 per user; the full-featured trial version of 1Password is free to use for 30 days.
Platforms: Windows, Mac OS X, iOS, Android.

Dashlane 4.0.1

Dashlane comes outfitted with features common to many other commercial password managers. Aside from keeping username/password pairs, Dashlane can store freeform text notes (and optionally secure them with your master password), keep copies of personal information such as credit cards and bank accounts, and save pertinent details for personal documents such as passports or driver’s licenses.

Dashlane scores major points for making it easy to get started with the program.
That applies whether you’re coming from another password manager or using a password manager for the first time. LastPass users, for instance, are invited to export their existing passwords to a CSV and import them into Dashlane. (You can likewise import from other common password managers, many of which are listed here.)

Other nice features in Dashlane are reminiscent of features in LastPass, such as the ability to share passwords in a controlled fashion with a few trustees. Sharing allows you to grant either limited rights (read, use) or full rights (read, use, edit) to the recipient. Another LastPass-like feature is the ability to automatically grant emergency access to your password database. The mechanism is the same, too. If the trustee places a request for emergency access, you have a predefined period of time (typically two days) to decline it; otherwise, it’s automatically approved.

Another good feature, the Security Dashboard, is reminiscent of 1Password. At a glance, you can see high-level statistics about your password usage — how many are weak or reused, how many are old or potentially compromised — along with specific steps you can take to up your score. You still have to change problematic passwords on your own, though.

Dashlane’s Security Dashboard lets you see at a glance how many of your passwords are weak or problematic, although fixing them remains up to you.

Most password managers support form-filling for online purchases, but Dashlane will also capture receipts of transactions with many common online retailers. Once a purchase is complete, a modal dialog pops up in the Web page where you performed the transaction, and you’re invited to save a copy of the receipt to your vault. I tried this with an Amazon.com purchase and found it to be relatively painless.

Dashlane’s mobile app is nicely designed, too. It offers nearly all the functionality of the main app, and it makes use of fingerprint readers on Android and iOS.
Devices without a fingerprint reader can use a four-digit PIN instead.

The most significant benefits you get with Dashlane Premium, for $39.99 a year, are expanded versions of features included in the free version. You can access your password vault through a Web interface, as opposed to the desktop app or a browser plug-in. You can share more than five items at a time from your vault with other users. And you can sync Dashlane across an unlimited number of devices. An enterprise-level offering, Dashlane for Teams, essentially lets you buy Premium-level accounts in bulk at a discount.

Price: Free; Premium version (adds sync across devices, sharing, backup, and Web access) costs $39.99 per year; Enterprise version starts at $24 per user per year (100 users).
Platforms: Windows, Mac, iOS, Android.

KeePass 2.31

It’s not hard to see why Dominik Reichl’s open source, cross-platform password manager remains in wide use after 13 years. KeePass is dependable, it gets the job done, and it (or one of its many ports) can run on almost any platform you could name. Plus, KeePass has been outfitted with more add-ons than you can shake the mouse cursor at. Its main drawback: Its best features require some work to figure out. Novices won’t enjoy pawing through all the plug-ins and configuration options.

KeePass stores username/password combinations for websites or applications, all protected by a master password that can be changed at any time. Instead of requiring you to copy and paste the data from KeePass, the app can automatically type username/password combos into form fields via system-wide hotkeys. The actual typing process is obfuscated, so keyloggers will not be able to intercept the results. By default, KeePass uses heuristics — such as inspecting the title of the window currently in focus — to figure out which password to paste. You can override autodetection for individual entries or whole classes of entries.
The database, or “vault,” used by KeePass is a single file, so it can be stored anywhere and easily synchronized between computers, by way of a Dropbox folder or BitTorrent Sync share, for example. The basic unit of storage in a vault is a user/password combination, but you can add any number of pieces of metadata (such as a recovery passphrase) to a given entry.

To make password databases harder to crack by brute force, KeePass lets you designate a minimum time delay with each unlock attempt, by requiring that the master key be transformed a number of times before being used. A handy tool built into KeePass calculates how many rounds to apply for a one-second delay, although that calculation only applies to the platform you’re currently running on. Note that a one-second delay on a desktop machine may translate to several seconds on your phone, so be sure to pick a delay that’s acceptable for all platforms.

Free and open source, KeePass is powerful, extensible, and available for almost any desktop or mobile OS you might be running. Tapping the more advanced features of KeePass will require close attention and patience.

When you create a new password entry or edit an existing one, you’ll see an assessment of the password’s strength — the longer, the better. KeePass can generate passwords automatically, using a rule set you can define. This is useful for passwords that require, for instance, a letter and a number and a symbol. Third-party plug-ins can also be used to generate passwords for KeePass. For example, the Readable Passphrase Generator plug-in assembles random phrases into memorable combinations.

Plug-ins are also used to integrate KeePass with third-party programs, such as the Google Chrome Web browser. The quality and manner of those integrations depend on the plug-in in question. Hooking up Chrome and KeePass, for instance, requires two plug-ins: one for KeePass, one for Chrome. In this case, setup requires several steps, so some may find it a chore.
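The key-transformation delay described above, worked through as an added example that is not KeePass code: KeePass repeatedly transforms the master key with AES, while this example uses PBKDF2-HMAC-SHA256 as a stand-in for the transformation, but the calibration logic is the same, and it also carries the platform caveat through by checking what a desktop-calibrated round count costs on a slower device (the 5x slowdown is an assumed figure).

```python
"""Calibrating a key-transformation work factor to a target unlock delay.

Added example, not KeePass code. KeePass transforms the master key with AES a
configurable number of rounds; PBKDF2-HMAC-SHA256 stands in for that here.
The calibration idea is identical: time a sample batch of rounds on this
machine, scale to the target delay, then check the slowest device you own.
"""
import hashlib
import time

SAMPLE_ROUNDS = 20_000                  # small benchmark batch, keeps calibration quick
SALT = b"constructed-sample-salt-value"  # constructed for the example; real vaults use a random salt


def transform_key(master_password: bytes, salt: bytes, rounds: int) -> bytes:
    """Derive the vault key by iterating the KDF `rounds` times (32-byte output)."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, rounds, dklen=32)


def measure_seconds_per_round(sample_rounds: int = SAMPLE_ROUNDS) -> float:
    """Benchmark this machine: wall-clock cost of a single KDF round."""
    start = time.perf_counter()
    transform_key(b"benchmark-only", SALT, sample_rounds)
    return (time.perf_counter() - start) / sample_rounds


def rounds_for_delay(seconds_per_round: float, target_seconds: float) -> int:
    """Round count that yields `target_seconds` of delay on a device with this speed."""
    if seconds_per_round <= 0 or target_seconds <= 0:
        raise ValueError("timings must be positive")
    return max(1, int(target_seconds / seconds_per_round))


def delay_on_device(rounds: int, seconds_per_round: float) -> float:
    """Unlock delay a given round count produces on a device with this speed."""
    return rounds * seconds_per_round


def rounds_acceptable_everywhere(per_round_by_device: dict, max_delay: float) -> int:
    """Largest round count whose delay stays within `max_delay` on every device:
    calibrate against the slowest device, not the desktop."""
    slowest = max(per_round_by_device.values())
    return rounds_for_delay(slowest, max_delay)


def brute_force_cost_seconds(rounds: int, seconds_per_round: float, guesses: int) -> float:
    """Single-core cost, at the given speed, of trying `guesses` master passwords."""
    return guesses * delay_on_device(rounds, seconds_per_round)


if __name__ == "__main__":
    desktop = measure_seconds_per_round()
    phone = desktop * 5  # assumed: the phone is about 5x slower per round
    r = rounds_for_delay(desktop, 1.0)
    print(f"rounds for a 1 s delay on this desktop: {r}")
    print(f"same setting on the 5x slower phone:    {delay_on_device(r, phone):.1f} s")
    safe = rounds_acceptable_everywhere({"desktop": desktop, "phone": phone}, 1.0)
    print(f"rounds that stay under 1 s on both:     {safe}")
    hours = brute_force_cost_seconds(safe, desktop, 10**6) / 3600
    print(f"one million guesses at that setting:    {hours:.1f} h on one core")
```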
Making use of the most powerful features of KeePass requires reading the manual, but it’s worth the effort. The Triggers feature lets you automate actions when certain conditions come true, such as uploading a copy of the password database to your Dropbox or OneDrive whenever it has been saved. Even more powerful, albeit harder to implement for most people, is the XML Replace feature, which allows the database’s contents to be modified programmatically — say, to automatically update entries according to certain rules.

Other editions of KeePass, both official and unofficial, have sprung up on nearly every computing platform, so it’s easy to use the same KeePass database across different devices. Many ports have platform-specific features. Keepass2Android, for instance, can paste passwords by way of a custom keyboard.

Price: Free.
Platforms: Windows 98 through Windows 10; Mono (Linux, Mac OS X, BSD); iOS, Android, BlackBerry, Windows Phone, and other mobile platforms supported through unofficial ports.

InfoWorld Scorecard

Product                       Features (30%)  Ease of use (25%)  Platform support (20%)  Setup (15%)  Value (10%)  Overall Score (100%)
1Password 4.6                 9               9                  9                       19           8            9.1
Dashlane 4.0.1                10              8                  9                       9            9            9.1
KeePass 2.31                  10              8                  9                       8            10           9.0
Keeper Password Manager 8.3   8               8                  9                       7            8            8.1
LastPass 4.0.0                9               10                 9                       9            9            9.3
Password Safe 3.38            8               8                  9                       8            9            8.3
RoboForm 7.9                  9               8                  9                       8            9            8.6
SplashID 8.0.9                8               8                  8                       7            8            7.9

Keeper Password Manager 8.3

Keeper Password Manager may not be as impressive to look at as others in this roundup, and it doesn’t sport as broad a range of functionality, but it gets the job done. It also has a few smart features I haven’t seen anywhere else, such as the self-destruct function.

The core functionality for Keeper is in line with that of the competition. User/password pairs can be stored in a folder hierarchy, and password entries can include user-specified fields or file attachments.
Installing the desktop client automatically sets up browser plug-ins that perform automated sign-ins on websites. The app is basic and straightforward, but not very flexible. For instance, while there’s a random password generator, there doesn’t appear to be a way to customize it to meet your organization’s password length or complexity requirements. Some of this may be by design to deliberately reduce the application’s potential bug count or attack surface.

If you’re importing data from another password manager, Keeper is quite strict about the format you use. A CSV I exported from KeePass was rejected because it had line breaks in the imported notes column. However, a little search-and-replace made all well.

Keeper’s desktop client won’t win prizes for interface design, but it’s functional — and the mobile client is excellent.

Keeper’s self-destruct feature protects you if your device is lost or stolen. After five unsuccessful password entry attempts, Keeper records will be deleted from the device in question. (The cloud-synced copy is kept safe, though.) A product like KeePass wouldn’t be able to implement this, because one could always swap in an alternate KeePass client that didn’t honor a self-destruct restriction.

The mobile version of Keeper is excellent. It’s so good it makes the desktop client look like an afterthought. For one, the mobile app has a much more elegant and native look and feel; the desktop app is a cross-platform Java concoction, with all the UI clunkiness that implies. The mobile app can use a smartphone’s fingerprint reader for authentication (provided you’re using the for-pay service) or verify identity through an external wearable device. I also liked an optional feature that blocks screenshots of the app, although I suspect that could be defeated on phones with custom ROMs.
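The CSV import problem described above, as an added example rather than code from KeePass or Keeper: a note with an embedded line break is legal CSV when quoted, but a strict, line-oriented importer rejects it, so the export offers a flattening mode, and the import side maps columns by header name so that a foreign export with a different column order still lands in the right fields. The sample entries and the foreign header names are constructed for the example.

```python
"""Moving vault entries between password managers via CSV.

Added example, not code from any product reviewed here. Two things go wrong
with CSV hand-offs: notes containing line breaks (valid inside quoted fields,
yet rejected by strict importers) and importers that read columns by position
rather than by header. Both are handled below.
"""
import csv
import io

FIELDS = ["title", "username", "password", "url", "notes"]

# Constructed sample entries; the first note deliberately spans two lines.
ENTRIES = [
    {"title": "Bank", "username": "alice", "password": "constructed-pw-1",
     "url": "https://bank.example", "notes": "Security question: pet name\nBranch PIN kept elsewhere"},
    {"title": "Mail", "username": "alice@example.com", "password": "constructed-pw-2",
     "url": "https://mail.example", "notes": "2FA via authenticator app"},
]


def export_csv(entries, flatten_newlines=False, separator=" | "):
    """Write entries as CSV text. The csv module quotes any field containing a line
    break, which is correct CSV; with flatten_newlines=True every embedded line
    break is replaced so each record occupies exactly one physical line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        row = {k: entry.get(k, "") for k in FIELDS}
        if flatten_newlines:
            row = {k: v.replace("\r\n", "\n").replace("\n", separator) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def physical_lines(csv_text):
    """How many data lines a naive line-oriented importer would see (header excluded).
    A mismatch with the record count is the symptom a strict importer complains about."""
    return csv_text.count("\n") - 1


def import_csv(csv_text, aliases=None):
    """Read CSV by header name, not column position. `aliases` maps another
    product's header names onto our field names; unknown columns are ignored."""
    aliases = {k.lower(): v for k, v in (aliases or {}).items()}
    reader = csv.DictReader(io.StringIO(csv_text))
    records = []
    for row in reader:
        record = {f: "" for f in FIELDS}
        for header, value in row.items():
            if header is None:          # extra unnamed columns from a ragged row
                continue
            key = aliases.get(header.lower(), header.lower())
            if key in record:
                record[key] = value or ""
        records.append(record)
    return records


if __name__ == "__main__":
    proper = export_csv(ENTRIES)
    flat = export_csv(ENTRIES, flatten_newlines=True)
    print(f"records: {len(ENTRIES)}, physical lines (quoted): {physical_lines(proper)}, "
          f"(flattened): {physical_lines(flat)}")
    # A constructed export from another product, with columns in a different order.
    foreign = "Login,Password,Name,Web Site\nbob,constructed-pw-3,Shop,https://shop.example\n"
    print(import_csv(foreign, aliases={"Login": "username", "Name": "title", "Web Site": "url"}))
```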
Price: Free for one device; Backup Unlimited version (adds multiple device support, cloud sync, fingerprint-based log-ins, sharing, Web app), $29.99 per year; Enterprise plans begin at $750 per year plus $48 per user per year, and include AD/LDAP integrations, auditing/policy management tools, and shared folders.
Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, Kindle Fire, Nook.

LastPass 4.0.0

LastPass is browser-centric. It installs as a Web browser extension on Windows, Mac, and Linux, and users access it through a toolbar button in any or all of their browsers, with all data automatically synchronized to LastPass’s servers. Open a Web page with a sign-in form, and LastPass automatically fills in the username and password fields for you. If you open a form field on a site that LastPass doesn’t have an entry for, it offers to create a new entry and (optionally) generate a password for it.

Form fields that are recognized by LastPass have a distinct asterisk icon next to them. Clicking that asterisk brings up a context menu, allowing you to generate passwords, manually select what to paste, and more. Click the LastPass toolbar button to bring up a nicely organized drop-down menu with fast access to the app’s most commonly used functions. Best of all is a search box at the top of the menu, allowing keyboard jockeys to bring up a password entry by typing a couple of letters from its name.

LastPass checks the strength of new passwords, and it can audit the strength of existing ones. The Security Challenge function checks all of your stored passwords — including the master password — and identifies those that are weak or duplicates. Problematic passwords can be replaced with newly generated ones, although LastPass can’t change the passwords on the sites where they are actually used. You’ll have to do that on your own.

Username/password combinations aren’t the only details LastPass is designed to manage.
It also provides form-filling functions to automate the entry of addresses, phone numbers, credit card data, and other personal information commonly typed into a Web form. LastPass attempts to autodetect which data goes into which form fields, and it generally does a pretty good job, although it has a few limitations. For example, I found that LastPass had some trouble automatically selecting the correct expiration date for my credit card from drop-down menus.

LastPass runs mainly in the browser, meaning it is most closely integrated with websites rather than desktop apps. However, the mobile apps autofill passwords for mobile apps as well as websites.

LastPass also provides a way to store Secure Notes, which are essentially free-form texts not associated with a given password entry. Secure Notes can be individually secured by requiring the master password to be re-entered before they are opened, but they can’t be given a separate password of their own.

The smartest feature by far is Emergency Access, which allows a trusted contact to gain access to the vault. The way it works is ingenious. The trusted user requests emergency access, and if after a predetermined length of time (say, a week) you haven’t explicitly declined them access, they can open your vault as if it were their own.

The mobile app version of LastPass — available for iOS, Android, and Windows Phone — is loaded with impressive convenience features. Like KeePass on the desktop, the mobile app can autofill login and password fields not only in Web browsers but in mobile apps generally. Setting up this feature requires some initial fiddling, but once running, it worked reliably. If your phone has a fingerprint reader, LastPass automatically detects it and uses it to authenticate — no need to type a master password. There’s also support for third-party two-factor authentication products like YubiKey.

Services always look for new kinds of premium functionality to charge for.
With LastPass, Premium accounts ($12 per year) come with additional multifactor authentication, a shared-folder system that can support up to five users, and the ability to save passwords for desktop applications. KeePass includes this last feature by default, one of its advantages as a native desktop app. Finally, LastPass offers an enterprise edition with single-sign-on support, policy and reporting mechanisms, and a central admin console.

Price: Free; Premium version (adds sync across devices, multifactor authentication, shared folders) costs $12 per year; Enterprise version starts at $24 per user per year (100 users).
Platforms: Web browsers on Windows, Mac OS X, Linux; mobile apps for iOS, Android, Windows Phone; desktop app for Mac OS X.

Password Safe 3.38

Security expert Bruce Schneier decided to do more than write about password insecurity issues. He designed Password Safe, a simple open source application that allows individuals to store passwords securely, type them automatically when needed, and require only a single password to access them all. If that description reminds you of KeePass, you’re spot-on: Password Safe is like a bare-bones KeePass. That’s not necessarily a bad thing, since a simpler program is by definition a more easily secured one.

Password Safe’s user interface and behaviors echo KeePass. You browse username/password entries via a hierarchical tree view, and you can use hotkeys to automatically type passwords into any application, not only Web pages. One KeePass feature Password Safe lacks is a systemwide autotype hotkey, where a username/password combo can be selected and typed into a window based on its title.

The design and behaviors of Password Safe are reminiscent of KeePass. Although the feature set is smaller, Password Safe is both useful and well-designed.

Password Safe may not have the breadth of features seen in many of the password managers here, but the included features are smart and useful.
A “password policies” function allows you to create rules for how passwords are generated. You can specify how many characters, what kind, whether or not to use characters that can be mistaken for each other (the digit “1” versus the lowercase letter “l”), and so on. Database backups are automatically generated whenever you save new entries, so older versions of the database (and its entries) are retained. Password Safe has built-in support for YubiKey security devices, too.

The biggest downside to Password Safe is that it’s not very flexible. For one, there’s no plug-in architecture, so any expansions to the program’s feature set are entirely up to the developers. For two, Password Safe is missing (albeit perhaps by design) direct integration with Web browsers by way of plug-ins on the browser side.

Price: Free.
Platforms: Windows; beta available for Linux; third-party ports available for iOS, Android, BlackBerry, Java, Python, and other platforms.

RoboForm 7.9

RoboForm is one of the longest-lived programs of its kind, originally created as a general form-filling solution for Web browsers and stand-alone applications. Like KeePass and 1Password, it’s useful for more than password storage and management. And like 1Password, it comes outfitted with a bevy of good, smart features that work with minimal tinkering.

On installation, RoboForm autodetects the browsers in use and integrates with them via plug-ins. From then on, password submissions in forms are automatically saved to the database. The password-capture process has some smarts to it: When RoboForm offers to save passwords from a Web page, it makes a few guesses as to how to label the resulting password capture — by URL, by the page’s title, by the username plus the URL, and so on. Thus, entries for multiple subdomains of the same site are automatically kept separate and aren’t likely to stomp on each other.
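The Password Safe “password policies” and the KeePass generator rule sets described above (length, required character classes, and exclusion of look-alike characters such as “1” and “l”) share one mechanism, shown here as an added example that is not code from either project: a policy object, a checker, and a generator that draws from the OS CSPRNG and retries until every required class is present, so no position is biased toward a particular class.

```python
"""Policy-driven password generation in the style of Password Safe's password
policies and KeePass's generator rule sets.

Added example, not code from either project. A Policy states the length, the
character classes that must each appear at least once, and whether look-alike
characters are excluded. Generation uses `secrets` (the OS CSPRNG) and
rejection sampling, so the distribution over compliant passwords is uniform.
"""
import math
import secrets
import string
from dataclasses import dataclass

# Characters commonly confused when a password is read or typed by hand.
LOOKALIKES = set("Il1O0o")

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+[]{};:,.?/"),
}


@dataclass(frozen=True)
class Policy:
    length: int = 16
    required: frozenset = frozenset({"lower", "upper", "digit", "symbol"})
    exclude_lookalikes: bool = True

    def alphabet(self) -> str:
        """All characters the policy permits, as a sorted string."""
        if not self.required:
            raise ValueError("policy must require at least one character class")
        chars = set().union(*(CLASSES[c] for c in self.required))
        if self.exclude_lookalikes:
            chars -= LOOKALIKES
        return "".join(sorted(chars))


def satisfies(password: str, policy: Policy) -> bool:
    """True when the password has the exact length, uses only permitted characters,
    and contains at least one character from every required class."""
    if len(password) != policy.length:
        return False
    allowed = set(policy.alphabet())
    if any(ch not in allowed for ch in password):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in policy.required)


def entropy_bits(policy: Policy) -> float:
    """Upper bound on the entropy of a uniformly drawn password under this policy
    (the class requirement removes a small fraction of candidates)."""
    return policy.length * math.log2(len(policy.alphabet()))


def generate(policy: Policy, max_attempts: int = 10_000) -> str:
    """Rejection sampling: draw uniformly from the alphabet and retry until every
    required class appears. For 16 characters and four classes most draws pass."""
    if policy.length < len(policy.required):
        raise ValueError("length too short to contain every required class")
    alphabet = policy.alphabet()
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if satisfies(candidate, policy):
            return candidate
    raise RuntimeError("could not satisfy policy")  # practically unreachable


if __name__ == "__main__":
    strict = Policy(length=20)
    digits_only = Policy(length=8, required=frozenset({"digit"}), exclude_lookalikes=False)
    for p in (strict, digits_only):
        print(f"{generate(p)}  (~{entropy_bits(p):.1f} bits max)")
```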
Unfortunately, RoboForm doesn’t deal well with detecting the contents of form submissions where the form is automatically obscured upon submission. However, RoboForm isn’t alone in this flaw. This is a common problem with password managers that try to autodetect form submissions on Web pages.

If your PC or notebook has a fingerprint reader or smart card slot, RoboForm can use it as an authentication mechanism instead of a master password. The master password can be kept in “system-protected storage,” so logged-in users automatically have access to the password vault. Note that if you reinstall Windows or delete the user account, this system-protected storage will be erased, but you can still access a backup of the RoboForm vault with your master password. (KeePass has a version of this feature, except that losing the user account also means losing access to the vault, period.)

RoboForm’s interface may be a little less polished than the competition, but its feature set has mostly kept up with the times.

Previous versions of RoboForm used a toolbar that would pop up below or above the browser window. For Chrome, at least, the toolbar has been replaced by a native in-browser plug-in, but the external toolbar is still available if you want it. I found the browser-native plug-ins to be far more elegant. They’re certainly more consistent with the other applications in this vein.

RoboForm’s original toolbar and native program interface look a little clunkier than the competition. They’re the most prominent signs of the program’s age.

Aside from username/password pairs for websites, RoboForm also stores browser bookmarks, personal identity data, and free-form text notes (Safenotes) in the same manner as 1Password and LastPass. Custom fields can be added to many kinds of entries in RoboForm’s database, but not all of them. Safenotes, for instance, restrict you to a single freeform text field.
No modern password-management app would be complete without a mobile version, and RoboForm does have such an incarnation. It doesn’t yet support a smartphone’s fingerprint reader — a major omission in today’s mobile world — although it allows quick-unlock by way of a four-digit PIN.

RoboForm also comes with a Web-based edition, named RoboForm Anywhere, where the contents of one’s vault can be edited and audited. Security-conscious users will like how RoboForm activity from all devices is logged and can be perused either through the Web interface or downloaded as a CSV file. The paid subscription version of RoboForm, RoboForm Everywhere, allows integrated syncing of one’s password database across all devices for $9.95 a year.

Price: RoboForm Desktop, $29.95; RoboForm2Go, $39.95; RoboForm Everywhere, $9.95 per year.
Platforms: Windows, Mac OS X, iOS, Android, Windows Phone.

SplashID Safe 8.0.9

SplashID Safe isn’t a bad program, but it’s limited in frustrating ways, and its competitors offer more at their basic tiers. SplashID Safe is akin to LastPass in that its free tier is mainly consumed as a Web app. If you want to use the PC and smartphone versions and sync them against your SplashID cloud account, you’ll need to purchase a Pro account starting at $1.99 per month or $20 per year. For those who want to use the desktop app to manage passwords across a variety of applications, this is irksome, especially given the array of competing services with desktop apps that cost nothing.

Some good ideas have been sprinkled through SplashID Safe. When you first create an account, your vault is optionally populated with sample data of various kinds to give you an idea of how to use the service. Another nice touch: A “pattern log-in” function, akin to the kind used in smartphones, can be used to unlock the Web version or the desktop edition. I also liked how devices could be synced peer-to-peer over Wi-Fi rather than through the cloud.
SplashID’s mobile app is functionally similar to the desktop app, although it doesn’t support the use of a fingerprint reader to unlock one’s vault on Android, only on iOS.

On the downside, a bevy of little issues kept throwing me off. When I attempted to import a CSV generated by KeePass into SplashID’s Web vault, it misinterpreted which columns mapped to which fields; the title of the field ended up being the password, among other problems. Because I wasn’t allowed to remap the columns on import, I needed to download a sample CSV to determine the proper format and reorganize my CSV file to get it to import correctly.

SplashID Safe has many features that match the competition, but not always with the same level of polish.

That was only the start of my trouble with SplashID Safe. The desktop app refused to install, due to the installer not being signed properly. SplashData technical support was able to provide me with a fixed copy. And because the advertised browser plug-in for Chrome was not available from the Chrome Web Store, I wasn’t able to test any of its autofill functions. (I was informed this will be corrected.)

The Web interface, used for the free tier of the product, has issues of its own. Its formatting sometimes rendered incorrectly when the browser was resized, with side effects like buttons vanishing behind each other. Finally, I was surprised that the Web app attempted to use a Flash plug-in, given how Adobe Flash has been implicated in countless security issues, although the site seemed to work normally without it.

Price: Free for one device; Pro version (supports multiple devices, sync across devices, backup, sharing), $19.99 per year; Teams version, $5 per user per month.
Platforms: Windows, Mac, iOS, Android, Windows Phone, BlackBerry, Web.

One password to rule them all

Which of these password managers should you choose? Clearly, you have a number of great options.
KeePass, despite its occasional complexity, still tops the list of free and open source solutions, thanks to the breadth of plug-ins and its broad platform support. For those who want a free and open source solution, but in an implementation with fewer frills and less fuss, consider Password Safe. (That it comes with the imprimatur of a renowned security expert doesn’t hurt either.)

1Password takes the basic idea behind KeePass and lays on a veneer of commercial polish, making a good thing even better and easier to use, albeit at a cost. Dashlane is even sleeker, with a handy security auditing function, but unlike many competitors its Web version is available only as part of the for-pay package. RoboForm, an app with a faithful following, has kept pace nicely with the competition over the years (by adding browser plug-ins, fingerprint authentication, and so on), and it offers a lot of functionality in the free version.

The best part of Keeper is its mobile incarnation. Keeper is a product aimed mainly at business users, but it nonetheless provides plenty of utility for everyone else. Finally, for those who want to tame a welter of website passwords, LastPass is an excellent place to start, considering its basic incarnation is a browser plug-in and a well-designed mobile app. SplashID is similarly designed, but much of what it does is executed better elsewhere.