Top password managers compared

Unless you're living off the grid in a cabin in the woods -- and, if you're reading this, you're probably not -- you have more passwords than you can manage. They're all supposed to be long, complicated, unique, and difficult to guess. Oh, and you're supposed to change them all every three to six months.

The simple answer is to use a password management program. And, as the options below illustrate, there's a password manager out there for you regardless of your level of paranoia.

Plus, the leading options are getting pretty business-friendly, so if your company doesn't have a password management solution in place already, or is too small for one, then one of these password managers could do the job.


Dashlane is the best password manager on the market right now because of its ability to change most of your passwords with a single click, its support for two-factor authentication, and its business-friendly team functionality, which allows password sharing with team members.

"Dashlane is a more recent arrival on the scene, but it gets a lot of praise in the SMB community for the user-friendliness of its interface," said Daniel Humphries, researcher at Software Advice, Inc., a Gartner company.

Dashlane costs $40 per year per user, but there's also a free version which works on one device.

"There are lots of options when it comes to password managers, and SMBs can decide whether they want to shell out major bucks for the deluxe versions or keep it free according to their own needs and priorities," said Humphries. "The good news is that you can do a lot with the free versions."

Dashlane's free version, for example, lets you try out its interface, including the password manager and the form auto-fill, and lets you share up to five logins.

Dashlane also has an emergency contact feature, so that someone you trust can step in and access all your accounts if something happens to you, plus a form filler so you don't have to type in your address all the time.

The ability to change all passwords with one click is currently unique to Dashlane, and covers more than 160 of the most popular sites, including Facebook, Twitter, LinkedIn, Pinterest, Amazon, Dropbox, and Evernote -- a useful feature if you think your accounts may have been compromised.

Password sharing allows you to control who has access to shared accounts, and revoke that access when needed. This is useful if there are multiple people with access to your company's social media accounts, for example.

Auto login works even with multi-page websites, such as bank sites. All passwords, auto-fill information, and notes are securely encrypted and saved where you choose -- locally or to the cloud.

The one thing missing is the ability to use Dashlane to log into standalone iPhone and iPad apps, though that is a problem for all password managers.

In fact, Apple only recently allowed third-party extensions to its mobile Safari app to allow password managers to fill in online passwords. Previously, iOS users had to open up their password manager apps, look up their passwords and copy-and-paste them into the form fields.


LastPass used to be my top recommendation, and is the system I currently use.

The company has an enterprise version, with Active Directory sync, configurable management policies, onboarding, offboarding and provisioning, and single sign-on for many popular cloud applications, including Office 365, Google Apps, Salesforce, WordPress, and others.

It supports both software and hardware multifactor authentication, such as the YubiKey USB keyfob, Toopher, and Duo Security.

Plus, LastPass throws in free credit monitoring, will generate one-time passwords for use at untrusted computers or networks, and will change your passwords for you.

LastPass has more than 10,000 corporate customers ranging in size all the way up to the Fortune 500, according to spokeswoman Cid Ferrara.

Prices range from $24 per user per year down to $18 with a volume discount.

Like Dashlane, LastPass offers to save passwords as you log into new sites. This could be an issue if the password management software is provided by the employer, and the employees are logging into personal sites.

"Care must be taken that users do not enter private personal information, such as banking logins as the company may face increased legal liability," said Randy Abrams, research director at Austin, Texas-based NSS Labs, Inc.

LastPass has a solution to this.

It offers a unique feature, the ability for employees to link their personal and company LastPass accounts, allowing easy access to both, but letting the company manage only the corporate ones.

When the employees leave their jobs, the company can wipe all the work logins -- and the personal passwords stay untouched.

I use the personal version, find the interface clunky and uncomfortable to use, and will probably be switching to Dashlane once my annual subscription expires later this spring.

For example, in LastPass, the feature to change your passwords requires that you edit each site's entry, individually, and ask LastPass to generate a new password for it. It still saves a little bit of time compared to having to log into each site and navigate around to change its password, but is not as convenient as Dashlane's one-click that resets all passwords at once.

For corporate deployments, however, LastPass is the strongest contender.


Many of our readers, however, will probably prefer KeePass for individual use.

"I prefer KeePass because it's free, open source, integrated with Windows User Account Control, and it is not a browser plug-in," said Jason Fossen, an instructor at Bethesda, MD-based SANS Institute. "It's not ideal for security to take many of your most important secrets -- your passwords and credit card numbers -- and incorporate them into the one application most likely to become infected with malware -- the browser."

KeePass is a separate utility, not a browser plug-in, he said.

"KeePass also supports PowerShell scripting for custom solutions," he added.

This is a minimalist option for those willing to give up convenience and functionality for extra security.


Another password management system that allows credential sharing is 1Password.

One user is Steve Hultquist, chief evangelist at Sunnyvale, Cal.-based RedSeal, Inc.

"I strongly recommend password generation applications that provide a secure vault for all your passwords," he said. "They allow you to automatically generate completely random strings of characters and to use unique passwords for every site, while the application allows you to automatically fill in those passwords when you visit the sites on your computer, mobile device, and apps."

Like Dashlane and LastPass, 1Password supports all major browsers, auto-fills forms, and has apps for both iOS and Android devices.


Blur's unique feature is that it doesn't just generate a long, completely random password -- it will also generate disposable email addresses for you that mask your real address.

Like the other commercial password managers, the basic version is free and the company makes money selling a premium version. With Blur, the $40 premium version also generates one-time credit card numbers with built-in spending limits to protect users against hidden charges or data breaches, and masked phone numbers for even more privacy.

"Everyone that uses the Internet should also use a password manager," said Abine CEO Rob Shavell. "Password managers are more convenient so you are guaranteed to save time each week and they help consumers be far more secure. Businesses both small and large need to start encouraging or mandating password manager use."

In addition to his own product, Blur, Shavell also recommends LastPass, 1Password and Dashlane, as well as PasswordBox, listed below.

"The top password managers now work well enough everywhere -- on your browser and on your phone and on almost all web sites -- that there is no longer any excuse not to use them, unless you want to be hacked," he said.


Recently acquired by Intel, the PasswordBox premium version is temporarily free for all customers.

Plus, the service plans to roll out something they call "True Key" functionality later on this year, which will replace the master password with biometrics such as facial recognition.

Most password managers rely on a master password -- a single password which unlocks access to the entire vault. The idea is that it's easier to remember one password, and make it a super-long, super-secure passphrase, than to try to memorize dozens, or hundreds, of individual passwords.

But a super-long passphrase is also inconvenient to type in, especially if you have your password manager set up to lock you out whenever you step away from your computer or shut down your mobile device. Which, of course, you should.

Plus, any application that relies solely on a user name and password combination is vulnerable to keystroke loggers. This is where biometrics and other multifactor authentication methods come in.

"Multifactor support is critical," said Andre Boysen, chief identity officer at North York, ON-based SecureKey Technologies Inc. "Password managers are a target because of the honeypot of access credentials."

PasswordBox claims to be the most trusted password manager, with more than 14 million downloads. By comparison, LastPass claims to have about 6 million individual users.

PasswordBox also offers the option to name an emergency contact who is allowed to use the app if something happens to you, and to securely share logins with co-workers or family members.


The oldest of all the password managers on this list, RoboForm was first released at the end of 1999.

One unique feature is that it allows users to log into several sites at once -- useful for people who log into the same set of services every day. It also has a portable version, called RoboForm2Go, that you can install on a USB key.

Like other password managers, it supports all major browsers and devices and offers a choice of cloud storage for syncing across all devices, or desktop mode for storing all data locally on a single computer. But, again, you give up the convenience of being able to access your password on mobile devices and other computers.

It made this list because it has an enterprise version, with group policies, Active Directory integration, master password recovery, shared logins with multiple users, automatically created credentials for users or groups, and the ability to create limited-time logins.


StickyPassword's unique feature is that you can avoid the cloud, yet still sync across all your devices, by using your local Wi-Fi network to keep everything up to date.

It also works from a portable USB device, supports biometrics, fills in forms, and works on all major platforms, browsers, and devices.

The premium version, which is the one that supports Wi-Fi sync, is just $20 a year, making this one of the less expensive commercial products on this list.

The company currently claims to have 2 million users. In addition, StickyPassword is the technology behind VIPRE Password Vault from ThreatTrack Security and powers the Kaspersky Password Manager.

The lack of an enterprise version might make it less suitable for business use.

"If a company is going to use a password manager they need to make sure they have the level of remote manageability that is appropriate for their environment," said Randy Abrams, research director at Austin, Texas-based NSS Labs, Inc.


Stories by Maria Korolov
