Password Managers
There are literally hundreds of hosts, usernames, and password combinations that I have to keep track of. Having some piece of malware find and upload the Excel file that I used to keep my passwords in was simply an unacceptable risk. I needed something better. Here are my requirements:
Requirements
Must-Haves
- Secure, encrypting the file and requiring a password each time the file is opened
- Copy-and-paste to populate the username and password.
- Multiple accounts at a single URI
- Searchable by URI or username
- Cross-platform, covering at least Windows 7, iOS, and Android.
- Exportable in a common format such as plain text, CSV, or XML
Nice To Haves
- Cross-platform supporting Linux
- Structured storage, where related accounts can be grouped in a folder or similar
- Password generator, so I can generate a new password right in the tool when a site requires a new password.
Options Explored
Browser Password Management
Native browser managed passwords fail on:
- Secure
- Copy-and-Paste
- Searchable
- Password Generator
In some implementations, they also fail on:
- Multiple Accounts
- Structured Storage
Having the browser “save” the password for me is sometimes useful but creates a security risk because the user is never asked to enter the password again. This mechanism for saving passwords also does not work where the account is not a web site, e.g. SSH to a remote host.
Turn Off Saving Password in the Browser
You can turn off having the browser save your password:
LastPass Browser Plugin
At first, LastPass seemed to be the answer I was looking for. It required a password to access the stored credentials, it would auto-fill password forms, and it was stored with my Chrome profile so that any machine on which I had Chrome (my primary browser) I also had LastPass and my passwords. Alas, Eden was short-lived.
LastPass gets hopelessly confused by multiple accounts at the same URI. If you use LastPass’ auto-fill feature on URLs where you have more than one account, be prepared for that account to be locked – LastPass valiantly continues to retry the last password that worked regardless of errors.
LastPass fails on
- Copy-and-Past
- Multiple Accounts
- Searchable
- Structured Storage
Note that it has been more than a year since I used LastPass and there is a new release since that time.
KeePass2
KeePass2 is what I use.
Secure
It requires a password each time the application is opened. Also, it supports Copy-and-Paste, but with a 10 second timer before the past buffer is cleared.
Copy-and-Paste
Simply by double-clicking on the User Name or Password, the paste buffer is populated with that value. For security reasons, once populated, there is a 10 second timer before the paste buffer is cleared.
Multiple Accounts and Structured
KeePass2 easily handles multiple accounts at a single URI. Part of what makes this easy is the folder structure user to categorize and store credentials.
Searchable
There is a search field at the top of the application. You must enter what you are searching for and then hit Enter; it is not an incremental search.
Password Generator
KeePass2 has a particularly nice set of password generation tools. It has a simple generator accessible from the key icon under Add/Edit Entry. I particularly like Derive from previous password, which generates a new password with the at least as many characters in each character class (upper, lower, numbers, punctuation, etc.) as the password you had. For me complex password generation, select Open Password Generator.
I particularly like the ability to show the password. I understand that potentially creates an “over-the-shoulder” security issue, but there are sites/hosts where it is not possible to paste in your password, e.g. Windows Remote Desktop on Server 2003 and earlier.
Opening the Password Generator provides as rich a set of password generation tools as I have ever needed.
My Choice: KeePass2
KeePass2 has served me well for about a year now. It works well for me. The few complaints I have revolve around the upgrade process.