How to evaluate password managers

[Image: word cloud of frequent logins and passwords. Credit: Scott Erven/Mark Collao]

Password managers come in as many as four separate forms: a desktop app, a mobile app, a browser extension, and a pure Web-based service that requires nothing beyond a regular browser. Different use cases call for different combinations of these mechanisms, and not every tool supports all four.

Most tools on the market have a separate Windows desktop app, and most can handle Windows 7 and newer versions. TeamsID, Keeper and LogMeOnce offer only browser-based versions. Dashlane is limited to 32-bit operating systems or 32-bit browsers. Others add Mac and Linux desktop apps. In addition to traditional desktops, most of the products support iOS and Android devices. Keeper, LastPass, and StickyPassword also have versions that work on Kindles, BlackBerries and Windows Phone mobiles. Browser extensions for the major browsers (Firefox, Chrome, IE and Safari) are supported by most products. And half of them have direct Web-based SaaS portal pages that you can log in to and obtain a password in a pinch without having to install any software.

Second, how these tools automate the login process differs. There are subtle differences in how each tool completes the login, and they also differ across operating systems. For example, on the desktop or with a browser extension, most tools will automatically fill in the login information (except for TeamsID) and then (if you select this option) perform an auto-login to the site. On mobile phones, the products will bring up a protected browser session (1Password), auto-fill the information (Keeper), or make you copy and paste the details manually (LastPass). The behavior on mobile devices is important, particularly as more of your users do more of their work there and want better password management tools. Note that SingleID has a very different process.

Third, can you motivate your users to have better password hygiene with these tools? Maybe. The temptation to reuse passwords, and to use simple ones (which are therefore easy to crack), is great, but these products all try to move the needle towards better password usage. They all have some feature that will produce a long random password mixing symbols, digits, and upper- and lowercase letters, which is at least a more secure login than anything you could come up with on your own.

Several of the products (including ManageEngine, Dashlane and LogMeOnce) can do a one-button quick password replace across your entire vault, which is useful if you are either ultra-paranoid or have been compromised. Many of the products offer dashboards or graphical displays that show a summary of your entire password portfolio, or send a series of nagging emails to get your users to remove duplicate or simple passwords.
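The two hygiene mechanisms described above, generating a random password with every character class guaranteed and auditing a vault for reused or weak entries, as an added Python example that is not code from the article or from any of the products it reviews. The character set, the 60-bit weakness threshold, and the sample vault are constructed for illustration; the entropy estimate assumes uniformly random characters, so it is exact for generated passwords and only an upper bound for human-chosen ones.

```python
import math
import secrets
import string
from collections import Counter
from typing import Dict, List

# Assumption: four character classes, matching the "symbols, digits, upper and
# lower case" mix the article describes. The symbol set is a constructed choice.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character from each class.

    Uses `secrets` (a CSPRNG) rather than `random`, and rejects candidates that
    miss a class instead of forcing fixed positions, so every accepted password
    is drawn uniformly from the set of compliant strings.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(pool), where the pool is the union of
    the classes actually present. Exact for generated passwords; an upper
    bound for human-chosen ones (dictionary words score far too high)."""
    pool = sum(len(cls) for cls in CLASSES.values()
               if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault: Dict[str, str], min_bits: float = 60.0) -> Dict[str, List[str]]:
    """Flag reused and weak passwords in a {site: password} mapping.

    min_bits is a constructed threshold; reuse is checked by exact match,
    which is what a dashboard's "duplicate password" count reports."""
    counts = Counter(vault.values())
    reused = [site for site, pw in vault.items() if counts[pw] > 1]
    weak = [site for site, pw in vault.items() if entropy_bits(pw) < min_bits]
    return {"reused": sorted(reused), "weak": sorted(weak)}


# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "mail.example.com": "password1",
    "bank.example.com": "password1",
    "vpn.example.com": "Summer2015",
    "wiki.example.com": "Tg7#mQ2p!vLz9@RkW4xe",
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    pw = generate_password()
    print(pw, round(entropy_bits(pw), 1), "bits")
```

Running the audit on the sample vault flags the mail and bank entries as reused and all three non-generated entries as weak; a 20-character generated password scores about 125 bits under the same estimate.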

Next, how synchronization of your vault across multiple devices happens differs. The ideal use case for these products is a user who moves effortlessly among different endpoint devices: start with an iPhone in the morning, move to a Windows desktop during the workday, and then to a Chromebook or some borrowed desktop's browser at a remote meeting location. LastPass and LogMeOnce do the best job of this. Other products, like 1Password, have very cumbersome synchronization mechanics. When you evaluate these products, pay attention to where they store their password vaults and how those vaults are protected.
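To make "where the vault is stored and how it is protected" concrete, here is an added Python sketch of a common client-side key split used by sync-based managers; it is not any reviewed vendor's actual scheme and not code from the article. The vault key is derived from the master password on the device and never sent; a separately derived authentication hash is what the server verifies; and the server stores only a salted hash of that authentication hash plus an opaque encrypted blob. The cipher is a constructed encrypt-then-MAC built from HMAC-SHA256 purely so the example runs on the standard library; a real product would use an authenticated cipher such as AES-GCM. The iteration count, user name and vault contents are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 50_000  # assumption: illustrative PBKDF2 work factor, not any vendor's


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Derived on the client and never transmitted. The user name is the salt,
    so identical master passwords on different accounts give different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client presents to the sync server: one more one-way step over
    the vault key, so the server can authenticate the user without ever
    being able to recover the vault key from what it receives."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed PRF-in-counter-mode keystream (illustration only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the single vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob leaves the device."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag fails (tampered blob or wrong key)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncServer:
    """Constructed stand-in for a vendor's sync service. It holds a salted hash
    of the auth hash (never the auth hash itself) and the opaque vault blob."""

    def __init__(self) -> None:
        self.users: dict = {}

    def register(self, username: str, auth_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        self.users[username] = {"salt": salt, "verifier": verifier, "vault": blob}

    def login(self, username: str, auth_hash: bytes) -> Optional[bytes]:
        rec = self.users.get(username)
        if rec is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], ITERATIONS)
        if not hmac.compare_digest(check, rec["verifier"]):
            return None
        return rec["vault"]


def demo() -> dict:
    """Move a vault from one device to another through the server and report what held."""
    user, master = "alice@example.com", "correct horse battery staple"   # constructed
    vault = b'{"bank.example.com": "Tg7#mQ2p!vLz9@RkW4xe"}'              # constructed
    server = SyncServer()

    # Device 1: derive the key locally, encrypt, upload blob and auth hash.
    key1 = derive_vault_key(master, user)
    server.register(user, derive_auth_hash(key1, master), encrypt_vault(key1, vault))

    # Device 2: the same master password and user name reproduce the same key.
    key2 = derive_vault_key(master, user)
    blob = server.login(user, derive_auth_hash(key2, master))
    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # flip one ciphertext bit, as a corrupted or altered sync would

    wrong_key = derive_vault_key("wrong password", user)
    return {
        "roundtrip": decrypt_vault(key2, blob) == vault,
        "wrong_master_rejected": server.login(user, derive_auth_hash(wrong_key, "wrong password")) is None,
        "tamper_detected": decrypt_vault(key2, bytes(tampered)) is None,
        "server_never_stored_key": key1 not in server.users[user].values(),
    }


if __name__ == "__main__":
    print(demo())
```

The evaluation question this answers is which party can read the vault: with this split, a breach of the server yields salted verifiers and ciphertext only, and the attacker's remaining option is an offline guess of the master password, which is exactly what the PBKDF2 work factor is there to slow down.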

What if you have older endpoint versions? Some of the products don't support older OS versions, particularly on mobile phones and tablets. That could be a concern depending on the mix of vintages in your end-user device population, and could knock a few of these tools out of the running. For example, the latest version of 1Password only supports Macs running Yosemite, and LogMeOnce doesn't work with iOS versions before 8.0.

Speaking of operating systems, dealing with Windows 10 is a problem for all of these tools. Microsoft hasn’t made it easier for these password managers with the release of Windows 10 and its Edge browser. Edge doesn’t support any browser extensions and therefore won’t work with any of these products. If you want to make use of them you will either have to install another browser such as Firefox or Chrome, or try to make do with the built-in version 11 of Internet Explorer. This seems counter to what Microsoft was trying to do to make a more secure browsing environment.

Many vendors have improved their multifactor authentication support, although none of the vendors reviewed offers authentication methods on a per-login basis that could step up authentication for particularly sensitive logins; for that level of granularity you will need an SSO tool. But each vendor offers different MFA tools, with LastPass the most flexible and LogMeOnce the easiest to set up. Both of these offer multiple MFA methods as part of their tools. StickyPassword and Dashlane offer the fewest MFA methods, while the others fall between these extremes.

Finally, consider how each product is managed by an enterprise IT administrator. In the individual reviews we get into the specifics: most products have a separate web-based portal that admins can use to set up security policies and directory synchronization, among other features.

This story, "How to evaluate password managers" was originally published by Network World.


Copyright © 2015 IDG Communications, Inc.
