Monday 20 November 2017

What Makes a ‘Good’ Password Manager Good?

Before we can decide on which password manager is a good one to use, we will need to consider what “good” means for a password manager. We will describe a set of criteria that we will use in evaluating a number of password managers.

The first criteria fall under usability. First, the password manager must be easy to obtain and install. It should be available from the usual sources for each platform, and it should install with the standard methods a typical user would use, without requiring any advanced techniques.

The manager should work across many platforms and browsers. Many people have several devices with various operating systems. They need to access password-protected websites from all of these devices. If a change is made while using one device, the other devices should synchronize and pick up the new password without a lot of extra input. It should work on laptops, desktops, tablets, and smartphones, and require initial setup on only one device. It should work on Windows, macOS, iOS, Android, and Linux. It should work on any of the major web browsers used on these platforms.

Closely related to this is the ability to work remotely. The reality is that many of us with our multiple devices have to access passwords at home, at work, and on the road. The password manager should work seamlessly no matter where we are.

Once installed on any operating system, it should be easy to get it set up and working. If another manager has been used, a handy feature is the ability to import the database of passwords from the previous program. If the web browsers have been used to manage passwords, the new password manager should be able to import from these as well.

Once operating, the manager should be able to detect new password events and capture them effectively. It should be able to auto-fill commonly used passwords and other forms. A nice feature is the ability to securely store notes as well as passwords. Ideally it would be able to handle passwords in other applications and handle passwords for decrypting files in the operating system.

Does the password manager require special hardware, such as a USB key? If so, will this affect the portability? These can be effective for security but highly inconvenient if forgotten at home.

Finally, some people need the ability to share sets of passwords with others. In this case, a password might be updated by another person, not the same person on another device. The manager should be able to synchronize these events well. This is typically done with record-level syncing.

The greatest scrutiny will come in the area of effectiveness. The main idea of a password manager is protection. The problem with passwords is that a good password is hard to remember. The same length and complexity that makes a password safe also makes it difficult to memorize. For maximum safety you should have a different password for each site you use. This way if any one site is compromised, no other sites will be at risk. The task of memorizing many complex passwords is too daunting for normal human beings, so they end up with the same poor passwords on all of their sites.

The password manager solves this problem by storing passwords and making them available when needed. The passwords can be unique for each site and complex enough to be safe. The essential function of the password manager is to store these passwords encrypted so that only you can see them.

The encryption has to be strong and, ideally, impossible to crack. Only the user with the legitimate key should be able to see the passwords. The central question for a good password manager is “Is it secure?”

One essential requirement is that the encryption used in the manager should be strong, industry-standard encryption. It is a well-known fact among security experts that proprietary or newly invented encryption systems are often insecure. Paradoxically, well-known systems are safe: they do not rely on secrecy to be effective. These are the systems that should be used by a good password manager.

Another security feature is two-factor authentication. A password is combined with a hardware key or a code sent to a mobile device. This may offer an increase in security, but it also prolongs a login and can be inconvenient if the hardware is not available. Worse yet, the hardware key can be left behind in a remote computer. Two-factor authentication is frequently offered as an option to those who don’t mind any potential inconvenience. Another option is to trigger two-factor authentication only when logging in from a given device for the first time.

The major caution here is to consider who has the credentials needed for authorization. If you are giving these credentials to a company that manages authentication, there is a security risk because they may botch the encryption or other security and the credentials may be stolen. The essential condition for security is this: is the company forthright and open about what they are doing? If they are, then you as the potential customer can decide if the risks are acceptable.

Cross-platform and remote operations require some form of synchronization and centralized remote access. However, this opens a major security concern. If a database is available for remote access and syncing, it is also available for remote hacking. It should be very clear what methods are used to prevent unauthorized access. Web applications are extremely insecure and will not be considered to be safe for this review.

The password manager should help you to enforce good password practices. If it does not forbid insecure passwords such as dictionary words, it should at least warn you and give a strength indicator. It should give the option of generating truly random passwords for you. Another good option is the ability to set expiration dates and generate reminders. It is important to remember that you are not just protecting against random attempts to log in to an account. If the password database is stolen, the crooks then have the ability to run many cracking routines. Poor encryption practices combined with poor password practices make even random passwords easy to decipher.
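The checks described above can be sketched as follows. This is an added example, not code from any password manager reviewed here. It covers a random generator, a dictionary warning with a strength estimate, and the time an offline search would need against a stolen database. The word list, the 12-character threshold, the 20-bit cap for dictionary hits and the guess rates are all constructed assumptions, and the bit count is an upper bound that only holds for uniformly random passwords.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Constructed sample list; a real manager would ship a large dictionary.
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "qwerty", "welcome"}
# Assumption: a dictionary hit is credited at most 2**20 guesses, a rough
# stand-in for a wordlist expanded by mangling rules.
DICTIONARY_BITS_CAP = 20.0

def generate_password(length=20):
    """Pick every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def pool_size(password):
    """Size of the character pool implied by the classes that appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def assess(password):
    """Return (estimated_bits, warnings) for a candidate password."""
    warnings = []
    # Strip leading/trailing digits and symbols so "Password1!" still matches.
    core = password.lower().strip(string.digits + string.punctuation)
    bits = len(password) * math.log2(max(pool_size(password), 2))
    if core in COMMON_WORDS:
        warnings.append("dictionary word")
        bits = min(bits, DICTIONARY_BITS_CAP)
    if len(password) < 12:
        warnings.append("shorter than 12 characters")
    return bits, warnings

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case offline search time against a stolen database."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    # Constructed guess rates: a fast unsalted hash vs. a deliberately slow KDF.
    for label, rate in (("fast hash", 1e10), ("slow KDF", 1e4)):
        for pw in ("Password1!", generate_password()):
            bits, warnings = assess(pw)
            secs = seconds_to_exhaust(bits, rate)
            print(f"{label:9} {bits:6.1f} bits  {secs:.3g} s  {warnings}")
```

The dictionary-based password falls within minutes even behind the slow key derivation, while the generated one stays out of reach at either rate.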

For each password manager, we will be commenting on each of these factors. You will need to decide which ones are important to you and choose a password manager according to your needs.


Sean Comeau is a computer security and cryptography enthusiast based in Vancouver, BC, Canada.