Carnegie Mellon University

Password Managers

Remembering a lot of passwords is difficult, but security experts (including ISO) recommend that you DO NOT reuse passwords.  So, how do you manage the hundreds or even thousands of passwords you need to remember in your daily life?

Passwords managers help you generate unique and strong passwords, store them in one safe (encrypted) place, and use them while only needing to remember one master password. The master password unlocks your encrypted vault which grants you access to each of your passwords. 

If you are considering a password manager, the biggest decision to make is whether you want your passwords to be stored locally on your own computers and mobile devices, or in the cloud on someone else's servers. 

Users encounter security threats whether using cloud or local password storage, and there is no one-size-fits-all option. 

Local vs Cloud Management

LOCAL STORAGE

Local storage hampers the user experience, but it forces attackers to resort to difficult malware-based approaches such as keyloggers and other advanced tools. Since the password database is stored on the user's device, the user has total control over its security. 

Password manager licenses can only be used on one device, so a separate license must be purchased for every device that needs to sync passwords. If the device is lost or stolen, the passwords are all compromised.

CLOUD STORAGE

Cloud storage improves accessibility and user convenience. Since encrypted passwords are stored on cloud servers, users can access them from any number of devices and sync passwords between devices easily without additional steps. These services keep encrypted copies of your vault on their own servers, ensure that all your devices are always synced, and encrypt the transmissions between your devices and their servers. Cloud storage also makes passwords recoverable if the user loses a device. 

The downside of cloud storage is that the user cannot ensure the security of the data. The risk, though small, is that one of the cloud-based services could be breached and your passwords released out into the wild. If a password manager is doing its job right, it is storing all your passwords in an encrypted format, and storing your master password only as a "hash" that is the result of an irreversible mathematical process.
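As an added illustration (not code from this page or from any of the vendors it discusses), here is a minimal model of the split just described: the vault key derived from the master password stays on the device, the server stores only a salted one-way verifier, and the vault is encrypted client-side. The PBKDF2 work factor and the toy stream cipher are assumptions for the illustration only.

```python
import hashlib
import hmac
import os

# Illustrative model of a cloud password manager's key handling, not any vendor's
# actual implementation. The iteration count is an assumption; products tune their own.
ITERATIONS = 600_000

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client side: stretch the master password into the vault encryption key.
    This key is computed on the device and is never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)

def derive_login_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """Client side: derive a separate value used only to prove identity to the server.
    One-way: the server cannot turn it back into the vault key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt + b"login", 1, dklen=32)

def register(master_password: str, salt: bytes) -> tuple[dict, bytes]:
    """Returns (record the server stores, vault key that stays on the client)."""
    vault_key = derive_vault_key(master_password, salt)
    verifier = derive_login_verifier(vault_key, salt)
    # The server hashes the verifier again with its own salt before storing it, so a
    # breached database yields neither the verifier nor the vault key directly.
    server_salt = os.urandom(16)
    record = {"salt": salt, "server_salt": server_salt,
              "verifier_hash": hashlib.pbkdf2_hmac("sha256", verifier, server_salt, 10_000)}
    return record, vault_key

def login_ok(record: dict, master_password: str) -> bool:
    """Server side check: recompute the stored hash from the verifier the client sends
    and compare in constant time. The master password itself is never transmitted."""
    vault_key = derive_vault_key(master_password, record["salt"])   # done on the client
    verifier = derive_login_verifier(vault_key, record["salt"])     # this is what gets sent
    candidate = hashlib.pbkdf2_hmac("sha256", verifier, record["server_salt"], 10_000)
    return hmac.compare_digest(candidate, record["verifier_hash"])

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the AES-GCM a real
    manager uses; it is unauthenticated, so a wrong key yields garbage rather than an error."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
```

Running `register` followed by `xor_stream` with the returned vault key shows that the only data the server ever holds (the record and the ciphertext) is useless without the master password.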

Storing your Andrew Password

The Computing Policy prohibits sharing your password with third parties.  How does this affect password managers?  The approved password managers listed below do not share your password with the third party.  They share an encrypted version of it, where you, the user, control the key and the ability to decrypt your passwords. If your favorite password manager is not listed, please contact us at iso@andrew.cmu.edu and we can review it, resources permitting.

Multi-Factor Authentication

Most password managers now support multi-factor authentication using either your device's fingerprint reader/Face ID, or a second factor in the form of a seed in an authentication app.  Some support YubiKeys and other FIDO hardware tokens.  Where possible, the ISO recommends using an additional hardware token for access to your encrypted passwords, keeping in mind that losing that token may prevent you from accessing your stored passwords.

Recommended Password Managers

The ISO recommends the following password managers for use in your daily life: 1Password, Apple's iCloud Keychain, BitWarden, KeePass, and LastPass (alphabetical order).  Each of these password managers uses strong encryption and provides more than adequate security for your passwords. While ISO recommends these tools, this software is not supported by Carnegie Mellon University.  If you have questions or support concerns, you will need to contact the software vendor directly. 

Each of these password managers has its pros and cons.  The password manager that is best for you may not be best for a co-worker or family member, so select the manager you use based on the features and functionality that fit your use case.


1Password

https://1password.com/

Platforms: Windows, Mac, iOS, Android
1Password X Platforms: Linux, Chrome OS
Free-version Limitations: Single mobile device
Two-Factor Authentication: Yes
Browser plugins: Chrome, Firefox, IE, Safari, Edge, Opera
Form Filling: Yes
Mobile App PIN Unlock: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS, most Android fingerprint readers
Storage Option: Locally or Online (Cloud)
Price: Individual Plan - $36/year, Family Plan - $60/year

1Password has a history as a Macintosh/Apple/iOS specific manager. 

1Password is a trusted password manager app which keeps your login information private and secure. 1Password does lack a free version, but you can try it for 30 days before signing up. An individual subscription runs $36 a year and comes with 1GB of document storage and optional two-factor authentication for additional security. A travel mode lets you remove your sensitive 1Password data from your device when you travel and then restore it with one click when you return, so it is not vulnerable to border checks. On Macs, you can use Touch ID to unlock 1Password, and on iOS devices, you can use Face ID, too. 

Other features: Watchtower, which notifies you if you have an account that may have been compromised (based on the URL and news reports), a weak password, or even a reused password.

Apple's iCloud Keychain

Platforms: Mac, iOS
Free-version Limitations: N/A
Two-Factor Authentication: Yes
Browser plugins: Safari
Form Filling: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS
Storage Option: Cloud
Price: Free

Apple's iCloud Keychain is recommended with limitations. 

Apple’s iCloud Keychain (used by Safari, iOS, iPadOS, and macOS) is a password manager that allows you to sync and share your passwords between any Apple device that you are logged into using your iCloud account. Apple’s keychain functionality can be used by other applications to store items, such as public and private certificates, passwords, etc.

Apple does not have access to your stored passwords when they are stored on their servers. The encryption mechanism that is used contains a general key that is derived from your iCloud password as well as a separate, unique device key for each device attached to your Apple iCloud account.  The encryption mechanism is unique to Apple, though they use standard algorithms.

More details on Apple’s Keychain syncing can be found at https://support.apple.com/guide/security/keychain-syncing-sec0a319b35f/web.

For users of iOS versions prior to 13, and/or macOS versions prior to 10.15 (Catalina):  

If a user has multiple devices, or two-factor authentication for iCloud is enabled, key recovery is accomplished by using another device.  If a user has a single Apple device, Apple provides an optional key recovery (escrow) service that allows Apple to have access to decrypt your keychain under certain circumstances.  If you are storing your Andrew credentials in iCloud keychain, you should not set up the key recovery service.

To store your Andrew credentials, you must:

  • Use a strong password or passcode on all of your devices where Keychain is enabled.
  • Enable two-factor authentication on your iCloud account (required on iOS 13+ or macOS Catalina 10.15+), or select your own long iCloud Security Code, which must be memorized, when you initially set up Keychain.

BitWarden

https://bitwarden.com/ 

Platforms: Windows, macOS, Linux, iOS, Android
Free-version Limitations: Can only share with one other user, cannot use YubiKey as a 2nd factor
Two-Factor Authentication: Yes
Browser plugins: Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Safari, Vivaldi, Brave, and Tor
Form Filling: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS, most Android fingerprint readers
Storage Option: Locally or Online (Cloud)
Price: Individual Plan - $10/year, Family Plan - $40/year

BitWarden supports both a cloud and an on-premise option, with the on-premise option requiring a hosting environment (Docker).  The free version is only available in the cloud solution.  Bitwarden supports sharing vaults between users.  It also offers an account recovery option for Enterprise users where there is more than one Organization owner.  If there is only one owner, accounts cannot be recovered. Paid users can see reports on the status of their passwords: reused, weak, or compromised.

KeePass

http://keepass.info/

Platforms: Windows, Mac, iOS, Android, Linux
Free-version Limitations: N/A
Two-Factor Authentication: Yes
Browser plugins: None
Form Filling: No
Mobile App PIN Unlock: Depends on version
Biometric Login: Depends on version
Storage Option: Local
Price: Free

KeePass is a local-only database of passwords.  While Dropbox, iCloud, network shares, and USB drives can be used to share the database file, care should be taken to close the file on one computer before opening it on another.  If you are concerned about storing your passwords "in the cloud", KeePass is the best free option for storing passwords locally on your laptop, desktop, or mobile device.

KeePass is open source, and the source code is available for your review.  Plugins may or may not be open source, and care should be used when using any available plugins as ISO has not evaluated any of the available plugins.  Browser integration is only available using plugins.

LastPass

https://lastpass.com/

Platforms: Windows, Mac, iOS, Android, Linux, Chrome OS, Windows Phone, watchOS
Free-version Limitations: Limited password sharing, limited 2FA
Two-Factor Authentication: Yes
Browser plugins: Chrome, Firefox, IE, Safari, Edge, Maxthon, Opera
Form Filling: Yes
Mobile App PIN Unlock: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS, most Android & Windows fingerprint readers
Storage Option: Cloud
Price: Free (Premium Plan - $36/year, Family Plan - $48/year)

LastPass is an enterprise-level online password manager.  The basic version is free to use, with a Premium version available for a cost.  The basic version provides most of the same features as the Premium version, except that it lacks the security password audit feature, customer service support, and the capability to share password vaults with family members. LastPass features an easy-to-use interface and has a variety of features available with a free account.

Other Premium Features: The LastPass Security Challenge features a password auditing tool alerting you to weak, old, compromised, or reused passwords. LastPass will provide you with a new password for those accounts.

Google password storage and syncing

We cannot recommend Google's password storage and syncing through Chrome at this time.  Google has access to your unencrypted passwords.

Selecting a master password (passphrase) for your password manager

Additional guidance on selecting a strong password can be found on ISO's news pages.

DO

  • Select a long phrase that you will remember, but is not that easy to guess.
  • Include at least one of each: upper case letters, lower case letters, numbers and special characters.
  • Select a passphrase that is easy to type, especially on a cellphone keyboard since you will be typing this passphrase in many times throughout the day/week.
  • Configure two-factor authentication with your password manager to add additional security.

DON’T

  • Use your Andrew password as the master password for your password vault.
  • Select well-known lyrics, or lines such as “To be or not to be” as a starting point.
  • Forget your master password.  You will have to reset the passwords on all sites/areas you used the password manager to store. It is very important to remember your “master” password!