Carnegie Mellon University

Remembering a lot of passwords is difficult, but security experts (including ISO) recommend that you DO NOT reuse passwords.  So, how do you manage the hundreds or even thousands of passwords you need to remember in your daily life?

Password Managers

Password managers help you generate unique, strong passwords, store them in one safe (encrypted) place, and use them while only needing to remember one master password.

The ISO recommends three password managers that you can use in your daily life: 1Password, KeePass, and LastPass (alphabetical order).  While ISO recommends these three tools, this software is not supported by Carnegie Mellon.  If you have questions or support concerns, you will need to contact the software vendor directly.

Each of these three password managers has pros and cons, including cost.  The password manager that is best for you may not be best for a co-worker or family member, so select which manager you use based on the features and functionality that fit your use case.

One big decision you will need to make is whether you are comfortable with your encrypted passwords being stored “in the cloud”.  All of the managers recommended below encrypt your passwords on your local computer, with a key derived from your master password, before anything is uploaded, so the cloud service only ever holds the encrypted vault.  We therefore consider them safe for the majority of users.  There is still a remote possibility that your passwords could be compromised if the stored vault is obtained and your master password can be guessed, so be aware of that trade-off and let your comfort level guide the decision.  ISO is comfortable recommending either storage option, given the technology in use.

All password managers share a few pros and cons.  The biggest con is that if you forget your master/main password, you lose access to all of your other passwords.  No one can retrieve them for you, and the software vendor cannot recover your master password either: you will have to reset the password on every site or service you stored in the password manager.  It is very important to remember your “master” password!

1Password

https://1password.com/

1Password has a history as a Macintosh/Apple/iOS-specific manager; Windows and Android versions exist, but the standalone application is not available for Linux.  1Password allows you to store your vault completely locally, or sync it through a third-party service such as Dropbox, iCloud or a local network share; the choice is yours.  Your master password is used to encrypt the information in your “vault” locally, and only someone with your master password can decrypt it.

1Password also offers an online managed account, in which the vault is stored with 1Password.  The vault is still encrypted locally with your master password before it is uploaded, so this remains a secure option.

Other features: Watchtower, which notifies you if you have an account that may have been compromised (based on the site's URL and news reports of breaches), a weak password, or a reused password.

1Password is not free: the standalone license is $64.99 per person for the software, or $2.99/person/month for the online version.

Pros

Can choose to store password vault locally or remotely
Browser integration (Safari, Chrome, Firefox, Internet Explorer)
Randomly generates passwords according to your rules
Online version supports Linux
Password auditing

Cons

Costs money
Apple centric


KeePass

http://keepass.info/

KeePass keeps a local-only database of passwords.  Dropbox, iCloud, network shares and USB drives can be used to move or share the database file, but take care to close the file on one computer before opening it on another: the database is a single file not designed for shared use, so two open copies can overwrite each other's changes or leave you with conflicting copies.  If you are concerned about storing your passwords “in the cloud”, KeePass is the best free local-storage option.

KeePass is open source, and the source code is available for your review.  Plugins may or may not be open source, and care should be taken with any plugin you install, as ISO has not evaluated any of the available plugins.  Browser integration is only available through plugins.

KeePass will run on Windows systems with the .NET framework or Linux, BSD, and OS X via Mono.

Pros

Randomly generates passwords according to your rules
Supports Linux (via Mono)
Supports a plugin framework for extensions
Free
Local only storage

Cons

Browser integration is only supported with plugins
Not designed for network/shared drive use (plugins available)


LastPass

https://lastpass.com/

LastPass is an enterprise-level online password manager.  The basic version is free, with a Premium version for $1/month billed annually.  LastPass stores your vault online and keeps a cached copy offline; there is no offline-only option.  Passwords are encrypted locally with your master password and, if you forget that master password, in most cases they cannot be recovered.

LastPass also includes password auditing, which alerts you to weak or old passwords.

Pros

Browser Integration (Chrome, Firefox, IE, Safari and Opera)
Smartphone/tablet apps
Generates randomized passwords
Password auditing
Offers two-factor authentication (Premium feature)
Mostly free

Cons

Synchronization is only free for one device (multiple devices available with Premium)
Online storage required, not optional


Selecting a master password (passphrase) for your password manager

DO

Select a long phrase that you will remember, but is not that easy to guess.

Include at least one of each: upper case letters, lower case letters, numbers and special characters.

Because you will be typing this passphrase in many times throughout the day/week, select something that is easy to type – including on a cellphone keyboard!

DON’T

Use your Andrew password as the master password for your password vault.

Select well-known lyrics, or lines such as “To be or not to be” as a starting point.

Quick Comparison

OS Support
1Password: OS X, iOS, Windows, Android; the online version also supports Linux
KeePass: Windows (.NET); Linux via Mono
LastPass: Windows, Linux, OS X, iOS, Android

Browser Integration
1Password: Safari, Chrome, Firefox, Internet Explorer
KeePass: Only supported with plugins
LastPass: Chrome, Firefox, IE, Safari and Opera

Cost
1Password: $64.99 per person for the software, or $2.99/person/month for the online version
KeePass: Free
LastPass: Free, with a Premium option ($1/month billed annually)

Storage Options
1Password: Can choose to store password vault locally or remotely (Dropbox, iCloud, network share)
KeePass: Local only storage; not designed for network/shared drive use (plugins available)
LastPass: Online only (passwords also available offline)

Password Generation
1Password: Randomly generates passwords based on your rules
KeePass: Randomly generates passwords according to your rules
LastPass: Generates randomized passwords

Other features
1Password: Password auditing
KeePass: None listed
LastPass: Password auditing, two-factor authentication (Premium)