Carnegie Mellon University

Password Managers

Remembering a lot of passwords is difficult, but security experts (including ISO) recommend that you DO NOT reuse passwords.  So, how do you manage the hundreds or even thousands of passwords you need to remember in your daily life?

Password managers help you generate unique and strong passwords, store them in one safe (encrypted) place, and use them while only needing to remember one master password. The master password unlocks your encrypted vault, which grants you access to each of your passwords.

The biggest decision to make is whether you want your passwords to be stored locally on your own computers and mobile devices, or in the cloud on someone else's servers. 

Local vs Cloud Management

LOCAL STORAGE

Local storage hampers the user experience but forces hackers to resort to difficult malware-based approaches, such as keyloggers and other advanced tools. Since the password database is stored on the user's own device, the user has total control over its security.

A local password manager license typically covers only one device, so a separate license must be purchased for every device on which you need your passwords. If the device is lost or stolen, the passwords stored on it are all compromised.

CLOUD STORAGE

Cloud storage improves accessibility and user convenience. Since encrypted passwords are stored on cloud servers, users can access them from any number of devices and sync passwords between devices relatively easily, without additional steps. These services keep encrypted copies of your vault on their own servers, ensure that all your devices are always synced, and encrypt the transmissions between your devices and their servers. Cloud storage also makes passwords recoverable if the user loses a device.

The downside of cloud storage is that the user cannot ensure the security of the data. The risk, though small, is that one of the cloud-based services could be breached and your passwords released out into the wild. If a password manager is doing its job right, it is storing all your passwords in an encrypted format, and storing your master password only as a "hash" that is the result of an irreversible mathematical process.
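The master-password flow the two paragraphs above describe (one master password unlocks the encrypted vault; the service holds only an irreversible hash and never the vault key) as an added, stdlib-only Python illustration. This is not code from the CMU page or from any of the managers discussed; the PBKDF2 iteration count, the HMAC counter-mode cipher and the sample vault entry are constructed for the demo.

```python
import hashlib, hmac, json, os

# Added illustration (not CMU's page, nor any vendor's code): a cloud manager
# keeps only a login verifier derived from the master password; the vault key
# is derived separately on the device and never leaves it.

ITERATIONS = 600_000  # PBKDF2 work factor (constructed value for the demo)

def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password once, then split the result into a vault
    key (stays on the device) and an auth hash (what the server stores)."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_hash = hmac.new(root, b"server-login", hashlib.sha256).digest()
    return vault_key, auth_hash

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher; a real
    # manager would use an AEAD such as AES-GCM instead.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

def server_login(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    # The server compares verifiers in constant time; it never learns vault_key.
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)
```

A breach of the server exposes only auth_hash and the encrypted blob; without the master password neither yields vault_key, and a wrong master password fails the MAC check before any plaintext is produced.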

Users encounter security threats whether using cloud or local password storage, and there is no one-size-fits-all option. 

Storing your Andrew Password

The Computing Policy prohibits sharing your password with third parties.  How does this affect password managers?  The approved password managers do not share your password with a third party.  They share only an encrypted version of it, where you, the user, control the key and the ability to decrypt your passwords. If your favorite password manager is not listed below, please contact us at iso@andrew.cmu.edu and we can review it, resources permitting.

Recommended Password Managers

The ISO recommends four password managers that you can use in your daily life: 1Password, Apple's iCloud Keychain, KeePass, and LastPass (alphabetical order).  Each of these password managers uses strong encryption and provides adequate security for your passwords. While ISO recommends these tools, this software is not supported by Carnegie Mellon University.  If you have questions or support concerns, you will need to contact the software vendor directly.

Each of these password managers has its pros and cons.  The password manager that is best for you may not be best for a co-worker or family member, so select the manager you use based on the features and functionality that fit your use case.

View a list of Pros and Cons for each of the recommended password manager options below.


1Password

https://1password.com/

Platforms: Windows, Mac, iOS, Android
1Password X Platforms: Linux, Chrome OS
Free-version Limitations: Single mobile device
Two-Factor Authentication: Yes
Browser plugins: Chrome, Firefox, IE, Safari, Edge, Opera
Form Filling: Yes
Mobile App PIN Unlock: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS, most Android fingerprint readers
Storage Option: Locally or Online (Cloud)
Price: Individual Plan-$36/year, Family Plan- $60/year

1Password has a history as a Macintosh/Apple/iOS specific manager. 

1Password is a trusted password manager app which keeps your login information private and secure. 1Password does lack a free version, but you can check it out for 30 days before signing up. An individual subscription runs $36 a year and comes with 1GB of document storage and optional two-factor authentication for additional security. A travel mode lets you remove your sensitive 1Password data from your device when you travel and then restore it with one click when you return, so it is not vulnerable to border checks. On Macs, you can use Touch ID to unlock 1Password, and on iOS devices, you can use Face ID, too.

Other features: Watchtower, which notifies you if you have an account that may have been compromised (based on the URL and news reports), a weak password, or even a reused password.

Pros

  • Apps for Windows, macOS, Android, iOS, and popular browsers
  • Intuitive password organization into distinct vaults
  • Unlimited instant password syncing across all devices
  • Password auditing (Watchtower)
  • Supports app and U2F key-based two-factor authentication
  • Allows for multiple tags for saved items in the vault

Cons

  • Confusing browser extension system
  • Limited password import options from other password manager accounts
  • Sharing limited to family plans
  • Lacks password-inheritance feature (passing on your account to your heirs after demise)
  • Does not have a free version


Apple's iCloud Keychain

Platforms: Mac, iOS
Free-version Limitations: N/A
Two-Factor Authentication: Yes
Browser plugins: Safari
Form Filling: Yes
Mobile App PIN Unlock: If 
Biometric Login: Face ID, Touch ID on iOS & macOS
Storage Option: Cloud
Price: Free

Apple's iCloud Keychain is recommended with limitations.

Apple’s iCloud Keychain (used by Safari, iOS, iPadOS, and macOS) is a password manager that allows you to sync and share your passwords between any Apple device that you are logged into using your iCloud account. Apple’s keychain functionality can be used by other applications to store items, such as public and private certificates, passwords, etc.

Apple does not have access to your stored passwords when they are stored on their servers. The encryption mechanism that is used contains a general key that is derived from your iCloud password as well as a separate, unique device key for each device attached to your Apple iCloud account.  The encryption mechanism is unique to Apple, though they use standard algorithms.

More details on Apple’s Keychain syncing can be found at https://support.apple.com/guide/security/keychain-syncing-sec0a319b35f/web.

For users of iOS versions prior to 13, and/or macOS versions prior to 10.15 (Catalina):  

If a user has multiple devices, or two-factor authentication for iCloud is enabled, key recovery is accomplished by using another device.  If a user has a single Apple device, Apple provides an optional key recovery (escrow) service that allows Apple to have access to decrypt your keychain under certain circumstances.  If you are storing your Andrew credentials in iCloud keychain, you should not set up the key recovery service.

To store your Andrew credentials, you must:

  • Use a strong password or passcode on all of your devices where Keychain is enabled.
  • Enable two-factor authentication for your iCloud account (required on iOS 13+ or macOS Catalina 10.15+), or select your own long iCloud Security Code when you initially set up Keychain, which must be memorized.

KeePass

http://keepass.info/

Platforms: Windows, Mac, iOS, Android, Linux
Free-version Limitations: N/A
Two-Factor Authentication: Yes
Browser plugins: None
Form Filling: No
Mobile App PIN Unlock: Depends on version
Biometric Login: Depends on version
Storage Option: Local
Price: Free

KeePass is a local-only database of passwords.  While Dropbox, iCloud, network shares, and USB drives can be used to share the database file, care should be taken to close the file on one computer before opening it on another.  If you are concerned about storing your passwords “in the cloud”, KeePass is the best free local storage option for storing passwords on your laptop, desktop, or mobile device.

KeePass is open source, and the source code is available for your review.  Plugins may or may not be open source, and care should be used when using any available plugins as ISO has not evaluated any of the available plugins.  Browser integration is only available using plugins.

Pros

  • Strong security
  • Password database and key file are held on a physical device you control, keeping them out of reach of online attacks
  • Supports a plugin framework for extensions
  • Free
  • Offers the most configurable, detailed password generator options

Cons

  • Browser integration is only supported with plugins
  • Not designed for network/shared drive use (plugins available)
  • Highly technical, open-source nature can be intimidating
  • Unfriendly user interface


LastPass

https://lastpass.com/

Platforms: Windows, Mac, iOS, Android, Linux, Chrome OS, Windows Phone, watchOS
Free-version Limitations: Limited password sharing, limited 2FA
Two-Factor Authentication: Yes
Browser plugins: Chrome, Firefox, IE, Safari, Edge, Maxthon, Opera
Form Filling: Yes
Mobile App PIN Unlock: Yes
Biometric Login: Face ID, Touch ID on iOS & macOS, most Android & Windows fingerprint readers
Storage Option: Cloud 
Price: Free (Premium Plan-$36/year, Family Plan- $48/year)

LastPass is an enterprise-level online password manager.  The basic version is free to use, with a Premium version available for a cost.  The basic version provides most of the same features as the Premium version, except that it lacks the security password audit feature, customer service support, and the ability to share password vaults with family members. LastPass features an easy-to-use interface and has a variety of features available with a free account.

Other Premium Features: The LastPass Security Challenge is a password auditing tool that alerts you to weak, old, compromised, or reused passwords. LastPass will provide you with a new password for those accounts.

The Information Security Office provides group or individual training for getting started with LastPass. To inquire, please contact iso@andrew.cmu.edu.

Pros

  • Synchronization across multiple devices (smart phone, tablet, laptop, etc.)
  • Smart phone/tablet apps
  • Variety of features for the free version, including unlimited password storage
  • Password auditing feature (premium)
  • Offers two-factor authentication (including Duo)
  • Easy-to-use interface and initial setup
  • Allows for flexible password sharing with other LastPass accounts

Cons

  • 2015 security breach; 2017 & 2019 reported security vulnerabilities (did not affect user passwords/accounts)
  • Online storage required, not optional
  • Tech support only for Premium members
  • Password inheritance only for premium accounts

Google password storage and syncing

We cannot recommend Google's password storage and syncing through Chrome at this time.  Google has access to your unencrypted passwords.

Selecting a master password (passphrase) for your password manager

DO

  • Select a long phrase that you will remember, but is not that easy to guess.
  • Include at least one of each: upper case letters, lower case letters, numbers and special characters.
  • Select a passphrase that is easy to type, especially on a cellphone keyboard since you will be typing this passphrase in many times throughout the day/week.
  • Configure two-factor authentication with your password manager to add additional security.

DON’T

  • Use your Andrew password as the master password for your password vault.
  • Select well-known lyrics, or lines such as “To be or not to be” as a starting point.
  • Forget your master password.  You will have to reset the passwords on all sites/areas you used the password manager to store. It is very important to remember your “master” password!