Password Manager Shootout – eWallet vs. KeePass vs. LastPass


I initially intended for this post to discuss my disappointment with password managers.  After a few years of hearing tech sites and other tech geeks praise password managers, I finally jumped on the bandwagon last week.  A password manager is software that helps you organize and remember passwords, PIN codes, and sometimes even bank account and credit card information.  I wanted a password manager that would work across multiple platforms – PC, iPhone, and U3 (SanDisk’s thumbdrive technology).  For that reason, I started with eWallet.  From there, I also looked at KeePass, which is the manager I have seen discussed the most in tech circles.  In both cases, I was disappointed.  I was wondering whether my expectations had been too high.  It was then that I discovered LastPass.

For another password manager comparison, check out our showdown between LastPass and 1Password.

Photo by Mirko Macari

At first, I thought eWallet was the answer.  eWallet has a portable app and an iPhone app.  I was disappointed to learn that eWallet does not automatically integrate itself with your browser (or, if it does, I haven’t been able to find out how).  Instead, you click on links from within eWallet, and then that page is opened in Internet Explorer with your login info already completed.

You also may have noticed that I mentioned that eWallet autofills pages in Internet Explorer.  I did not mention Firefox for a reason.  eWallet’s autofill functionality doesn’t work at all with Firefox.  Despite the fact that I had already paid for eWallet for the iPhone, this alone removed it from my list as a possible desktop application.

I then turned to KeePass.  KeePass is not only free, but is open source, which is a big plus with programs that depend upon encryption.  This typically makes it subject to more scrutiny than a proprietary application.

KeePass was a step up from eWallet.  It at least has autofill functionality via a hotkey combination, and has a plugin that allows automatic autofill integration with Firefox and Internet Explorer.  Unfortunately, after hours of playing around with this on two different machines, I couldn’t get this to work reliably.  A quick look at the KeePass forums reveals that one of the longest threads there is from people having similar problems.  Even when working, it takes some customization of the autofill configuration if a page doesn’t have standard input boxes.  I could live with that I suppose, but there is no iPhone version of KeePass.  There is talk of one being stuck in Apple’s approval process, so hopefully this will change soon.  When it does, KeePass might be worth another look.  But the lack of iPhone functionality, coupled with the troubles I had with the autofill features, made me cross KeePass off of my list.

Just when I was about to give up on password managers, I stumbled upon LastPass.  I initially noticed that LastPass has an elegance that eWallet and KeePass don’t touch.  LastPass works how I always had assumed (mistakenly so) that all password managers worked.  When you visit a site in your browser, your password can be automatically filled in, assuming you previously entered it into LastPass.  It was not hit or miss for me like KeePass.  It simply worked.

LastPass is an online password manager, but it is only online in the sense that you can sync your passwords from any computer.  Your data is still stored locally, and, most importantly, your passwords are encrypted locally before being sent to the LastPass servers.  This means that even if someone were to steal the LastPass servers, it would still be almost impossible for them to access your passwords.  LastPass uses 256-bit encryption, which reportedly would take a few trillion years (literally) to crack.

LastPass is not open source, so it does require a bit of trust on your part that the LastPass developers have implemented the encryption correctly.  For some, this might be a dealbreaker.  Since I’m migrating from Firefox’s native, unencrypted password manager, LastPass is a step up even in the face of any such concerns.  The LastPass developers also have discussed a third-party audit once LastPass matures beyond the stage where they are making frequent releases of the software.  I may not place all of my bank account and financial passwords there for now, but I’ve already loaded everything else.

Getting passwords into LastPass is easy, as it can import them from several sources, including from Firefox’s native password manager.  I did have to tweak the settings for LastPass a bit, to make it as nonintrusive as possible.  First, I switched OFF the compact toolbar.  This not only created a large, undesirable toolbar for LastPass, but also created a small icon on the bottom right of my browser.  Right-clicking on that icon shows a menu, with the option to hide the large toolbar.  After doing so, all I had on my screen was the small icon on the bottom right of the browser.  I could open it to access more detailed features, but the autofilling and other features worked just fine with that minimal interface.

Like KeePass, LastPass also has an iPhone application that has been submitted to Apple, but is stuck in approval purgatory.  For now, there is an iPhone bookmarklet that is not perfect, but does autofill passwords with a couple of taps.

Last but not least, LastPass is also free.  The LastPass creators have indicated that they aim to be profitable by selling their technology to businesses.

In fairness, this is not a feature by feature comparison of each of these three applications.  Once I discovered that eWallet and KeePass were missing some of my must-have features, they became too cumbersome for me to use for extended periods of time.  And eWallet’s iPhone application is nice, such that I will probably use it to store my credit card information.  But once I discovered LastPass, the competition was over.  Your mileage may vary based on what your needs are, but for me, LastPass was the hands down winner.

Evan Kline

Hello, I'm Evan. I write about tech from my perspective – that of the average 40-something tech geek. You can also find me on Twitter and at my real-life job as a lawyer.

113 Comments:

  1. I’m a Lastpass convert.

    I used to use 1Password, but was also frustrated with the lack of cross platform support (this was 1-2 years ago). This led me to try Lastpass, which has become the most important software/service I have ever used. It functions on every platform in a consistent manner (for instance, it offers to autofill on every platform, as opposed to just offering autofill on Macs but making me copy/paste things from one place to another when in Windows). It also supports every browser via superb plugins, and has so many configuration and security options to satisfy even those people like me that are extremely security conscious.

    What I especially like about Lastpass is the option for dual factor authentication. For instance, I have one trusted computer, which I have set up so I can access my Lastpass data with one strong password I have memorized. However, on any other computer, you would need my strong password PLUS a second form of authentication before you could access my data. In this case, I use a Yubikey, but Lastpass offers a couple of options for second factor authentication. I find this very secure even though my data is stored in the cloud. If someone could somehow get access to my data from the Lastpass servers, they wouldn’t be able to decrypt it without my strong password AND the physical key that I keep on me.

    I rarely comment about any software or services, but I make the exception for Lastpass, because it really has become essential for me.

    • You nailed all the important points, Javier. Yesterday, we wrote about the addition of Google Authenticator as a multi-factor authentication option. I use a Yubikey, but I’m half tempted to switch to using Authenticator.

  2. Pingback: Password Managers: Don’t Buy It – Rent It!

  3. Prathamesh Gharat

    Firefox has a built-in option called ‘Master Password’ to encrypt your saved passwords with 3DES in CBC mode (by default).

    If a good and strong password is chosen this level of encryption is fine. 3DES is rated to be good for general use through 2020.

    Am a web & windows app developer.
    Read my reviews and hire me at https://www.freelancer.com/users/2071579.html

  4. I highly recommend SplashID, because I have used it myself. Browser integration is fabulous. Also it is very easy to use. As soon as you create your account, you can actually set a pattern for SplashID login, therefore you technically have to remember zero passwords. Extremely secure for USB usage as well. Highly recommended.

  5. I prefer the password manager that is not just efficient and well balanced in harmonizing security over convenience but also the one that offers great extra benefits. The SplashID Safe came up with small teams and business edition for storage and sharing of critical enterprise information.

  6. I really like what you guys are usually up to. This type of clever work and reporting! Keep up the great works guys I’ve added you guys to our blogroll.

  7. SplashID from Splash data is a very good tool. Manages all your passwords at one place. User friendly and highly secure. I have been using this since quite some time now. Highly recommended!

    • I’ve heard of SplashID, John, but never checked it out. Looking at the features, it looks like it is worth a look for those looking for a password manager. It looks like it has a desktop feature, which, to my knowledge, LastPass does not.

  8. I highly recommend Intuitive Password, it is a cloud system and works on any desktops, tablets and mobile phones. Easy to use and nice look and feel. Check it out http://www.intuitivepassword.com

  9. These days, I am working on Ubuntu PCs (after losing all my data because of one of my kids clicking around in Win7, somehow getting Win7 to reinstall.
    Nice clean install, but the end for Win for me, definite.)
    On Ubuntu still using Lastpass, just as smooth as ever.
    On my Android, I didn’t like the interface so much, and it took quite a bit of space as well. So, since my Android phone doesn’t have so much space to spare, I took it off again.

    For security on a foreign PC, like in a cybercafe or wherever not at home, Lastpass now has the option of one-time passwords.
    You create a list of those in advance and keep them with you when traveling.
    On a foreign PC, you log in, using such a one-time password.
    These passwords will work only one time. They turn void immediately after you use them.
    So if anyone did capture that password, he will not be able to log in with it after you have used it.
    Next time you want to log in, you have to use a different one-time password, or your default password.
    Just make sure if you make a couple of those passwords, to keep them somewhere safe and secure…
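
The one-time password behaviour described in the comment above, sketched as an added example (not part of the original page or its comments, and not LastPass's implementation). The class and method names are hypothetical, and the sketch covers only the one-time list, not the fallback to the default password.

```python
import hashlib
import hmac
import secrets


class OneTimePasswordList:
    """Server-side store for a pre-generated list of single-use passwords."""

    def __init__(self):
        # Only salted hashes are stored, so a copy of the store does not
        # hand over usable codes.
        self._salt = secrets.token_bytes(16)
        self._unused = set()

    def _digest(self, code: str) -> bytes:
        # The codes are random 96-bit values, so a salted SHA-256 is enough;
        # human-chosen passwords would need a slow KDF instead.
        return hashlib.sha256(self._salt + code.encode("utf-8")).digest()

    def generate(self, count: int) -> list:
        """Create `count` codes to be written down once and carried offline."""
        codes = [secrets.token_urlsafe(12) for _ in range(count)]
        self._unused.update(self._digest(c) for c in codes)
        return codes

    def redeem(self, candidate: str) -> bool:
        """Accept a code at most once; it is voided the moment it matches."""
        digest = self._digest(candidate)
        match = next(
            (s for s in self._unused if hmac.compare_digest(s, digest)), None
        )
        if match is None:
            return False
        self._unused.remove(match)  # void immediately after use
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = OneTimePasswordList()
    codes = store.generate(3)                        # list made before travelling
    print("login on untrusted PC:", store.redeem(codes[0]))
    print("replay of captured code:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

A code captured by a keylogger on the untrusted machine is already void by the time it can be replayed, which is the property the comment relies on; the unused codes on the printed list remain as sensitive as any password.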

  10. Pingback: LastPass Security Flaws Disclosed | 40Tech
