Password Manager Shootout – eWallet vs. KeePass vs. LastPass
I initially intended for this post to discuss my disappointment with password managers. After a few years of hearing tech sites and other tech geeks praise password managers, I finally jumped on the bandwagon last week. A password manager is software that helps you organize and remember passwords, PIN codes, and sometimes even bank account and credit card information. I wanted a password manager that would work across multiple platforms – PC, iPhone, and U3 (SanDisk’s thumbdrive technology). For that reason, I started with eWallet. From there, I also looked at KeePass, which is the manager I have seen discussed the most in tech circles. In both cases, I was disappointed. I was wondering whether my expectations had been too high. It was then that I discovered LastPass.
Photo by Mirko Macari
At first, I thought eWallet was the answer. eWallet has a portable app and an iPhone app. I was disappointed to learn that eWallet does not automatically integrate itself with your browser (or, if it does, I haven’t been able to find out how). Instead, you click on links from within eWallet, and then that page is opened in Internet Explorer with your login info already completed.
You also may have noticed that I mentioned that eWallet autofills pages in Internet Explorer. I did not mention Firefox for a reason. eWallet’s autofill functionality doesn’t work at all with Firefox. Despite the fact that I had already paid for eWallet for the iPhone, this alone removed it from my list as a possible desktop application.
I then turned to KeePass. KeePass is not only free, but is open source, which is a big plus with programs that depend upon encryption. This typically makes it subject to more scrutiny than a proprietary application.
KeePass was a step up from eWallet. It at least has autofill functionality via a hotkey combination, and has a plugin that allows automatic autofill integration with Firefox and Internet Explorer. Unfortunately, after hours of playing around with this on two different machines, I couldn’t get this to work reliably. A quick look at the KeePass forums reveals that one of the longest threads there is from people having similar problems. Even when working, it takes some customization of the autofill configuration if a page doesn’t have standard input boxes. I could live with that I suppose, but there is no iPhone version of KeePass. There is talk of one being stuck in Apple’s approval process, so hopefully this will change soon. When it does, KeePass might be worth another look. But the lack of iPhone functionality, coupled with the troubles I had with the autofill features, made me cross KeePass off of my list.
Just when I was about to give up on password managers, I stumbled upon LastPass. I initially noticed that LastPass has an elegance that eWallet and KeePass don’t touch. LastPass works how I always had assumed (mistakenly so) that all password managers worked. When you visit a site in your browser, your password can be automatically filled in, assuming you previously entered it into LastPass. It was not hit or miss for me like KeePass. It simply worked.
LastPass is an online password manager, but it is only online in the sense that you can sync your passwords from any computer. Your data is still stored locally, and, most importantly, your passwords are encrypted locally before being sent to the LastPass servers. This means that even if someone stole the LastPass servers, it would still be almost impossible for them to access your passwords. LastPass uses 256-bit encryption, which reportedly would take a few trillion years (literally) to crack.
LastPass is not open source, so it does require a bit of trust on your part that the LastPass developers have implemented the encryption correctly. For some, this might be a dealbreaker. Since I’m migrating from Firefox’s native, unencrypted password manager, LastPass is a step up even in the face of any such concerns. The LastPass developers also have discussed a third-party audit once LastPass matures beyond the stage where they are making frequent releases of the software. I may not place all of my bank account and financial passwords there for now, but I’ve already loaded everything else.
Getting passwords into LastPass is easy, as it can import them from several sources, including from Firefox’s native password manager. I did have to tweak the settings for LastPass a bit, to make it as nonintrusive as possible. First, I switched OFF the compact toolbar. This not only created a large, undesirable toolbar for LastPass, but also created a small icon on the bottom right of my browser. Right-clicking on that icon shows a menu, with the option to hide the large toolbar. After doing so, all I had on my screen was the small icon on the bottom right of the browser. I could open it to access more detailed features, but the autofilling and other features worked just fine with that minimal interface.
Like KeePass, LastPass also has an iPhone application that has been submitted to Apple, but is stuck in approval purgatory. For now, there is an iPhone bookmarklet that is not perfect, but does autofill passwords with a couple of taps.
Last but not least, LastPass is also free. The LastPass creators have indicated that they aim to be profitable by selling their technology to businesses.
In fairness, this is not a feature by feature comparison of each of these three applications. Once I discovered that eWallet and KeePass were missing some of my must-have features, they became too cumbersome for me to use for extended periods of time. And eWallet’s iPhone application is nice, such that I will probably use it to store my credit card information. But once I discovered LastPass, the competition was over. Your mileage may vary based on what your needs are, but for me, LastPass was the hands down winner.
I am a new fan of LastPass. I have been using it now for about a week and I am pretty impressed. It also has a Windows Mobile and a Blackberry app.
I can't wait for their iPhone app to come out. Between this and some of the other apps we've both discussed, it sounds like our computers would look pretty similar.
Lol! I don't doubt it. Right down to the games, I'd wager….
I'm using one password with mac os x. It's great and I don't have to remember my passwords.
I am always looking for the latest in apps and software. I use Spb Wallet and love it. It has autofill in IE browser and its own browser with autofill in the iPhone app. I have several apps that I use that all are for the same purpose and will def go see what last pass is all about. I do highly recommend Spb Wallet on the same note!!! Thanks for all your reviews!!
Thanks for the suggestion. I'll have to take a look at Spb Wallet.
Is there anything you would trust for your bank account and financial passwords?
What I’ve been using, Jan, is eWallet on my iPhone. It is encrypted, and resides only with me (i.e. it doesn’t go out in the cloud to a company). Because of the encryption, it would be difficult (maybe impossible) for someone to hack it, even if they stole my iPhone. If you use a solution like that, make sure you use a long and strong password, with a combination of letters, numbers, and symbols.
Another possibility would be to use something like TrueCrypt and Dropbox, if you wanted to access your account info on multiple computers. You could set up a TrueCrypt container, which is sort of like a file that gets expanded into a “make believe” hard drive when you decrypt it (see http://www.40tech.com/2009/09/01/4-steps-to-secure-evernote-on-a-shared-computer/ for an idea as to how that works). You could share that encrypted container among all your computers using Dropbox.
I should add that the problem with both of these solutions is that you still need to key in your details. They aren’t autofilled as with Lastpass.
I find it hard to fathom that you left out the best password manager BY FAR: RoboForm by Siber Systems. It integrates seamlessly with your browser (even includes an extension for FireFox.) Many nice features, like a password generator are built in. My only problem right now, is that they do not yet have an Android client for my new Droid!
Thanks for the suggestion, Jeff. I’m familiar with RoboForm, as that one has been around longer than the others I believe, but I went with LastPass based on a few reviews that had compared the two. I haven’t tried RoboForm, myself though, mostly because from the look of their website, it seems the free accounts have limitations. Since LastPass is free and does everything I need, I couldn’t justify springing for the RoboForm Pro account. I also like that LastPass is available everywhere, on any computer. I’m not sure if RoboForm is or not, as the site wasn’t clear. But that’s the great thing about software- there are many different choices, and different people’s needs will be served by different software. So, what works for my needs might not be the same for you, and vice versa.
RoboForm does indeed have a “use it anywhere” option, called RoboForm Online (though it is still in beta, I believe). I have not used that, but the RoboForm2Go client on a USB stick is pretty great for using it every place.
All that said, I think I may have to try LastPass on my Droid for now. It looks like the only really decent option for Android mobile devices… at least that I can find. If any of your readers know of a better option, paid or free, I’d sure love to hear about it!
I’d be curious to hear how LastPass is on the Droid, if you give it a try. The iPhone now has an app, but it is a paid app. I use the bookmarklet instead, which works fine but might not be as secure, as it keeps you logged in to your LastPass account for a period of time.
I have used Roboform for about 3 years now. I also use 1Password for my mac. Roboform was okay, but I switched to LastPass a few days ago because I needed cross platform capability. I can use LastPass on my Windows 7 box, on my laptop, on my macbookpro, and on my iphone. The integration is there, I don’t have to worry about copying data between multiple password programs to keep them up to date.
The thing I don’t like about Roboform is that it won’t fill in any of my windows application passwords. I still have to do that manually. It was nice to see that LastPass is working on adding this functionality.
1Password is for Mac only, and they support the iPhone, but as I stated earlier, I wanted cross platform integration and 1Password just didn’t have it. I rank Roboform above 1Password because Roboform will automatically login to the website you go to. With 1Password, you still had to navigate to the site, hit the 1Password Icon in the browser bar and select the appropriate login for the page.
The nice thing about 1Password is that it works with multiple browsers on the Mac, so Safari, Flock, and other browsers are supported. Roboform only works with IE and Firefox, and they have a Chrome Plug-in, for Windows only. I use a lot of different browsers, depending upon what I am doing. Roboform doesn’t support Mac. They are attempting to do that now with a browser plug-in, that will leverage data that you have stored online at online.roboform.com. I just don’t like the idea of accessing my passwords over the web. I’d rather pull from a local source.
Roboform is able to sync data online through the use of another tool called GoodSync. You pay another fee for this tool, and it integrates with Roboform to analyze and sync passwords to the cloud. The down side is that if you run multiple windows computers, you have to buy a separate license for each instance of Roboform and GoodSync. It can be pricey. The benefit of GoodSync is that you can use it to compare other files and sync them. It is not just for Roboform passwords.
In the end, I decided to use LastPass because it currently covers all bases for me. The only browser that I see is not yet supported, but in development is Chrome on Mac. Since that browser is currently under development, I don’t see that as being an issue. I am happy to wait for it.
Hope that helps. If you have any other questions, feel free to give me a shout.
Cheers,
Shawn Hank
Wow, thanks for the great and thorough review of those options, Shawn! I was particularly interested in what you had to say about Roboform. Jeff, above, had mentioned it, and then I was at a professional seminar the other day on how to integrate tech into my profession, and Roboform was discussed again. I think you reinforced my decision to go with LastPass.
My pleasure.
The one thing I didn’t cover was the cost. LastPass is free, and has a yearly subscription fee for premium features. It’s 12 bucks a year. VERY Cheap when you consider how often one might use this tool. Even the iPhone app for premium users is free. There is just tremendous value with this product. Unlike 1Password’s iPhone upgrade that really made many people mad, the team at LastPass seem to really listen to what their users want, and work hard to deliver.
Roboform is 29.95 for a one time fee. Goodsync is another 29.95 as well. They have licenses for thumbdrives if you want your data to be portable, etc. There is no iPhone app for Roboform – a real bummer for anyone who uses this too. You can access your passwords via the mobile Safari browser by logging into your online.roboform.com account. This doesn’t really allow you to do anything except cut and paste password which is a pain.
1Password is 39.95 for a single license and 69.95 for up to 5 Macs. The upgrade to the version that works fully with Snow Leopard (OS X 10.6) is normally 29.95 for a single license and 49.95 for a family license. But they are being generous and offering discounts for this new release. The 1Password iPhone app is 7.99. A bit pricey but it does work well.
One thing to note about any of the iPhone apps discussed here. None of them integrate with the native mobile Safari browser. Apple forbids any kind of integration with their browser, so each has a built in browser that allows you to select a site/password and have it auto login for you. It’s an acceptable work around for me.
Both Roboform and 1Password are good programs, and I would recommend them to folks, but I would really ask them what their needs are, what OS they are using, and other questions to really make sure any of these solutions would work well for them. Like anything else, it comes down to what you are doing and how you want to leverage any tool. For me LastPass fits perfectly…for now.
Very cool, Shawn. I use the LastPass bookmarklet with mobile Safari, which works pretty well. The only drawback is that it keeps you logged in for a period of time, so you need to make sure you don’t lose your phone.
Been a mostly happy camper using PasswordSafe for a couple of years. With Dropbox it’s easy to sync, but no Mac version. Yes, Password Gorilla reads PSafe files, but it has the finesse of its namesake and is about as pretty.
The big issue is the crypto. It’s clear that PSafe is solid but, for other products, accurate info is so difficult to get, not to mention reliable reviews by crypto experts. Any one can say they’re an expert, or even write a pretty “technology” page for their product, but who knows? I’ve also been using FFox’s password manager with a master password, but now the LastPass install offers to turn off the “unsafe” pw mgr. If FFox is unsafe that’s good to know, but knowing why would be better.
I’ve got close to 200 entries in PSafe now, including a dozen or so financial logins. I am starting to use LastPass, but immediately there’s a problem: The conversion from PSafe includes dumping all entries to an *unencrypted* file, and then a cut/paste into a web form. Just at a time when serious design flaws have been uncovered in SSL/TLS.
http://www.google.co.cr/search?hl=en&q=%22ssl+flaw%22
Guess I’ll migrate this in two chunks: Financial logins by hand, then upload everything else. Also, I will definitely use Eraser to clean up the unencrypted file left behind and then track down the FFox pw mgr db and erase that also. Feels like progress…sure hope that it is.
I wasn’t aware of PasswordSafe or Password Gorilla.
As much as I love LastPass, I don’t keep my financial logins in it. I don’t think I’d keep that in any password manager, no matter how safe. That might be illogical on my part, but I feel more comfortable that way.
I’ll have to check the LastPass forums soon, to see if they ever opened it up to 3rd party audit yet. They had mentioned that would come some day.
I use Sticky Password for password management and I think it is the best on the market. It is integrated and everything is automatic.
http://www.stickypassword.com
I hadn’t heard of that one. There are so many products on the market, that it can be hard to keep them straight. I like the idea that it supports more than browser passwords, but I couldn’t tell from the site if it was cross-platform compatible or not. I do like the price of LastPass, though – free.
No, it is not cross-platform, but when I have tested Lastpass, it wasn’t working for me
Lot of accounts were not filled etc.
I sprang for the $39.00 for roboform a few years ago. It’s awesome, and I think you can install it on every computer you have. There is no annual subscription fee. So once you pay, you’re in forever. Free updates included. The mobile version is a separate fee, which I haven’t bought yet.
One really nice thing about it (or not, depending on how you spend money), is that it will fill in “identities”, such as credit cards, billing addresses, shipping addresses, etc. If you were discouraged from purchasing by having to go get your credit card, those days are over. The down side: it’s far too easy to buy stuff. Click to open your B&H photo/video account, select your purchase, click to enter your credit card info and address. $350.00 gone in 5 minutes.
I’ve heard many good things about Roboform, Dan. I think that one is the elder statesman in the field. LastPass does have form management, too, although I haven’t messed with it much, so I can’t say how well it works.
If you’re serious about password management Lastpass.com or Passpack.com are your only viable options as both support multi-factor authentication using Yubico Yubikeys (www.yubico.com), which RoboForm Online does not.
Should your username/password combination be compromised by an intruder, they would still need physical access to your Yubikey to access your account.
A Yubikey is something I’ve been thinking about adding to my arsenal for a while. What happens if, for example, you go to work and leave your key at home? Does that mean you can’t access any of your accounts if you don’t remember the passwords?
If you have forgotten/lost your Yubikey, an unassociate Yubikey link is available (referring to Lastpass here), which will send ‘how to unassociate’ instructions to your registered email account.
Of course should you not wish to unassociate your key, you will not be able to gain entry to your account.
Good to know. Thanks for the quick reply!
After using LastPass for a while, this morning I signed up for the premium service. I am now using their Sesame portable app on a USB drive as the authentication device. And, as I have both a Mac and a PC, I put both the Mac and the PC version of Sesame on the same device. Works great. First time in many years that I start to feel like this might be an adequate solution.
Of course there’s a downside to using authentication devices. My bank now requires another device, and another bank I use will soon require yet one more device. By then I will need to get an iPhone to avoid having to carry around 3 dongles.
The reason I stick with Keepass is its ability to use it OUTSIDE of the browser. You can use it for your Truecrypt containers, MS Money, Outlook, etc. It’s NOT tied to the browser like Lastpass. That is what is winning me over.
Completely agree, and that’s why I stuck with PasswordSafe for so long. There is a LastPass “Pocket” version that installs on your hard disk or on a USB drive. Using this briefly tonight, it looks like it has all the stuff I’m used to with PSafe which, IIRC, is quite similar to Keepass. With the Pocket app, as with the LastPass Sesame app, both the Mac and PC versions run from the same USB drive.
The LastPass Pocket version can load entries from either the LastPass website or from a locally saved encrypted data file. Since I have LastPass configured to require the Sesame app, the Pocket version requires both my master password and a Sesame one-time password to access the entries, both local and remote. Looks like this is maybe the best of both worlds. Finally, yay.
Been using Lastpass for ages now, like most started off with 1password on mac and roboform on pc.
Just to add to the information about using sesame for extra authentication, you can have “trusted computers”, that don’t require your sesame key just your master password.
saves the hassle of digging out a usb stick with sesame for your own personal computer.
Nick
Great to know, Nick. Thanks for the info!