Password Manager Shootout – eWallet vs. KeePass vs. LastPass
I initially intended for this post to discuss my disappointment with password managers. After a few years of hearing tech sites and other tech geeks praise password managers, I finally jumped on the bandwagon last week. A password manager is software that helps you organize and remember passwords, PIN codes, and sometimes even bank account and credit card information. I wanted a password manager that would work across multiple platforms – PC, iPhone, and U3 (SanDisk’s thumbdrive technology). For that reason, I started with eWallet. From there, I also looked at KeePass, which is the manager I have seen discussed the most in tech circles. In both cases, I was disappointed. I was wondering whether my expectations had been too high. It was then that I discovered LastPass.
Photo by Mirko Macari
At first, I thought eWallet was the answer. eWallet has a portable app and an iPhone app. I was disappointed to learn that eWallet does not automatically integrate itself with your browser (or, if it does, I haven’t been able to find out how). Instead, you click on links from within eWallet, and then that page is opened in Internet Explorer with your login info already completed.
You also may have noticed that I mentioned that eWallet autofills pages in Internet Explorer. I did not mention Firefox for a reason. eWallet’s autofill functionality doesn’t work at all with Firefox. Despite the fact that I had already paid for eWallet for the iPhone, this alone removed it from my list as a possible desktop application.
I then turned to KeePass. KeePass is not only free, but is open source, which is a big plus with programs that depend upon encryption. This typically makes it subject to more scrutiny than a proprietary application.
KeePass was a step up from eWallet. It at least has autofill functionality via a hotkey combination, and has a plugin that allows automatic autofill integration with Firefox and Internet Explorer. Unfortunately, after hours of playing around with this on two different machines, I couldn’t get this to work reliably. A quick look at the KeePass forums reveals that one of the longest threads there is from people having similar problems. Even when working, it takes some customization of the autofill configuration if a page doesn’t have standard input boxes. I could live with that I suppose, but there is no iPhone version of KeePass. There is talk of one being stuck in Apple’s approval process, so hopefully this will change soon. When it does, KeePass might be worth another look. But the lack of iPhone functionality, coupled with the troubles I had with the autofill features, made me cross KeePass off of my list.
Just when I was about to give up on password managers, I stumbled upon LastPass. I initially noticed that LastPass has an elegance that eWallet and KeePass don’t touch. LastPass works how I always had assumed (mistakenly so) that all password managers worked. When you visit a site in your browser, your password can be automatically filled in, assuming you previously entered it into LastPass. It was not hit or miss for me like KeePass. It simply worked.
LastPass is an online password manager, but it is only online in the sense that you can sync your passwords from any computer. Your data is still stored locally, and, most importantly, your passwords are encrypted locally before being sent to the LastPass servers. This means that even if someone were to steal the LastPass servers, it would still be almost impossible for them to access your passwords. LastPass uses 256-bit encryption, which reportedly would take a few trillion years (literally) to crack.
LastPass is not open source, so it does require a bit of trust on your part that the LastPass developers have implemented the encryption correctly. For some, this might be a dealbreaker. Since I’m migrating from Firefox’s native, unencrypted password manager, LastPass is a step up even in the face of any such concerns. The LastPass developers also have discussed a third-party audit once LastPass matures beyond the stage where they are making frequent releases of the software. I may not place all of my bank account and financial passwords there for now, but I’ve already loaded everything else.
Getting passwords into LastPass is easy, as it can import them from several sources, including from Firefox’s native password manager. I did have to tweak the settings for LastPass a bit, to make it as nonintrusive as possible. First, I switched OFF the compact toolbar. This not only created a large, undesirable toolbar for LastPass, but also created a small icon on the bottom right of my browser. Right-clicking on that icon shows a menu, with the option to hide the large toolbar. After doing so, all I had on my screen was the small icon on the bottom right of the browser. I could open it to access more detailed features, but the autofilling and other features worked just fine with that minimal interface.
Like KeePass, LastPass also has an iPhone application that has been submitted to Apple, but is stuck in approval purgatory. For now, there is an iPhone bookmarklet that is not perfect, but does autofill passwords with a couple of taps.
Last but not least, LastPass is also free. The LastPass creators have indicated that they aim to be profitable by selling their technology to businesses.
In fairness, this is not a feature by feature comparison of each of these three applications. Once I discovered that eWallet and KeePass were missing some of my must-have features, they became too cumbersome for me to use for extended periods of time. And eWallet’s iPhone application is nice, such that I will probably use it to store my credit card information. But once I discovered LastPass, the competition was over. Your mileage may vary based on what your needs are, but for me, LastPass was the hands down winner.







30. Jun, 2009 








I am a new fan of LastPass. I have been using it now for about a week and I am pretty impressed. It also has a Windows Mobile and a Blackberry app.
I can't wait for their iPhone app to come out. Between this and some of the other apps we've both discussed, it sounds like our computers would look pretty similar.
Lol! I don't doubt it. Right down to the games, I'd wager….
I'm using one password with mac os x. It's great and I don't have to remember my passwords.
I am always looking for the latest in apps and software. I use Spb Wallet and love it. It has autofill in IE browser and its own browser with autofill in the iPhone App. I have several apps that I use that all are for the same purpose and will def go see what last pass is all about. I do highly recommend Spb Wallet on the same note!!! Thanks for all your reviews!!
Thanks for the suggestion. I'll have to take a look at Spb Wallet.
Is there anything you would trust for your bank account and financial passwords?
What I’ve been using, Jan, is eWallet on my iPhone. It is encrypted, and resides only with me (i.e. it doesn’t go out in the cloud to a company). Because of the encryption, it would be difficult (maybe impossible) for someone to hack it, even if they stole my iPhone. If you use a solution like that, make sure you use a long and strong password, with a combination of letters, numbers, and symbols.
Another possibility would be to use something like TrueCrypt and Dropbox, if you wanted to access your account info on multiple computers. You could set up a TrueCrypt container, which is sort of like a file that gets expanded into a “make believe” hard drive when you decrypt it (see http://www.40tech.com/2009/09/01/4-steps-to-secure-evernote-on-a-shared-computer/ for an idea as to how that works). You could share that encrypted container among all your computers using Dropbox.
I should add that the problem with both of these solutions is that you still need to key in your details. They aren’t autofilled as with Lastpass.
I find it hard to fathom that you left out the best password manager BY FAR: RoboForm by Siber Systems. It integrates seamlessly with your browser (even includes an extension for FireFox.) Many nice features, like a password generator are built in. My only problem right now, is that they do not yet have an Android client for my new Droid!
Thanks for the suggestion, Jeff. I’m familiar with RoboForm, as that one has been around longer than the others I believe, but I went with LastPass based on a few reviews that had compared the two. I haven’t tried RoboForm, myself though, mostly because from the look of their website, it seems the free accounts have limitations. Since LastPass is free and does everything I need, I couldn’t justify springing for the RoboForm Pro account. I also like that LastPass is available everywhere, on any computer. I’m not sure if RoboForm is or not, as the site wasn’t clear. But that’s the great thing about software- there are many different choices, and different people’s needs will be served by different software. So, what works for my needs might not be the same for you, and vice versa.
RoboForm does indeed have a “use it anywhere” option, called RoboForm Online (though it is still in beta, I believe). I have not used that, but the RoboForm2Go client on a USB stick is pretty great for using it every place.
All that said, I think I may have to try LastPass on my Droid for now. It looks like the only really decent option for Android mobile devices… at least that I can find. If any of your readers know of a better option, paid or free, I’d sure love to hear about it!
I’d be curious to hear how LastPass is on the Droid, if you give it a try. The iPhone now has an app, but it is a paid app. I use the bookmarklet instead, which works fine but might not be as secure, as it keeps you logged in to your LastPass account for a period of time.
I have used Roboform for about 3 years now. I also use 1Password for my Mac. Roboform was okay, but I switched to LastPass a few days ago because I needed cross platform capability. I can use LastPass on my Windows 7 box, on my laptop, on my MacBook Pro, and on my iPhone. The integration is there, I don’t have to worry about copying data between multiple password programs to keep them up to date.
The thing I don’t like about Roboform is that it won’t fill in any of my windows application passwords. I still have to do that manually. It was nice to see that LastPass is working on adding this functionality.
1Password is for Mac only, and they support the iPhone, but as I stated earlier, I wanted cross platform integration and 1Password just didn’t have it. I rank Roboform above 1Password because Roboform will automatically login to the website you go to. With 1Password, you still had to navigate to the site, hit the 1Password Icon in the browser bar and select the appropriate login for the page.
The nice thing about 1Password is that it works with multiple browsers on the Mac, so Safari, Flock, and other browsers are supported. Roboform only works with IE and Firefox, and they have a Chrome Plug-in, for Windows only. I use a lot of different browsers, depending upon what I am doing. Roboform doesn’t support Mac. They are attempting to do that now with a browser plug-in, that will leverage data that you have stored online at online.roboform.com. I just don’t like the idea of accessing my passwords over the web. I’d rather pull from a local source.
Roboform is able to sync data online through the use of another tool called GoodSync. You pay another fee for this tool, and it integrates with Roboform to analyze and sync passwords to the cloud. The down side is that if you run multiple Windows computers, you have to buy a separate license for each instance of Roboform and GoodSync. It can be pricey. The benefit of GoodSync is that you can use it to compare other files and sync them. It is not just for Roboform passwords.
In the end, I decided to use LastPass because it currently covers all bases for me. The only browser that I see is not yet supported, but in development is Chrome on Mac. Since that browser is currently under development, I don’t see that as being an issue. I am happy to wait for it.
Hope that helps. If you have any other questions, feel free to give me a shout.
Cheers,
Shawn Hank
Wow, thanks for the great and thorough review of those options, Shawn! I was particularly interested in what you had to say about Roboform. Jeff, above, had mentioned it, and then I was at a professional seminar the other day on how to integrate tech into my profession, and Roboform was discussed again. I think you reinforced my decision to go with LastPass.
My pleasure.
The one thing I didn’t cover was the cost. LastPass is free, and has a yearly subscription fee for premium features. It’s 12 bucks a year. VERY Cheap when you consider how often one might use this tool. Even the iPhone app for premium users is free. There is just tremendous value with this product. Unlike 1Password’s iPhone upgrade that really made many people mad, the team at LastPass seem to really listen to what their users want, and work hard to deliver.
Roboform is 29.95 for a one time fee. Goodsync is another 29.95 as well. They have licenses for thumbdrives if you want your data to be portable, etc. There is no iPhone app for Roboform – a real bummer for anyone who uses this too. You can access your passwords via the mobile Safari browser by logging into your online.roboform.com account. This doesn’t really allow you to do anything except cut and paste passwords, which is a pain.
1Password is 39.95 for a single license and 69.95 for up to 5 Macs. The upgrade to the version that works fully with Snow Leopard (OS X 10.6) is normally 29.95 for a single license and 49.95 for a family license. But they are being generous and offering discounts for this new release. The 1Password iPhone app is 7.99. A bit pricey but it does work well.
One thing to note about any of the iPhone apps discussed here. None of them integrate with the native mobile Safari browser. Apple forbids any kind of integration with their browser, so each has a built in browser that allows you to select a site/password and have it auto login for you. It’s an acceptable work around for me.
Both Roboform and 1Password are good programs, and I would recommend them to folks, but I would really ask them what their needs are, what OS they are using, and other questions to really make sure any of these solutions would work well for them. Like anything else, it comes down to what you are doing and how you want to leverage any tool. For me LastPass fits perfectly…for now.
Very cool, Shawn. I use the LastPass bookmarklet with mobile Safari, which works pretty well. The only drawback is that it keeps you logged in for a period of time, so you need to make sure you don’t lose your phone.
Been a mostly happy camper using PasswordSafe for a couple of years. With Dropbox it’s easy to sync, but no Mac version. Yes, Password Gorilla reads PSafe files, but it has the finesse of its namesake and is about as pretty.
The big issue is the crypto. It’s clear that PSafe is solid but, for other products, accurate info is so difficult to get, not to mention reliable reviews by crypto experts. Anyone can say they’re an expert, or even write a pretty “technology” page for their product, but who knows? I’ve also been using FFox’s password manager with a master password, but now the LastPass install offers to turn off the “unsafe” pw mgr. If FFox is unsafe that’s good to know, but knowing why would be better.
I’ve got close to 200 entries in PSafe now, including a dozen or so financial logins. I am starting to use LastPass, but immediately there’s a problem: The conversion from PSafe includes dumping all entries to an *unencrypted* file, and then a cut/paste into a web form. Just at a time when serious design flaws have been uncovered in SSL/TLS.
http://www.google.co.cr/search?hl=en&q=%22ssl+flaw%22
Guess I’ll migrate this in two chunks: Financial logins by hand, then upload everything else. Also, I will definitely use Eraser to clean up the unencrypted file left behind and then track down the FFox pw mgr db and erase that also. Feels like progress…sure hope that it is.
If you’re looking for a Mac based password manager, you might want to try 1Password. It is Mac based, and provides one of the richest feature sets anywhere. Just a few features are, Integration with all Web Browsers, Strong Password Generator, Auto Fill Credit Cards while online, Secure Notes, and much more. You can get a free trial at their website, http://www.agilewebsolutions.com.
Thanks, Chuck. I’ve heard good things about 1Password.
I wasn’t aware of PasswordSafe or Password Gorilla.
As much as I love LastPass, I don’t keep my financial logins in it. I don’t think I’d keep that in any password manager, no matter how safe. That might be illogical on my part, but I feel more comfortable that way.
I’ll have to check the LastPass forums soon, to see if they ever opened it up to 3rd party audit yet. They had mentioned that would come some day.
I use Sticky Password for password management and I think it is the best on the market. It is integrated and everything is automatic.
http://www.stickypassword.com
I hadn’t heard of that one. There are so many products on the market, that it can be hard to keep them straight. I like the idea that it supports more than browser passwords, but I couldn’t tell from the site if it was cross-platform compatible or not. I do like the price of LastPass, though – free.
No, it is not cross-platform, but when I have tested Lastpass, it wasn’t working for me
Lot of accounts were not filled etc.
I sprang for the $39.00 for Roboform a few years ago. It’s awesome, and I think you can install it on every computer you have. There is no annual subscription fee. So once you pay, you’re in forever. Free updates included. The mobile version is a separate fee, which I haven’t bought yet.
One really nice thing about it (or not, depending on how you spend money), is that it will fill in “identities”, such as credit cards, billing addresses, shipping addresses, etc. If you were discouraged from purchasing by having to go get your credit card, those days are over. The down side: it’s far too easy to buy stuff. Click to open your B&H photo/video account, select your purchase, click to enter your credit card info and address. $350.00 gone in 5 minutes.
I’ve heard many good things about Roboform, Dan. I think that one is the elder statesman in the field. LastPass does have form management, too, although I haven’t messed with it much, so I can’t say how well it works.
If you’re serious about password management Lastpass.com or Passpack.com are your only viable options as both support multi-factor authentication using Yubico Yubikeys (www.yubico.com), which RoboForm Online does not.
Should your username/password combination be compromised by an intruder, they would still need physical access to your Yubikey to access your account.
A Yubikey is something I’ve been thinking about adding to my arsenal for a while. What happens if, for example, you go to work and leave your key at home? Does that mean you can’t access any of your accounts if you don’t remember the passwords?
If you have forgotten/lost your Yubikey, an unassociate Yubikey link is available (referring to Lastpass here), which will send ‘how to unassociate’ instructions to your registered email account.
Of course should you not wish to unassociate your key, you will not be able to gain entry to your account.
Good to know. Thanks for the quick reply!
After using LastPass for a while, this morning I signed up for the premium service. I am now using their Sesame portable app on a USB drive as the authentication device. And, as I have both a Mac and a PC, I put both the Mac and the PC version of Sesame on the same device. Works great. First time in many years that I start to feel like this might be an adequate solution.
Of course there’s a downside to using authentication devices. My bank now requires another device, and another bank I use will soon require yet one more device. By then I will need to get an iPhone to avoid having to carry around 3 dongles.
The reason I stick with Keepass is its ability to use it OUTSIDE of the browser. You can use it for your Truecrypt containers, MS Money, Outlook, etc. It’s NOT tied to the browser like Lastpass. That is what is winning me over.
Completely agree, and that’s why I stuck with PasswordSafe for so long. There is a LastPass “Pocket” version that installs on your hard disk or on a USB drive. Using this briefly tonight, it looks like it has all the stuff I’m used to with PSafe which, IIRC, is quite similar to Keepass. With the Pocket app, as with the LastPass Sesame app, both the Mac and PC versions run from the same USB drive.
The LastPass Pocket version can load entries from either the LastPass website or from a locally saved encrypted data file. Since I have LastPass configured to require the Sesame app, the Pocket version requires both my master password and a Sesame one-time password to access the entries, both local and remote. Looks like this is maybe the best of both worlds. Finally, yay.
Been using Lastpass for ages now, like most started off with 1password on mac and roboform on pc.
Just to add to the information about using sesame for extra authentication, you can have “trusted computers”, that don’t require your sesame key just your master password.
saves the hassle of digging out a usb stick with sesame for your own personal computer.
Nick
Great to know, Nick. Thanks for the info!
After reading some timely postings on the LastPass discussion forum and doing some further reading, it turns out that all of the popular and easy attempts at browser security are in vain. Passwords don’t help, secure or otherwise, and two-factor authentication is not effective. However, I am Still Hopeful, as during my searching I found a possible alternative. I have collected some notes on all this here: http://ccobb.net/blahblahblog/?p=658
I am a Roboform user. However mainly for portable use on a USB stick. It is just great and really easy and safe to use that way. Especially the possible setting that it asks for the main password after coming out of the screensaver.
It picks up your logins on first time entry with utter ease, creating new entries automatically, and fills also difficult webpages, on which I’ve seen other password managers fail.
I did have lesser experiences with Goodsync and their online storage however. Some mistakes when synching did cost me some entries.
I must say, it doesn’t work properly under Android2.1 as well. On my HTC Desire, the password ends up in the username field, and I can’t log in after all.
So I will give Lastpass a chance for my Android….
I’ve heard almost all good things about Roboform. I do like the USB possibilities. LastPass has that, too, which is something I’ve been meaning to look into.
Hello Evan,
I’ve been trying Lastpass today.
On Android it works good.
On PC slightly less convenient than Roboform.
Although I am missing one critical feature with Lastpass, which Roboform offers, That is autologout on screensaver/lock screen.
That means whenever I walk away from my PC, I hit the windows key together with “L”, which initiates the screensaver, automatically logging off Roboform.
Automated safety first !!
I must say, that I prefer to keep my login info stored locally.
On USB, Roboform is by far the better one.
Just insert the stick, boot the app (all in just 1 click) and it automatically generates the toolbar in your browser, whatever browser you use. Ready to go just like that.
When you remove your USB stick, Roboform automatically shuts down and wipes all traces from the PC after you.
With Lastpass, you either have to start a Keepass like app from your stick with local credentials which require cut and paste kind of use, or have to start a portable browser from your stick, which has the Lastpass plugin installed.
And then it still wants to go online by default.
After using both, I must say, only the buggy online sync and poor performance of Roboform on Android make Lastpass the better one now.
If you are happy with use on PC only, or want to use a USB stick for carrying your credentials, (which is better than installing apps everywhere you go, and retrieving your logins from online storage every time you use it, think of keyloggers that might run on a strange PC) there is no question about it: Only one choice: Roboform.
Best solution: Roboform2Go
Wow, thanks for the thorough review! You can set LastPass to automatically logout when you close your browser, or when you’re idle for a set period of time, but you’re right- there is no option for it to log you out when your screensaver kicks in. I’m fortunately in a work environment where nobody is savvy enough to get into my machine anyway when I lock it, but I can see how this would be an important feature in other environments.
Say Evan,
A last remark, or rather important notice:
When you are on an unknown PC, be aware of the risk of a keylogger, especially when abroad in some internet cafe.
When using Lastpass, a keylogger will show the owner of the keylogger your main password.
That means anyone, using a keylogger on a PC, where you use your online vault, will have access to your vault, after you have left.
Better to use a USB stick solution like Roboform2Go, when you are on an unknown PC, and use online sync only from your own trusted PC.
“When using Lastpass, a keylogger will show the owner of the keylogger your main password.”
Not an issue if you use LastPass with a Yubico YubiKey, which I do always.
Failing that, LastPass can generate One Time Passwords (OTP) which can be used when operating a public machine.
Hello Dukeswharf,
What you say sounds right, although this “Yubikey” is new to me. Haven’t seen or heard from it around here in The Netherlands, Europe.
If you know what you’re doing, you can work safely with LastPass.
Though, with all the lazy and maybe not so up-to-date users in mind, the app should be safe the way it works with basic settings.
It should not be required to be aware of all possible dangers and adjust for each situation to a specific possible danger.
This is what you have such app for: to do that for you.
The basic user just wants a one-click app that keeps them safe, and remembers for them, all they need to know to login.
No matter which system one uses, and I fully recommend and use LastPass daily, multi-factor authentication is a must.
Using LastPass in conjunction with a Yubico Yubikey, is simplicity itself.
Evan, did you say LastPass was free? I found in my Droid marketplace for $12 a year. Also, I am looking for an app where I can store my passwords and maybe my credit card information so I can ditch my wallet.
Byron, I can’t speak for Android. On the PC, it is free. I know on the iPhone the app is $1 per month, but I just use the javascript bookmarklet instead, which is free. I imagine that is probably not as secure, but since my iPhone never leaves my hand or my pocket, I’m not worried about it.
I still do use eWallet, one of the other apps reviewed here, for stuff that I don’t need (or want) autofilled online, like credit card info. Basically, I use it for stuff that I need to look up every now and then “in real life.”
I have thought about going the premium route with LastPass, just to throw some money their way. I do like to support developers of programs that I find really useful.
Some updates:
Roboform:
At this moment, Roboform doesn’t charge for the goodsync app that can be downloaded for synching the Roboform app with the online storage. So only charge for Roboform so far is the Roboform license itself.
The Android app is free.
The Android app does work properly now, though does require quite a different approach than Lastpass, and requires quite some steps to follow through in daily use.
When using it to browse to a stored website, one has to get the website from the favorites, under favorites chapter “Roboform”.
For logging in, one has to go to the favorites again, and choose the credentials from the Roboform chapter in favorites, which can now be autofilled and submitted nevertheless.
Lastpass is here still the more convenient one. Though as Byron mentioned, Lastpass for Android is not free, but on subscription base, for $1 / month
Roboform is a one-time fee for the Roboform license on a PC, or when using Roboform on Android only, there is no fee.
The Roboform Android app is however limited at this time to fill and submit. It won’t store new logins from the Android app. This needs to be done in the online storage from a browser, or synched from a Roboform app on a PC.
Thanks for reporting back. Some good info there.
Some remarks
Lastpass costs money for Android, because in order to be able to use it, you need to have the premium online Lastpass storage.
To Byron:
For future: Roboform is planning on an Android app that stores credentials local in the phone. Might be a good solution for what you are looking for, though not yet today