Password Management Solutions Compared
Is a dedicated password management app better than a browser based password manager?
Ah, passwords. One of the most necessary but annoying creations of humankind. If you want to set a strong, unique password for each website, you risk forgetting them, leading to frequent password resets. It gets in your way and you lose time and energy resetting your password. Conversely, if you want a hassle-free experience, you are better off remembering just that one password that is made up of your birth date and your pet’s name, and reusing it across all the websites. These can be easily cracked with a little bit of social engineering and a dictionary attack — exactly as Elliot Alderson does in the TV show Mr. Robot. Even if they were complex, the fact that you are reusing¹ them makes them weak. This convenience vs. security trade-off has plagued us ever since passwords came into existence. Thankfully, there are password management tools at your disposal that help strike the balance between convenience and security. Let us compare the different options available and see which one is the best. But before that, let us understand why exactly password reuse is a no-no.
Perils of Password Reuse
The guidelines for setting a strong password are quite simple and you must have come across them on a lot of websites while signing up:
include special characters
include numbers
include a mix of lower and uppercase alphabets
minimum length should be at least 8 characters
it should not contain your username, name, date of birth, email address etc
If you are someone that has an internet connection, you most likely have several dozen accounts across a variety of websites where you are required to set a password. So, what do you do? For the sake of convenience, you start reusing that one password you came up with by following the above guidelines. By doing that, irrespective of how strong your password is, you have just handed the attacker his/her biggest weapon: one leaked password now unlocks every account that shares it.
If the password you have set for your dog’s food delivery account gets leaked and it is the same password as your banking account, then you better be broke. Otherwise, the attacker will make sure you are broke. The comic strip below perfectly illustrates how password reuse can be exploited.
Solution: Use a Password Manager
If human memory sucks, then passwords suck too, don’t they? If you have to set different and complex passwords for each website then it becomes an arduous affair to remember all of them. It is an indisputable fact that humans cannot retain information for extended periods of time like computers can. There is nothing you can do about the ephemeral nature of human memory.
But you can do something about passwords. You can replace passwords with biometric authentication (FIDO2 & WebAuthn²). However, this technology is only in its nascent stage and it will take several years for this transition to complete. As of today, passwords are ubiquitous and it is incumbent upon us to manage them safely. This is why password managers are an indispensable part of your arsenal in the fight against unsafe passwords. You need them until the passwordless future becomes a reality.
Password Management Tools Compared
Now that we have established the need for password managers, let us look at which one is the best, shall we?
Management of passwords broadly comprises the following aspects:
Generation
Storage
Retrieval
Analysis
An ideal password management solution should help you generate a strong password whenever you need one. It should store it securely for you. It must make retrieval of stored passwords quick and easy. It should be able to analyze your passwords to identify any weak or reused passwords. It should also check and notify you if your password has been compromised in any of the data breaches that have occurred to date. Remediation starts with identification, and an analysis of your passwords helps in identifying the unsafe ones.
There are 3 options available today — human memory, password managers in browsers and a dedicated password manager. Let us evaluate them on the basis of these 4 aspects and see which one is the best.
Note: In this article, I will consider Chrome’s password manager³ since Chrome enjoys a large chunk of the market share (64% approx.). For the dedicated password manager, I will be going with the unpaid version of LastPass⁴ since that is one of the most popular ones out there.
Password Generation
1. Human Memory:
Con
For the sake of convenience, you settle for an easily crackable password and/or you resort to password reuse.
2. Chrome Password Manager:
Pro
It can suggest new passwords of good strength thereby keeping you away from unsafe passwords.
Con
However, it lacks the options that a dedicated password manager like LastPass boasts.
3. LastPass:
Pro
It does not simply generate a password when you need one; it also provides you with a suite of options while generating one. You can adjust the character length and the types of characters, and it also gives you the option of making the password readable and/or pronounceable.
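To make the generation options concrete, here is an added example (my own code, not LastPass’s or Chrome’s generator) that draws passwords from the operating system’s CSPRNG, lets you toggle character classes, strips look-alike characters for a “readable” mode, and builds a pronounceable consonant-vowel password. The class names, the symbol set and the pronounceable scheme are my assumptions; the entropy helpers show why a pronounceable password has to be longer to match a random one of the same length.

```python
import math
import secrets
import string

# Character classes the user can toggle. Assumption: these names and the
# symbol set are ours; the page does not list LastPass's exact sets.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
# Characters easily confused when a password is read aloud or copied by hand.
AMBIGUOUS = set("0O1lI|")

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def generate_password(length=16, classes=("lower", "upper", "digits", "symbols"),
                      readable=False):
    """Draw a password with the OS CSPRNG (secrets), honouring the chosen classes.

    Each selected class contributes at least one character, the remaining
    positions come from the union of the classes, and the result is shuffled so
    the guaranteed characters do not sit at predictable positions.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    pools = []
    for name in classes:
        pool = CLASSES[name]
        if readable:
            pool = "".join(c for c in pool if c not in AMBIGUOUS)
        pools.append(pool)
    chars = [secrets.choice(pool) for pool in pools]
    union = "".join(pools)
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def generate_pronounceable(syllables=5, digits=2):
    """Alternate consonant/vowel syllables and append digits.

    Assumption: this simple CV scheme is ours, not LastPass's pronounceable
    algorithm, which the page does not describe.
    """
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    return word + "".join(secrets.choice(string.digits) for _ in range(digits))


def entropy_bits(length, pool_size):
    """Bits of entropy for `length` independent draws from `pool_size` symbols."""
    return length * math.log2(pool_size)


def pronounceable_entropy_bits(syllables=5, digits=2):
    """Each syllable is one of len(CONSONANTS) * len(VOWELS) equally likely choices."""
    return (syllables * math.log2(len(CONSONANTS) * len(VOWELS))
            + digits * math.log2(10))


if __name__ == "__main__":
    full_pool = sum(len(p) for p in CLASSES.values())
    print(generate_password(16), f"~{entropy_bits(16, full_pool):.0f} bits")
    print(generate_password(16, readable=True))
    print(generate_pronounceable(), f"~{pronounceable_entropy_bits():.0f} bits")
```

A 16-character password over all four classes carries roughly 100 bits, while five CV syllables plus two digits give under 40; that is the price of pronounceability, and the reason a generator’s length slider matters more than its toggles.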
Password Storage
1. Human Memory:
Con
Computer memory >> human memory when it comes to storing data. We have gone through this already.
2. Chrome Password Manager:
Pros
Chrome generally tries to use the operating system’s user storage mechanism wherever possible and stores passwords encrypted on disk, but the protection is platform specific (more information can be found here).
It auto-detects when you have filled in some form/payment information/credentials and offers to store it.
Cons
Anyone who has access to your Windows machine can easily decrypt the passwords that Chrome has stored using tools like ChromePass.
No two-factor authentication option is available. If someone knows your Windows password, he/she can view all of your passwords stored in Chrome.
3. LastPass:
Pros
LastPass encrypts your passwords locally on your device with the help of your master password. It then sends this encrypted blob over to its servers for storage. This way, even if LastPass wanted to view your passwords, it cannot, since doing so would require your master password.
It supports several two-factor authentication options — see the picture below. This provides an additional layer of security that keeps your passwords safe even if your master password is compromised.
Con
Unlike Chrome, it does not offer to save form data when you are filling in a form. Instead, you need to set up the form and payment data in LastPass beforehand, and only then will you be able to use it.
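The storage design described above (the server holds an encrypted blob it cannot open) rests on deriving two different secrets from the master password. Here is an added example of that key hierarchy, written by me for this article rather than taken from LastPass: PBKDF2 over the master password yields the vault key, which stays on the device, and one more one-way step over that key yields the login hash that is sent to the server. The iteration counts, salts and class names are my assumptions, and the encrypted blob itself is supplied as opaque bytes because the AEAD step is outside the standard library.

```python
import hashlib
import hmac
import os

# Assumption: the two-stage layout below (vault key from PBKDF2 over the master
# password, then one extra round to make the login hash) is our illustration of
# the design the article describes; the iteration counts and salts are ours,
# not LastPass's published parameters.
VAULT_KEY_ROUNDS = 600_000
SERVER_ROUNDS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the device and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), VAULT_KEY_ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Credential sent to the server: one more one-way step over the vault key.

    A party holding only this value cannot walk back to vault_key, so the
    server can authenticate the user without being able to decrypt the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class VaultServer:
    """Server side: keeps a salted hash of the login hash and the opaque blob.

    The blob is whatever the client produced by encrypting its vault under
    vault_key (that AEAD step is outside the standard library and not shown).
    """

    def __init__(self):
        self._users = {}

    def register(self, email, login_hash, encrypted_blob):
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
        self._users[email] = (salt, stored, encrypted_blob)

    def fetch_vault(self, email, login_hash):
        """Return the blob only if the presented login hash verifies."""
        if email not in self._users:
            return None
        salt, stored, blob = self._users[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        return blob

    def everything_on_disk(self):
        """What someone who dumps the server's database would see."""
        return [value for entry in self._users.values() for value in entry]


def client_enroll(server, email, master_password, encrypted_blob):
    """Client-side registration: only the login hash and the blob leave the device."""
    vault_key = derive_vault_key(master_password, email)
    server.register(email, derive_login_hash(vault_key, master_password), encrypted_blob)
    return vault_key


def client_unlock(server, email, master_password):
    """Returns (vault_key, blob) on success, (None, None) on a wrong password."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.fetch_vault(email, derive_login_hash(vault_key, master_password))
    if blob is None:
        return None, None
    return vault_key, blob
```

Neither the vault key nor the raw login hash ever appears in the server’s storage, which is the property that lets the vendor hold your data without being able to read it; a second factor on top (the next point above) guards the login step, not the encryption.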
Password Retrieval
1. Human Memory:
Con
How often have you found yourself thinking “was it an ‘S’, an ‘s’ or a ‘$’ in the password that I created for this account last week?” Retrieval from human memory is slow and prone to inaccuracy.
2. Chrome Password Manager:
Pro
It does auto-fill best (of credentials as well as form data such as name, email, home address, credit card details, etc.) — it is quick, (almost) accurate and reliable.
Con
It lacks cross-platform flexibility. It syncs your credentials and form data across all your devices — mobile, desktop and tablet, but only as long as you are using Chrome. You cannot retrieve these passwords from Safari or Firefox.
3. LastPass:
Pros
You get a quick and seamless password auto-fill experience across devices and it has cross-platform flexibility. Your passwords are always accessible irrespective of which OS or which browser you are using.
Want to share your Amazon credentials with your spouse/friend securely? Fret not for LastPass provides a handy feature that lets you share your credentials/payment data with another person. This makes password storage and retrieval easier for the other person too.
Con
While password auto-fill works great, the form auto-fill requires a little bit of work (refer to Password Storage — LastPass).
Password Analysis
1. Human Memory:
Con
Processing all the passwords cannot be done by your brain unless you write them all down on paper and compare them manually. And writing them down on paper (or even digitally, in a notepad) is a bad idea.
2. Chrome Password Manager:
Pro
Google recently introduced the ‘Password Checkup’ feature, which identifies unsafe passwords.
3. LastPass:
Pro
LastPass also provides this feature; it is called ‘Security Challenge’.
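What do these checkup features actually compute? The three findings are the ones the “Analysis” aspect above asks for: reused passwords, passwords that fail the sign-up guidelines from the start of the article, and passwords seen in a breach. Here is an added example of all three (my own code, not Chrome’s Password Checkup or LastPass’s Security Challenge). The vault, the breach counts and the personal details are constructed; the breach lookup follows the k-anonymity range scheme used by Have I Been Pwned, where only the first five hex characters of the SHA-1 leave the device, with a local stand-in in place of the network call.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site, username, password); not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "alice", "Fluffy2008!"),
    ("dogfood.example", "alice", "Fluffy2008!"),
    ("forum.example", "alice", "password"),
    ("shop.example", "alice", "Alice1990!"),
    ("mail.example", "alice", "x7#Qp!2vLm9@rT4w"),
]
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/\\|<>'\"`~")

# Constructed stand-in for the breach corpus, mapping password -> times seen.
# The counts are made up for this example.
BREACHED = {"password": 3730471, "Fluffy2008!": 12, "123456": 23597311}


def weak_reasons(password, personal_info=()):
    """Apply the sign-up guidelines from the article; an empty list means it passes."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        reasons.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        reasons.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in SPECIALS for c in password):
        reasons.append("no special characters")
    low = password.lower()
    if any(item and item.lower() in low for item in personal_info):
        reasons.append("contains personal information")
    return reasons


def find_reused(vault):
    """Group sites that share an identical password."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return sorted(sorted(s) for s in sites_by_password.values() if len(s) > 1)


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def fake_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service answers with 'SUFFIX:COUNT' lines for every breached
    SHA-1 whose first five hex digits equal the prefix, so the client can
    match the remaining 35 characters locally and the full hash never leaves
    the device.
    """
    lines = []
    for password, count in BREACHED.items():
        digest = sha1_hex(password)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, fetch_range=fake_range):
    """k-anonymity lookup: send a 5-character prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def analyze_vault(vault, personal_info=()):
    """Produce the three findings a password-manager checkup reports."""
    weak = {}
    breached = {}
    for site, _user, password in vault:
        reasons = weak_reasons(password, personal_info)
        if reasons:
            weak[site] = reasons
        seen = breach_count(password)
        if seen:
            breached[site] = seen
    return {"reused": find_reused(vault), "weak": weak, "breached": breached}


if __name__ == "__main__":
    for finding, detail in analyze_vault(SAMPLE_VAULT, ("alice", "alice@example.com")).items():
        print(finding, detail)
```

Note what the sample shows: “Fluffy2008!” satisfies every guideline on the list, yet it is flagged twice, once for reuse and once for appearing in the (constructed) breach corpus. That is the point made in the reuse section above: the policy checklist alone says nothing about whether a password is already in an attacker’s hands.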
Conclusion
LastPass emerges victorious!
That is just one of the key takeaways, though. The other key takeaway is that human memory is the worst password management solution.
Dedicated password manager > password manager built into browsers >> human memory.
Using just about any password manager⁵ is significantly better than relying on your brain. So go ahead and do that!
Related Links
[1] Detailed explanation of the dangers of password reuse: https://www.gosolis.com/technology-news/why-reusing-passwords-is-a-horrible-idea/
[2] Complete guide to FIDO2 and WebAuthn: https://www.okta.com/blog/2019/04/the-ultimate-guide-to-fido2-and-webauthn-terminology/
[3] Managing passwords with Google Chrome: https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en
[4] You can check out more about LastPass here: https://www.lastpass.com/
[5] Best password managers in 2020: https://www.tomsguide.com/us/best-password-managers,review-3785.html
Edit: A lot of people told me that this article was biased (in favour of LastPass). I understand why one might think that way, but I would like to clarify that LastPass has its own disadvantages compared to other password managers. For example, it isn’t open source like Bitwarden or KeePass. I didn’t mention them since my evaluation was only based on these 4 parameters.