Over the years, the internet has become a dangerous place. As its popularity has increased, it has attracted more hackers looking to make a quick buck. However, as our dependency on the web grows, it becomes increasingly difficult to sever all ties. This means we have to protect one of our weakest points, the password.
Our passwords act as the primary defense against hackers accessing our accounts and the data they contain. With all the information within just one account, we need to make sure we employ the strongest password. But this creates a dilemma — a strong password is hard to memorize, but an easy-to-memorize password is a weak one. Plus, you need a unique password for every account you use, which can easily reach into double-digit figures. This is where a password manager comes in.
A password manager is an app with a database containing your login information for all the various accounts you use. The database is typically encrypted with a master password to prevent unauthorized access. While this master password may be combined with other secret unique information to increase security, a user typically won’t need to memorize anything more than the master password itself.
The master password is how one part of the great dilemma is solved. You only need to memorize one strong password for all your accounts. However, you don’t reuse this password — instead, you allow the manager to create passwords for all your other accounts.
Once a master password is created, you add the login information for all your accounts into the database. At this point, you’ll want to replace the password for each account with a stronger one. Using the “change password” function for each of your accounts, the password manager will create a new passcode. The manager will allow you to choose from various parameters such as whether to include uppercase or lowercase, special characters, and the overall length of the passcode to create a strong password that you will never have to memorize.
Key Comparison Points
Premium Price (Single-User): The price to unlock all features for a single user.
Family Price: Value pricing for multiple accounts. All but LastPass provide five user accounts for the listed price, with LastPass including six users. Like the Premium Price, this will unlock all features.
Free Version Available: Whether or not you can use this service for free.
Local-Only Mode: This feature provides security in place of convenience. Instead of using the cloud to synchronize the database, your database resides only on your device. This provides more control as to who has access to it and who can view its contents, and it decreases the risks of being hacked.
Cloud Sync: Your database is stored in the cloud making it accessible across multiple devices. Using the cloud, any modification made on one device will automatically update all the other devices with access.
Audit Passwords: The manager reviews all login credentials and will recommend changes to passwords. For example, the manager will recommend changing if your password hasn’t been modified in a while (typically three months), or if you use the same password for multiple accounts.
Multiple Accounts: Within the Android app, you can access multiple databases. For those who wish to separate their family database from their work database, the convenience of quick switching on one device is necessary.
Share Passwords: Users can extend access to passwords (whether individually or as a group) to other users. Some managers require that the users receiving access already have an account with the service.
Emergency Access: In the case of the user’s death or incapacitation, loved ones can be assigned access to the database. This way, the user’s online accounts can be managed or deleted depending on the user’s situation.
Autofill (Nougat or Lower): For Android users not running the latest iteration of the OS, the password manager offers some method to automatically fill login information into apps. Autofill is typically accomplished using Accessibility (which operates similarly to Autofill API) or via a special keyboard (with a special button to autofill).
Autofill API (Android 8.0+): One of the new features with Android Oreo was the inclusion of an Autofill API. If an app has this feature, you can select its database in your phone’s settings, then user names and passwords from your database will be automatically populated into apps and websites on your phone.
Tech Support: The managers on our list provide support through either an online ticket system or email. Email is superior as it is more convenient to use and not susceptible to failure because a web page went down.
Encryption: The method used to ensure the security of the database. As of today, the highest standard available is AES-256 encryption. Encryption protects the database by making it virtually unreadable to unauthorized users.
Multi-Factor Authentication: Using multiple means to authenticate (identify) users. The most common form is using a third-party authenticator, which is an extra app you install that receives an OTP (one-time password) that you enter in addition to your password to prove your identity. Some examples include Google Authenticator, Microsoft Authenticator, and Authy.
Universal 2nd Factor: Also known as U2F, this is another way of providing multi-factor authentication. U2F relies on hardware keys (typically USB) which you need, along with your password, to log in to your database. Since you physically hold onto the hardware keys, many feel this provides the highest level of protection.
Fingerprint Login: Using the fingerprint scanner on your device to access your database instead of having to input your master password. Fingerprint login provides convenience for users who repeatedly enter their database.
Secure Cloud Storage: Encrypted cloud storage that comes with your subscription. Keeper is the only manager to require that you upgrade to a family plan to access any storage, while the other two managers which offer the feature include it with the premium plan.
Bug Bounty Program: The security of a system is heavily dependent on its ability to work as intended all the time. However, even the most well-written code will have bugs and unforeseen errors. To combat this, companies offer a financial incentive to those outside the company to report these errors. Typically, higher rewards attract more white-hat hackers (hackers for the good guys), including more highly skilled ones.
White Paper Available: A technical report on how security and authentication are handled by the software. It provides necessary transparency and allows others to make suggestions to improve security for all.
How We Picked These Apps
Today’s password managers can do more than just store your passwords. Many have been moved from local storage to cloud storage, which means a copy of your password database is available on all the devices you use and automatically syncs to ensure any modification is reflected on all systems. While not a requirement for our list, each of the managers chosen offers this feature.
Our first parameters revolved around security. We would only consider password managers that used the latest security tools available. Currently, that meant AES-256 (Advanced Encryption Standard with a 256-bit key), PBKDF2 SHA-256 (Password-Based Key Derivation Function 2 and Secure Hash Algorithm 2 with 256-bit digest), and salted hashes.
Another requirement was that all apps in this list had to use Android’s new Autofill API. Found in Android 8.0 or higher, this feature lets you choose a system-wide password database that will be automatically populated into any login fields — including both apps and websites. To use it, you simply install one of these apps, set up your password database, then select it in your phone’s settings.
Piggybacking on the last criterion, there should be some way to autofill passwords for all of the non-Android Oreo devices out there. Specifically, there should be a way to autofill passwords in apps, as most password managers can autofill within the browser (whether through a plugin or an integrated browser).
Emergency Access was another requirement, as it lets your loved ones access your account if you die or become incapacitated. With emergency access, your loved ones can close your accounts, access your finances, and take control of your online accounts when you are unable to do so. In that vein, you should also be able to share passwords.
Finally, we only selected apps that had well-designed interfaces and were easy to use, which eliminated apps such as KeePass. Users of all experience levels should easily be able to create a database, add logins, and autofill those logins. You shouldn’t have to set up security tools or spend excessive time in the settings menu, and all of these apps meet those criteria.
Easily the most popular app on our list, LastPass has worked hard to offer an amazing array of features that are unmatched by any other password manager out there. Due to the abundance of features being offered at the lowest price, we had to give it the top spot.
LastPass was designed with cloud syncing in mind. The company intends for every user to have access to their database no matter what device they’re using, with all their data perfectly in sync. This is exemplified by the fact that they are the only manager on our list to offer this feature for free. LastPass is available on all major operating systems and most major browsers, allowing access to your synchronized database no matter what device you’re using.
One of the more important aspects of any password manager is security. A great password manager must utilize the highest level of security available to ensure your database won’t be compromised. LastPass follows this principle and utilizes AES-256 encryption to protect your database.
Since LastPass doesn’t support a local-only database, your password database resides in the cloud (with a copy stored locally on your device). This requires authentication (to ensure only authorized users are connecting to the servers) and encryption during transport. LastPass accomplishes this using PBKDF2-SHA256 salted hashes. Once the user is authenticated, a decryption key unlocks the local copy of your vault. All communication between the server and the user is within an encrypted connection, adding extra layers to the security.
In addition to the above protection, LastPass forgoes any contact with your decryption key, preventing them from accessing your database remotely. While they do store your database, they can’t read its contents, ensuring your privacy remains intact.
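The split described above, between the key that decrypts the vault and the value that proves your identity to the server, can be sketched as follows. This is an added example, not LastPass's code: the iteration count, the per-account salt handling, the extra hashing step and the `SyncServer` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this sketch
KEY_LEN = 32           # 32 bytes = 256 bits, the key size AES-256 uses


def pbkdf2(secret: bytes, salt: bytes, rounds: int = ITERATIONS) -> bytes:
    """PBKDF2 with HMAC-SHA256, as named in the article."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds, KEY_LEN)


def client_secrets(master_password: str, salt: bytes):
    """Runs on the device. Returns (vault_key, auth_hash)."""
    vault_key = pbkdf2(master_password.encode(), salt)
    # One further one-way step, so the value that leaves the device
    # cannot be turned back into the key that decrypts the vault.
    auth_hash = pbkdf2(vault_key, master_password.encode(), rounds=1)
    return vault_key, auth_hash


class SyncServer:
    """Hypothetical server: keeps a salted hash of the auth hash, never the key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, auth_hash: bytes) -> None:
        server_salt = os.urandom(16)
        self.accounts[user] = (server_salt, pbkdf2(auth_hash, server_salt))

    def login(self, user: str, auth_hash: bytes) -> bool:
        if user not in self.accounts:
            return False
        server_salt, stored = self.accounts[user]
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(pbkdf2(auth_hash, server_salt), stored)


def demo():
    salt = os.urandom(16)  # per-account salt; not secret (constructed here)
    server = SyncServer()
    vault_key, auth_hash = client_secrets("correct horse battery staple", salt)
    server.register("alice@example.com", auth_hash)
    _, wrong_hash = client_secrets("123456", salt)
    return {
        "good_login": server.login("alice@example.com", auth_hash),
        "bad_login": server.login("alice@example.com", wrong_hash),
        "key_differs_from_auth": vault_key != auth_hash,
        "server_holds_key": vault_key in server.accounts["alice@example.com"],
    }


if __name__ == "__main__":
    print(demo())
```

The server can confirm a login without ever holding the vault key, which is why it can store the encrypted database but not read it.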
LastPass also supports multi-factor authentication, which provides an additional step to prove your identity. One of the most secure versions of this is Universal 2nd Factor (U2F), which houses a one-time password (OTP) within a USB stick. The user must physically possess the USB stick in order to authenticate, protecting against remote attacks.
LastPass also tries to improve its users’ personal security by auditing passwords. Upon review, LastPass will suggest you make changes to passwords that are weaker or have been repeated. Premium plans have access to 1 GB of secure storage to hold your most precious data. LastPass also uses a bug bounty program, offering awards up to $5,000 for any vulnerabilities (or bugs) found within their software.
LastPass checks most boxes of essential features users want in a password manager. With the exception of a local-only mode and access to multiple accounts within the app, users are provided everything else needed in a top-tier password manager.
Somehow, LastPass is able to offer this at $24 a year, which is approximately six dollars cheaper than its closest competition. Its family pricing is not only the lowest at $48 a year, but it also includes six accounts compared to the competition’s five. Even better, you can use most features for free! LastPass provides security, convenience, and privacy while remaining relatively inexpensive. And for these reasons, it is number one on our list.
Keeper is an excellent alternative to LastPass if you’re looking for additional security. If you don’t want to trust any company with your database, Keeper offers one of the few essential features not supported by LastPass — a local-only database. It does this while standing toe-to-toe with LastPass on most other fronts.
Keeper offers both a free version and a premium version. Keeper’s premium price (for one user) is the second cheapest option on our list, while its family pricing is the most expensive. However, the free option is where it loses the most ground to LastPass.
In the free version, cloud syncing isn’t available. Your database is stored and encrypted locally, and not located anywhere else. Therefore, you never have to worry about your vault traveling across the web — but the downside is you’ll have to manually copy your database over to any other devices, while repeating changes manually on each device.
In addition, Keeper is a “zero knowledge” service, which means it doesn’t know your master password, store any information, or have access to your decryption key. This means Keeper cannot access your database, protecting you from them and reducing the consequences if Keeper were ever to become compromised.
However, local-only does surrender the convenience of syncing your database across multiple devices and platforms. For users who care more about this convenience, they will need the premium version.
With the premium version (whether single or family), users have access to several features, including cloud sync and unlimited password storage. Users also gain the ability to use the fingerprint scanner on their device to log in to their database instead of inputting the master password each time.
Keeper allows premium users to share passwords, with the only requirement being that the other party is also a Keeper user. The same security tools used to protect your vault when using sync features are used to share the password safely and securely.
In addition to sharing passwords, Keeper’s premium version also includes Emergency Access. This feature allows users to give up to five loved ones access to their account in case of an emergency (such as death). The emergency contacts will need to wait a specific time before accessing, but after that, they can manage your vault. Users can modify the list of loved ones at any time.
Keeper’s premium plan offers the largest capacity of cloud storage at 10 GB, but limits it to family accounts only. Keeper also provides access to multiple accounts from within the app. Before inputting your password (or fingerprint) to log into your vault, you can use the drop-down menu to select from other accounts you may have with Keeper.
Keeper is a great alternative to LastPass’ free version. It allows users to have a local-only database, which is more secure than using cloud storage. However, for premium users, it is a different story. While it offers many of the same features as LastPass (including two that LastPass doesn’t have), its price tag is significantly higher than LastPass. While the single-user price is close, the family pricing is more costly for fewer users. However, because of its lengthy feature list and local-only free version, Keeper is highly deserving of its second-place finish on our list.
Dashlane’s approach to the password manager centers on ease of use. It accomplishes this with a well-designed app and with a set of upcoming features codenamed Project Mirror.
First off, let me stress that Dashlane is well designed. Each menu option is clearly labeled, removing any guesswork to its function. The default page is Recent Items, providing quick access to the accounts you frequently use. The integrated browser provides autofill for webpages and accounts without apps.
Dashlane also has a free version which removes cloud syncing (similar to Keeper), allowing for a local-only mode. Premium users can also turn off synchronization, which removes all copies of your database besides the local copy on your device. Therefore, premium users can choose how they wish to utilize Dashlane.
Dashlane supports autofill via Autofill API for Oreo users and via Accessibility plugins for older devices. However, one of the biggest features of Dashlane is Critical Account Protection, an upcoming component of Project Mirror.
Critical Account Protection reduces the difficulty of using a password manager. Once this feature is implemented, Dashlane will scan your email inbox and add all accounts associated with that email address. It analyzes each account’s security and creates a report that displays information such as a timeline of when accounts were created, what type of accounts you have, and the risk level if a breach occurs. You are then given the ability to mitigate the risk by quickly changing passwords.
Unfortunately, Project Mirror features are not yet implemented, which is the main reason Dashlane slipped to number three on our list.
As it currently stands, the main two issues with Dashlane are its lack of features compared to its competition and its price tag. Until Critical Account Protection is added, the ability to audit passwords is limited. Dashlane will inform you of the password strength, but not much else. Dashlane is also the only manager on our list which doesn’t offer a secure cloud storage option.
Dashlane also is the most expensive option. It has the highest single-user price per year and doesn’t offer family pricing. That means if a family wants to use Dashlane, each user must pay $39.99 a year. While not a bad option, LastPass and Keeper offer more value for less.
While 1Password is last on our list, it does have advantages not found with the other managers. Specifically, 1Password’s approach to security is greater than that of the previous three options, and it is highly recommended for those who want cloud synchronization in the most secure method possible.
1Password authenticates users using what is known as a two-secret key derivation. Normally, managers use the master password to create a hash to authenticate users with their servers. A hash is a one-way function that alters data (in this case the master password) to a fixed size. The modification is usually irreversible (hence one-way) so hackers aren’t able to derive the master password from the hash.
1Password goes a step further by introducing a second component. This component is known as the Secret Key, and it’s also unique and only known by the user, improving the security of the hash. The Secret Key is a string of characters that is first generated by your device when you initially create an account. This key is stored locally and is inaccessible by 1Password. While you’ll never need to memorize the key as the system automatically retrieves it, its uniqueness is what makes it secure and helps with authentication.
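What mixing in a second, device-held secret changes can be seen in a short sketch. This is an added example and not 1Password's algorithm: the XOR combination, the HMAC step, the `server_record` format and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def password_only_key(password: str, salt: bytes) -> bytes:
    """The usual scheme: the key depends on the master password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a device-held Secret Key into the password-derived key."""
    from_password = password_only_key(password, salt)
    from_secret = hmac.new(secret_key, salt, hashlib.sha256).digest()
    # Both values are 32 bytes; XOR makes the result depend on both secrets.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def server_record(key: bytes) -> bytes:
    """What a hypothetical server stores to check logins: a hash of the key."""
    return hashlib.sha256(b"login-check" + key).digest()


def verifies(record: bytes, salt: bytes, password: str, secret_key=None) -> bool:
    """Does this password (and Secret Key, if supplied) match the record?"""
    if secret_key is None:
        key = password_only_key(password, salt)
    else:
        key = two_secret_key(password, secret_key, salt)
    return hmac.compare_digest(server_record(key), record)


def demo():
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)        # constructed; made once on the device
    other_device_key = secrets.token_bytes(16)  # a device that never had the key
    weak = "123456"                             # deliberately weak master password
    common = ["password", "123456", "qwerty"]   # constructed list of common choices

    plain = server_record(password_only_key(weak, salt))
    mixed = server_record(two_secret_key(weak, secret_key, salt))
    return {
        # With the record alone, a weak password can be confirmed by guessing...
        "plain_matches": [p for p in common if verifies(plain, salt, p)],
        # ...but not when the record also depends on the Secret Key.
        "mixed_matches": [p for p in common if verifies(mixed, salt, p)],
        "owner_logs_in": verifies(mixed, salt, weak, secret_key),
        "wrong_device": verifies(mixed, salt, weak, other_device_key),
    }


if __name__ == "__main__":
    print(demo())
```

Even with a poorly chosen master password, the stored record is only as guessable as the random Secret Key, which never leaves the user's devices.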
Because of this two-secret key derivation, 1Password believes it is unnecessary to support third-party authenticators (multi-factor authentication) or universal 2nd factor (U2F). While they do have a point, the idea of having something on you to assist with authentication does ease the fear of customers and provides them some level of control that’s unavailable with a software-based solution.
1Password has by far the largest reward for its bug bounty program, offering payment up to $100,000 for potential vulnerabilities. Such a large amount will attract more highly skilled white hat hackers (good guy hackers) and lead to a more secure platform.
For years, 1Password offered local-only storage. However, as of two years ago, it has transitioned to a subscription model and stopped offering the ability to create new accounts for the standalone model. So while there is a free tier, there’s no way to access it unless you already had a license.
Pricing is high, charging the second most for single user and family subscriptions (with the latter only 11 cents away from the most expensive listing). Also, it is the only one on our list without a free version, but it does offer a free trial for 30 days.
Nonetheless, 1Password is a great option, especially for those not using multi-factor authentication that want the convenience of a cloud database. However, its lack of a free version and high pricing forced us to place it last on our list.
With the frequency of cyber attacks increasing, users need to fortify their online defenses. However, according to Splashdata, last year continued the trend of people using the passwords “123456” and “password” for many accounts. But as previously mentioned, it is difficult to memorize a unique and complex password, especially for the many accounts we have. This is why in 2018, password managers are vital.
While password managers vary in functionality based on platform, for Android users, the best password manager available is LastPass. With its rich features, wide availability, and low pricing, users should look no further when it comes to storing their passwords. However, if you’re looking for maximum privacy and want to store your database locally, then Keeper is your best option.