Password Managers
Over the past couple years I spent time with several password managers. Each password manager I tested addresses different problems. As with all technology, understanding what problems a technology addresses allows you to make informed decisions about its use.
I will cover password managers at a high level before going into three password managers and the problems and use cases they address. The password managers I tested are KeePass, Dashlane Password Manager, and Mooltipass Mini.
Password Managers
There are many good posts that discuss passwords and managers. Here are some to start with, but they aren't required reading material:
- "Password managers don't have to be perfect, they just have to be better than not having one" by Troy Hunt. 2017-04-04
- "Passwords Evolved: Authentication Guidance for the Modern Era" by Troy Hunt. 2017-07-26
Okay, here's the quick version.
- Authentication is proving that you are who you say you are. You can prove that with:
- Something you have: A physical object or token
- Something you know: Passwords, or passphrases
- Something you are: Biometrics
- Multiple-factor authentication uses two or more of the above.
- Authorization comes after you have authenticated and defines what resources you can access.
- Accounting is tracking who accessed what resources when.
Time has proven that passwords and passphrases are the most secure means of authentication, and can be enhanced using multi-factor authentication.
In order for passwords to provide secure authentication they must remain secret. In a world where the data from many breaches is freely available the only protection end-users have is having unique passwords for each service. Still, password reuse is the largest cause behind major hacking incidents.
Password reuse is the problem password managers are designed to solve. In their purest form, a password manager is a secure (read: encrypted) location where your usernames and passwords are stored. This allows users to remember a single master password to access their database of unique passwords. Password managers typically contain a tool for creating long, complex passwords.
Thus, password managers have two jobs:
- Securely store a list of usernames and passwords
- Allow a user to create long (16-64 characters), complex (lowercase, uppercase, digits, and special characters), unique passwords
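The second job above, generating passwords that are long and draw on all four character classes, is the part worth seeing in working code. The following is an added example, not code from any of the password managers reviewed here: it uses Python's `secrets` module (a CSPRNG) to build a password of the post's 16-64 character range, guarantees every class appears, shuffles with a CSPRNG-driven Fisher-Yates so the forced characters do not sit in predictable positions, and reports a rough entropy bound. The function names, the `MIN_LEN`/`MAX_LEN` constants and the entropy estimate are assumptions of this example.

```python
"""Generate long, complex passwords with a CSPRNG.

Added illustration of the "create long, complex, unique passwords" job of a
password manager. Not code from KeePass, Dashlane or the Mooltipass; the
character classes and the 16-64 length range come from the post, everything
else (names, constants, entropy estimate) is an assumption of this example.
"""
import math
import secrets
import string

# The four character classes the post lists: lowercase, uppercase, digits, special.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LEN, MAX_LEN = 16, 64  # assumed bounds, taken from the post's "16-64 characters"


def generate_password(length: int = 24) -> str:
    """Return a password of `length` characters containing every class in CLASSES.

    Uses `secrets` rather than `random`: `random` is a seeded PRNG whose output
    is reproducible, which is exactly what a password must not be.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = "".join(CLASSES.values())
    # One character from each class first, so coverage is guaranteed ...
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    # ... then fill the rest from the union alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the forced characters do not
    # always occupy the first four positions (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def missing_classes(password: str) -> list[str]:
    """Names of the classes in CLASSES that `password` does not contain."""
    return [name for name, cls in CLASSES.items()
            if not any(c in cls for c in password)]


def entropy_bits(password: str) -> float:
    """Rough upper bound on entropy: log2(pool size) per character, where the
    pool is the union of the classes actually present in the password.
    (Forcing one character per class makes the true figure slightly lower.)"""
    absent = missing_classes(password)
    pool = sum(len(cls) for name, cls in CLASSES.items() if name not in absent)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"~{entropy_bits(pw):.1f} bits", "missing:", missing_classes(pw))
```

A 16-character password drawn from all four classes (94 symbols) lands near 105 bits by this estimate, which is why the post's lower bound of 16 characters is already comfortably beyond what offline guessing can reach; the main value of the generator is that every account gets a different one.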
There are many password managers out there and each tackles these two jobs slightly differently, usually while adding additional features. I will speak about three password managers that have very different use cases and features.
KeePass
KeePass is the long-standing monarch of password managers. It is a basic stand-alone application that fulfills the requirements of a password manager. It is also free and open-source. Here's a quick overview:
- Stores account credentials in a simple list
- Runs on Windows (version 2.x runs on most platforms)
- Secure encryption of the database
- Customizable password generator
KeePass was my first password manager. The major problem that I had with it is that there are no official versions for Android and iOS. KeePass stores data locally in an encrypted file, so it does not automatically sync between devices - this might be something you want.
Summary: I don't have much to say about KeePass. It's effective and free. It did not meet my needs, however.
Dashlane
Dashlane is a competent, user-friendly password manager. At its most effective, you don't notice that Dashlane is there after you log into it.
Dashlane does target some specific problems with a bare-bones password manager like KeePass:
- Automatically generates passwords on account creation pages
- Automatically stores new credentials
- It can automatically enter credentials and log you in
- Premium: cloud-sync across multiple devices
I liked Dashlane. It worked for me most of the time; however, I encountered a problem. On a desktop it requires an application install and an extension for your web browser to enable the auto-magic. This meant that on computers where I cannot install software, I was forced to access my database from my phone and manually type credentials.
I switch between computers often and access many password-protected resources. Having to pull out my phone, enter my master password, search for credentials, and then enter them by hand was a chore that I endured for the convenience it offered on trusted computers.
Summary: Dashlane is designed to be used on a couple trusted devices. On my trusted devices I didn't notice that it was open and signing me into my services. It adds more steps when you are using public or unfamiliar computers. For some users, the fact that it cloud-syncs is going to turn them off it.
Mooltipass Mini
The Mooltipass Mini is a very interesting piece of hardware. I am going to very quickly get into the bullet points:
- Hardware device (Completely offline)
- Encrypted on device
- Compatible with most devices
- Built-in 2FA
- Tamper-Evident
Disclosure: Someone, not a company or seller of the product, paid for the device and shipping so I could write this post. I pocketed the $20 that was left over.
Overview
This device is the odd one out on this list. I have not seen many password manager reviews that include it. Not without reason, of course. The device addresses a separate set of problems than other password managers.
The Mooltipass is completely offline, and interacts with most devices as a keyboard. The possible attack vectors for most password managers do not apply to this device. There are no credentials stored in your host's RAM, nor is there software to exploit on your host. Although it has browser extensions that you can install, you must press a button on the Mooltipass before credentials are sent.
The device uses the same chip-and-PIN system that bank cards use. Your card must be inserted in the device and you must enter your PIN before you can access your Mooltipass. If you fail to correctly enter your PIN three times in a row, the Mooltipass renders your password database unrecoverable.
When I first held my Mooltipass I had difficulty finding the seams where the two halves of the case met. It's designed to be tamper-evident, not tamper-proof. While I will not say it is impossible to physically alter the device without the knowledge of its owner, it would require an unreasonable amount of time and skill.
I find the Mooltipass to be an astounding piece of engineering. The designers clearly examined the threats that password managers face and kept them in mind at every stage of development. The only vector of attack that most people might face is a keylogger, which threatens more than password managers. The only way a third party should be able to access your password database is by asking you very nicely to give it to them.
My Experience
For my particular use case, where I have a large number of accounts that I have to access from public computers, the Mooltipass is perfect.
I have several accounts at the operating-system level, before I have access to software, and on many computers I use I cannot add or modify software. Using my phone meant that my password would sit visibly on my desk or in my lap in crowded computer labs.
Using the Mooltipass is fast. It takes less than ten seconds for me to plug it in, enter my PIN, find credentials, and push them to the host. Compared to using my phone it is nothing, and I am getting faster with it.
I have encountered two issues with the Mooltipass. When I disconnect it from my Android phone the phone crashes, but I don't have to do this often and I believe it has more to do with how old my phone is. The second problem that I encountered is that the micro-USB connector in my Mooltipass is a little finicky, but it has not been too bad and it does not appear to be getting worse.
Adding credentials to the device requires the use of a Chrome app. Whenever you attempt to view, add, or modify credentials you must confirm it on the connected Mooltipass. This is not something that comes up often and the process is painless.
Conclusion
I have covered the basic goals of a password manager and given a quick overview of the password managers that I have used. I spent a lot of time talking about the Mooltipass because it is a fascinating piece of hardware.
This article was written because I love my Mooltipass and because I said that I would write about my experience with it. That experience has been fantastic.
Everyone should use password managers. I hope I provided some insight that will help users assess password managers so that they can select one that will meet their needs.
Support the Author
Devon Taylor (They/Them) is a Canadian network architect, security consultant, and blogger. They have experience developing secure network and active directory implementations in low-budget and low-personnel environments. Their blog offers a unique and detailed perspective on security and game design, and they tweet about technology, security, games, and social issues. You can support their work via Patreon (USD), or directly via ko-fi.