As mentioned at the end of my last blog, this instalment is going to look at three key products for securely storing multiple passwords: PasswordSafe v3.34.1, KeePass v2.28 and Dashlane 3.0.7 (Free version). I’m going to focus my attention on the security of each application, but will also touch on usability and any additional features I feel are worth highlighting.
Overall ratings for Password Management Applications
A password manager is meant to be a place for you to store all of your credentials. This makes it extremely valuable to either yourself or an attacker, and as a result, needs to be secure. I would liken it to locking all of your valuables in a safe – there would be no point putting your prized possessions in a safe that a thief could break into in a matter of seconds.
Dashlane uses Rijndael encryption with a 256-bit key. Rijndael won a global competition and was adopted as the Advanced Encryption Standard (AES) in 2000, and it is widely regarded as the leading standard in encryption, which is why it is used by the NSA for encrypting classified information.
KeePass also uses Rijndael encryption with a 256-bit key, and when you create your master password it lets you set the number of times the password should be transformed before being used as the encryption key. This slightly increases the time taken to open the database, but makes it much harder to perform a dictionary attack against it.
PasswordSafe uses Twofish encryption. Twofish was an AES finalist created by Bruce Schneier, who is highly regarded in the IT security community and is also the designer of PasswordSafe. Twofish is commonly regarded as more secure than Rijndael, but not as efficient (the AES winner was chosen on various criteria, not just security).
Whilst the encryption method used is very important, it is critical that your master password is of a high complexity. Once you have populated your password manager, your master password is the only one you will need to remember, and it is also the only password an attacker needs to guess. In my last blog I offered some advice on how to create a memorable, yet complex password.
Dashlane and PasswordSafe both offer forms of two-factor authentication. Dashlane lets you use a free app such as Google Authenticator on your mobile device to provide an additional password needed to log in. However, this will require you to have an internet connection each time you wish to access your database. PasswordSafe allows you to configure a YubiKey that will need to be plugged into your computer each time you open PasswordSafe. If you already own a YubiKey with a spare configuration slot, you can program it to work with PasswordSafe. KeePass allows for a keyfile to be used in conjunction with your password, which can be stored on an external device, providing an extra layer of security to access your master database. KeePass provides information regarding its additional security features, such as enhanced protection against keyloggers.
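To make the two KeePass mechanisms above concrete (the configurable number of key transformation rounds, and a keyfile combined with the master password), here is an added example modelled on KeePass 2's scheme; it is not KeePass's own code. The password, keyfile bytes and transform seed are constructed, and HMAC-SHA256 stands in for the AES-based transform KeePass uses, so only the structure is faithful.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample inputs (not real secrets): a master password, the bytes of a keyfile
# kept on a removable device, and the per-database transform seed.
MASTER_PASSWORD = "correct horse battery staple"
KEYFILE_BYTES = b"constructed keyfile contents; a real keyfile holds random bytes"
TRANSFORM_SEED = bytes(range(32))  # constructed; KeePass keeps a random seed in the database header


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Hash each factor separately, then hash the concatenation: both factors are needed."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Apply a keyed transform `rounds` times. An attacker pays the same cost for every
    guess, so raising `rounds` slows a dictionary attack linearly."""
    # Simplification (assumption): HMAC-SHA256 keyed with the seed stands in for the
    # AES-256 round KeePass uses; the iteration structure is what this example shows.
    for _ in range(rounds):
        key = hmac.new(seed, key, hashlib.sha256).digest()
    return hashlib.sha256(key).digest()


def derive_master_key(password: str, keyfile: Optional[bytes], seed: bytes, rounds: int) -> bytes:
    return transform_key(composite_key(password, keyfile), seed, rounds)


def rounds_for_delay(seed: bytes, target_seconds: float = 1.0, probe_rounds: int = 20_000) -> int:
    """Pick a round count so one unlock costs about `target_seconds` on this machine,
    the same idea as the one-second calibration KeePass offers in its database settings."""
    start = time.perf_counter()
    transform_key(b"\x00" * 32, seed, probe_rounds)
    per_round = max((time.perf_counter() - start) / probe_rounds, 1e-9)
    return max(1, int(target_seconds / per_round))


if __name__ == "__main__":
    rounds = rounds_for_delay(TRANSFORM_SEED)
    key = derive_master_key(MASTER_PASSWORD, KEYFILE_BYTES, TRANSFORM_SEED, rounds)
    print(f"{rounds} rounds on this machine -> key {key.hex()[:16]}...")
```

Losing the keyfile, or changing the round count, yields a different key, which is why both must be backed up alongside the database.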
Dashlane also has a Security Overview section, which gives you an overall security score based on the strength of your passwords, whether the same password is used across multiple sites, etc. In my opinion, one of the main reasons for using a password manager is so you can use a unique, complex password for each service without having to remember them. Dashlane clearly and concisely shows you the accounts that share the same password, prompting you to log into these accounts and change the password to something unique; after doing so, you will see your overall score increase. Thanks to a partnership with Pwnedlist, Dashlane receives instant updates on the latest security breaches, so if you have an account with any of these compromised sites, Dashlane will alert you immediately and help you to change your password. Additionally, it will clearly show you any other sites that share the same password.
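The checks behind a Security Overview of this kind, as an added example that is not Dashlane's code: the vault entries and the list of breached sites are constructed, the scoring weights are my own, and passwords are compared via hashes so the report never carries plaintext.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (not real accounts or passwords).
VAULT = [
    {"site": "mail.example", "user": "alice", "password": "Tr0ub4dor&3"},
    {"site": "shop.example", "user": "alice", "password": "Tr0ub4dor&3"},
    {"site": "bank.example", "user": "alice", "password": "x7#Qp2!vLm9$wE4r"},
    {"site": "forum.example", "user": "alice99", "password": "password1"},
]
# Constructed stand-in for a breach feed such as the Pwnedlist data Dashlane subscribes to.
BREACHED_SITES = {"forum.example"}


def reused_passwords(vault):
    """Group sites by a hash of their password; return only groups that share one."""
    groups = defaultdict(list)
    for entry in vault:
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()[:12]
        groups[digest].append(entry["site"])
    return {h: sites for h, sites in groups.items() if len(sites) > 1}


def is_weak(password):
    """Shorter than 12 characters, or fewer than three character classes."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) < 12 or sum(classes) < 3


def security_score(vault, breached_sites):
    """0-100: each entry starts at 10 points and loses 5 for reuse, 3 for weakness,
    10 for sitting on a breached site (weights are assumptions, not Dashlane's)."""
    reused = {s for sites in reused_passwords(vault).values() for s in sites}
    total = 0
    for entry in vault:
        penalty = 0
        penalty += 5 if entry["site"] in reused else 0
        penalty += 3 if is_weak(entry["password"]) else 0
        penalty += 10 if entry["site"] in breached_sites else 0
        total += max(0, 10 - penalty)
    return round(100 * total / (10 * len(vault)))


if __name__ == "__main__":
    print("reused:", list(reused_passwords(VAULT).values()))
    print("score:", security_score(VAULT, BREACHED_SITES))
```

Changing the duplicated shop password to a strong, unique one raises the score, which is the feedback loop the Security Overview is built around.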
Overall: All of the products use strong encryption methods to keep your passwords safe and can be configured to use additional levels of security. For me it will come down to a personal preference of the authentication method used or a specific feature that is desirable.
Usability and additional observations
After security, the next most important aspect for me is how easy the application is to use. If you are unable to navigate around the password manager, easily organise your passwords and then locate them again afterwards, you may as well not use one. They are primarily meant to allow you to manage your passwords, but that doesn’t mean they should hinder your day-to-day activities.
Whilst setting up your database, Dashlane offers you the chance to import passwords from common internet browsers. I had IE, Chrome and Firefox installed, and with the click of a button Dashlane accessed all of them for me and populated my database. Dashlane also offers to install an optional plugin for each of your browsers; the plugin will recognise when you log into a service not already stored in Dashlane and pop up a window offering the ability to save the credential and choose a category. When browsing to a site that you have stored credentials for, Dashlane will work like a Single Sign-On solution and populate the username and password fields for you, ready to log in. The plugin also gives you the option to use Dashlane’s safe search engine, replacing your browser’s default search engine. After submitting a search, each result has a little colour-coded shield on the right-hand side, letting you know if there have been any security breaches on those websites. This is quite handy if you often visit websites that you are not familiar with. I found Dashlane very easy to use; the only part I had difficulty with was getting Dashlane to generate a new password for me. The application is meant to detect when you have gone to a password reset screen and then offer to generate a secure password and save it to your database. I found this feature to be a bit temperamental with certain websites.
I find I always struggle with PasswordSafe if I haven’t used it in a while. The key thing to remember is that once you have set up your database, you don’t go to File > New to add an entry; instead it is Edit > Add Entry. There are no predefined groups for you to use and all entries are added manually, unless importing a database. However, there are a lot more options available for you to customise, such as setting a default password policy to be used when generating new passwords. This is great for having an extremely secure default policy to be used on all websites, then a slightly less secure one for websites that do not allow certain symbols to be used in passwords.
KeePass offers some pre-set groups to get you started, but similar to PasswordSafe, you need to go to Edit > Add Entry to enter a new credential. KeePass also allows you to create custom password policies to be used when generating new passwords. Right-clicking on an entry shows you a menu of all the actions you can perform using that entry, as well as the keyboard shortcuts to make it quicker in the future.
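The password policies described for PasswordSafe and KeePass above amount to a generator with a strong default policy plus fallbacks for sites that reject certain symbols. This is an added example, not either project's code; the policy names, lengths and symbol sets are constructed, and it uses rejection sampling so the output stays uniform over all compliant passwords.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Letters and digits are always allowed; `symbols` is the punctuation the site accepts."""
    name: str
    length: int
    symbols: str = string.punctuation

    def alphabet(self) -> str:
        return string.ascii_lowercase + string.ascii_uppercase + string.digits + self.symbols

    def satisfied_by(self, password: str) -> bool:
        """Right length, only allowed characters, and at least one of every class in use."""
        if len(password) != self.length or any(c not in self.alphabet() for c in password):
            return False
        classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
        if self.symbols:
            classes.append(self.symbols)
        return all(any(c in cls for c in password) for cls in classes)


# Constructed policies: a strong default, and fallbacks for sites that reject most or all
# symbols, made longer to compensate for the smaller alphabet.
DEFAULT_POLICY = PasswordPolicy("default", 24)
RESTRICTED_POLICY = PasswordPolicy("restricted-symbols", 28, symbols="-_.")
NO_SYMBOLS_POLICY = PasswordPolicy("alphanumeric", 32, symbols="")


def generate(policy: PasswordPolicy, max_attempts: int = 1000) -> str:
    """Draw every character uniformly with secrets.choice and retry until the policy holds.
    Unlike 'one of each class, then shuffle', rejection sampling does not bias the result."""
    alphabet = policy.alphabet()
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if policy.satisfied_by(candidate):
            return candidate
    raise RuntimeError(f"policy {policy.name!r} could not be satisfied")


if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, RESTRICTED_POLICY, NO_SYMBOLS_POLICY):
        print(f"{policy.name:>18}: {generate(policy)}")
```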
All of the applications allow you to configure interactions with webpages, enabling the password manager to open a website for you and then automatically type the required credentials. Dashlane makes life easier by using plugins, but when the plugins failed to recognise that I was resetting a password, I did miss having a “generate password” button close by.
I have always used KeePass as my main password manager; it came bundled with a Linux distribution and I adopted it soon after using it for the first time. There are plugins available for almost any required functionality and huge amounts of available resources. I found that KeePass and PasswordSafe both provide the most customisation when being used solely as a password manager.
Having said that, I have found myself growing fonder of Dashlane the more I use it. I’ve taken a particular shine to the Security Overview and find it extremely beneficial for efficiently managing your passwords. As well as being a password manager, it allows you to store credit card information as well as personal information that you find yourself regularly entering into online forms. With browser plugins installed, Dashlane really sets itself apart as being more than just a password manager: it is essentially a Single Sign-On solution, helping you to manage your online day-to-day activities far more securely. I would certainly recommend giving Dashlane a try if you haven’t already.
I’ve barely scratched the surface of what each application can do; if you have specific needs of a password manager, I would research them first. Otherwise, any of the applications mentioned in this blog will be suitable.
A few tips when using any password manager
For using the same database on different devices, I would suggest using a secure cloud storage service. There are some that will encrypt your files on your device before sending them to the cloud, ensuring that no one has access to them. This would be ideal. However, given that all of the password utilities already encrypt the databases for you and you will of course have a very complex master password, it is not a necessity.
Always keep a backup of your database. Without a backup, should your computer die or the database become corrupted, you would lose all passwords.
Use a long password; I can’t stress this enough. You only have to remember one, so try to make it as long and complex as possible.
Given the recent news coverage of the Citadel Trojan, I felt I had to include a bit of information and some advice. Essentially, this latest version of Citadel activates a keylogger when it detects certain computer processes running, specifically targeting the processes of well-known password managers. This is a concern, but if your computer is infected with Citadel, there is nothing to say it is not also infected with other malware that logs every keystroke regardless of the processes running; granted, there would be more information for someone to sift through to get to your passwords, but the information would be available. The most important things are to have an up-to-date security suite installed on your computer with regular scans scheduled, and to use two-factor authentication wherever it is available on any service you use. If you are still concerned, you could use an on-screen keyboard to log into your password manager, thwarting a keylogger. If you suspect your password has been captured by a keylogger, change it immediately and resave the database, remembering to make a backup copy and securely shred old versions of your password database.
If you take home nothing else from this review, please ensure you use a password manager and make your master password as complex as possible.
*Third-party plugins may receive honorary mentions, but will not be reviewed in depth.
Priority One – IT Security