Your browser is out of date.

You are currently using Internet Explorer 7/8/9, which is not supported by our site. For the best experience, please use one of the latest browsers.

866.430.2595
Request a Consultation
banner

Password Manager Comparison Cerberus Sentinel Blog

Apr 04, 2019 | Steven Anderson

Why You Need A Password Manager

When it comes to personal security, first things must come first. Get. A. Password. Manager….NOW. This is one of those security steps that InfoSec industry folks turn blue repeating during security awareness training. Your CISO has probably said it 100 times or more, hasn’t she? A password manager is simple. It saves time. It protects your accounts, so the only reason we can come up with that everyone on the planet is not already using one is that some folks may be unsure which password manager to utilize. Whereas it has become globally accepted that simply “remembering” passwords leads to reusing the same codes, which leads to lists of hacked passwords on the dark web, which leads to account access on your organization’s network and accounts, we are going to help you compare and contrast the three most popular password solutions out there.

Following on the heels of his last blog on personal security as a first step to professional security, True Digital Security’s Steven Anderson has evaluated 1Password, LastPass, and KeePass through the lens of a seasoned security consultant. Feel free to use Anderson’s conclusions as your own password manager Cliff’s Notes, linking directly to your chosen solution if you’d like. Then, by the next installment in this series, you’ll be bragging to your friends about how locked down your accounts are, and maybe your CISO will even be breathing normal breaths again.

Password Manager Comparison 

1Password (https://1password.com)

    1. Pros
        1. Integrates with browsers
          1. Automatic detection of domain allows for recommendations on username and password injection
          2. Example:
            1. The 1Password browser plugin detects that you arrive at gmail.com
            2. You have 2 Google logins stored in 1Password
            3. It will suggest the 2 accounts for your choosing
            4. You choose one of the accounts
            5. 1Password will automatically provide the username and password in the necessary field
        2. Built-in support of TOTP multi-factor authentication (MFA) algorithms
          1. Generates the codes within the app
          2. Auto-fill possible
          3. Rationale: This cuts down on the number of MFA applications you need to have installed on your phone such as Google Authenticator, Microsoft Authenticator, Symantec VIP, Authy, Duo, and many more possible apps. It provides all necessary authentication functionality in one place other than email, phone call, and SMS codes.
    2. Cons
      1. Costs money
        1. $3/month or $36/year for a single user license
        2. $5/month or $60/year for a family license (up to 5 users)
      2. Database stored in the cloud
        1. Rationale: This feature provides accessibility at the expense of security. It requires us to place trust in the provider since our data will be hosted on their servers and technically out of our control. While this is not unusual these days, it remains less secure than controlling the data yourself if security is important to you.

LastPass (https://www.lastpass.com)

    1. Pros
        1. Integrates with browsers
          1. Automatic detection of domain allows for recommendations on username and password injection
          2. Example:
            1. The LastPass browser plugin detects that you arrive at gmail.com
            2. You have 2 google logins stored in LastPass
            3. It will suggest the 2 accounts for your choosing
            4. You choose one of the accounts
            5. LastPass will automatically provide the username and password in the necessary field
        2. LastPass does support TOTP multi-factor authentication algorithms through a second app
          1. Rationale: This can cut down on the number of MFA applications you need to have installed on your phone (see more above).
    2. Cons
      1. Costs money
        1. $24/year for a single user license
        2. $48/year for a family license (up to 6 users)
      2. Support of TOTP multi-factor authentication (MFA) algorithms NOT built-in
        1. Rationale: There are already many independent MFAs available. The benefit of LastPass having MFA capabilities is reduced significantly since it requires another app to be installed and opened in order to complete the login process on your websites
      3. Database stored in the cloud
        1. Rationale (see under 1. above)

KeePass (https://keepass.info)

    1. Pros
      1. Free
      2. Stored locally (no cloud storage)
        1. Rationale: This prevents the accidental compromise of your password database in the off-chance that:
          1. the cloud password provider gets breached AND
          2. that they weren’t properly securing the data using strong encryption methods OR
          3. that they were storing unencrypted/decrypted data OR
          4. they maintained the ability to access your password database (weak/reversible encryption or stored master password)
          5. NOTE: The chances of the above happening is extremely slim
      3. Password injection possible through app
        1. Rationale: KeePass does allow you to inject into websites, but you must already be at the appropriate website before you attempt it.
    2. Cons
      1. Does not integrate with browsers, so no automatic storage of or injection of passwords
        1. Rationale: Since KeePass does not have a browser plugin, it does not detect the site you are at and cannot provide recommendations. Further, it cannot detect when you are creating an account, so it cannot offer to store the password for you.
      2. No built-in support of multi-factor authentication algorithms

Important Password Reminders

  • Remember to create a long, complex master password using a passphrase (the longer the better), regardless of the password manager you choose
  • Ensure you are not sharing passwords between accounts.  Most password managers will tell you if the password you are using is already in use on another of your accounts

Assuming you’ll have a manager in place by next week, having been given these easy-to-follow steps and evaluations, Steven Anderson will help us dig into why your personal email account is the next biggest priority in personal security. We will look at how attackers use personal email accounts to pivot into other accounts, as well as how to secure the most common account type in the US.

For a more in-depth look into ways accounts can be leveraged, listen to our most recent Penetration Testing webinar from Josh Bozarth and Aaron Moss.

Ask A Question