Wednesday, May 09, 2007

Review: 13 Mac OS X Password Managers, two that don't suck

[Added 6 more password managers thanks to user feedback]
Nobody wants to have their online accounts stolen. This article reviews 20 password managers against my requirements. Only four of them got a good grade, so there's room for improvement. Firefox will happily show any user sitting at your computer all your web site passwords unless you secure it (and it has had security vulnerabilities in 2.0.0.2, fixed in 2.0.0.3).

But first, some tips for maintaining a higher level of security. How far you take this depends on your paranoia level and how much you want to avoid identity theft and scams.

For the average user, good security usually means strong passwords, using different passwords for different sites ... and other measures such as:
  • avoid responding to instant messaging/email phishing scams
  • don't believe that you have won a lottery or that you can help some African smuggle millions out of his country
  • don't run anything on your computer except software you have specifically intended to install
  • never buy anything from spammers; anything that comes from non-family-oriented image sites is always more infested with nasties than the girls themselves would be
  • NEVER open email attachments from anyone except for items you have specifically requested (this means you do NOT open the joke file that your friends have just sent you)
  • have anti-virus and anti-spyware installed
  • have your computer behind a NAT router and/or install a software firewall.
So, most of this is simple experience/education. Let's look at passwords.

What makes a good password?

There are plenty of sites about the place that can tell you about the quality of passwords as a function of how quickly they can be cracked. Basically, you should use upper and lower case, you should include digits and some punctuation/symbols, your password should be at least 10 characters long (better 12 to 16) and contain no dictionary words. (Although apparently Windows passwords should not be 14 characters.) You should have different passwords for different sites. You should never leave a password set to the default. Never write passwords on post-its.

You can also try using a pronounceable password generator like Xyzzy. This isn't perfect but it's one way to remember moderately complex passwords. It runs on Windows and Mac.

My OS and/or browser remembers passwords for me!

Most browsers will remember your password for you if you let them. I don't like this feature and recommend against it. Like the dark side of the force, this feature can be very tempting because it is so easy, but it introduces a couple of issues that you have to be aware of:
  • Backup of passwords - your hard drive could crash at any time. Maybe right now!
  • Anyone with access to your browser when you are away from the keyboard will be able to access all of your sites - do you lock your machine?
  • You will be unable to use the protected websites when you're away from your beloved password enabled browser.
  • How does your browser protect your passwords?
  • How vulnerable are these stored passwords to web script attacks?
  • What about passwords for things other than the web - eg: encrypted documents.
  • I will kill a kitten for every person I find using this feature.
Safari has wonderful syncing via a .Mac account, which will sync your keychain with all your other Macs. This assumes that you have other Macs, that you are willing to pay for the .Mac account, and that you are using Safari for your secure browsing.

Firefox has a good friend in Google, who developed BrowserSync, which will sync your bookmarks, passwords, cookies and history on any Firefox browser that has the plug-in installed. HIGHLY recommended.

Also, for Firefox users: Firefox -> Preferences, Security tab, Show Passwords, Show Passwords ... exposes your passwords!!! Not many people know this, but now you do. This works on the Windows and Linux versions of Firefox as well, and it is the default unless you change it ... so if you insist on having Firefox store your passwords, then tick the "Use a master password" setting and set that master password!

I was put off browser password storage back in the early days of Opera, when it stored certain passwords in clear-text files. I'm sure they don't do that now.

Keychain Access is awesome for all sorts of OS-related items but lacks the convenience and features of most of the password managers listed below. Obviously Keychain is part of the solution on OS X, but it would be a discussion all by itself, and this article is already way too bloated and still terse.

Authentication questions.

Often a site will have questions that you have pre-answered, which will identify you if you forget your password. Things like “what town were you born in?” and such. These sorts of questions allow an attacker who knows a little about you to get into your account. Also, if the hosting site is hacked, the question and answer may be exposed to the hacker, which gives them more information about you. My suggestion is to lie in a random way: for the “what town were you born in?” question, just make up a password unique to that site and use that as the answer, e.g. "jgdalpitwburg".
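An added example (written for this review, not code from the original post): a small Python checker for the password rules given above, a generator that keeps drawing until a password passes them, and a random answer generator for the "lie in a random way" trick with security questions. The word list is a constructed stand-in; a real check would load a proper dictionary file.

```python
import secrets
import string

# Constructed stand-in for a dictionary; a real checker would load /usr/share/dict/words.
DICTIONARY = {"password", "secret", "monkey", "dragon", "letmein", "welcome", "summer"}
SYMBOLS = set(string.punctuation)


def check_password(pw, dictionary=DICTIONARY):
    """Return the list of rules the password fails; an empty list means it passes.
    Rules from the article: upper and lower case, digits, punctuation/symbols,
    at least 10 characters, and no dictionary words embedded in it."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no punctuation/symbol")
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def recommended_length(pw):
    """The article's preferred range: 12 to 16 characters."""
    return 12 <= len(pw) <= 16


def generate_password(length=14, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Draw from the CSPRNG (secrets, not random) until check_password is happy."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


def random_answer(length=12):
    """A random, site-unique answer for a security question (like 'jgdalpitwburg'):
    unrelated to the truth, so it must be stored in the password manager too."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
```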

So, now you have strong passwords for all of the web sites you visit ... how do you remember them all? Well the answer is – you most likely can't. You need some sort of password manager.

Password managers expose you to another set of problems:
  • someone who can crack your password manager will have all of your passwords and access to everything.
    • give your password manager a really strong password to open it (this can still be open to a keylogger attack, though; combining it with GUI-based input can help).
    • choose a password manager that uses good encryption and has a good security model.
  • you won't be able to access your sites unless you have the password manager with you.
    • remember the passwords to the most important sites (eg: webmail). The Xyzzy application might help (see above).
    • have the encrypted data file available online.
    • choose a password manager that can link to a mobile device, or export to text file that you can encrypt on your PDA.
  • if you lose your password manager data then you won't be able to access anything.
    • back up your data. You MUST do this anyway.
Password manager features I would like to see:
  • password required to open the password manager. If it uses a keylogger-safe method, even better.
  • never expose the password at any time; the only way a password gets out is by being copied to the clipboard to allow pasting into fields.
  • auto lockout: a timeout (duration configurable in prefs) that closes the password manager or requires re-entry of the password.
  • clear the clipboard (if it still contains the password) after n seconds.
  • export of data in encrypted form for backing up.
  • export of data in plain text for ... whatever use (to PDA).
  • autofill web forms.
  • logging of activity. Logs not available from any menu item, just the log file location specified in the documentation.
  • take an iSight photo at the beginning of each session of activity (limit of n images set in prefs).
Not all of these features are essential, although the first couple are. I didn't note any password manager that had the last two features.
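An added example (not from the original post or any of the products reviewed) modelling two of the wishlist items above, auto lockout after an idle timeout and clearing the clipboard after n seconds, including the "if it still contains the password" check. FakeClipboard stands in for the system clipboard, and the clock is injectable so the timing can be tested without sleeping.

```python
import time

class FakeClipboard:
    """Stand-in for the system clipboard (constructed for this example, not OS code)."""
    def __init__(self):
        self.text = ""

class PasswordSession:
    """Auto-lock after an idle timeout; clear a copied password after n seconds, but only
    if the clipboard still holds what we put there (the user may have copied something else)."""

    def __init__(self, clipboard, idle_timeout=300, clipboard_ttl=20, clock=time.monotonic):
        self.clipboard, self.clock = clipboard, clock
        self.idle_timeout, self.clipboard_ttl = idle_timeout, clipboard_ttl
        self.locked, self.last_activity = True, None
        self.copied, self.copied_at = None, None   # the secret we last placed on the clipboard

    def unlock(self):
        self.locked, self.last_activity = False, self.clock()

    def touch(self):
        """Any user action resets the idle timer; refused once the session has locked."""
        self.tick()
        if self.locked:
            raise PermissionError("session is locked; re-enter the master password")
        self.last_activity = self.clock()

    def copy_password(self, secret):
        """The only way a password leaves the store: onto the clipboard, never on screen."""
        self.touch()
        self.clipboard.text = secret
        self.copied, self.copied_at = secret, self.clock()

    def _release_clipboard(self):
        """Forget our copy; wipe the clipboard only if it still contains that password."""
        cleared = self.copied is not None and self.clipboard.text == self.copied
        if cleared:
            self.clipboard.text = ""
        self.copied = self.copied_at = None
        return cleared

    def tick(self):
        """Housekeeping the app would run from a timer; returns the actions it took."""
        now, actions = self.clock(), []
        if self.copied_at is not None and now - self.copied_at >= self.clipboard_ttl:
            if self._release_clipboard():
                actions.append("clipboard cleared")
        if not self.locked and now - self.last_activity >= self.idle_timeout:
            self.locked = True
            if self._release_clipboard():
                actions.append("clipboard cleared")
            actions.append("locked")
        return actions
```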

I would not use a password manager that exposes your password as part of the normal procedure to open the associated web site. This means that anyone with you can see the password, which makes the password manager a security hazard rather than a security aid. I was shocked at how many of the password managers actually did this.

Of the 20 password managers that I looked at, I found that only four were good (5/5) and two more were worth considering (4/5). Two of the 20 were from web sites that were so dodgy-looking that I was afraid to install the software. Note “My rating” is purely subjective and based on my requirements. The “Notes” column is far from comprehensive but gives a guide to notable things that struck me as I was looking at the software.
Software (cost $US): my rating, followed by notes

PasswordWallet ($20): 5/5
  + never exposes password
  + heaps of features
  + autotyping (clever)
  + sync with PalmOS device

1Passwd ($30): 5/5
  - exposes password on edit
  - auto lock tied to keychain access
  - expensive
  + excellent autofill
  + wonderful memorising of forms
  + Palm
  + excellent export/import

PasswordVault (free / $15): 5/5
  - free version limited to 15 entries
  - exposes password with click in edit mode
  + funky interface, skinnable
  + Mac + Windows + Linux versions
  + great export options

Yojimbo ($39): 5/5
  - very expensive
  - no launch URL
  - no auto lock
  + password required to copy/view password
  + excellent documentation
  + feature rich
  + more than a password manager
  + very slick

Password repository ($25): 4/5
  - exposed by button
  - butt ugly
  - expensive
  - lacking features
  + file handling
  + good documentation

Vault ($5): 4/5
  - limited prefs, features
  - no auto lock
  - no auto clear buffer
  - no export ... but obvious data file
  + never exposes password
  + simple interface

info.xhead ($15): 3/5
  - exposes password on entry/edit
  - buggy exposure of password
  + autofill web sites (clever)
  + funky interface
  + lots of features

PasswordPlus ($30): 3/5
  - exposes password on edit or via show click in view
  - expensive
  - doesn't auto open URLs
  + good documentation
  + OS X/Windows/Palm OS

KeyMinder ($20 (£10)): 3/5
  - exposes password on click
  - unknown preferences (have to register)
  - no auto lock
  + OS X/Windows

AutoID ($5): 2/5
  - exposes password on entry/edit
  - butt ugly
  + autofill web sites (clever)
  + option to hide password, but still exposed on double click

iSafe Lite/Pro (free / $20): 2/5
  - exposes password as you copy
  - doesn't export
  - no preferences
  - no copy password to buffer
  - poor documentation
  - time out is a fixed time and ignores activity
  + encrypts docs

Wallet ($15): 2/5
  - exposes password
  - clunky interface
  + autofill

KeePassX (free): 2/5
  - exposes password on click
  - no launch URL
  - no auto lock
  - buggy conversion to OS X
  - no help (probably a URL function)
  + Linux/KeePass:Windows/Palm

SafePlace ($10): 2/5
  - exposes password to copy it
  - no preferences
  - butt ugly
  - data file location?

Pastor (free / donate): 2/5
  - exposes password on mouse-over
  - clunky interface

PasswordMaster ($10): 2/5
  - exposes passwords by default
  + pref option to hide passwords
  - pref doesn't hide entry of password
  - doesn't force password encryption of data!

DataGuardian ($20): 2/5
  - exposed by click
  - butt ugly
  - totally undefined initially
  - ugh, fricken waste of time
  + very configurable

WebConfidential (~$27 (20 Euro)): 2/5
  - exposes password on mouse-over
  - expensive
  - butt ugly
  + autofill - very cool!
  + excellent net application integration
  + OS X/Windows/Palm OS

SecureNotes ($30): *1/5
  - expensive
  - site looks dodgy, example of downloading movies (*did not install it)
  + can store files

KeyMaster (free / donate): *1/5
  - exposes password
  - weak description, dodgy (*did not install it)

11 comments:

Bala said...

Hi,

Read your post on Password Managers, it was quite interesting. And I thought of introducing ManageEngine PasswordManager Pro (PMP), a privileged password management solution for enterprises.

PMP helps control the access to shared administrative/privileged passwords of any 'enterprise resource' such as servers, databases, network devices, applications etc.,

PMP is centralized, web-based and enables IT managers to enforce standard password management practises such as maintaining a central repository of all passwords, usage of strong passwords, frequent changing of sensitive passwords and controlling user access to shared passwords across the enterprise.

Features:

# Secure, centralized repository of passwords
# Password ownership and sharing
# Role-based access control for users
# Enforcement of password policies
# Remote password synchronization
# All user access to passwords as part of comprehensive audit
# Tools for backup & disaster recovery
# Personal password management for users
# Access from anywhere through a web-browser

Trial Version Download: http://www.passwordmanagerpro.com

I would be happy if you could give PMP a try and share your views on the product.

Thanks & Regards,
Bala
(ManageEngine PasswordManager Pro Team)

recuperación de los datos said...

You can recover your lost Mac data with Stellar Phoenix Mac Data Recovery.

Try this now!!
http://www.stellarinfo.com/mac-data-recovery.htm

Anonymous said...

For online backup news, information and articles, there is an excellent website:

http://www.BackupReview.info

This site lists more than 400 online backup companies and ranks the top 25 on a monthly basis.

Anyone can add their company in the directory. Just click on the "Search" button found at the top.

Cheers,

Marco Barulli said...

Using a password manager is not merely convenient, it’s an effective way to adopt better security practices without too much stress. It basically sums up to: 1) never re-use the same password, 2) use strong passwords.

Software products are certainly an option, but you could also consider a web based solution.
(Yes, I’m a tad biased …)

Clipperz is an online password manager that can do much more than simply storing your passwords.
- ubiquitous access
- direct login to online services
- offline version
- bookmarklet for quick data entry
- nothing to install or backup
- …

It’s free and completely anonymous.

Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.

The key for the encryption process is a passphrase known only to you.
Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.

For any further information refer to our website:
http://www.clipperz.com.

Marco
Clipperz co-founder

David J. said...

A password generator site aside from creating true random passwords also creates leet passwords (easy to remember passwords)

http://www.goodpassword.com

Anonymous said...

Am I the only one who thinks it slightly strange you "reviewed" 13 Mac OS X password managers and you didn't mention key agent?? The one that comes installed with OS X??

I'm happy with that... it's free with my Mac.

neoporcupine said...

Thank you for your "comment", anonymous, if that is your real name. I put a little note in there about keychain because of your comment; just so people know that anonymous didn't miss it - don't want to sully his good name.

Narbs and I did discuss this at length, he is a keychain fan and lets his browser store his passwords (there goes another kitten). The features of Keychain are quite limited and it really doesn't fit into the (poorly defined) scope of what I was looking at.

In the end, though, as long as anonymous is happy with his security decisions, that's all that matters. As long as he isn't a user on my systems, in which case he had better do what makes me happy.

---

You other spammer guys ... some actually seem to have half decent products that I would in no way endorse because you spammed me, may your souls rot in hell.

---

davidj, Some of the password managers that I looked at actually contained random password generators to various degrees of complexity; pretty sweet. You might also be interested in Steve Gibson's http://grc.com/password

Carl said...

Thanks for the inclusion in your review. I just wanted to point out one small thing. 1Passwd uses its own keychain and the auto-locking is set there and is not tied to the main OS X keychain.

BTW, that Clipperz guy hit my personal blog as well after I posted something about 1Passwd. :)

Thanks

Carl
1Passwd Support
http://1passwd.com/
http://switchersblog.com/

Rolf said...

Hi,

Thanks for the great article, and all the review work.

My problem with these password managers (as with the OS X included password manager) is that you cannot (easily) share password files between multiple OSes.

Most of the multi-platform password managers require me to pay for both the OS X version AND for the Windows version. This means I cannot use my passwords database at work (where I have Windows).

Currently my only solution is the technically very good Password Gorilla which is free and comes in multiple OS flavours.

http://fpx.de/fp/Software/Gorilla/

I'd love for Password Gorilla to be more "Apple-like" on the OS X platform, but for now it works, it runs from a USB stick and I can run it on any machine.

I think for a lot of users, this is a very important requirement which is overlooked by a lot of developers.

I hope this little addition makes your article more valuable to you and your readers.

Kind regards,
Rolf

Charles Bouman said...

Hi all,
I have been using 1Password for about 9 months. I purchased the full version, and I am using it on the most up to date version of OS X version 5.4. I am a heavy computer user with a fairly good understanding of unix/linux/mac OS.

The primary reason that I purchased 1Password is to sync passwords across .Mac (now MobileMe). I have many machines at different locations, so it is essential that this works correctly.

The syncing initially worked OK, but now it has basically just stopped functioning. A typical case is that the new password I entered on one machine does not show up on a second machine after syncing. So then I create a new password on the second machine, and re-enter it into 1Password. (This of course defeats the purpose of 1Password.) When I resync, 1Password now shows 2 new password entries, one from the original entry, and a second from the newly created entry. There must be some type of problem with the keychain entries?

The bottom line is that 1Password just doesn't sync my passwords on .Mac anymore. (Which is the only reason I purchased it.)

Any suggestions?

Charlie

The Geeks said...

Thanks for the review, it was excellent and very informative.
Thank you :)