Picking the Best Password Manager for You


#1


First, my apologies to @peternlewis for starting a topic that is not directly related to Keyboard Maestro. However, it is an important topic for all Mac users, and we have already had much discussion in another thread.

Important

The most important point is to get and use a secure, reliable password manager. Don't store your passwords in insecure places like text files, KM variables, Excel, Word, Pages, Numbers, etc. Do your homework, do some testing, and then pick the password manager that works best for you.

Research

First, it is always best to do your own research. Do an Internet search on "mac password manager", and go from there.

I have done that, and it appears to me that there are at least five viable candidates, maybe more. I'm not going to list them here, but post some links to other reviews.

And there are more. You choose.

Please Post Your Experience

If you have had significant experience with one or more password managers, please post below.

Previous Discussions

I have moved previous discussions (which were off-topic) to below.

I hope all find this helpful.


Unlocking 1Password mini
#2

Hey guys,

why are you fiddling around with an overhyped toy app while we have such beautiful things like MacPass?!

  • MacPass is using the open-source kdb(x) database format, as used on Windows and Linux for many years (decades?).
  • The app itself is also open source.
  • Because of the aforementioned points, chances are pretty good that your data is secure in MacPass. In any case way better than with a closed-source app like 1Password.
  • The main developer is a nice guy, open for suggestions at any time.
  • There are compatible iOS apps like for example MiniKeePass
  • The database format is cross-platform. That is, you can open it on any Windows or Linux computer. There are also portable apps for any platform.
  • It’s free, by the way.
  • And, yes, it can also handle (many/most) program logins or admin prompts by the system.

Downsides:

  • MacPass will not auto-parse shiny app icons for the software license numbers you are storing. And, honestly, I’m glad it isn’t doing that.

Just a thought.


#3

@Tom

Your comment here about MacPass caused me to go look at MacPass.

1Password has upgraded and are prioritizing memberships. So need to decide once again about 1Password vs an alternative.

Have you commented anywhere in more detail about MacPass vs 1Password for less tech savvy users? Would be great to have your view. And to understand what features MacPass may not have - for example as far as I can tell MacPass is not so well integrated with browsers. And if I have to install another software for browser integration and another for the phone, I wonder about the security of the other two.

Thank you.


#4

Not sure what “memberships” means. In case it is “subscriptions”:

Yeah, this has started one or two years ago; the 1P app (as standalone app then) was in an incomplete state (for years already), essential functionalities were missing; those functionalities had been promised to the customers for years. Finally they arrived, but: only for subscribers of the then new subscription model (it was called “Team” or something, at that time). Wow, great, guys, you really managed to string me along all the years just to tell me at the end “Here it is, go get a Family Subscription if you want it!”. Pretty significant slap in my face. Thanks.

OK, I’ll stop the Agilebits rant here. They are a gang of merchandising-skilled people, nothing more. I had commented this on my blog.

And, after all, the gained insight that Agilebits is not a trustworthy company has been the major motivation to look elsewhere for something more sincere. And that was a good thing.

> Have you commented anywhere in more detail about MacPass vs 1Password for less tech savvy users? Would be great to have your view.

No, I have not commented anything about that anywhere.

What is “less tech savvy users”? You are posting on the KM forum, so maybe I can assume that you are able to build a basic KM macro, and that you understand what you are building. For example a simple GUI macro that checks for a window title and clicks a particular button if that window is on screen.

If you can do that, then no problem at all with MacPass.

Applications like LastPass or 1Password try to integrate the “password entering experience” seamlessly with your browsing experience. And they do a good job there. (At least from a usability perspective.)

MacPass (or similar programs, like KeePassXC) are not focussing on that aspect.

The basic mechanism of MacPass (or KeePassXC) is:

  1. There is the kdbx database that holds the data (passwords, logins, etc.). It’s you who provide the data to that database (not a web browser or such).
  2. There is or there is not an association between a record of that database and, for example, a web page.
    • If things go well, those associations will be created automatically.

If things are ambiguous you’ll have to lend a hand, you’ll have to help the program. Sounds like stone age, no?

No. The advantage of that concept is that there is no vulnerable connection between the database and your browser. No Javascript, no Proxies, simple as that.

The main connection between MacPass and the browser (or other apps!) is the so-called Autotype.

The Autotype is a shortcut (by default ⌃⌥M) and basically it is like a little Keyboard Maestro macro: It takes the entries from the database (name and password), checks if there is any window with a corresponding name open, and if Yes, it types the credentials into the fields.

It is obvious that this can fail: Page title does not match, URL is not parsable in a meaningful way, etc. So, with MacPass you must be prepared to lend it a hand:

For example, you notice that a password does not get filled in -> why -> find it out -> maybe the page title is not-unique, or it has changed since the last time, etc., -> but no major problem, since you can adjust all that.

You see, MacPass is not maintenance-free.

But, a side effect of this “very unsophisticated way to transfer data” is that MacPass also works with logins of arbitrary programs, or even System logins. (Outside of any web browser.)

In other words: It can also fill-in credentials in app logins, system logins or other non-web-related instances. (1Password or LastPass will not do this and they never will.)

Well, I’m using MacPass not as my “only solution”. And I think this is the key to using it satisfactorily:

I dare to say that 95% of my passwords are trivial. They are mostly logins to some web sites, forums, like this one, and whatnot. If one of those passwords is compromised, this is not a problem.
(Of course, as long as you don’t use the same password for each and every site; but that’s the whole point of password managers).

So, what I’m doing is this:

I have all my credentials in my kdbx database. This database is backed-up and synced in multiple ways, it’s the base of all.

But, I have 95% of my credentials also in my iCloud keychain: Forum logins and all the stuff that is not related to my credit card or to other sensitive things. Things that are exclusively in my kdbx database (and not in the iCloud keychain) are my bank access data, logins to shops that have access to my card (Amazon, …), and some other sensitive stuff.

So, you may say, you are not really using MacPass if you’re only using it for 5% of your stuff!

Right, exactly. Using MacPass for each and every forum login would be tedious and overkill. We do have Safari’s excellent Password Management for this.
(That being said, be careful: Apple is putting pretty much effort in security, and also their marketing is emphasizing the same; so I have (some) reasons to trust them. But with other things like Firefox, Opera the story may be a different one. Not to speak about Google Chrome and similar stuff…)

So, let’s say (as “tl;dr”):

  • Use Safari for your trivial every-day credentials
  • Use MacPass (or any other secure database) for the really sensitive stuff

This way you get both: convenience and security. And both for free, “free” as in “beer”. It requires a bit more of attention than using only LastPass or 1P, but — it’s your data.


A couple other things to think of:

  • kdbx (the format MacPass, but also KeePassXC is relying on) is an established database format, with security on first priority, and it will be hard to gag this. (Honestly, I think, companies like Agilebits or LastPass are already gag-ordered for many years; but that’s just my personal opinion)
  • With that format you are not bound to a specific platform (macOS, for instance). It exists on Linux and also on Windows for many years.
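
A simplified model of the title-matching step described in post #4 above, as an added example (it is not MacPass or KeePassXC code and not part of the original post). The `Entry` fields, the hypothetical `window_pattern` association and the sample titles are constructed assumptions; the point is that a changed or non-unique page title must result in nothing being typed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Entry:
    title: str                 # entry name in the database
    username: str
    window_pattern: str = ""   # hypothetical: optional glob for window titles


def matches(entry: Entry, window_title: str) -> bool:
    """True if the entry is associated with the given window title."""
    win = window_title.casefold()
    if entry.window_pattern:
        # An explicit association set by the user takes precedence.
        return fnmatchcase(win, entry.window_pattern.casefold())
    # Fallback as described in the post: entry name appears in the title.
    return entry.title.casefold() in win


def select_entry(entries, window_title):
    """Return (status, candidates): 'unique', 'ambiguous' or 'no_match'."""
    hits = [e for e in entries if matches(e, window_title)]
    if len(hits) == 1:
        return "unique", hits
    if not hits:
        return "no_match", []
    return "ambiguous", hits


def username_to_type(entries, window_title) -> Optional[str]:
    """Only a unique match is typed; anything else needs the user."""
    status, hits = select_entry(entries, window_title)
    return hits[0].username if status == "unique" else None


# Constructed sample database (no real sites or accounts).
ENTRIES = [
    Entry("Example Bank", "tom-bank", window_pattern="Example Bank - Login*"),
    Entry("Example Shop", "tom"),
    Entry("Example Shop", "tom-work"),
]

if __name__ == "__main__":
    for title in (
        "Example Bank - Login - Safari",     # association still valid
        "Sign in | Example Bank Online",     # page title changed
        "Example Shop - Sign in",            # two entries, same site
    ):
        status, hits = select_entry(ENTRIES, title)
        print(f"{title!r}: {status} {[e.username for e in hits]}")
```

The "no_match" case is the maintenance the post mentions: the stored association has to be adjusted by hand after the page title changes.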

#5

Tom, this is one subject that we disagree on. In your zeal to promote MacPass, you have grossly denigrated 1Password. It is clearly NOT "an overhyped toy app". It is a professional, top-rated app, as rated by users and reported by lifehacker.com (see below).

I highly recommend 1Password. I've been using it for years now, and have never had any issues. It is well-maintained, having numerous free updates throughout the year, is quick to respond to any new general security issues found in the wild, and provides great new features once a year or so for a modest paid upgrade. However, starting with 1Password 7, they are using a subscription model with a modest price of $3/month for individuals, and $5/month for a family account (5 users).

The same 1Password account and vault (database) work across all my Macs and iOS devices.

I have to strongly disagree with that. There is nothing inherent about open-source apps that make them more secure, and there is nothing inherent about closed-source apps that make them insecure. In fact, AFAIK, there has never been a security issue found with 1Password.

From The Five Best Password Managers -- lifehacker.com

1Password is well-loved and well-regarded for offering a powerful and secure password manager and digital wallet in a really sharp-looking package that shines on every platform it runs on.

  • It’s flexible, easy to use,
  • works seamlessly in just about every web browser, and
  • packs in the same features that you’ve come to expect from a premium password manager and secure document storage tool.
  • 1Password looks great,
  • comes with a strong password generator to help you pick good passwords every time you change one,
  • secure notes for other passwords or notes that you want to keep private,
  • a digital wallet for bank accounts and payment info, and
  • a password “recipe” builder that lets you customize your passwords to your demands instead of just accepting whatever algorithm the password generator spits out at you.

I've never used MacPass, so I can't comment on it, except to say it apparently is a Mac clone of KeePass. Based on the LifeHacker.com article and the MacPass web site, it appears that MacPass and 1Password have a number of differences, both in architecture and UI.

So my suggestion to those that don't have a password manager is to get one ASAP. Do your homework, and pick the one that is well qualified and works best for you.


#6

Jim,

why are you referring to the previous post, while I already posted another one, hopefully better and more explanative?

And: There is no need to quote “authorities” (lifehacker, and whatnot). What I’m posting is from personal experience. I’m completely aware of what most “authorities” are saying about 1Password. I will not say that all of this is sponsored stuff, but think of it.

But, as said, independently if your sources are sponsored, I’m reporting my personal experience. Unaltered.

In other words: I’m not trying to compete with you (or any other poster) in quoting reviews.
You should post what you want.

– Tom


#7

@JMichaelTX, this might have got received a bit the wrong way. What I wanted (and want) to say is: I’m just reporting my personal experience. I did not want to say that you have quoted consciously false or sponsored reviews.


#8

@JMichaelTX,

I really have no “zeal” for MacPass. You may or may not have noticed that I’ve mentioned at least two times in the thread that there is another app, that does roughly the same.

Personally I prefer MacPass, since the author does great efforts to make it a real “Mac-App”, but KeePassXC (cross-platform) isn’t shabby at all.


#9

OK, @JMichaelTX, please allow me a couple of questions:

  • Since when and for how much time did you use 1P?
  • have you tried anything else during that period (LastPass, or kdbx-based solutions)?
  • did you have contact with the support crew of Agilebits?
  • have you ever tried any other password manager before or after that (LastPass, DashLane, etc.)

#10
  • Since when and for how much time did you use 1P?
    • I think I started with 1PW 4 in Feb 2015
    • I use it many times a day, every day
  • have you tried anything else during that period (LastPass, or kdbx-based solutions)?
    • Nope. I do not have a need to try anything else
  • did you have contact with the support crew of Agilebits?
    • Nope. I have not had any issues. No need to contact them.
  • have you ever tried any other password manager before or after that (LastPass, DashLane, etc.)
    • I think I tried LastPass many years ago, but maybe on Windows.

You make an allegation without providing any evidence whatsoever.
I've read LifeHacker for years, and I have never seen any evidence that their reviews are "sponsored" (whatever that means). I've generally found them to be independent and accurate. If you have evidence of otherwise, please post.

IAC, in this specific article, the "best password managers" were based on user ratings.

At the time I started writing my above post, you had not yet made that post. But by the time I completed my writing and hit the reply button, you had made the post.

Now responding to your post above

Were you using 1PW then? What you post is not at all supported by my experience with 1Password 4+, starting in Feb 2015.

They made two major updates before moving to the subscription model: 1PW5, 1PW6
I upgraded to both of those and they worked very well.

I have not used 1PW7 (the subscription model), but I did just review its feature list. I did not see anything major in it that was not already in 1PW6.

Totally disagree. I have not seen any evidence of this.

Again, I totally disagree with that strategy:

  1. Doesn't work for Chrome, FireFox, or any other browser.
  2. I have to remember which place I keep which password
  3. Apps like 1Password also store app credentials (like license info), user Identities, and credit cards
    • So with 1PW I have everything in one very secure place, that is easy to use, and easy to review/edit

1Password is available for:

  • Mac
  • Windows
  • iOS
  • Android

FWIW, I am not pushing 1Password per se -- just responding to false allegations.

To Other Readers

Again, I'll make the point that the most important point is to get and use a secure, reliable password manager. Don't store your passwords in insecure places like text files, KM variables, Excel, Word, Pages, Numbers, etc. Do your homework, do some testing, and then pick the password manager that works best for you.


#11

Thank you for the detailed comments and insights that you have gained along the way and recommendations!

Indeed, I meant subscription. The company is strongly nudging users towards becoming subscribers.

A KM enhanced workflow with MacPass and with "autotype" appears doable.

I am a little concerned about not being able to use Chrome easily a) because some websites seem to open better in Chrome, and b) it appears that browser automation using Keyboard M is easier with Chrome (I may be wrong on this). I do prefer Safari where possible because of Apple's stated commitment to privacy and security.

And it seems iOS is not fully covered for users of MacPass. There is the app you referred to - MiniKeePass, but then is it yet another app that needs to be vetted for being secure? Or can one assume that because it is open source, and popular, it must have been vetted by expert security users? Trying to understand.

Thanks again for your detailed comments.


#12

I finally broke with 1P when they introduced the subscription model in its first incarnation (~$60, called “Family” and/or “Teams”, don’t remember exactly).

Have you clicked the link to my blog? With “essential functionalities were missing” I’m actually referring to that. (Non-functional and deprecated 1PasswordAnywhere and no valid substitution, except you subscribe to Family/Teams. The ability to reliably get to your data if your iPhone is bricked/lost is —in my book— a very, very essential thing for a password app.) [1]

I’m not a fan of subscriptions in general, but it’s OK for me if a company offers a subscription that gives you the full feature set, and a standalone app with a basic feature set. However, if you do that, security-crucial features must be present in the standalone app. Furthermore, it had been promised that 1PasswordAnywhere would be brought back to a working state, or replaced by something equivalent. [2]

I have not tried 1P anymore since the introduction of the first subscription model.

Did they actually reintroduce the above described functionality to the standalone app?
Explicitly: Is there now a possibility to have quick and reliable access to the database from any computer without having a subscription? (e.g. in emergency situations when traveling and the phone is lost)

Replace “Safari” with “the browser of your choice”. I guess, also Chrome can store passwords. At least Firefox can.

> I have to remember which place I keep which password

Sorry, didn’t repeat it in the tl;dr (but I have said it in the main text of my post): I have all my data in the kdbx database; in addition the trivial every-day credentials I have also in Safari’s iCloud keychain, for convenience.

> Apps like 1Password also store app credentials (like license info), user Identities, and credit cards

In a kdbx database you also can store that.

> So with 1PW I have everything in one very secure place, that is easy to use, and easy to review/edit

See above.

I can see that my post might have been insinuating that 1P is only available for macOS, which is not true, of course.

What I wanted to point to, is this: I can store the kdbx file on any FAT-formatted USB stick, and on the same stick I can store a macOS, Linux and Windows version of a portable kdbx reader. I can also store the database on Dropbox, iCloud, an email server and whatnot, and open it with the portable app from my stick on any available or public computer.
(Normally you would not want to do that, but we’re speaking of emergency situations.)

During the time where I used 1P it was impossible to launch the app from a stick.


Footnotes:

[1] Explanation: The old “1PasswordAnywhere” functionality allowed you to store the database in Dropbox and open it on any computer via any JS-capable web browser. At a certain point this stopped working reliably, and shortly after it has been officially deprecated.

[2] At that time I confronted them with the problem on the support forum, telling them that it is not OK to promise to bring back a crucial feature, and then at the end making it available only with a $60 subscription.
All I got were dodging and even snappy replies. That gave me the deep impression that they were well aware of the issue and that it was a conscious/tactical decision to not make that functionality available to non-subscribers, even though it’s security-crucial.
The statement by @sims “1Password has upgraded and are prioritizing memberships” seems to confirm that they continue with that subscriptions-first policy.


#13

Short answer: Yes

If you have set up 1PW6 to sync via DropBox (or maybe iCloud), then you can access your account and database from any device that has the 1PW6 app installed. So, I guess this means that if you are on travel and lose your phone/computer, then you would have to get/borrow a new one and install the app. Not ideal, but doable.

Of course, if you go with 1PW7+, the subscription model, then your database would be available anywhere. (but you need to verify this)

Tom, I get it that you don't like 1Password, and that is fine. It has worked very well for me for 3+ years now, and I'll continue to use it. I'm using 1PW6, and not sure that I'll update to 1PW7 (subscription), since at this point I don't see any new compelling features.

I think we have pretty much beat this horse to death, so I'll refrain from any further posts here, since I think all of my points have already been made. :wink:


#14

Well, then consequently the correct Short Answer would be “No”:

If you are in trouble and quickly need access to your data, then having to get a new iPhone and installing the app is simply not comparable to the possibility to just put a USB stick in any computer.

I think/hope my point is clearer now.

Yes, this is how it works (at least at the time when they introduced the subscription models). And this feature was indeed the official replacement for the formerly existing and then abandoned 1PasswordAnywhere functionality. Just with the slight difference that now I would have to buy a subscription in order to get that (already paid) functionality back :wink:

I understand that, and I’m also tired of speaking about that app, believe me :wink:
I posted this last follow-up just for other readers, to make clear what the problem with 1P (for me) is. No need to post any reply.


#15

Whew. The thread derailment is finally over.


#16

I know I said I would refrain from further posts here, but I later thought of a possible workaround for Tom's concern.

If I understand correctly Tom likes MacPass because he can carry it on a thumb drive as a backup, and always have access to his passwords. So, my workaround is to use an old phone (iPhone or Android) where you have installed/updated the 1Password app before you leave on a trip. Keep this backup phone in a secure place during your travels. I have used this technique for other data, and it works well.

For me, I never go anywhere without both my iPhone and my MacBook Air, so I have an automatic backup.

HTH. Signing off for now . . . :wink:


#17

I sincerely apologize that I dared to suggest an alternative app as a solution :wink: (That’s where the whole derailment started.)

But, judging by the number of clicks on the MacPass link (and @sims’s post 7 months later), there seem to be users who are interested in alternative apps. So, at least, it was not completely in vain :wink:


#18

And derailment it is, as it didn't provide a solution to unlocking 1Password Mini with Keyboard Maestro.

If your purpose is to promote MacPass, then perhaps so. Otherwise, this is simply a rationalization for justifying the derailment.


#19

Not for that problem. I provided it as solution for the question “How do you get it to log in to Mac apps?”, see this post.

But good that you mentioned it. This means the derailment didn’t actually begin with my post but with one of the posts before mine. I’m more calm now :wink:


#20

From an unbiased perspective, not so. He was responding to a direct question.

Compare that to your post, which is breaking into the conversation to promote MP.