From TREZOR to LastPass: Best Password Managers 2016 Review


About a week ago I discovered that some hacker managed to get a hold of 99Bitcoins’ email addresses and started spamming our mailing list. If you’re on the email list then you probably already received my official apology for this. If you’re not, then this shouldn’t matter to you anyway. Since then I’ve taken measures to secure the email records and now things are back to normal more or less.

However, this whole fiasco got me thinking a bit more about security, and that’s what I want to devote today’s post to. So today I’m going to show you:

  • Just how weak your own passwords really are,
  • How I lost $1500 because I used the same password over and over again (sound familiar?), and
  • A review of the best password managers around (including a Bitcoin-related one).

How a weak password cost me $1500

Somewhere around 2010 I was running all sorts of marketing campaigns on Google AdWords, Yahoo! and Bing. I had my credit card on file with each of these accounts and, not being too preoccupied with security, I used the same password on all of them.

At the time I thought my password was secure: it was “x9Jevslt”, which seems pretty hard to guess, right?

However, one day I received an email saying that my account had been reloaded with funds. Since I didn’t have any active campaigns running at the time, I decided to check what this email was all about. When I logged into my account I found out that $1500 had been charged to my credit card for Google ads promoting some scam website that claimed to sell computers.

At the same time, my PayPal account (which of course had the same password) was drained of another few hundred bucks. Luckily I was reimbursed for my losses by the credit card company and PayPal, but I also learned a very important lesson.

Ever since, I’ve taken password management pretty seriously by sticking to the following rules:

  • Use a different password for every site
  • Use lengthy passwords with symbols and non standard characters
  • Change my most important passwords once a month

Even though it may sound hard to live that way, today’s password managers can take care of all three of these for you. But before getting into that, let’s see just how easy it is to crack your password.

Is your password good enough? Let’s put it to the test…

Many people out there think their password is super strong; so did I. Here’s a very simple tool that will show you just how strong (or weak) your password really is. If you enter my old password (x9Jevslt) you’ll see that it estimates about 2 hours for a computer to crack it; any password with fewer characters (mine had 8) comes out at around 7 minutes. Keep in mind what such a figure actually means: the attacker is assumed to have stolen a copy of the site’s password hashes and to be guessing offline at a fixed rate. The same password holds up far longer against a login form that limits attempts, and falls far faster if the site stored it with a fast hash and the attacker has a rack of GPUs.

So does this mean your password is going to get cracked? Not necessarily…

There’s an old joke about two men walking through the woods when a large bear walks out into the clearing no more than 50 feet in front of them. The first man drops his backpack, digs out a pair of running shoes and furiously starts lacing them up as the bear slowly approaches. The second man looks at him, confused, and says, “What are you doing? Running shoes aren’t going to help, you can’t outrun that bear.” “I don’t need to,” says the first man, “I just need to outrun you.”

I know, the joke sucks, but it makes a good point. When dealing with password security you usually don’t need THE most secure password; you just need to be harder to crack than the guy next to you, because attackers working through a leaked database start with the easiest accounts.

Using a password manager makes sure you don’t have any repeated passwords, so even if one site is breached, the leaked password is useless everywhere else (this is exactly what would have saved my PayPal account). It also lets you generate much longer and more random passwords than the ones you currently have.
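Here is the arithmetic behind that crack-time estimate, together with the kind of generator a password manager uses, as an added Python example that is not part of the original post or of any of the products reviewed. The character-class sizes and the three attacker speeds are illustrative assumptions; real estimators use more elaborate models, and a password built from words or dates is far weaker than the pure brute-force count suggests.

```python
import math
import secrets
import string

# Character classes and the alphabet size a crack-time estimator assumes for each.
# These sizes (and the guess rates below) are assumptions for illustration.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),   # printable ASCII symbols
)

# Illustrative attacker speeds in guesses per second, not measurements.
GUESS_RATES = {
    "online login form, rate-limited": 10.0,
    "offline, slow hash (bcrypt/PBKDF2)": 1e5,
    "offline, fast hash (MD5/SHA-1 on GPUs)": 1e10,
}


def alphabet_size(password: str) -> int:
    """Smallest 'obvious' alphabet that covers every character (256 if empty or non-ASCII)."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    return size or 256


def search_space(password: str) -> int:
    """Candidates in a brute-force search over that alphabet at this length.
    Assumes the password is random; words, dates and keyboard walks shrink it drastically."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(search_space(password))


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected time: on average the attacker hits the password halfway through the space."""
    return search_space(password) / 2 / guesses_per_second


def human(seconds: float) -> str:
    for unit, length in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(password: str) -> dict:
    """Crack-time estimate under each attacker model, keyed by the model's label."""
    return {label: seconds_to_crack(password, rate) for label, rate in GUESS_RATES.items()}


def generate_password(length: int = 20) -> str:
    """What a manager does: CSPRNG (secrets, never random), at least one character
    from each class, the rest drawn from the full alphabet, then shuffled."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    full = "".join(chars for chars, _ in CLASSES)
    chosen = [secrets.choice(chars) for chars, _ in CLASSES]
    chosen += [secrets.choice(full) for _ in range(length - len(chosen))]
    secrets.SystemRandom().shuffle(chosen)   # don't leave the guaranteed chars at the front
    return "".join(chosen)


if __name__ == "__main__":
    for pw in ("x9Jevslt", "x9Jevsl", generate_password(20)):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits")
        for label, secs in report(pw).items():
            print(f"    {label:40s} {human(secs)}")
```

Run it and the point of this section falls out of the numbers: the very same 8-character password comes out at about 3 hours against a fast hash on GPUs and at hundreds of thousands of years against a throttled login form, so where and how the site stores your password matters as much as the password itself, while a 20-character generated one is out of reach under every model.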

Moreover, password managers have an “autofill” feature, so you can log into most websites with a single click. Since you never type the site password, a keylogger that records your keystrokes doesn’t see it. Be aware of the limit of that protection, though: you still type your master password, and malware that already has a foothold on the machine can go after that, or after the unlocked vault, directly.

Now that I’ve hopefully convinced you of the advantages of a password manager, let me introduce you to some of the more recommended ones around.

Roboform – My personal password manager

I decided to start by reviewing Roboform, since it’s my personal password manager and I’ve been using it since 2010. Like most password managers, it lets you generate a different password for every website you sign up to, stores those passwords in its database and autofills forms online.

Every time I want to log into a website I use the Roboform Chrome extension to auto-populate the username and password fields and log me in. Roboform is a cloud-based solution, so you can easily access your passwords from multiple devices.

Your passwords are kept secure on Roboform through the use of one “master password”, which is the only thing that unlocks the vault. It shouldn’t be written down anywhere and should be memorized by heart. This is standard practice across password managers, as you’ll soon see, and it’s also their major weak point: if someone obtains your master password, every password in the vault is exposed. It also means the master password should be long and unlike any password you’ve used elsewhere, since it is the one that protects all the others.
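To make that “single point of failure” concrete, here is the model behind every manager in this review, as an added Python example that is not the code of Roboform, LastPass, KeePass or anyone else: the vault key is stretched from the master password with a slow key derivation function, and an attacker who steals the vault file can guess master passwords offline with no lockout and no 2FA in the way. The header layout, iteration count, wordlist and the 1e9 HMAC/s cracking rate are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Work factor. A constructed value for illustration; every product picks its own, and
# this header layout is a simplified model, not any manager's real file format.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    The iteration count is what makes each guess expensive for an attacker."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def create_vault_header(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What the vault stores beside the encrypted entries: a random salt, the iteration
    count, and a keyed verifier tag so the client can tell a wrong password from corrupt
    data without the tag revealing the key itself."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str):
    """Return the vault key on success, None on a wrong master password."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    tag = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, header["verifier"]) else None


def offline_guess(header: dict, candidates: list):
    """The attacker's side once the vault file is stolen: no server, no lockout, no 2FA.
    Returns (recovered master password or None, number of guesses spent)."""
    for n, guess in enumerate(candidates, 1):
        if unlock(header, guess) is not None:
            return guess, n
    return None, len(candidates)


def guesses_per_second(iterations: int, hmac_per_second: float = 1e9) -> float:
    """Attacker throughput, assuming (illustratively) hardware doing 1e9 HMAC-SHA256/s."""
    return hmac_per_second / iterations


def years_to_exhaust(candidates: int, iterations: int, hmac_per_second: float = 1e9) -> float:
    return candidates / guesses_per_second(iterations, hmac_per_second) / (365 * 86400)


if __name__ == "__main__":
    # Constructed wordlist standing in for the top of a leaked-password list.
    wordlist = ["123456", "password", "qwerty", "letmein", "x9Jevslt", "Summer2016!"]
    weak = create_vault_header("Summer2016!")
    strong = create_vault_header("plaza-otter-kindle-bishop-quartz")   # constructed passphrase
    print("weak vault:  ", offline_guess(weak, wordlist))     # found on guess 6
    print("strong vault:", offline_guess(strong, wordlist))   # (None, 6)
    # Why the iteration count matters: a 10,000-word list vs a 5-word passphrase from a 7776-word list.
    for it in (1, 1_000, ITERATIONS):
        print(f"{it:>7} iterations: {guesses_per_second(it):.0e} guesses/s, "
              f"10k-word list in {10_000 / guesses_per_second(it):.3g} s, "
              f"5-word passphrase in {years_to_exhaust(7776 ** 5, it):.3g} years")
```

Two things to take from it: the iteration count only multiplies the attacker’s cost, so a master password that is on a leaked list is found in seconds regardless, and everything the server-side protections (lockouts, 2FA) buy you disappears the moment the attacker has the file, which is why the master password has to stand on its own.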

The main downsides to using Roboform are that it doesn’t flag weak passwords and doesn’t offer two-factor authentication (2FA) on mobile. 2FA is an additional security measure that protects your account even if someone gets hold of your master password: after entering it, you also need to enter a one-time access code sent to your mobile phone.

All in all, I’ve been using it for 6 years now and I’m very satisfied (or was, until I wrote this review).

Price: $19.95/year

Learn more about Roboform here

LastPass – The most popular password manager around

LastPass is probably the most popular password manager out there. It has a very robust free version that lets you save all your passwords, autofill forms and sync passwords across devices of the same type (i.e. desktops, tablets, etc.).

LastPass has some extremely useful features, such as password sharing. If you want someone to log into an account you own, you can send them an email invitation that lets them log in without showing them your actual password. I think this can come in handy if you work a lot with freelancers who need access to your servers. Treat the hidden password as a convenience rather than a security boundary, though: their browser still receives it in order to fill in the login form, so a determined recipient can recover it.

LastPass also protects your account with 2FA using Google Authenticator, so even if your master password is compromised, the attacker still can’t log into your account. You can also install LastPass’s 2FA component on any flash drive so that authentication only succeeds while the drive is connected to the computer (similar in spirit to how a TREZOR works). Note what 2FA does and doesn’t cover: it guards the login to your LastPass account, but it adds nothing to the encryption of the vault itself, so anyone who obtains a copy of your encrypted vault is back to guessing your master password.

At $1/month, this is probably the best value-for-money password manager you can find.

Price: $12/year

Learn more about LastPass here

TREZOR – Using your Bitcoin wallet as a password manager

SatoshiLabs has announced TREZOR Password Manager, a new lightweight application designed to store and manage passwords. The Chrome extension is available for public beta testing to all TREZOR hardware wallet owners.

TREZOR Password Manager aims to bring strong cryptography to computer users regardless of their skill level. With one click, the user encrypts each password entry with their personal TREZOR device. The Password Manager then uploads the encrypted data to the user’s own cloud storage, so it is always available when needed.

The most refreshing thing about TREZOR’s password manager is that it eliminates the master password that can be phished or guessed. Similar to LastPass’s flash-drive option, the TREZOR device itself serves as a physical second factor, unlocking your passwords only while the device is physically connected to your computer. The secret that does the unlocking is rooted in the device’s recovery seed, so the seed backup has to be guarded as carefully as any master password.

Also, since the TREZOR PIN is entered through a scrambled keypad that is only shown on the device’s own screen, malware on the computer sees where you clicked but not which digits you entered, so a keylogger gets nothing useful. That is a much stronger position than a software-only manager, although no device is truly “un-hackable”. If you want to learn more about how TREZOR avoids the hazard of keyloggers, take a look at this video demonstrating the device.


Your passwords are saved to your Dropbox account, encrypted with a unique key derived on the TREZOR. So even if someone hacks your Dropbox account, they get only ciphertext and would find it practically impossible to read the stored passwords without the device.

At the moment TREZOR’s password manager is probably the most secure password manager around, but also the most inconvenient for everyday use, since it requires you to physically connect your TREZOR and approve certain actions on it. It’s also currently lacking some key features because it is in public beta, but this is definitely an application you’ll want to keep an eye on.

Price: $99 (one time payment for the TREZOR wallet)

Learn more about TREZOR here

Dashlane – The password manager I’m probably switching over to

Before writing this review I was pretty happy with my password manager, until I read about Dashlane. Even though it’s not as popular as LastPass (yet), it seems to be gaining traction fast. The things that distinguish Dashlane from the other password managers are:

  • It can act as a digital wallet that saves all of your different payment methods. You can then pay with one click.
  • It has a password changer feature, which is HUGE in my opinion. I tend to change my most important passwords every month or so, but at the moment I do it manually. Dashlane’s engineers have analyzed hundreds of popular sites in order to write scripts that automate the password change process, which lets Dashlane perform a hands-off password update on any supported site; with version 4 the list of supported sites jumps from 200 to 500.
  • It has an “emergency contact” feature. So if something unfortunate happens to you, you are able to define who will get access to what passwords.

All the other features I’ve mentioned for the other password managers are included here too, and there’s also a free version that’s pretty robust.

Price: $39.99/year

Learn more about Dashlane

P.S.

I’ll probably be switching over to Dashlane soon mainly due to the “password changer” feature…

KeePass – The open-source solution for password management

As always, there is a free open-source option. KeePass is a popular one that stores your passwords in an encrypted database file on your own computer; nothing is sent to a vendor’s server, and because the database is an ordinary file, you decide whether and how it is synced between devices. It has all the basic password manager features, including autofill and password generation.

The main downside to KeePass is that it’s pretty unintuitive, but if you’re willing to go the extra mile in order to save a few bucks, that’s totally fine. Here’s a video preview of the product (with some annoying music, so turn off the speakers):

Price: Free!!

Learn more about KeePass

Nothing is ever 100% secure

To sum up this post let me say this: I AM NOT A SECURITY EXPERT. I’m just a guy who has a lot of sensitive information stored online that’s trying to secure it as much as possible. Nothing will ever be 100% secure and if someone is deliberately targeting your passwords, they’ll probably find a way to get them.

Just to illustrate my point you can read the story of Shapeshift’s hack, which is one of the most interesting articles I’ve ever read about a theft from a digital currency exchange. In this case someone was deliberately targeting a specific site and person.

However, in most cases no one is targeting you directly. Hackers are just going after the “low-hanging fruit”, the passwords that are easiest to obtain. So making things that much harder for them by using a password manager will probably be worth the investment.

If you are using any password manager I’d love to hear your own experience with them in the comment section below. Stay safe!



Ofir Beigel

Owner at 99 Coins ltd.
Blogger and owner of 99Bitcoins. I've been dealing with Bitcoin since the beginning of 2013 and it taught me a lesson in finance that I couldn't get anywhere else on the planet. I'm not a techie, I don't understand "Hashes" and "Protocols", I designed this website with people like myself in mind. My expertise is online marketing and I've dedicated a large portion of 99Bitcoins to Bitcoin marketing.

15 Comments

  1. As others have stated, LastPass indeed does automatic password changes. It offers many options for 2FA including its own mobile app, text messages, and a myriad of third party apps and hardware keys. Overall, it functions much better and smoother than anything else, has more features, and is more robust. It’s proven and FREE. You need only pay $12 per year if you must have it on desktop and mobile, which I do. It seems a foolish investment to pay so much more for Dashlane.

    • I agree. All of the features, auto-changing passwords and emergency contact, are available in LastPass, including the ability to sync between devices. All this for free. Now I don’t understand the logic of Dashlane unless he is paying you with a free-for-life subscription to write this piece.

      • Actually they are not, I just wasn’t aware that these features were present there when I made this piece. This is my personal opinion, so feel free to disagree with it.

  2. Hi Ofir,
    Don’t most browsers come equipped with a free password manager? What would you say to those? They don’t come with all the fancy features of Dashlane, but the question is how secure are they?

    • Ofir Beigel

      Yeah they do, but personally I don’t want anyone who has physical access to my computer to be able to log into any site. I also don’t know how secure these password saving processes are.

  3. Dashlane’s 2FA has never worked for me, it syncs horribly, it only managed to change 6 of my passwords, and it fails when I need to bring it up and auto-logs in when I don’t need it to. Enpass is my temporary solution, but ultimately I’m likely to use a Yubikey and an OTP solution not connected to that key, with a 3rd failsafe.

    • Ofir Beigel

      You don’t need to enter your actual password. You can enter a variation of it that is still close to it.

    • Why bother? It’s not like it takes a rocket scientist to make up a strong password. A 12-15 digit long mix of random numbers and characters including upper/lower/special characters and you have a damn powerful password which no hacker is gonna bother cracking. Most passwords are stolen by keyloggers and human carelessness anyway. Complexity of passwords is rarely an issue unless you are using single dictionary words.

  4. Hi Ofir,

    Have a look at Enpass Password Manager. It’s an offline cross-platform app available for iOS, Android, BlackBerry and Windows 10, with a forever-free desktop app for Mac, Windows and Linux.
    Enpass uses the peer-reviewed, open-source encryption engine SQLCipher for AES-256 encryption. The built-in password generator generates strong and unique passwords for every login. Its support for six cloud-sync services, including ownCloud/WebDAV, makes data available on every platform. The desktop app supports browser extensions for Chrome, Firefox, Safari and Opera.

    For mobiles, the app is free to download and offers all the functionality of Pro (cloud sync, folder support, editing etc.), except that it can save up to 20 items. To add more, it charges a one-time fee of 9.99 USD per platform for a lifetime license. There is no monthly or annual subscription.

    So if someone is looking for a good and cost effective password manager, then Enpass definitely suits him.

  5. Simon Dedman

    I’m not in ‘love’ with LastPass due to annoying changes that have made the UI worse IMO, and occasional small usability glitches and failures to autofill sites etc., but in fairness to it, re: Dashlane pros, LastPass also does 1 & 3, i.e. one-click (well, more than one if you have more than one payment method or profile) payments, and emergency contact.

    So IMO this shifts the conversation to: is password auto-switching worth $28/yr to you?

      • LastPass does automatic password switching also. So, really, your best bet is probably LastPass. It has also been independently reviewed (source code) by Steve Gibson. The conduct of LastPass as a business during any bugs or hacks has been #1 top priority: protect the customer. They do right by you. It’s also free unless you need the mobile bit.

        You will get used to whatever interface changes they make.
