The next password leak is sure to come, and it could affect you too. Since January, several data collections containing millions of stolen credentials have been circulating online. Some of the leaked e-mail addresses and their associated passwords are several years old, but one can assume that many still work, because many people never change their passwords or reuse them on several sites (which is not recommended).

A simple step towards more password security is the use of a password manager. Such a program manages all access data in a secure database, a so-called vault.

If you use a password manager, you no longer have to remember your passwords for services, apps and email accounts yourself, and you can say goodbye to short or overly simple passwords. A password manager also stores complex credentials and, if desired, helps to enter them in the browser when a site is opened. All users need to remember is a strong master password: the key to the vault.

Most security experts believe it's better to use a password manager with a single, strong password rather than using many insecure or even identical passwords for different online services. The password manager databases are encrypted using common technology so that even if they fall into the hands of attackers, they will be difficult to crack without the master password.

But which password manager is the right one? Below we introduce three popular programs: LastPass, KeePass and Dashlane. In a photo series for each, we explain step by step how to set it up.

1) LastPass

The Online Manager: That's how LastPass works

LastPass is a cloud-based password manager. It runs completely in the browser, either via the website of LastPass or in the form of a browser extension. Alternatively, the program can be used as a smartphone app for Android and iOS.

LastPass works with all major browsers and is free in the basic version. Additional features such as emergency access for family members and extended support are offered in a premium version, currently from 2.60 euros per month.

The benefits of LastPass and other online managers, including the equally popular 1Password, are clear: as the data is stored on company servers, it is always available. Anyone who sets up LastPass first on a PC and later on a laptop has instant access to all their passwords, because they are stored in the cloud. Passwords are therefore always available when traveling, provided an Internet connection is available. Otherwise, the only option left is to log in offline. The manager can also be used if the LastPass servers have problems.

However, storing the data online does not only have benefits for customers. In 2015, a hacker attack on LastPass resulted in customer data being stolen, although no actual passwords. These are encrypted locally, i.e. on the respective device.

The key and the master password are never sent to LastPass; the service only ever receives a so-called authentication hash. Even if the encrypted databases are stolen from the LastPass servers, it is difficult or even impossible to open them. Nevertheless, one should be aware that cloud-based managers always transfer the user's passwords, in encrypted form, to external servers.
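The split between the local key and the authentication hash can be sketched as follows. This is an added example, not LastPass's own code: the PBKDF2 parameters, the `Service` class and the sample account are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_vault_key(master_password: str, account_salt: bytes) -> bytes:
    """Client: stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), account_salt, ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client: one more one-way step; only this value leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)


class Service:
    """Hypothetical server: keeps a salted hash of the auth hash only."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        self.accounts[user] = (salt, stored)

    def login(self, user: str, auth_hash: bytes) -> bool:
        if user not in self.accounts:
            return False
        salt, stored = self.accounts[user]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    salt = b"alice@example.com"  # constructed sample account
    password = "correct horse battery staple"  # constructed sample
    key = derive_vault_key(password, salt)
    auth = derive_auth_hash(key, password)
    service = Service()
    service.register("alice", auth)
    bad = derive_auth_hash(derive_vault_key("123456", salt), "123456")
    return {"login_ok": service.login("alice", auth),
            "wrong_password": service.login("alice", bad),
            "server_has_key": key in service.accounts["alice"]}


if __name__ == "__main__":
    print(demo())
```

The vault itself would be encrypted on the device with the vault key; that step is left out here because Python's standard library has no AES.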

In addition, LastPass is not open source: although it uses the current AES-256 encryption technology, large parts of the software are proprietary, which means that they cannot simply be examined for vulnerabilities by any security researcher.

Security test for better passwords

For some users, LastPass's automatic form recognition might be helpful. If the browser extension for the program is installed, the option to automatically enter the username and password appears every time you log in to a website. At the first login on a new page, LastPass also asks whether the data should be added to the vault.

Users can also manually store passwords directly in the vault. For a better overview, credentials can be sorted into different categories. Likewise, users can choose whether LastPass should automatically log them in everywhere or whether the program should completely ignore individual websites.

LastPass draws attention to weak and reused credentials with a security test: on request, the service analyzes all passwords for their strength. Anyone who then decides to change weak credentials for individual services gets the option to use LastPass's password generator directly in the input field. This easily creates a random and secure login.

LastPass does not only store passwords. In the browser vault, users can also keep secure notes, such as the mobile phone PIN or ID and credit card information. A form assistant helps with online shopping, filling out forms not only with the password but also automatically with the address or payment data, provided LastPass recognizes the respective fields, which is not always the case with German shops.

Conclusion: LastPass is ideal for beginners. The software runs on many platforms and is free in the basic version. In addition, the data is synchronized across multiple devices, and the automatic filling of login forms also works well via the smartphone app. However, one should keep in mind that with LastPass and other cloud-based managers, all stored passwords (albeit in encrypted form) are transferred to the company's servers.

2) KeePass

Offline is (maybe) better: this is how KeePass works

KeePass is conceptually the opposite of LastPass: the password manager stores all passwords locally on one device only, in a database encrypted with AES-256. Nothing is transmitted to the internet. KeePass is free and made for Windows. Apple and Linux users can only use it via a detour, either through the Mono software or by using compatible software such as MacPass or KeePassXC, which is available for several operating systems. A German version is available through a language file that needs to be copied to the installation folder.

There are different versions of KeePass because the password manager is open source. This means that anyone can use the source code and program their own extensions or alternative versions for other operating systems. In addition, experts can examine the code for vulnerabilities at any time.

KeePass is popular with technology-savvy users due to its many expansion options through plugins. The manager also offers more options than LastPass or Dashlane, but handling it is a bit more complex.

Since there is no company behind KeePass, no registration is needed. The manager is either installed as a program or simply unpacked from a ZIP file, and you're ready to go. At the first start, a database is created and protected with the master password and optionally an additional key file. Because the software is very small, users can start it from a USB stick while traveling.

Of course, this is only useful if you also have your password database with you. This shows both the advantages and disadvantages of offline managers. On the one hand, the password vault does not leave your own computer, so the passwords do not end up in the cloud. On the other hand, KeePass is only as safe as the PC it runs on: if it is infected by Trojans or keyloggers, attackers can theoretically attack both the database and the master password.

Many customization options through plugins

KeePass users must also be careful to back up their database. If it is accidentally deleted or the hard drive crashes, all passwords would be gone forever - a disaster. The database should therefore be backed up regularly on a USB stick or a second PC.

Such database copies are needed anyway if you use multiple devices. Anyone who adds a password on the PC must do the same on the laptop, or simply copy the database over.

There is no automatic synchronization as with LastPass. However, there is a function to transfer the database to an external server, such as your own web space. Using the aforementioned plugins, the KeePass database can also be synchronized using storage services such as Google Drive or Dropbox (which, of course, negates the benefits of local storage, because files in cloud storage are another hacker target).

For automatically completing logins on websites there is only an auto-type feature. For this, the browser must be open in the background with the corresponding login page. Users only get better browser support via plugins like KeeForm or PassIFox. These, in turn, have to be set up and do not work as well as LastPass or Dashlane.

This works better in KeePassXC, a KeePass version that already includes browser support. Otherwise, it offers the same password generator as KeePass and can divide credentials into different groups and attach additional notes. For smartphones, there are apps like Keepass2Android and MiniKeePass that can open KeePass databases.

Conclusion: Local, open source, expandable: KeePass is the password manager for anyone who does not trust cloud-based companies and would rather do everything themselves. Better control, however, also requires more responsibility: users themselves must ensure that their password store is not lost. A good compromise is KeePassXC. It is based on KeePass, but also runs on macOS and includes passable browser support.

3) Dashlane

The premium complete package: That's how Dashlane works

A third recommended password manager is Dashlane. The software from the US company usually performs very well in tests. There is a free version, but it is limited to a maximum of 50 passwords and a single device. If you want to save unlimited passwords, synchronize them across multiple devices and use all additional functions, you currently have to pay 3.33 euros per month for a premium account.

Like KeePass, Dashlane can be installed as stand-alone desktop software, on Windows, macOS, Android and iOS. But if you are traveling or using Linux or a Chromebook, you can only use the browser extension, as with LastPass.

After installation, Dashlane guides its users through all functions. First, it checks whether passwords are already stored in the browsers. If so, they can be imported directly into the Dashlane vault. Importing data from other managers such as LastPass, KeePass or 1Password is also possible; corresponding instructions are available on the website. This makes getting started easier.

Passwords do not need to be synced online

Anyone who does not exclusively use the browser extension will be redirected to the desktop application whenever they want to change a password or create a new one. In Dashlane, users can also store their addresses and credit cards for faster online shopping. The detection of credentials and forms usually works very reliably.

Unlike LastPass, Dashlane does not automatically synchronize the stored data with the company's servers. It initially stays local on the device where the Dashlane app is installed. If you log out of the software, the browser add-on no longer works.

Synchronization of the data is still possible in Dashlane with a premium account. It starts as soon as users set up a second device. If a password is then changed on the smartphone, the change also shows up on the laptop. Synchronization can be switched off later; the data stored on the servers is then deleted.

Emergency contacts and VPN: The additional functions of Dashlane

In addition to login data, users can also enter secure notes, credit card details or identity papers, as with LastPass. Before one of these expires, Dashlane shows a notice. Users can also name an emergency contact, who gets access to saved passwords and notes after a certain period of time; what exactly is shared and after which period can be configured.

The so-called identity dashboard is practical: it shows users at a glance which of their passwords are weak, which are used twice and which are at risk. Dashlane also offers "Dark Web monitoring", for which up to five e-mail addresses can be entered. Should a large password leak occur again and the addresses be affected, the program issues a warning. We have not tested how well this works, nor the VPN service that customers with a premium subscription get.

Conclusion: Dashlane is a password manager for those who like to use desktop software and who do not want to spend a lot of time on setup. The program is easy to use, and form recognition via the browser extension works perfectly. Synchronization across multiple devices is possible, but optional. A disadvantage is the slightly higher price for a premium account.