Web based password managers: 3 years later

Almost three years ago (yes, I was quite surprised myself), I wrote about my requirements from a web based password manager. That post generated a lot of discussion, and we have come a long long way since then. I figured it was a good time to step back and present what I feel are some of the best solutions out there.

First, let us recap some basic requirements:

  • Security: this is a no-brainer. If I’m going to trust my passwords to a piece of software, it had better be secure. In particular, the developers/owners of the software should not be able to look at my passwords.
  • Online and offline access: I want access to my password regardless of whether or not I have internet connectivity. I should also be able to get to my passwords from any of my devices from anywhere in the world. This usually translates to a web-based system where passwords are stored at some server(s) in the “cloud”.
  • Export: My password data is mine and mine alone, and I want to be able to export it out of the system (for personal backups, for instance).
  • Desktop, Tools, API: I would prefer an open system, one that provides rich access interfaces. I’d love to have a desktop app, plugins for Do or QuickSilver etc. You get the idea.
  • Simple to use: The password manager should not get in my way. Adding new passwords should be a breeze. Using stored passwords should be equally simple. Ideally, I shouldn’t even notice that I’m using a web-based password manager and not the stored passwords from my browser.

Without further ado, here are the top three web-based password managers.

clipperz

If you are really paranoid about security, clipperz might be a good option. clipperz is open-source, so you can audit the code yourself should you so desire. It is also a measure of confidence from clipperz: by revealing their source code, they are basically saying, “Hey, we are clean, you can check us out yourself”. It also signals that clipperz does not believe in security by obscurity. Apart from being open source, clipperz has all the other expected goodies: you can export your data, it supports one-click logins, you can download an offline copy etc.

I personally did not end up using clipperz because of a variety of small problems: I did not like the interface; when I started using clipperz, the one-click login was barely functional; and overall I found the user experience of PassPack much better (read below).

PassPack

PassPack is the first web-based password manager that I used seriously, and so far it has worked out great! The team is very responsive and constantly rolling out new features. I think PassPack did a really good job of promoting and educating the public on “host-proof hosting”, meaning that even the service provider does not have access to your data. This is something that most web-based password managers now support, but at least in my mind, PassPack really led the way in terms of awareness.
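
The host-proof hosting idea described above, sketched as an added example (not code from this post, PassPack, clipperz or LastPass): the client derives a key from the master passphrase and uploads only ciphertext, so the host never holds anything it can read. The PBKDF2 iteration count, the AES-256-GCM choice, the record layout and the names `sealVault`, `openVault` and `hostStore` are assumptions made for illustration.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Client side: stretch the master passphrase into a 256-bit key.
// Neither the passphrase nor this key is ever sent to the host.
function deriveKey(passphrase, salt) {
  return pbkdf2Sync(passphrase, salt, 200000, 32, 'sha256'); // iteration count is an assumption
}

// Client side: encrypt the whole vault. Only the returned record is uploaded.
function sealVault(passphrase, vault) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh nonce for every save
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Client side: decrypt a record fetched from the host.
// Throws if the passphrase is wrong or the host (or anyone else) altered the record.
function openVault(passphrase, record) {
  const key = deriveKey(passphrase, Buffer.from(record.salt, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Stand-in for the service provider (hypothetical): it stores what it is
// given and holds no key, so a dump of hostStore reveals no passwords.
const hostStore = new Map();
function upload(user, record) { hostStore.set(user, JSON.stringify(record)); }
function download(user) { return JSON.parse(hostStore.get(user)); }

// Constructed sample data, not real credentials.
const sampleVault = [{ site: 'example.com', user: 'alice', password: 'constructed-sample-pw' }];
upload('alice', sealVault('correct horse battery staple', sampleVault));
```

The same record doubles as the export and offline copy from the requirements list: anyone holding the passphrase can decrypt it without the service being reachable.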

Some features that really drew me to PassPack: password tagging; I can mark certain passwords as “favorites” so they are loaded first; the two-level security; the desktop app based on Adobe AIR; the ability to store arbitrary notes (such as routing numbers or PINs). PassPack is particularly well-suited for groups. You can share passwords in a secure manner with people in your group. Recently they even added a feature to allow sending passwords securely via email. Now you no longer need to copy/paste your passwords into chats and emails.

What I always missed in PassPack was browser integration and seamless one-click login. With the PassPack bookmarklet, one-click login is almost seamless, but it never worked very well for me. For some websites it just won’t work. For others I’d have to log in to my PassPack account again. Yet other times the bookmarklet would work in one browser but not in another. At the end of the day, it was just becoming cumbersome to manage multiple copies of my passwords: one in each of the browsers I used on each of my devices, and one in PassPack.

LastPass

I recently discovered LastPass, and right now it is my favorite tool. I found it via its Chrome extension, which is when I realized that they have plugins for Firefox and work with pretty much all the good browsers on all the major platforms. I have to admit though, LastPass is nowhere close to PassPack in terms of the maturity of the UI and the overall user experience. But the killer feature for me was browser integration. With LastPass, adding new websites is exactly like Firefox asking you to store password information for a website. In fact, the Firefox plugin for LastPass allows you to disable and bypass the Firefox password manager altogether. When you come to a website that has already been stored in LastPass, it will fill out your username and password just like your browser would do. No need to click on a bookmarklet or anything else. Transparent, seamless integration.

Unlike PassPack, LastPass has no group features at this point, which is perfectly fine by me. In the words of Tara Kelly, a co-founder of PassPack:

Passpack is pwd mngr with sharing & workgroups. Lastpass is login tool for individuals. Different strokes 4 different folks.

If there is a better web-based password manager out there that you know of, I’d love to hear about it.

15 comments

  1. Ashiff

    Hi,

    Passwordstate looks much better. If you are looking for team based usage, give it a try. Only issue is that it is not php based but MS based

    http://www.clickstudios.com.au/

    Minimum System Requirements
    * Microsoft Windows Server 2003 or above (x86 or x64)
    * Internet Information Services (IIS) 6.0 or above
    * Microsoft .NET Framework 3.5
    * Microsoft SQL Server 2005 or above
    * IE 7.0 or FF 3.0 or above

  2. Rick

    If you are on Mac, 1Password is the way to go… it has plugins for all the major browsers. It will record usernames, passwords, keep secure notes and more. Also has an iPhone program to match.

    I used to use SplashID, but quickly made the jump to 1Password after about five minutes of use!

  3. Web Filter

    Why install a potentially unsafe 3rd-party app. to remember passwords when you can just back them up in the browser the right way?

    It’s simple in FF. Just backup the whole user profile. Not only will you have your logins and passwords, but also your plugins, their configurations, your history and your bookmarks.

    • Jeff

      Maybe because we are not discussing password backing up…we are discussing storage, security, and the easy retrieval of stored passwords.

      Backing up passwords in FF is not even close to what is being discussed here.

  4. Anonymous

    So:

              Open  Own server  Mobile clients  Offline  Groups  Browser Plug
    Clipperz  Y     Y           N               Y        N*      FF Only
    LastPass  N     N           N               Y        Y       N
    PassPack  N     N           Y               Y        N       Y

    So they all need work :( Clipperz has sharing coming soon. If only PassPack were open source and would let me run my own server…

    Sorry I couldn’t take the time to do a proper table.

    • Anonymous

      Sorry, Clipperz’ offline implementation supports anything that has javascript in a browser, so maybe that could be considered mobile phone support…. My bad.

  5. Wouter

    Hi,

    If you need more flexibility for storing secure data the way to go is to buy yourself a digital signature for your email address. Based on that you can encrypt your email. In Mozilla Thunderbird you can store your drafts encrypted. In Mac Mail.app you can send yourself encrypted mails and store them in a specific folder.

    It’s very flexible and you don’t need a third party solution.

    Cheers, W.
