A client of ours recently turned me on to Dashlane, a very popular password manager. I had never given much thought to using a password manager, but it prompted me to do a little bit of research to understand the pros and cons of using one. I reviewed three of the leading password management apps (Dashlane, LastPass, and 1Password) and hopefully this blog post will help answer the question – Are Password Managers Worth It? I’ll also share why I believe a password manager is important to you from a financial planning perspective.
Before I get started, let me disclose that I only tested these password managers on Apple products (MacBook Pro, iPhone, and iPad). But from my understanding these apps also work well with non-Apple products. Also, let me disclose that I am not an IT professional. But you likely already knew that since this is a blog on financial planning and investment management tips. For the more technical items or questions, you may have to do a little bit of investigation or perhaps you can leave a comment below and one of our IT clients / viewers can chime in.
Now that we have that out of the way, you may be wondering why a financial planner is writing about password managers considering that I am not an IT professional. The reality is that many people access their financial accounts online these days. Therefore, managing passwords becomes a key component to protecting those accounts – something that a good financial planner should help you with.
WHAT IS A PASSWORD MANAGER?
A password manager is an app / service that securely remembers all of your passwords. That way, you don’t have to jot them down in a notebook, a sticky note, or a Word / Excel document.
Additionally, password managers help you to generate passwords so that you can have unique and very complex passwords for every site that you log into. This is very critical as many people choose to have the same password (or a very similar one) for all sites that they visit. When you are using a password manager, you have your passwords available at your fingertips without having to remember every one of them (which would be impossible unless you are one of those people who uses the same password for everything – please don’t do that!).
ARE PASSWORD MANAGERS SAFE?
One of the reasons that people tend to shy away from password managers is that they don’t want their passwords stored in the cloud (more on this below). But the reality is that risk is present no matter which route you go.
If you don’t use a password manager, then you have to keep track of your passwords somehow. Perhaps they are on your computer or written down somewhere in your house. Either way, there is a risk that your computer gets stolen, your notes get lost, your house burns down, someone hacks into your computer, etc.
I would argue that it would be safer to store your passwords with a password manager provided they have the right security measures in place.
Of the three providers that I reviewed, 1Password has the reputation for being the most secure. Some people knock 1Password for not having two-factor authentication, but it’s really unjustified. Two-factor authentication is basically when you have to log in twice to access a site. Usually this consists of inputting your primary password and then inputting a code that is sent to your device (i.e. phone). The premise is that it would make it extra difficult for a person to access your account especially if they didn’t have your device. Two-factor authentication is an awesome security feature, but it’s not troubling that 1Password doesn’t have it. Instead they employ what they call a Secret Key. This is basically a very lengthy, complex password that only you know. Therefore if anyone were to break into 1Password, they would have to know your Master Password as well as your Secret Key (neither of which is stored on 1Password servers). Additionally your passwords on 1Password servers are protected with industry standard AES-256 bit encryption. According to 1Password’s white paper on security, data is only encrypted and decrypted on your device and never on their servers. As you can see, multiple layers are in place to protect your data.
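For readers who want to see the idea in code, here is an added illustration (not from the original post, and not 1Password’s actual algorithm) of how a vault key can depend on both a Master Password and a device-held Secret Key, so that a copy of the server’s data plus a correctly guessed password is still not enough. The function names, iteration count, labels, and the key-check tag (a stand-in for the integrity tag of an encrypted vault) are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32                 # 256 bits, the key size AES-256 uses
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a memorised password and a random device-held key into one key."""
    # Slow stretch: the human-chosen password is the guessable part.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN
    )
    # The secret key is already random, so one HKDF pass is enough.
    device_part = hkdf_sha256(secret_key, salt, b"vault-key-v1")
    # XOR: changing either input changes the whole vault key.
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def enroll(master_password: str, secret_key: bytes) -> dict:
    """Return what a server would hold: a salt and a check tag, no secrets."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(master_password: str, secret_key: bytes, record: dict):
    """Re-derive the key on the device; return it only if the tag matches."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    tag = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, record["check"]) else None


if __name__ == "__main__":
    device_secret = secrets.token_bytes(32)  # constructed sample Secret Key
    record = enroll("correct horse battery staple", device_secret)
    print("owner unlocks:", unlock("correct horse battery staple", device_secret, record) is not None)
    # Someone with the server record and the right password, but no Secret Key:
    print("without secret key:", unlock("correct horse battery staple", secrets.token_bytes(32), record) is not None)
```
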
Dashlane appears to be very secure much like 1Password. One of the main differences is that they employ two-factor authentication technology, which, as I said before, is a very good security feature. Dashlane also encrypts data via AES-256 industry standards. Your Master Password is not stored on Dashlane servers and according to Dashlane’s white paper on security, only a specific user can decrypt data. This leads me to believe that a hacker would need access to your Master Password and your device in order to access your passwords.
Based on everything I’ve read, it appears that LastPass has the reputation for being the least secure of the three providers discussed. This is likely because of a fairly large breach that occurred in 2011. However, it didn’t compromise any client passwords and LastPass was very proactive in resolving the issue and protecting their clients. Like 1Password and Dashlane, LastPass also uses AES-256 bit encryption. Your Master Password and the keys used to encrypt and decrypt your data are not stored on LastPass servers. Therefore, criminals would need both your Master Password and your device to access your passwords. Lastly, LastPass employs two-factor authentication technology. For what it’s worth, I couldn’t find any white paper on security for LastPass.
LOCAL VS CLOUD STORAGE
There’s an ongoing debate as to whether or not local vs cloud-based password managers are best. A local option is one where your passwords are only stored on your device (i.e. computer, phone, or tablet); they are not stored in the cloud. The risk with this option is that if your device gets stolen then perhaps your passwords could be accessed. But that would be difficult as the thief would still need your device password as well as your Master Password for your password manager app.
The other issue with local storage is that you have to manually sync your passwords to other devices. This is not very user friendly, which is why most people don’t go the local route. On top of that, if you wanted to back up your passwords to protect against losing your device, then you would likely store the backup on a service like Dropbox or Google Drive, which essentially turns local-based storage into cloud-based storage; the very thing you were trying to avoid in the first place. Alternatively, you could back up to a thumb drive, external hard drive, etc. and keep that in a safe place such as a safe or a lock box. But again you would have to continually update the backup manually, which would likely drive you crazy.
The three providers that I will be reviewing today are all cloud-based. With a cloud-based service, your passwords are automatically stored and backed up on the password managers’ servers, which allows your data to be synced across all of your devices. And as mentioned above, all encryption and decryption of your passwords happens on your device not on the password managers’ servers (note that it was not clear whether Dashlane encrypts data on your device or their servers).
With both Dashlane and 1Password you do not have to sync your data across your devices if you don’t want to. With Dashlane, you can simply turn off the syncing option. For 1Password, you would have to buy a license for each device instead of choosing the monthly subscription cloud-based option. I was unable to find any information from LastPass about whether or not sync could be turned off. If anyone knows, please chime in. Turning off the sync option is likely not a big deal for most as one of the primary reasons that a person would use a password manager is to sync data across devices.
Even though cloud-based options back up your passwords, it would be very wise for you to keep your own hard-copy backup on some sort of thumb or hard drive. Additionally, even though the passwords may be stored on the password managers’ servers, the information is encrypted and is useless if a hacker doesn’t have your Master Password. For all the providers reviewed, your Master Password is never stored on the password managers’ servers.
BENEFITS OF USING A PASSWORD MANAGER
Contingency Plan – in our experience, usually one spouse handles the finances. If something were to happen to them then the other spouse wouldn’t know passwords to pay bills, access important websites, etc. But if a password manager were used, they could easily have access to all passwords and sites.
Automatic Backup – whenever you log into a site, your credentials will automatically be stored and backed up in your password manager. Some password managers are better than others at this. More on this in a moment. The benefit of this is that you no longer have to manually keep track of your login info.
Password Generator – as mentioned above, people tend to use the same password or some variation of that password across all the sites they visit. With a password manager, you can generate a very complex, long, and unique password for every site you visit. And the good news is that you don’t have to remember it.
Sync Capability – password managers offer the ability to sync your data across every device that you use. So, whether you are accessing a site on your phone, tablet, or computer, you’ll have the password handy. Some people question whether or not they need a password manager since their browser (Chrome, Safari, Firefox, etc.) can automatically fill in their user name and password. However, this is not a very secure way to handle your credentials as anyone who can get into your device can automatically access your sites or even your financial accounts.
Security – it is likely more secure for you to store your passwords with a password manager rather than storing them in Dropbox, Google Drive, on a piece of paper, in a spreadsheet, via your browser, etc.
Time Savings – you will no longer have to manually keep track of all of your passwords. I used to do this in an Excel spreadsheet, but it is very burdensome and time consuming. Every time a password was updated I had to log into the spreadsheet, which is not easy on a mobile device, and update the password. Then if I ever wanted to log into a site from a mobile device, I had to open the spreadsheet just to remember the password. You will avoid all of these problems with a password manager and will be able to log into sites much quicker and safer.
DRAWBACKS OF USING A PASSWORD MANAGER
Doesn’t work well with mobile devices – password managers work best on actual computers. It can be difficult logging into sites on a phone or tablet because they use a different operating system than a computer. Depending on the site and the browser you use, sometimes the login information fills in and sometimes it doesn’t. However, just having the passwords available on your mobile device is a plus and will allow you to cut and paste your user names and passwords into the site. Additionally, whenever you log into a site for the first time on your mobile device, your login credentials do not automatically store in the password manager or sync to your other devices. This was one of my biggest beefs, but unfortunately, none of the password managers that I reviewed have this capability. The workaround is that you have to add the site to your password manager app first.
Doesn’t work well with apps – this goes hand in hand with the first drawback since most sites these days are accessed through apps on a mobile device. My understanding is that in order for apps to work well with password managers each separate app has to build in an integration with the password manager. As mentioned above, you can open the password manager on your phone and cut and paste your log in info into the app. It still beats trying to remember your credentials or having your browser do so.
Doesn’t fill in security answers – while a password manager will automatically fill in a user name and password, the three services that I reviewed don’t have an ability to automatically fill in security answers. Many sites will require you to answer security questions if you are logging in from a different location but you may not always remember the answer, whether or not you used upper or lower case, if you used spaces, etc. The workaround to this is that you can store the security answers in the password manager, but you will have to cut and paste them into the site manually.
Bank sites can be difficult to log into automatically – this can be due to the bank asking security questions (which as I mentioned don’t automatically populate) or it could be due to the user name and password fields being on separate pages. It’s really not that big of a deal on computers but more of an issue on mobile devices.
Security – nothing is 100% foolproof. No matter how great a password manager says their security is, it’s not perfect. If it were perfect then companies like Target, Home Depot, Equifax, etc. wouldn’t get hacked. But with that said, the security features of password managers incorporate so many layers that it would be near impossible for a hacker to access your information.
PROS AND CONS UNIQUE TO EACH PROVIDER
DASHLANE PROS
1. When I first started testing the three password managers, Dashlane stood out as the best. The set up process was by far the easiest of the three. Dashlane easily walked me through importing passwords from Google Chrome, setting up a credit card, sharing a password, setting up form fill, and adding a note. None of the other providers did this.
2. As mentioned above, Dashlane automatically (and very quickly) imported all of my passwords stored in Google Chrome. This is a really nice feature that the other two password managers didn’t have.
DASHLANE CONS
1. Although the set up was very simple, I found Dashlane to be very frustrating once I actually started to use it. Since I imported all of my passwords stored on the Google Chrome browser, there were some accounts that needed to be deleted since I didn’t use them anymore (or perhaps they were duplicates). When I deleted them on my laptop, they would still show up on my iPhone. Or if I deleted them on my iPhone they would still be on my laptop. At one point I deleted them off of my Mac and then they later reappeared. Basically this means that the syncing feature wasn’t working very well, which is one of the main reasons a person would want to use a password manager. Stuff like this doesn’t give me a comfort level with their security. It’s probably not correlated, but still I didn’t have a warm and fuzzy.
2. At one point, Dashlane asked me to re-register my laptop. This then caused me to have two laptops listed under registered devices.
3. I find that the Dashlane user interface is not as slick as 1Password or LastPass.
LASTPASS PROS
1. The setup process was fairly straightforward. Once my account was created, LastPass took me to a screen to begin adding items (i.e. passwords, credit cards, etc.). It was very simple.
2. One of the nicest benefits of LastPass is the way that it looks. It is very user-friendly and looks aesthetically pleasing. The login sites are organized very neatly on both the desktop and mobile versions.
3. LastPass is the only one of the three that has a free option that includes syncing across all devices.
LASTPASS CONS
1. I had a really difficult time getting the passwords to automatically save in LastPass, which is the very reason I wanted to use a password manager in the first place. Whenever you log into a site for the first time, a password manager should prompt you to automatically save the site. Sometimes LastPass did this and other times it did not. To be fair, most times it worked.
2. When you are logged into LastPass, there is an alert bell (which I have no idea what it is supposed to do) in the menu. When I clicked on this, an icon spun around forever and I was unable to access any other data until I restarted the app. It made me think that if something as simple as this is broken, what does that say about their security. Again, probably no correlation, but it was still very frustrating.
3. Website icons do not always populate into LastPass cleanly. Whenever log in credentials are saved in a password manager, it pulls in a logo from the website so that you can see all of your sites neatly organized. For example, when my Discover Card credentials were saved in LastPass, it didn’t bring over the Discover logo. Instead it was just the letter “D”. Not a big deal but just annoying.
4. Whenever a new password is automatically added to LastPass, it would log me out of LastPass every single time without exception.
5. Passwords are not automatically imported from your browser. Instead you have to download a CSV Excel file and upload it to LastPass. In reality having all passwords automatically imported is not really that important since your browser will still auto-fill your user names and passwords when you go to a particular site. Then as you log in, LastPass will automatically capture the data. Plus, I found that automatically importing the passwords created more problems since duplicate and non-used sites came over which required a bit of clean up.
1PASSWORD PROS
1. Similar to Dashlane, the set up process was very smooth. While it didn’t walk me through as many items as Dashlane, 1Password provided a nice Welcome Email directly within the app itself which guided me on what to do next. Especially helpful was the link to their YouTube channel which had very short videos on multiple topics.
2. Everything synced seamlessly between all of my devices. No problems at all.
3. Whenever I logged into a site for the first time or changed a password, 1Password captured it instantly.
4. Both Dashlane and LastPass have icons in the User Name and Password fields so that you can easily click on them to auto-fill your log in info. At first glance this seems like a very smooth time saving feature, but the way 1Password has you log in is even more slick. By clicking on the password manager icon in your browser menu, you can scroll down and choose the site that you want to access and you will be logged in automatically (most of the time). Dashlane also provides this feature.
5. 1Password has the best user interface of all three apps in my opinion. This is true for computers and mobile devices. The logo icons from sites that I access populate very smoothly into 1Password. Everything is very neatly organized and easy to access. It just looks “real nice Clark”.
6. 1Password has a unique feature that none of the other apps have. It’s called Travel Mode and it allows you to remove your passwords and other sensitive data you have stored (i.e. credit card info, social security numbers, bank account info, etc.) from your devices when you’re traveling. The info is not just hidden, it is completely removed from your device.
1PASSWORD CONS
1. 1Password doesn’t offer a free version.
2. Can’t automatically import passwords from your browser.
WHICH PASSWORD MANAGER IS BEST?
At the end of the day, I feel that 1Password is hands down the best option of the three I reviewed. First, it simply “just works”; there were no major bugs or hang ups like I experienced with Dashlane and LastPass. Second, I feel that 1Password has the most secure platform. I have no IT background to back this claim up, but based on everything I read and the fact that there were some pretty questionable drawbacks when testing the other providers, 1Password appeared to be the most secure. Third, the syncing capability worked flawlessly every time. Fourth, 1Password has by far the best user interface making it very organized and easy to use. Simplicity is a big deal for me as I hate it when companies make things unnecessarily complex.
LastPass would be my second choice due to their free option which provides syncing across all devices at no extra charge. Additionally, their user interface was very good.
My last choice would be Dashlane since their user interface wasn’t on par with the other two apps and their syncing capability didn’t work consistently.
ARE PASSWORD MANAGERS WORTH IT?
None of the password managers are perfect; there are flaws with every single one. But even with that said, I believe the benefits far outweigh the drawbacks. For me, the syncing of data to all my devices, no longer having to remember or manually keep track of passwords, the backup capability, the password generator, and the time savings make password managers definitely worth it.
I would love to hear any experiences you have had (either good or bad) with password managers. What are your thoughts on their security? Do you find that they save you time and hassle? Are they user-friendly? Do you or would you use one?