2008 Evaluation Team Report: Password Manager
The Fall 2008 Password Manager Evaluation Team was tasked with evaluating applications used for managing various user and account passwords. Product availability for the University's supported operating systems, general use scenarios, best practices, and security implications were considered.
Team concludes that KeePass Password Safe is an appropriate password manager application for the everyday Windows user, while Keychain Access is a good choice for Mac OS users. KeePass Password Safe is also available for other platforms (e.g., handhelds), and these versions look promising for mobile device users. Specifically for iPhone users who also use Mac OS, 1Password is an attractive alternative to Keychain Access. For enterprise environments, Citrix Password Manager is a consideration.
An initial product list for evaluation was suggested to the Team. The product list was expanded after discussion among Team members. To record uniform results, a testing script was created to review products based on various criteria. The script assessed objective factors such as actual capabilities or characteristics of the product (e.g., security features, ciphers and algorithms, presence or lack of usability features), but subjective impressions by the reviewer were also solicited (e.g., user interface rating, ease-of-use, free-form commentary sections). Questions from the script included:
- What area of password management does this application focus on?
- What platforms are supported?
- Is this application tied to the user account login?
- Can the application database be backed up to a USB drive?
- Can it save passwords for wireless networks?
- Do other usability enhancements/features exist (e.g., secure notes about your website or resource)?
- Key escrow or master password recovery?
- Password complexity requirements?
- Password generator?
- Password strength indicator?
- What ciphers and algorithms are supported (RSA, Blowfish, Diffie-Hellman, AES, etc., or proprietary)?
- What is the encryption level (e.g., 128-bits, 256-bits, 512-bits, etc.)?
- Can it remind you to change passwords after an interval of X?
- Does it write the password anywhere insecurely?
- Note the application's "chattiness" or how much "in your face" it is during normal work.
- How processor intensive is the application?
- Is the UI intuitive?
- Stable? Doesn't crash browser? Doesn't have memory leaks?
- Overall ease of use?
- Overall rating?
- Ease of vendor contact and support?
- Knowledge base/forums?
Initial investigations revealed that some products were unsuitable due to poor design, inadequate support structures, inferior user experiences, or other factors. Due to time constraints and limited resources of the Team, these unsuitable products were eliminated from consideration. A short list was created for formal evaluation. These products were KeePass Password Safe, Citrix Password Manager, Keychain Access (for Mac OS), and 1Password. Handy Password Manager and My Password Manager were also held for consideration, time and resources permitting. The formal product short list was as follows:
- KeePass Password Safe
- Citrix Password Manager
- Keychain Access
- Handy Password Manager
- My Password Manager
- Lenovo Client Security Subsystem
- Password Safe
- Sticky Password Manager
During testing, best practices for the use of password managers became a consideration. The Team decided to capture such best practices and recommendations for password manager product users:
- Do not walk away from your workstation after unlocking your password/keychain manager with your 'master password.' Always lock your password manager application, or at least lock your screen saver, if you're going to walk away from your workstation.
- Avoid writing down your passwords. If you must keep a manual list, store the master list in a safe or locked drawer. Never leave passwords stuck to your monitor, under your keyboard, or in any other insecure location.
- If you keep a list of passwords in a file on your computer, use some kind of encryption on the file, so that if your machine is compromised, the attacker doesn't come across a clear-text file labeled "My Passwords" for easy reference. Viable encryption options include:
  - Pretty Good Privacy (PGP) -- Commercial
  - Gnu Privacy Guard (GPG) -- Free
  - Windows using Encrypting File System (EFS) to encrypt a folder -- Included in OS
  - Mac using Disk Utility to create a secure disk image -- Included in OS
- Change your passwords on a regular basis. If you have a password management application, changing more frequently becomes easier, and makes you less vulnerable to account compromise.
Though available for multiple platforms, KeePass Password Safe appears to be the most attractive everyday option for Windows users. Features include support for an external password database (e.g., on a USB drive), a built-in password generator, and a password strength indicator. Well-known ciphers and algorithms are employed, with an adequate encryption level. There is an appropriate level of user interaction ("chattiness"), a minimal memory footprint, and a fairly intuitive user interface. Ease-of-use and overall ratings are high for the product. Its open source nature provides auditable security at no cost. Finally, technical support and online forums rate average for this product.
Citrix Password Manager is a solution geared more toward an enterprise environment and is not suitable for the typical end user. It earns very high marks in security, such that organizations requiring compliance with various standards (e.g., HIPAA, GLB) might do well to consider this product. Due to its client-server nature, the product requires an adequate IT infrastructure to run (including a server administrator). The Team could not locate a hands-on demo for actual testing; however, product literature and documentation suggest a comprehensive feature set.
Mac OS solutions
The University-supported versions of Mac OS (Mac OS 10.4.x and 10.5.x) include Keychain Access, a password manager solution included with the operating system. For basic password management for the average end user, this is an adequate solution. Features include support for external password database use, and password generator/strength indicator. Apple employs the well-known 3DES cipher, with adequate encryption level. There is an appropriate level of user interaction ("chattiness"), minimal memory footprint, and average user interface. Ease-of-use and overall ratings are high for the product; since it's included with Mac OS, there is no additional price and it is supported by Apple (i.e., good technical support, knowledge base, discussion forums).
1Password is an attractive alternative for Mac OS users. At its core, it uses Apple's Keychain, so it enjoys the same security features (3DES) as Keychain Access. However, the standalone 1Password application along with its plug-in support for various web browsers offers a superior user experience with a very appropriate level of user interaction, and minimal memory requirements. Ease-of-use and overall ratings are excellent for this product. 1Password especially shines with its integration and syncing abilities with its related product for iPhones, making it an attractive solution for Mac OS/iPhone users. One huge drawback is its price: it is not a free option (US$39.95), though this includes a generous licensing policy on a per-user, unlimited computer basis. 1Password is backed by good technical support and online forums.
Team recommends a further look at password manager solutions which, due to time and resource constraints, could not be evaluated. This includes the Lenovo Client Security module which is included on current Lenovo notebooks. Some other vendors (e.g. HP) include similar password management features in their products.
Team also recommends a more scrutinizing look at Citrix Password Manager as a solution for enterprise environments that already have an appropriate IT support infrastructure and require a product for compliance with various standards.
Team suggests that Linux users keep a close watch on KeePass Password Safe. There are unofficial/contributed ports of the product that are compatible with Linux-based operating systems, so KeePass may be a good password management solution for Linux users.