Protecting your passwords
by Chris Taylor

Security experts say you should use unique, complex passwords for each service you use. My memory was good enough for me … up until about 6 or 7 different services. I now have dozens and I can’t remember them all.
A password manager stores all your passwords in an encrypted vault. You just have to remember one password to open the vault. As long as you use a unique, long, and complex password for the vault itself, all of your passwords inside are secure. There are lots of password managers to choose from. This article is not intended to be all-inclusive. I am not even saying I think these are your best options. It’s about how I chose a password manager.
Proven cryptography

Cryptography is very easy. Good cryptography, not so much. Bruce Schneier, a highly respected cryptographer and security pro, wrote, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis.”
Here I simply have to trust others; I am not a cryptographer. I did web searches to see if lots of others believe a given password manager uses a proven encryption algorithm and has implemented it properly. An open source solution is highly desirable; maybe others who understand encryption will look for flaws in the source code.
Features

I then looked at features. My shortlist: free; not locked into a service run by a provider who may start charging or go out of business; portability (ability to run without installation); a notes field to add related information; and multi-platform (Windows and Android) so I could access my passwords from all my computers and my phone.
Password Safe

Password Safe (https://pwsafe.org/) is a free open source password manager that uses the Twofish encryption algorithm. Twofish was designed by Bruce Schneier, and I trust the encryption is implemented properly.
Password Safe can generate random, strong passwords for you. It can autofill web page logon screens to save you typing. The Windows clipboard is securely cleared afterwards, but only when Password Safe is closed or you click a button on the toolbar. There is a Notes field where you can store information related to a password entry.
Password Safe automatically locks the database if you have not used it for 5 minutes, helping keep secrets secret.

There is a Windows installer version, a portable version, and a free, unofficial Android port.
As an aside, Schneier’s newsletter Crypto-Gram (https://www.schneier.com/crypto-gram/) and blog Schneier on Security (https://www.schneier.com/) are well worth reading.
KeePass

KeePass (https://keepass.info/) is well-known, free, and open source. It supports the Advanced Encryption Standard (AES) and the Twofish algorithm to encrypt its password databases. Both are highly regarded.
KeePass includes measures to protect against dictionary and guessing attacks. Process memory protection keeps your passwords encrypted while KeePass is running, so they are not revealed even when Windows dumps the KeePass process to disk. There are protections against keyloggers.
There are lots of convenience features. It can generate complex passwords. Usernames and passwords can autofill web logon screens, and information it puts on the clipboard is automatically cleared after a user-defined time period. There are many options, including the ability to automatically lock the vault after a user-defined period of inactivity.
A Notes field allows you to store other sensitive information such as your Social Insurance Number. Entries can even store file attachments, such as a photo of your passport or birth certificate.
There’s a Windows installer version and a portable version. Even the installer version does not write outside the program directory, other than to create the program directory and Start menu icons. KeePassDroid is an unofficial, open source Android port.
I’ve been using KeePass and KeePassDroid for many years and am very satisfied with both.
I store my KeePass vault in a local Google Drive folder, which is automatically synched between all my computers and phone. The KeePass portable program files are also on my Google Drive, so I can access my passwords from any internet-connected Windows computer.
Standard Notes

If you don’t want to mess with setting up your preferred cloud storage to store your password vault and configuring all your devices to access the vault from that location, Standard Notes (https://standardnotes.org/) is an interesting free & open source note manager. It is not designed as a password manager, so don’t expect it to generate passwords, enter your password into web sites, etc. But it can be used to manage any text-based information, including passwords.
Standard Notes uses AES-256 for encryption, with a password-stretching algorithm (https://en.wikipedia.org/wiki/Key_stretching) with over 100,000 iterations.
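As an added example (not Standard Notes’ own code, nor any project’s), here is what the key-stretching step described above looks like in Python: PBKDF2-HMAC-SHA256, 100,000 iterations, a 16-byte salt and the verifier scheme are all assumptions for illustration, and the 32-byte output is the size an AES-256 key would need. The timing helper shows why the iteration count matters: every password guess against a copied vault costs the same work as a legitimate unlock.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this example, not values taken from Standard Notes:
# PBKDF2-HMAC-SHA256, 100,000 iterations, 16-byte salt, 32-byte (AES-256) key.
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32
VERIFIER_LABEL = b"vault-verifier"

def stretch_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive an AES-256-sized key from the master password. Every guess at the
    password costs the same `iterations` HMAC computations, which is the point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)

def create_vault_header(password: str) -> dict:
    """What a vault stores so it can re-derive the key later: a random salt, the
    iteration count, and a verifier that reveals neither the key nor the password."""
    salt = os.urandom(SALT_BYTES)
    key = stretch_password(password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}

def unlock(header: dict, password: str) -> Optional[bytes]:
    """Return the vault key if the password is correct, otherwise None."""
    key = stretch_password(password, header["salt"], header["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    # Constant-time comparison so the check itself leaks nothing about the verifier.
    return key if hmac.compare_digest(candidate, header["verifier"]) else None

def seconds_per_attempt(iterations: int, samples: int = 3) -> float:
    """Cost of one unlock attempt at a given iteration count: the slowdown that
    stretching imposes on anyone trying passwords against a copied vault file."""
    salt = b"\x00" * SALT_BYTES  # fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        stretch_password(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")  # constructed password
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "Password1") is not None)
    print(f"1 iteration: {seconds_per_attempt(1):.6f} s/attempt, "
          f"{ITERATIONS} iterations: {seconds_per_attempt(ITERATIONS):.4f} s/attempt")
```

In a real vault the derived key would feed an authenticated AES-256 mode; this block stops at the derivation and the password check so it runs with the standard library alone.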
Beyond being secure, what I like about Standard Notes is that a free account allows automatic database synchronization between all your devices. If you worry that the vendor might go out of business, you can self-host the synchronization back-end.
Standard Notes is available for Windows, Android, Linux, iOS, and Mac. You can also access your notes through a web site (https://app.standardnotes.org/).
A puzzling default

Standard Notes assumes your operating system has been adequately secured, to the extent that, once you open your vault the first time and provide the password, it will never ask for your password again if you are logged into the OS.
If the operating system’s security is adequate, why bother with a password manager at all? Many people treat their overall Windows experience in a low-security fashion, with a weak or even no password. Then they want to treat specific sensitive information in a more secure fashion. Fortunately, Standard Notes does have an option, which I highly recommend, to add a password requirement every time you open your vault.
Originally published: November 2018