Generally speaking, creating strong passwords and keeping them secret is a key tenet of a user’s own protection online when using certain services. But passwords complex enough to resist guessing or a dictionary attack, one for each service, quickly add up to a pile that is difficult to even remember.
You could write them down, but that could be found out. And while browsers like Google Chrome do come with their own password managers, that leaves all your passwords behind one single password that is probably just as vulnerable as any other.
Password security is particularly important for crypto enthusiasts and traders, who deal with hackers and infiltrations far more regularly than ordinary internet users, because there is literally money to be gained by these bad actors and stolen funds are extremely difficult to recover. There are far more hackers out there, and far more occasions on which cryptocurrency and other digital assets get stolen.
So with that in mind, a slew of password managing services have become available in the market over the years to aid users with this specific security issue. Let us look at some of the most popular ones in the market right now.
Check out our video: YubiKey Review and Guide for a full look at how to use the YubiKey and all its features. You can also check out our article Yubico’s YubiKey: Review and Guide for a step-by-step written guide on how to use it.
Fundamentally, the YubiKey has the same advantages as having a literal physical key for a physical vault. It is a physical object, so in order to log in and configure an account on an online service, the actual YubiKey must be used to deliver the credentials it provides.
The YubiKey, like all hardware authenticators, essentially allows two-factor authentication (2FA) to be used more safely and more conveniently: it produces one-time passwords (OTP) that you don’t have to create yourself or remember, and enters them for you. So not only is it safer, but it’s also very convenient – two advantages that don’t usually coincide.
Physical hardware authentication devices are particularly good at avoiding the kind of hacks seen in the Coinbase and USD1mil crypto heists last year, where SMS-based 2FA codes were intercepted using SIM swapping.
It’s easy to set up and use, and provides a strong layer of security for the services it protects. Just plug it in, follow the prompts on the service you’re using (assuming it is supported), press the key and it’s set.
For crypto exchanges such as Binance, hardware keys like the YubiKey can be set to lock withdrawals, logins and password resets individually. What this means is that even if someone were to hack into the account, the individual actions a hacker could perform inside it are also locked and need the YubiKey to access them.
Its greatest strength is also perhaps its biggest weakness. Physical objects used for security can still be damaged, left behind in a rush by accident or even lost. And losing a YubiKey can involve some incredibly tedious recovery steps, so be forewarned. On top of that, some might find the need to carry one around a minor inconvenience, particularly if they trade from different locations.
Another issue that needs to be addressed is that some crypto exchanges might not support the YubiKey, particularly for mobile users, so it’s important to check for support before purchasing one. For mobile power users, this makes the YubiKey models with USB-C and Lightning connectors somewhat useless, even if USB-C models are still useful on certain laptops like MacBooks.
One minor issue was discovered by the people at Zapier, who kept triggering their YubiKeys by accidentally touching them, resulting in a one-time code being typed into whatever text box was open at the time. It has happened so often on Slack that Zapier decided to run with the joke and made a custom Slack emoji. Most hackers won’t know what to do with a sudden burst of OTP code posted in a chat, but it’s not a habit many would encourage, and Yubico does provide a means to make the touch sensor less sensitive.
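To see what such an accidental post looks like from the defender’s side, here is an added example (not from the original article or from Yubico) that scans chat messages for strings shaped like a Yubico OTP, which the key types out in Yubico’s 16-letter modhex alphabet, and reports the public ID so the owner of the key can be identified. The chat lines and the OTP value are constructed for the example.

```python
import re

# Yubico OTPs are typed out in "modhex", a 16-letter alphabet chosen so the
# keystrokes come out the same on most keyboard layouts.
MODHEX = "cbdefghijklnrtuv"

# A full Yubico OTP is a 12-character public identity followed by a
# 32-character encrypted token: 44 modhex characters in a row.
OTP_RE = re.compile(r"(?<![a-z0-9])[" + MODHEX + r"]{44}(?![a-z0-9])")


def modhex_to_hex(s: str) -> str:
    """Convert a modhex string to plain hex, one nibble per character."""
    return "".join(format(MODHEX.index(c), "x") for c in s)


def find_leaked_otps(messages):
    """Scan chat messages for OTP-shaped strings.

    Returns (message_index, public_id_hex) for each hit. The public ID is
    the part that identifies which key was touched, so its owner can be
    told to check where else the code may have been typed.
    """
    hits = []
    for i, text in enumerate(messages):
        for m in OTP_RE.finditer(text):
            hits.append((i, modhex_to_hex(m.group(0)[:12])))
    return hits


# Constructed sample chat log; the OTP string is made up, not a real key's output.
SAMPLE_CHAT = [
    "anyone have the link to the deploy checklist?",
    "ccccccbcdefghijklnrtuvcbdefghijklnrtuvcbdefg",
    "oops, touched my key again: ccccccbcdefghijklnrtuvcbdefghijklnrtuvcbdefg",
    "not an OTP (wrong length, ends in a digit): cccccccccccccccccccccccccccccccccccccccccccccccccc1",
]

if __name__ == "__main__":
    for idx, public_id in find_leaked_otps(SAMPLE_CHAT):
        print(f"message {idx}: OTP from key with public ID {public_id}")
```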
And like many password managing solutions, this won’t stop hackers from getting into your account if the exchange itself is not secure.
2- Trezor Password Manager
Using the Trezor physical wallet as a password manager is somewhat similar to using the YubiKey, but takes securing passwords one level higher. Physical wallets like Trezor and Ledger are cold wallets because transactions are confirmed on the device itself before they are made, and while you compromise convenience and speed using them, they are by their very nature far more secure.
And by virtue of how it works, Trezor can essentially save an unlimited amount of passwords too.
One noted advantage the Trezor has over the YubiKey is that, so long as you know your seed key, losing a Trezor and getting a replacement is far more straightforward. The seed is a phrase of between 12 and 24 words in the BIP39 format, and entering it into any physical wallet that supports the format basically replicates the original wallet on the new device, restoring your passwords and addresses.
It’s important to note that while a Trezor can be used as a password manager, its main purpose is as a physical wallet. Getting one just as a password manager is a bit overkill considering the prices they go for. It must also be pointed out that this is still a physical device that can be lost or damaged, and replacing one is still somewhat pricey as well.
On top of that, the seed key is fundamentally the wallet’s identity and is a frequent target for hackers. The same convenience that allows a Trezor to be replaced with a seed key also means that anybody else who has it can replicate your wallet too and steal your assets, if you’re not careful.
It is therefore incredibly risky to keep online, so it must instead be written down or inscribed on a physical medium of some kind. Paper is typically not encouraged, but there are metal alternatives that are far more durable and secure. Again, these too can be damaged, lost or stolen if you’re not careful.
If you have multiple physical wallets (and some traders do, for diversification and security purposes), you can use a single physical wallet to store the multiple subordinate seed keys, but this can also lead to a recursive rabbit hole of problems, where compromise of the “prime” key jeopardises the other “subordinate” keys, even if the latter are now incredibly secure.
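As an added example (not part of the original article or of Trezor’s software), the following Python derives the wallet seed from a BIP39 phrase exactly as the standard specifies, which shows why the phrase alone is the whole secret: any device, or any thief, given the same words computes the same seed. It goes one step beyond the text by also showing BIP39’s optional passphrase, which changes the derived seed; the mnemonic is the all-zero-entropy test phrase from the BIP39 specification and “TREZOR” is the passphrase the BIP39 test vectors use.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a BIP39 phrase.

    BIP39 fixes every parameter: PBKDF2-HMAC-SHA512, 2048 rounds, the
    NFKD-normalised phrase as the password and "mnemonic" + passphrase as
    the salt. Nothing device-specific goes in, which is exactly why any
    wallet given the same words reproduces the same seed.
    """
    phrase = " ".join(mnemonic.split())  # collapse whitespace to single spaces
    password = unicodedata.normalize("NFKD", phrase).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# The all-zero-entropy test phrase from the BIP39 specification (12 words).
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def restore_check(mnemonic: str, passphrase: str = "") -> dict:
    """Show what a replacement device, or a thief, gets from the phrase alone."""
    original = bip39_seed(mnemonic, passphrase)
    replacement = bip39_seed(mnemonic, passphrase)  # second device, same words
    # Someone who has the words but not the optional passphrase lands on a
    # different seed, so the passphrase is the only part not written on the card.
    without_pass = bip39_seed(mnemonic, "")
    return {
        "replacement_matches": original == replacement,
        "passphrase_changes_seed": passphrase != "" and without_pass != original,
        "seed_hex": original.hex(),
    }


if __name__ == "__main__":
    result = restore_check(DEMO_MNEMONIC, "TREZOR")
    print(result)
```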
But to be fair, if you do trade large amounts of capital and you are concerned about hackers, then maybe getting a physical wallet like the Trezor is not a bad investment, and if they are valuable, most people know to treat them as such and secure them well. Plus you get to reap the perk of having a physical authentication device that supports far more kinds of cryptocurrency than the YubiKey.
Launched in 2008, LastPass is well known among cyber-experts and is among the most feature-rich password managers available. It has multi-factor authentication as well as browser extensions, and is easy to use. The free version is also pretty decent but has its own limitations, as we’ll get to below.
LastPass also uses 256-bit AES encryption to scramble your passwords, allowing a zero-knowledge policy within the company. It also lets users work in an offline mode, which is a rare trait among online password managers.
The product is also very highly rated across the board, by Forbes, CNET and many other tech sites, for its incredibly feature-rich paid version, and is generally considered affordable for what it can do.
Potential security risks were discovered in 2021, 2019, 2018, 2017 (twice in the same year), 2016, 2015 and 2011, where vulnerabilities were found and then patched, but the password vaults themselves remained secure. Lack of open-source code aside, LastPass has also never had its product vetted by a third-party auditor.
On the one hand, this could be a little worrying. Even if no passwords seem to have been compromised, the idea that they could have been is a little nerve-racking. On the other hand, LastPass seems to be on the ball in making sure users are well informed and that its product is constantly patched and reinforced.
LastPass’ free version saw what might be seen as a huge downgrade last year after it was limited to only one device per user. People already on the free version found this change reason enough to swap to another manager altogether. For newer users looking to secure just one device, this isn’t really an issue, but most password manager users would rather their manager work across several platforms.
At first glance, this doesn’t look like a very impressive password manager. The installation is a bit confusing and the application itself isn’t very stylish or intuitive.
It is, however, open-source and free (barring a modest request for donations), and while the former may seem frivolous to the end user and the latter not all that important to crypto-enthusiasts looking to protect fairly large amounts of capital from hackers, they matter for two crucial reasons.
Firstly, its open-source nature allows anyone to create a startling myriad of plug-ins and customisations. This almost DIY nature of KeePass allows a savvy-enough user to modify KeePass in almost whatever way they want. On top of that, it could be argued that open-source software allows more experts to scrutinise it and its flaws (assuming a sizable-enough enthusiast community, which KeePass has).
Secondly, being free makes it an incredible password management solution for tech-savvy individuals and for tech businesses or organisations that are cash-strapped but have the skills to use KeePass to its fullest potential. Staying free turned out to be quite an important factor, as LastPass’ change of terms for its free users showed.
On top of that, various versions of KeePass (that was originally meant to run on desktops and laptops) have come about to provide for platforms it wasn’t originally designed for, such as for iPhone and Android.
KeePass’ incredibly customisable, almost DIY nature also reflects the fact that, on its own, it is a very bare password manager, and probably alienating to a user who isn’t particularly tech-savvy or doesn’t want to do the extensive customisation needed to provide features its rivals have out of the box.
The need for its over 100 plugins to provide the convenience most other solutions have right out of the box is going to turn off people who simply want to get the solution over and done with. Its interface is not intuitive and there is no official tech support.
On top of that, you must choose where to store your encrypted password database, because it has no cloud-based storage built in. It is possible to have KeePass store it on detachable storage, such as a thumb drive, but again, that must be opted into. This does make it more secure, but if the storage device is stolen you lose access to everything stored in it.
In many reviews either about, including or just mentioning Bitwarden, the positives of its free version are often contrasted with LastPass’ own ever since the latter changed its free version’s terms to sync only between either personal computers or mobile devices, almost to suggest that Bitwarden has dethroned LastPass among free app users.
And it’s hard to deny that it has earned its reputation as one of the best open-source free password managers out there.
Bitwarden provides multi-factor authentication via authenticator apps and is secured with AES-256 encryption, which is then hashed with SHA-256. You can even host all your passwords on your own server for added security. Bitwarden also allows you to create and share passwords and audit password usage. It also auto-fills passwords and their associated credentials in one go, though this can malfunction on certain sites. And everything syncs across an unlimited number of devices.
That’s not to say its affordable paid version doesn’t add a great deal more: support for YubiKey, U2F and Duo, 1GB of encrypted vault storage, vault health reports, a time-based OTP authenticator and generator, and even priority customer support.
Its creators, too, have a sterling reputation for transparency, having gone through third-party audits by Insight Risk Consulting and the German cybersecurity team Cure53, while its source code is available for anyone to examine on GitHub. It even has a bug bounty on the vulnerability coordination platform HackerOne.
Like its open-source counterpart KeePass to an extent, Bitwarden does suffer from a lack of an intuitive interface and its true capability requires some expertise to extract via plugins. But generally speaking, it’s an incredibly difficult password manager to fault for most reasonably experienced users.
Its introduction is fairly intuitive and quite helpful, walking you through the setup process step-by-step from a warning about browser-based password managers to password imports, and then an installation of web plugins, a tour of its features and the introduction of multi-factor authentication.
Keeper can be used via a web-app, but the actual desktop app allows for biometric logins and an offline mode. Keeper also has a series of other add-on features that you can pay for (or opt out from), such as encrypted file storage, secure messaging and dark web monitoring. Overall, it’s a well-priced, intuitive and easy to use password manager with rather good support for businesses.
In terms of security, Keeper is quite strong, having third party audits, compliance with ISO 27001 information security management system standards, the US Department of Commerce and the European Commission’s Privacy Shield framework and even has an internal bug-bounty programme.
Keeper is priced somewhat similar to LastPass for its first package tier, but offers a wide variety of packages to suit various sorts of needs for families, business and whole enterprises, and offers a 50 percent discount if you are a student.
The most glaring drawback to Keeper is that its free version, while reasonably capable, can only do those things on one mobile device. There won’t be any auto-fill for passwords. Also, Keeper’s free version may be terminated within 12 months of inactivity and take your passwords and files with it. Finally, Keeper’s support is also not as good with personal users.
One possible vulnerability is that Keeper doesn’t fully automate password updates. When it detects a password-change page, it offers to update and save a stronger password. Your passwords exist for a certain time on Keeper’s company servers, which works against the zero-knowledge principle.
It’s one of the best password managers available on the market right now, priced similarly to LastPass for its standard version, which allows unlimited passwords across unlimited devices, and is offered in a variety of packages suited for their intended demographics too. This allows
It has the sort of features you expect from a good password manager in this range, such as AES-256 encryption, a zero-knowledge policy, two-factor authentication, password strengthening and good browser extensions. On top of that, it has straightforward security recommendations and an easy-to-use interface.
However, it stands out with some interesting features that make it particularly useful.
One is being able to make multiple password vaults that you can organise for different purposes. On family and business plans, you can set up sharing settings with other users that are unique to each vault. On business plans specifically, administrators can remotely configure these settings for team members.
When in travel mode, it hides all password vaults and only shows the ones deemed safe for travel, and gives no indication that the mode is on, which is good if someone wants to keep sensitive information secret, particularly if a device is stolen. Such vault information might include form fills, passwords, secure documents and credit card information.
It will also tell you if your passwords are weak, or if you’ve been reusing them for different services, and has a simple-to-use feature that wipes clipboards to remove sensitive data after a timer is set.
1Password can also create an Emergency Kit – a PDF with your account email, Secret Key, and a place for you to write down your master password. It offers peace of mind in case you lose some valuable bit of data and can’t gain access to your passwords.
There are some minor concerns, though. 1Password’s browser extensions can’t be used to add or edit passwords, and while it will tell you if your passwords are weak, it won’t insist they be strengthened with special characters, which is odd.
Also, if you’re moving from a different password manager, you must export your passwords via a CSV file, which seems less secure.
It also has no free version.