8 Password Manager Options for Mac and iOS

Posted on September 27th, 2012 by

Passwords are like undergarments: it’s good to keep them hidden, and you should change them often. Likewise, if someone sees your password it may leave you feeling exposed and uncomfortable. As we mentioned in our 4 Tips for Creating Secure Passwords post, it's important to create complex, unique passwords so they're more difficult to crack. Unfortunately, the more complicated your passwords, the easier they are to forget. How do you securely keep track of all your different passwords? With a password manager, of course!

There's a lot more to love about password managers than not having to remember so many passwords. The password managers in this list all have a variety of benefits that will make your computing life easier and more secure:

  • Encrypting passwords and data using Advanced Encryption Standard (AES)
  • Automatically and securely logging into websites as you're surfing
  • Browser auto-fill for your personal info, so you can make quick work of shopping or registration
  • Helping you generate customizable, secure passwords so they're not easily cracked
  • Backing up and restoring your passwords so you aren't up a creek if something happens to your machine

Choosing a password manager is often a daunting task in and of itself--there is such an overwhelming array of features to choose from! We did some of the dirty work for you and researched a few of the numerous password managers out there. This post highlights eight password managers that are available for OS X and iOS, among other platforms.

LastPass (Version 2.0.13)

LastPass offers the best security with Grid Multifactor Authentication and custom security levels

Cost: Free. A Premium version is offered for $1 per month and includes a mobile version, among many other features.

OSes: OS X, iOS, Windows, Linux, Blackberry, Windows Mobile, Windows Phone, Android, WebOS, Symbian

LastPass has a huge variety of versions for desktop and mobile OSes, plus integration with just about every browser under the sun. If you have a device that isn't covered, it's probably older than dirt or so impossibly arcane only you and 20 of your friends have ever used it. The focus of LastPass seems to be protecting against attacks such as breaches, keyloggers and phishing. This has been an eye-opening year for security breaches, and spyware and phishes are always in season, so this certainly makes sense.

LastPass has recently partnered with PwnedList and added a new feature called Sentry that automatically emails you whenever a breach has been reported on one of your online accounts. They also offer a couple of different methods (such as an onscreen keyboard for password entry) to protect against keyloggers. This is one of the few password managers that supports Multi-Factor Authentication. You can import and export data, and securely share your login credentials with others. It also allows you to create secure notes.

DataVault for Mac OS (Version 4.5.4)

Cost: $9.99 each for DataVault for iOS and DataVault for OS X

OSes: iOS, OS X, Windows, Android and Blackberry

DataVault, as the name tells you, focuses on managing and securing your data. Along with the usual password management features, DataVault supports iCloud backup, plus Wi-Fi, WebDAV, and Dropbox synchronization. It also lets you resolve sync conflicts manually, or you can choose whether the “Desktop Wins” or the “Handheld Wins” automatically. DataVault gives you all sorts of ways to arrange data stored within the app, such as grouping by items, categories and types. You can also use some provided templates, or create your own, and you can expand the list of "actionable fields" so that you can initiate phone calls, emails or web site logins.

If you're a visual person, you can assign different icons to different accounts so you can tell at a glance which you're choosing. You can import your data to DataVault from several different password manager applications or from a CSV file, and you can export it to a password-protected file. When you quit DataVault, it automatically clears your clipboard so it can't be used to poach your data.

RoboForm for Mac (Version 1.2.9)

Cost: $29.95 for OS X, Free for iOS

OSes: iOS, OS X, Windows, Linux, Android, Blackberry, Windows Mobile, Palm, Symbian

RoboForm, like LastPass, has a version for all kinds of different operating systems, and supports a wide variety of different browsers. It focuses on speeding up your Internet browsing experience by helping you automatically login to your favorite sites once you've set up all the needed information. Not only can you do this one site at a time, as you're surfing you can batch-login to multiple sites at once.

RoboForm has a number of different ways of grouping sites for you: by most recently visited, most popular logins, or with a bookmark list. As with DataVault, you can associate different icons with your various accounts. You can create secure notes, secure and sync your bookmarks, and create searches for different search engines. It offers multiple user profiles, and you can share login credentials with others. RoboForm also offers keylogger protection with an onscreen keyboard.

Wallet for Mac (Version 3.2.4)

Cost: $19.99 for OS X, $9.99 for iOS

OSes: iOS, OS X

Wallet, like DataVault, seems to focus on securing and managing your data. It gives you several options to arrange your data for easy access: you can create custom groupings, and there is a global search option to help you find your data again. Wallet lets you sync your data using Dropbox, WebDAV or Wi-Fi. It will automatically lock your machine after a customizable period of time, and you can clear your clipboard to stop data from being gathered from it. You can create secure notes to securely store information. Wallet supports both Chrome and Safari integration.

SplashID Safe (Version 6.2)

Cost: $19.95 for SplashID Safe for Mac (available on the Mac App Store), $9.99 for SplashID Safe for the iPhone and SplashID Safe for iPad (both available at the iTunes App Store)

OSes: iOS, OS X, Windows, Android, Windows Phone, Windows Mobile, Blackberry, WebOS, PalmOS, Symbian

SplashID Safe also focuses on securing and managing data. And again with the prodigious list of supported OSes! (But no Linux? Huh?) You can create groups of record types and categories for storing your personal and confidential information. SplashID also offers protection from phishing attacks by incorporating clickable URLs for access to your web logins. You can assign icons to your various accounts, so you can quickly see which is which.

One neat feature that seems to be unique to SplashID Safe is that it includes reminders to periodically change your passwords, and it lets you know when the expiration date is approaching for stored credit cards. Another cool feature is that the desktop product allows you to create alternative logins: rather than using an alphanumeric password, it enables you to trace a pattern using your mouse or a finger on your touchscreen.

1Password for Mac

Cost: $49.99 for the desktop version (Mac App Store), $14.99 for the iOS version (iTunes)

OSes: iOS, OS X, Windows, Android

1Password encrypts your information and stores it either locally or by way of Dropbox. It gives you a bevy of different features for securing and managing data. Like many of the other password managers here, you can set icons for different login IDs, wallet items and accounts. You can also clear your clipboard and create secure notes (1Password also includes spellcheck in this option, which could be nice!). You can create tags for different data, and there's a powerful global search option to help you find what you need.

1Password also has a cool feature that will intelligently copy data to the clipboard for credit card numbers so that it will not include spaces or dashes. There are browser extensions that offer support for Chrome, Firefox, Safari. You can also attach files in 1Password, which can be helpful if you need to securely store certain files.

mSecure

Cost: $9.99 for mSecure for iPhone, iPod touch and iPad (App Store); $19.99 for the Mac OS X version (Mac App Store)

OSes: iOS, OS X, Windows, Android

mSecure too focuses on securing and managing your data. Like many of the other apps, you can create different groupings for your data, use default templates or create your own, and use custom icons for your different accounts. You can also import data from other products or from a CSV file. And you can securely share your login credentials with other people.

mSecure also has a global search that helps you find your data quickly. You can sync multiple devices over Wi-Fi or Dropbox, and backup via email. You can import data either from competitors' products or from a CSV file. mSecure provides a customizable auto-lock feature, and it also has an optional self-destruct feature in case your mSecure password is guessed incorrectly.

eWallet for Mac OS X

Cost: $9.99 for eWallet for iOS; $19.99 for the Mac OS X version (Mac App Store)

OSes: iOS, OS X, Android, Windows Mobile, Windows, Blackberry

eWallet is a very basic password manager for those who just need to store data simply. You can sync data with iOS devices, other computers on the same network, and external hard disks. You have the option of customizing your accounts with different icons and credit card backgrounds. Like the other apps, you can create categories to group your data, and you can set certain accounts as favorites. You can include secret question information for each account, which could be handy if you (or a handsy toddler) accidentally mangle an edit and then forget your password.

While we decided to write about only eight password managers, here's a list of some other good options:

In the end, while some of the decision may come down to differences in feature sets, your ultimate choice between password managers may come down to your own personal preference for navigation and organization of your data. There is quite a variety of different options in this arena, and one may suit your own style better than another. The best way to get a feel for this would be to take apps for a spin and see how easy they are to work with, and decide accordingly which feels most powerful and useful for you.

Do you use any of the password managers mentioned in this post? If so, what's your opinion of them? If not, do you have any other password managers you highly recommend?

  • http://twitter.com/w7tek Tommy Knowlton

    The blog linked above (“Even 1Password doesn’t measure up to LastPass on security features alone”) appears to base its entire security claim on the use of multi-factor in LastPass. It’s kind of an apples-to-oranges comparison, though, because 1Password data (stored locally) does not require “authentication”, but “decryption” as explained at the last subheading here: (1Password users should wait a bit before trying Dropbox’s two-step verification). LastPass is not authenticating you in order to unlock your encrypted blob, it is authenticating you in order to decide whether you can retrieve the blob from the remote server where it is stored. Both systems perform the actual decryption of the keystore on your local machine, and the security of that is controlled entirely by the security of your passphrase.

    Also, while the linked article is over a year old (and so maybe LastPass has caught up by now), it does note that 1Password employs PBKDF2 and LastPass doesn’t. I’d rather have the security of PBKDF2 effectively preventing brute-force attacks against my keystore, than the orthogonal and irrelevant “protection” that 2-factor auth with LastPass offers.

  • Greg

    From a security perspective what am I lacking if I just use the built-in password manager in Chrome?

    • http://www.ictymusic.com Jacob Daley

      Did you know that anyone with physical access to your computer can view passwords stored in Chrome by simply typing “chrome://settings/passwords” into the Chrome search bar?…

  • http://agilebits.com/ Khad Young

    As Tommy Knowlton mentioned, 1Password technically doesn’t even perform “one-factor” authentication since it is an *encryption* app. :)

    Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. We’re planning to write a more detailed explanation of our developing thoughts on it, but let’s discuss the difference between authentication and decryption.

    When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

    1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

    There are great advantages to this design: Your data and your decryption of it doesn’t require our participation in any way once you have 1Password. Your data is yours. Even if AgileBits were to get abducted by aliens tomorrow, you would still have access to your data since we never store it on our servers.

    However, one disadvantage of this design is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an *authentication* process, but unlocking your 1Password data is **not an authentication process at all**. Because there is no 1Password “server”, there are no (additional) steps we can insist on as part of a (non-existent) login process.

    1Password is decrypting data stored locally on your system, it is not authenticating against some service. So in truth, we don’t even have 1 factor authentication, as there is no authentication in the first place. So typical approaches to MFA won’t work.

    However that doesn’t mean that it is impossible for us to do something that **looks like MFA**. There are roughly two approaches (each simpler than PKI). One of them is key splitting. That is the result of processing your Master Password doesn’t actually get you a working key to decrypt further, instead that result would need to be XORed with another 128-bit key. So it is simply a case of storing that other “half” of the key on some other device. 1Password would need to be able to read that device, which may be tricky on iOS, but it isn’t insoluble.

    The other approach would be to move the keyfile. 1Password (on the desktop) has a file called encryptionKey.js. That file contains an encrypted key, which is what gets decrypted by the key derived from your master password. That file (and some backups of it) are part of your 1Password.agilekeychain (which is actually a folder bundle, which looks like a single file on the Mac). It would be possible for us to allow that file (and its backups) to reside on some device or location. Both that file and the Master Password are required to get any further.

    We are more inclined to do key splitting rather than having a movable keyfile.

    The real technical difficulty is getting this to work on every platform. Again, because this is all about data decryption and **not authentication**, we can’t just implement this on one platform (if it were to be anything other than just for show). So while this isn’t insurmountable it means that even the “simple” approaches that I described would be tricky.

    But the real reasons that we haven’t put in substantial effort in that direction is because for every case where someone reports that their computer or device has been stolen, we get probably a hundred more of “I forgot my Master Password” or “I damaged my data and didn’t have usable backups”. My fear is that key splitting or keyfile moving wouldn’t just double the rate of people getting locked out, but would increase it much more. The threat of data loss becomes very substantial.

    Again, because we aren’t running a system that people authenticate against, there is nothing we can do to help people recover their data if they damage a key or forget their Master Passwords.

    Now of course we could make it an advanced option with lots of warnings, but we know that people will always dial up security settings to 11 whether it is in their interest or not. Remember that 1Password is a mass market product. It’s great that security geeks use and respect it, but we don’t want to give our users rope to hang themselves with.

    I’m just spelling out why, to date, we have resisted calls for MFA. It’s harder to get right for a decryption system than for an authentication system, and we think that it might do more harm than good.

    None of this is written in stone. The threat landscape, patterns of usage, and device capabilities change. So while there are no immediate plans to add this, we are leaving the door open in the design of our new data format.

    Khad Young, AgileBits, http://support.agilebits.com/

  • Jeff Goldberg

    [Disclosure: I work for AgileBits, the makers of 1Password.]

    You are absolutely correct that there is growing demand and need for things like multi-factor authentication for password managers, and this is something that 1Password doesn’t provide. But I find it odd that you wrote, “It’s not clear why, but 1Password does not support multi-factor authentication.”

    There are reasons for this described in our blog, but the main summary is that unlocking your 1Password data isn’t an authentication process; instead it is a decryption process. So we don’t really even do “single factor auth”, as authentication just isn’t part of the process. Thus the usual methods for adding a second factor are not applicable. This is because you never go through any service/server of ours to get at your data; so there is no “extra” gate we can add to getting authorized by some service of ours.

    Also because a user is decrypting data stored locally, many of the threats that MFA defends against aren’t threats to 1Password data. When you authenticate to a service, you may be doing so over an insecure network or even from a computer that you can’t trust. Those situations don’t arise nearly as much with 1Password’s design of just decrypting local data.

    Of course, those details may not matter to ordinary users, but this is exactly why many users must rely on expert evaluation. Anyway the analogue for multi-factor auth when using decryption instead of authentication is “key splitting”. That is the Master Password would need to be combined with some decryption key that is stored separately (say a USB device) to derive the actual key that is used to unlock the 1Password data.

    I won’t repeat why we haven’t moved on this (yet), but it is something that is under consideration. Basically we need to find a way to do this that won’t lead to unacceptable rates of people losing access to their data. Unlike authentication where tokens can be reset server side, if someone loses or damages this second factor there is absolutely no way to ever unlock the data again.

    I also found it odd when you said, “But for its price, it better focus heavily on security in addition to looking great on Macs, right?.”

    Just because 1Password is beautiful don’t imagine that it doesn’t have brains.

    In evaluating the security of password managers, it is important to look at the actual design of the system carefully. It’s not simply a list of user visible security features. Everyone uses AES, so listing it as a “security” feature of some password managers while omitting it from others can be confusing for readers. From a security perspective questions like what encryption modes are used with AES or how initialization vectors are generated is often far more important than issues of key size. (That is, everyone uses AES, but it is in these other sorts of design questions where people make mistakes.)

    There are many other issues as well. There are issues of how much data is ever decrypted at any one time, or key derivation, or source of entropy for initialization vectors, and so on. To suggest that 1Password is “less secure” because it doesn’t do MFA is, I think, a disservice to your readers, particularly if you didn’t consider so many other things that go into data security.

    If you do a proper evaluation of the security of password managers, it will certainly be possible to find fault with 1Password (and the others). Indeed, there are a number of substantial changes that need to be made in our data format design. We’ve fully acknowledged those and are preparing a new data design. But despite those, I’m confident that 1Password will come out well in any systematic and proper analysis of the security of password managers.

    We are all working to help Mac users remain secure. There will be times (like this) when we (at AgileBits) disagree with you (at Intego) on some things. But I know that personally, I will continue to direct people here for great news and explanations about Mac security.

    Cheers,

    -j
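The key splitting that the two AgileBits comments above describe, sketched as an added example; it is not AgileBits code and not 1Password's data format. The PBKDF2 iteration count, the HMAC key-check tag stored in the header, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 16                      # 128-bit halves, as in the comment above
ITERATIONS = 100_000              # assumed work factor, not a 1Password value
CHECK_LABEL = b"vault-key-check"  # hypothetical label for the key-check tag


def password_half(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 128-bit half (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key halves must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_tag(unlock_key: bytes) -> bytes:
    """Tag kept in the vault header so a wrong key is detected before use."""
    return hmac.new(unlock_key, CHECK_LABEL, hashlib.sha256).digest()


def enroll(master_password: str) -> Tuple[dict, bytes]:
    """Create a vault header plus the random half that lives on another device."""
    salt = secrets.token_bytes(16)
    device_half = secrets.token_bytes(KEY_LEN)
    unlock_key = xor(password_half(master_password, salt), device_half)
    return {"salt": salt, "check": check_tag(unlock_key)}, device_half


def unlock(header: dict, master_password: str,
           device_half: Optional[bytes]) -> Optional[bytes]:
    """Return the unlock key, or None if either half is missing or wrong."""
    if device_half is None or len(device_half) != KEY_LEN:
        return None
    candidate = xor(password_half(master_password, header["salt"]), device_half)
    if hmac.compare_digest(check_tag(candidate), header["check"]):
        return candidate
    return None


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single damaged bit on the second device."""
    damaged = bytearray(data)
    damaged[bit // 8] ^= 1 << (bit % 8)
    return bytes(damaged)


def demo() -> dict:
    # Constructed sample values; nothing here is real vault data.
    pw = "correct horse battery staple"
    header, device_half = enroll(pw)
    return {
        "both_halves": unlock(header, pw, device_half) is not None,
        "wrong_password": unlock(header, pw + "r", device_half) is not None,
        "device_missing": unlock(header, pw, None) is not None,
        "device_one_bit_damaged":
            unlock(header, pw, flip_bit(device_half, 0)) is not None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} unlocks: {ok}")
```

Nothing in the header can regenerate the device half, so a lost or damaged second device is as final as a forgotten master password, which is the lockout risk both comments raise.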

    • pc mac man ny

      Hi there. If I may chime in here a bit: I just downloaded 1PASSWORD for MAC OSX and I noticed there are a few times when I am creating LOGINS where it requires me to enter my PASSWORD ONLY 1x, so if I inadvertently mistype a letter or character at the end of my entry I can end up LOCKED out of my login part or not realize it's wrong until I try to enter it somewhere like a website. I guess I would have to reset it, or re-enter it again? I work in IT and always expect the PASSWORD fields to be duplicated so that it can verify and confirm I am actually entering it in correctly. Is this something you are working on as well? pcmacmanny

      • http://www.facebook.com/francoys Françoys Guay

        In 1Password, if you want to check if you have the right password, just hold down Option and Command keys simultaneously and the field will reveal the password instead of the bullets.

    • icyrock1

      Nice, now can you guys start working on an android version that works?

      Please and thank you,

      1password customer.

  • http://www.intego.com Intego

    We really appreciate your feedback and decided to amend the descriptions of the password manager products. The revised version offers more of a rundown of each product, which we hope will provide greater value to our readers.

  • John Emry

    Thank you.

  • Richard van den Berg

    You say “1Password also lacks in the area of keylogger protection.” Compare this to “SplashID also offers protection from keyloggers and phishing attacks by incorporating clickable URLs for access to your web logins, and the desktop version auto-fills logins for you.” Of course 1Password also offers clickable URLs and also auto-fills logins.

    Is it too much to ask for a security blog to review security products based on their actual security features?

  • http://brownchickenbrowncow.myopenid.com/ Joel

    There was no mention of which program provides Two-Factor Authentication. I use 2FA across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs.

  • 0579186585

    So, is Intego vouching for these apps? Have they been fully vetted from a security standpoint? Right off the bat I see some issues – Wallet by Acrylic Software has ceased development according to their website.
    SplashID has been around for many years yet it was only recently discovered that the password protection was basically non-existent, as it apparently relied on a universal key that was hard coded into the app! Apparently, that issue has been fixed, but it goes to show that just because an app throws terms around like AES, security, military grade encryption, that there are lots of potential mistakes that can be made resulting in an insecure password manager…

    • keith gould

      I can’t answer for Intego, but I would have thought that the collection of Apps was provided for information purposes. Given the litigious environment we live in it would be unwise to do much more. As with all things, you need to invest some time and judgement and then make an informed choice for yourself.

      • LysaMyers

        This is indeed intended to let people know about a few popular offerings, not as a review or vouching for any particular product.

  • Jay Cross

    I’ve had 1Password for Mac (Chrome) for a year and I still haven’t figured it out. I plan to dump it in favor of a freebie solution. The UI is far from intuitive.

  • keith gould

    I have been a highly satisfied 1Password user more or less since it first hit the market. I have multiple Macs and iOS devices and need all of the information 1Password manages to be instantly available to me wherever I am. Whilst I seriously value its password generation and log in tools, its ability to create secure notes and manage software license keys is also a reason I will keep recommending it to all of my customers.

    • BerryLee

      I use IntuitivePassword.com. It supports all major browsers and mobile devices, no need to manually sync your data. The user interface is very nice too. Most important thing is that their system is running on the cloud servers so your data is very secure, and your database gets backed up every day. It is worth a try.

  • LysaMyers

    Password security is (like many security issues) less about achieving an absolutely locked-down machine and more about achieving better protection. As few people are able to create and remember strong and unique passwords for all their login requirements, it’s better to have a secure program to both create and remember for you.

  • Autoankauf-online.net

    Very Good and interesting !
