September 2018. You see your user ID listed as having its login compromised in a recent hack. You know you need to change your password but don’t don’t want to (or just can’t) remember yet another different one. Everybody is talking about password managers as the way to go, but you also heard about password generators, which make passwords on the fly rather than store them. You suspect that’s better than a conventional password manager.
And you are absolutely right. Just about every blog and website out there will give you a list of commercial and free apps and extensions that will store your passwords quite securely. Allegedly, that is, because they’re getting hacked too, as this news article on LastPass’s 2015 breach exemplifies. If you go to, say, the Chrome web store looking for a “password manager,” you will be rewarded with dozens of competing products, some of which you may have heard about, but the majority will be completely unknown. If your search for “master password” you will see a quite different list and almost as long as the other.
There is a key difference between a password manager and a password generator. A manager stores your passwords; a generator does not. This allows managers to also give you your user ID, if you have forgotten it, plus other secret data you may want to remember that is not a password. But of course, storing confidential data implies a need to keep the storage secure and free from corruption. It also brings in the issue of who can access the data and under what conditions. Generators have no such issues since they simply don’t store secrets. Their issues are rather how easy they are to use and how well they can re-generate passwords without error or insecurity.
In this post I score the leading “password generators” from the Chrome web store, as well as a few “password managers” with the ability to generate passwords, as a comparison. A warning: virtually all password managers can generate “random” passwords, but they do so once and then they store it more or less securely rather than generate it again every time you need that particular password.
All the password generators scored here work more or less the same under the hood: the user supplies a Master Password, which is then combined with the name of the website and perhaps the user ID or some other data, in order to make the result different for each website; then a hash function is applied to the resulting string, which becomes the site password after some final tweaking for length, allowed characters, etc.
These are my criteria for scoring them, which is significantly different from the way most reviews score password managers. The maximum score possible is 100:
- Vault-less: 20 points if there are no secrets stored (because anything stored can be hacked). 10 points if secrets are stored, but only locally, without using “the cloud.” 5 if using “the cloud.” Zero points for any secret storage that is not encrypted with a user-supplied key.
- Cached Master: 15 points if the Master Password, or whatever is used to identify the user, is kept in memory for a short time (because storing this would mean that anyone who can access your computer would get your passwords). 10 if not cached at all (a little safer, but a lot less convenient). 5 points if cached for the browser session (someone can go to your computer and used the cached password, if it doesn’t expire). Zero points if there is no Master Password or it is stored in a way anyone can get it.
- Strong password enforced: 10 points if the app makes high entropy passwords that it can remember or re-generate for you, and are different for each website. 5 points if it can do this, but defaults to user-produced weak passwords, and it takes extra effort to go the strong-password route. Strong passwords are expected to be different for different websites.
- Fills user ID: 5 points if it remembers and fills user ID.
- Simple: 5 points if there are no options to set on a separate page.
- Un-intrusive: 5 points if there are no automatic popups.
- Detects change password pages and behaves accordingly: 10 points if the program adapts to help you with password changes. 5 points if it allows you to change a site password without changing the Master.
- Auto-paste: 5 points if the program fills the password fields on the page automatically.
- Open-source: 10 points if the program is open-source, so you can view the code and comment on it, perhaps even help to improve it.
- Free: 15 points if completely free, 10 points if there is a free version without major shortcomings, 0 points if a single payment is needed, -5 points if a subscription is required.
I’ll give you the name of the contenders first, without any scores. Then the scores, and finally a little explanation of why they got scored the way they did. Here are the contenders; the first five are not generators, but managers, and are included as a comparison (links are for the Chrome extension version of each app, when appropriate):
- Chrome browser password manager: because it is built into Chrome
- Apple keychain: built into Apple OS, but only in Apple devices. Some people swear by it
- LastPass: the most popular password manager today, with nearly 2 million users for the Chrome extension
- 1Password: an old one with a lot of experience and some 500k users
- KeePass: also a manager, but this one is open-source; no official Chrome extension, but the unofficial ones count some 200k users
- Master Password app: fairly recent, but more popular than the other generators
- PasswordGen: and old one with a lot of options
- OnePass: a simple one released less than a month ago
- SynthPass: my own, just released
- PwdFly: simple open-source generator
- PawHash: another simple one with a spartan interface
- My Password: simple one with a fair number of users
- PasswordMaker: port of a well-known password generator
And here are the scores:
|name||storage||cached Master||forced strong||userID||options||un-intrusive||smart change||auto-paste||free & opensrc||total|
As you probably expected, most of the password generators leave the “managers” in the dust because they don’t store secrets and I’ve given a lot of points for that feature, although most generators squander this advantage early on by not being too sophisticated in their handling of the Master Password that everything depends on. Two of them (OnePass and PasswordMaker) even store it permanently, which pretty much throws all security out of the window.
You can’t get a weak password from a generator, which is another clear advantage, and they all make them different for each website. Even though most managers offer the ability to make strong pseudorandom passwords, this is never the default behavior. Perhaps they should have lost more points for this, since this allows users to keep re-using passwords across websites, which is a real bad habit, caused by their former inability to remember so many different passwords.
Auto-paste of the generated passwords is generally available in generators, but it often requires several clicks. The exception is SynthPass, which fills passwords with only one click, as do most managers. SynthPass also displays a different dialog for “change password” pages with the option to fill the boxes with different passwords, whereas the other generators fill all password fields with the same, which creates a problem if both the old and the new password were generated by the app. A few generators lose some points by having too many options that require extra clicks to get to.
Ah, and what if the user can’t even remember his/her user ID? Managers always record it because recording is their business, but of the generators only SynthPass offers that courtesy. SynthPass can also handle the even when you are forced to change your password. You can get a new one, without having to change your Master Password, by adding a “serial.” There’s no problem remembering the serial because SynthPass remembers it for you, since it really is no secret that needs to be kept secure. Master Password and PwdFly offer a similar “generation” tweak, but they do not remember it.
It really should be no surprise that SynthPass comes out the winner. I designed it precisely so it would be. And it has more features that I didn’t give it any credit for: showing you a mnemonic word so you know you typed your Master correctly (lifted from Master Password), an entropy-compensated generator based on SCRYPT (state of the art; most other generators use md5, which is known to be insecure), dictionary-based scoring of Master Password strength (only a few “managers” have this), a comprehensive Help page including videos on how to use it, a matching mobile-friendly web-app. The list goes on.