
A Comparative study of five password management software

Ayeah Godlove Akoni

April 2019

Dissertation submitted in partial fulfillment of the requirements for the award of a
University Diploma of Technology (UDT) in
Computer Networking and System Maintenance

Department of Computer Engineering (CEN).


University of Bamenda

CERTIFICATION

I hereby certify that this thesis entitled “A Comparative study of five password management
software” has been carried out by me, Ayeah Godlove Akoni, registration number
UBa16P254, in the Department of Computer Engineering, option Computer Network and
System Maintenance, of the College of Technology (ColTech) Bambili, University of Bamenda.

Date: Date:
__________________ ______________________
Dr. LINEOU JEAN PIERRE Dr. LINEOU JEAN PIERRE
Senior Lecturer Associate Lecturer
Supervisor Head of department

Signature: Signature:
_____________________ ________________________

ATTESTATION

I hereby declare that I am the sole author of this project. I authorize the College of Technology
(ColTech) Bambili to lend this project to other institutions or individuals for the purpose of
scholarly research.
I understand the nature of plagiarism, and I am aware of the University’s policy on this.

I certify that this project reports original work by me during my University project except for the
extracts obtained from other sources as detailed in the appendix or bibliography:

Signature Date

__________________ __________________

AYEAH GODLOVE AKONI

DEDICATION

To my Brother AYEAH GIDEON and Sister AYEAH JOY.

ACKNOWLEDGEMENTS
Glory is returned to God for this work, which was carried out with the assistance of several
people, to whom I address my sincere thanks here. In particular I express my acknowledgements
to:

- The Director of the College of Technology (ColTech) Bambili, Pr. FONTEH Mathias,
who spared no effort for the smooth running of our establishment;
- The Head of the Department of Computer Engineering, Dr. LIENOU, for the particular
attention he paid to our training;
- All lecturers of the College of Technology (ColTech) Bambili, who contributed to our
training through the different courses they taught us;
- My supervisor Dr. LIENOU JEAN-PIERRE, for all his advice and contributions to this
work;
- My parents Mr. and Mrs. AYEAH TEFUH ALFRED and NSOM ROSE YIWULI, who
supported me morally and financially throughout my training in HTTTC Bambili;
- All those who directly or indirectly contributed to the success of this project.

UDT PROPOSAL THEME
Open source software for account password management
Supervisor: Dr LIENOU JEAN PIERRE
PROBLEM STATEMENT
Today you need to remember many passwords: a password for the Windows/Linux/macOS
network logon, your e-mail account, your website's FTP account, online passwords (such as
website member accounts), and so on. The list is endless, and each online account needs a strong
password that must be entered whenever the user wishes to access the account. How are users
supposed to remember all these passwords? Examples include Gmail, Yahoo Mail, Pinterest,
Facebook, Twitter, Amazon, Flickr, Skype, and also bank account PINs, credit card PINs, etc.
Keeping track of dozens of passwords and security hints is genuinely hard. There are therefore
two problems: first, how to manage these account passwords using password management
software, and second, how to practise secure password management.
OBJECTIVES (General and Specific)
I will cover a comparative study of five password management software products, provide an
overview of how password management applications work, the security they provide, and the
benefits and risks of using them. I will also take a deeper dive into the potential security
vulnerabilities of five of the most popular password managers: LastPass, Dashlane, KeePass,
1Password and Keeper.
Methodology, Tools, Equipment
I will be using five of the most popular password management applications (LastPass, Keeper,
KeePass, 1Password and Dashlane). I will be focusing on password management on common
computing devices (desktops, laptops and smartphones) running Windows, Linux (Ubuntu,
Linux Mint, etc.), BSD, macOS, Android or iOS.
BASIC SKILLS NEEDED
- Knowledge of third-party password management applications.
- A deep knowledge of secure password management practices.
AWAITED RESULTS
Rather than racking our brains to remember passwords for different online accounts, we simply
make use of password management software, which does the job for us effectively, efficiently
and accurately, and leaves us with just one master password to recall.

- These password managers fulfil the main secure password management requirements.
- They create complex passwords that are very difficult to guess or crack, and they can
remember an unlimited number of passwords.
- They are fast, efficient, provide easy-to-use interfaces, and most include additional
functionality such as auto-fill to speed up or eliminate the data entry required for an
online purchase or account registration.
CHRONOGRAM
A comparative study of open source third-party software for managing account passwords: three
days.
Installation and configuration of the open source password managers: three days.
Report writing: one week.

ABSTRACT

Passwords are fundamental to information security. They are used as a first line of defence in
securing almost all our electronic information: networks, servers, devices, accounts, databases,
files, and more. Most of us now have a multitude of passwords that we need to somehow keep
track of and remember. This dissertation provides an overview of how password management
applications work, the security they provide, and the benefits and risks of using them; a
comparative study of five password managers (LastPass, Dashlane, Keeper, 1Password and
KeePass); and finally the latest recommendations for secure password management practices.

RÉSUMÉ (French abstract, translated)

Passwords are fundamental to information security. They serve as a first line of defence
against attacks on almost all of our electronic information: networks, servers, electronic
devices, accounts, databases, files and more. Most of us now have a multitude of passwords
that we must somehow note down and remember. This dissertation gives an overview of how
password management works with software applications, a comparative study of five
password management systems (LastPass, Dashlane, Keeper, 1Password and KeePass) and
finally the latest recommendations for secure password management practices, the security
they provide, and the advantages and risks of using them.

CHAPTER I
1. Introduction
In today’s era, the IoT (Internet of Things) has become popular around the world. Almost all
devices, known as smart devices, can connect to the Internet and access data from any corner of
the world. Whether we like it or not, in order to use these services we need some level of
authentication to gain access to them. Examples of such services include web services like the
UBa student account, administrative platforms, moodle.org, Gmail, Facebook, Yahoo Mail, etc.
One of the most common methods of authentication nowadays is the password: a user must
provide a username and a password before using certain services. Facing the threat of
cybercrime today, passwords need to be created and managed as securely as possible. The
password is thus the sentry that guards a mass of sensitive data such as our accounts (student,
staff), credit cards, addresses, and social security numbers. Imagine a school like COLTECH
using a manual account password management system, or no password management system at
all: how dangerous and inconvenient would that be?

2. Problem Statement
There are two main problems. The first is how to create strong passwords for online accounts,
and the second is how to manage these passwords (remembering them and keeping them safe).

Password compromise is the root cause behind many cyber breaches. Industry breach reports
regularly find that around two out of three breaches involve attackers using stolen or misused
credentials, because many people still do not follow secure password management practices.

From my study, I have come to the realization that most students, staff, and Internet users
generally rely on memory alone to keep track of their passwords. Relying totally on memory is
itself a clear sign that they are not following secure password practices: if they can remember all
of their passwords, then they must be creating simple passwords, or reusing passwords across
multiple accounts, or both.

3. Solution to the Raised Problem
Password management software applications are one answer to the problem, because they
address the main secure password management requirements. They help us create complex
passwords that are very difficult to guess or crack for all our online accounts, whether student,
staff, e-commerce sites, etc. They remember an unlimited number of passwords for us. They are
fast, efficient and easy to use, and most include additional functionality such as auto-fill to
speed up or eliminate the data entry required for an online purchase or account registration.
Password managers therefore offer the convenience we need to manage our many passwords.

Secure password management requires that a unique password be used for each and every
account. Passwords must be both long and complex, comprising numerals, mixed-case letters
and special characters; for a randomly generated password, length matters most, since the
number of possible passwords grows exponentially with it. Passwords should not be dictionary
words, or the names of anything that could be associated with their owner. Finally, a password
must be changed promptly whenever it may have been exposed (for example after a breach at
the service); current NIST guidance (SP 800-63B) no longer recommends routine periodic
changes, which tend to push users toward weak, predictable variations of the old password.

4. Historical Background of the Passwords


Fernando J. Corbató is a prominent American computer scientist, notable as a pioneer in the
development of time-sharing operating systems. Born on July 1, 1926 in Oakland, California,
Corbató received a bachelor's degree from the California Institute of Technology in 1950 and a
PhD in physics from the Massachusetts Institute of Technology in 1956. He joined MIT's
Computation Center immediately upon graduation and became a professor in 1965. Corbató is
credited with the first use of passwords to secure access to files on a large computer system, the
Compatible Time-Sharing System (CTSS).

These first passwords were simple and stored in the clear, since password-cracking programs
did not yet exist. But the system was also easily duped. In 1962, Allan Scherr, a PhD researcher
with access to CTSS, printed out all of the passwords stored in the computer so he could use
CTSS for more than his four-hours-per-week allotment.

Cryptographer Robert Morris (whose son Robert Tappan Morris later wrote the infamous 1988
Morris worm) developed a one-way function for the UNIX operating system, known as password
hashing, which turned a password into a fixed-size digest. The actual password was therefore no
longer stored in the computer system, making the password file far less useful to anyone who
obtained it.

In the last decade, startups and researchers have proposed suitably futuristic methods to
strengthen passwords or replace them entirely. These range from password managers like
LastPass, KeePass, Dashlane, 1Password and Keeper to personal data lockers, which centralize
and encrypt passwords and other personal data.

Sadly, most of us still use terrible passwords. Could you believe that in 2019 someone is still
using ‘password’ or ‘123456’ as their password? That is what many of us still do.

5. Literature Review
Before proceeding to the topic itself, we first run through some key terms used in password
management.

5.1. Password
A password is a secret string of characters that gives its holder access to a computer or an online account.

5.2. Password Management

Password management is the set of practices, and the software that supports them, by which
users or organizations create, store, protect and retrieve their passwords.

5.3. Password Managers


Think of a password manager as a wallet. Password managers help us generate unique, strong
passwords, store them in one safe place, and use them while only needing to remember one
master password.

5.4. Dropbox
Dropbox is a free service that lets you keep a cloud copy of anything within the Dropbox
folder on your desktop. That folder is then accessible across computers and devices. Any
change to that folder is synced across every connected computer.

5.5. Authentication
Authentication is the process by which a user proves their identity to a system, normally when
logging in.

5.6. Authentication factor

An authentication factor is something a user presents to a system in order to prove their
identity. It may be something they (and hopefully only they) know, proof of possession of a
physical object, or a measurement of some physical characteristic (biometric) of the living
human user. In other words: something the user knows, something the user has, or something
the user is.

5.7. Multi-factor authentication
Multi-factor authentication means authentication using factors of more than one kind. For
example, a user might sign in with a combination of something they know and something they
have, or with something they know, something they have and something they are. Two
passwords are two instances of the same factor, not two factors. Adding factors makes it more
difficult for an attacker to impersonate a legitimate user and gain access to a system.

5.8. Internet of Things

The Internet of Things (IoT) is the extension of Internet connectivity into physical devices and
everyday objects. Embedded with electronics, Internet connectivity and other hardware (such
as sensors), these devices can communicate with others over the Internet and can be remotely
monitored and controlled.

5.9. Typosquatting
Typosquatting, also known as URL hijacking, is a form of cybersquatting (registering domains
under someone else’s brand or trademark) that targets Internet users who mistype a website
address into their browser (e.g., “Gooogle.com” instead of “Google.com”). When users make
such a typographical error, they may be led to an alternative website owned by an attacker and
usually designed for malicious purposes, such as collecting the credentials the user types in.

5.10. Common threats against passwords

Let’s look at some common types of attack on the passwords of our Internet accounts.

5.10.1. Brute Force Attacks

A brute force attack is one of the most common forms of attack. It is a method of guessing a
password by literally trying every possible combination of characters; its cost grows
exponentially with the length of the password.

5.10.2. Dictionary Attack

A dictionary attack is a similar technique, but one that tries every entry in a wordlist of
dictionary words and commonly used passwords (often with simple variations such as appended
digits) to identify the user’s password. It succeeds against human-chosen passwords far faster
than brute force.

5.10.3. Social Engineering
The art of gaining sensitive information or unauthorized access to a system or account by
taking advantage of human (user) psychology; it is also known as the art of deception. In
practice, companies are typical targets of social engineering, and it is more challenging for IT
organizations to manage. Why? Because it relies on the fact that users are:

- naturally helpful, especially to someone who is nice or whom they already know;
- not aware of the value of the information they possess;
- careless about protecting their information.

6. Methods of password management

6.1. Manual Password Management Techniques
Besides using password management applications, there is still a group of people who use
manual methods to track passwords.

6.1.1. Use of a Notebook or Paper

This is the scenario where a user writes their passwords down by hand in a notebook or on a
piece of paper. The method has a real advantage: keeping your passwords offline protects them
from Internet-based attacks, although the notebook or paper can still be stolen or lost. Its
biggest drawback is inconvenience. It requires you to write down each long password or
passphrase by hand, carry the notebook from place to place, and type in account credentials
manually whenever you need to log in. That is a lot of labour to repeat all the time, yet many
people still manage their passwords this way.

6.1.2. Storing passwords unencrypted in a file on a connected device

Another group of people store their passwords in plaintext in a file on the device from which
they will be used. Although this is more convenient than the paper-based method above, it is
still not secure. Besides being vulnerable to physical theft, this method exposes the passwords
to all Internet-based attacks and to any malware on the device, which can read the file without
any further effort. It is also not portable, because the passwords cannot be accessed from other
devices.

6.1.3. Storing passwords in browsers
Another group of Internet users store passwords in their browser; Chrome, Firefox and Internet
Explorer all have built-in password managers. Chrome and Internet Explorer, however, protect
saved passwords only with the operating system's user credential store (DPAPI on Windows), so
any program running as the logged-in user, including malware, can read them without entering
a further password. Mozilla Firefox offers an option to encrypt saved passwords and protect
them with a master password. This is very similar to how dedicated password managers store
your passwords, except that Firefox will not generate new passwords for you and has very
limited syncing capabilities.

6.2. Using password management software applications to manage account passwords

6.2.1. Overview of how password management applications work
Password management software can help defend against criminals by generating and storing a
different password, long and complicated, for each of your online accounts. Here is a more
detailed explanation of what you need to know about password management applications.

6.2.2. What Are Password Managers, Exactly?

As mentioned earlier, most of us still use weak passwords or reuse one password on multiple
accounts, and we have seen that these practices can lead to more trouble than we imagine. A
password manager will generate, retrieve and keep track of long, complex random passwords
across countless accounts for us, while also protecting our other vital information (PINs,
credit card numbers and their three-digit CVV codes, answers to security questions, and more)
with strong encryption. Most password managers use AES with 256-bit keys; brute-forcing such
a key directly is computationally infeasible, so in practice the vault is only as strong as the
master password and the key derivation function that stretches it.

The beauty of using a password manager is that we only need to remember a single password,
the “master password”, which unlocks our vault. All our login information is locked down and,
at the same time, remains right at our disposal.

There are many password management applications to choose from today, and the best choice
depends on our needs. The following five are widely reviewed and recommended by security
practitioners and technology publications such as Lifehacker and Digital Trends: LastPass,
Dashlane, 1Password, Keeper and KeePass. All five provide the following features, except
where noted.

- Create unique passwords. These applications can provide a unique password for each
account, and can create and save an unlimited number of passwords.

- Create strong passwords. All five password managers can create random passwords that
resist password-cracking attacks such as brute-force, dictionary or rainbow-table attacks.

- Safely store passwords. The applications store passwords using strong encryption rather
than plaintext, so even if the vault is stolen it is useless to an adversary unless they can
decrypt it, which means guessing the master password.

- Bookmark web sites. Password managers store our passwords, user IDs and their URLs
together in the password database. This helps protect users against phishing, because the
user ID and password for a site are only offered when the page's origin (scheme and host)
matches the saved entry; a look-alike or typo-squatted domain gets nothing.

- Auto login to websites. Once credentials have been saved in the password database there
is no need to type the user ID and password; the password manager fills them in when a
login is required.

- Allow additional information to be saved in the password database. The database can
also hold other personal information, such as credit card numbers, PINs, name, address and
telephone number, giving a convenient way to secure this information as well.

- Auto-fill forms. The password managers can also auto-fill common forms. For example,
the information needed to make purchases online (credit card details, name, home address
and e-mail address) can all be filled from the database.

- Synchronize your passwords across devices. All except KeePass offer synchronization of
passwords across all of a user's devices.

- Provide access to your passwords from a public device. LastPass, Dashlane, 1Password
and Keeper allow access to your passwords through their websites, so on a computer where
the password manager is not installed the passwords can be retrieved from the vendor's web
application. Decryption is carried out locally by client-side scripts embedded in the web
page, which means you are trusting that page's code each time you use it. KeePass does not
have this feature; it is a local database only.

- Password strength report. All of these applications rate the strength of your current
passwords.

- Export passwords and user IDs. All of them allow export of passwords in various formats;
exported files are usually unencrypted and must be handled accordingly.

- Multi-factor authentication. All of these managers offer some form of multi-factor
authentication for unlocking the vault.

- Password sharing. All except KeePass offer the ability to share passwords with a spouse,
friends or family. Shared passwords are protected by TLS in transit and are sent only in
encrypted form.

6.3. Password Managers on Mobile Phones
All of the password managers listed above run on nearly all mobile platforms (BlackBerry,
Android and iOS, on both phones and tablets). Whatever platform we are using, one of these
password managers will run on it.

7. Why use password management software (a password manager)?

Firstly, it is more convenient, because we only have to remember one master password rather
than holding many passwords in memory.

Secondly, password managers can also help protect us from phishing. We might not notice that
the site we are about to log in to is a typo-squatted look-alike, but our password manager will:
it matches saved logins to the site's domain, so if we open what looks like our e-commerce site
and the password manager does not offer our saved login, that is a strong sign we are on a
cloned site.

For the sake of both security and convenience, everyone should be using a password manager.

CHAPTER II
After reviewing and analysing the questionnaires (see Appendix A) that I distributed to a number
of individuals (COLTECH staff, students and Internet users), it was very clear that many people
still do not follow secure password management practices. There were two groups of people
(see Appendix A for the raw data collected):

- those who know the importance of secure password management but still do not follow
secure password management practices;
- and those who did not even know the importance of secure password management.

8. A Typical Password Management Scheme

To better understand the security of a password management system, I drew up a sample
password management scheme.

[Figure 1, panel (a): User, Manager, Web Application; panel (b): Manager, Collaborator User.
Diagram not reproduced in this text.]

Fig1: (a) Password management system authentication to a web application. (b) Password
management system sharing with a collaborator.

9. General Password Manager Workflow Model

This model shows the basic functionality of every password management software.

[Figure 2: Password Manager, with two flows: save manually entered password; auto-fill
username and password. Diagram not reproduced in this text.]

Fig2: Password management system workflow

9.1. Manual Auto-filling

With manual auto-filling, the user must interact with an input device such as the keyboard or
mouse before credentials are filled, as shown below.

[Figure 3: Page load, then user interaction, then fill. Diagram not reproduced in this text.]

Fig3: Password management system manual auto-fill

9.2. Automatic Auto-filling

With automatic auto-filling, the user need not interact with any input device. As soon as the
page loads in the browser, the password manager fills in the form, as shown below. This
convenience is exactly what the sweep attacks of Section 12 exploit.

[Figure 4: Page load, then fill, with no user interaction required. Diagram not reproduced in
this text.]

Fig4: Password management system automatic auto-fill

10. Methodology for Random Password Generation in Password Managers

A random password generator’s objective is to produce random passwords that are difficult to
guess or crack during attacks. Random passwords have several benefits over user-chosen
passwords, since they carry no personal or linguistic structure that an attacker can exploit. The
methodology below generates a random password of fixed length consisting of upper- and
lower-case letters, the digits 0 to 9 and special characters (~!@#$%^&*-_+=). The generator
selects each character at random from the character list and appends it to the password, so the
result is a mixture of digits, lower- and upper-case letters and special characters.

The full character set has 75 members [13+10+26+26=75]: 13 special characters, 10 digits
(0 to 9), 26 upper-case letters and 26 lower-case letters. Each position in the password
therefore has 75 possibilities. For a password length of 12 characters, the number of possible
passwords is 75×75×75×75×75×75×75×75×75×75×75×75 = 75^12, roughly 3.2×10^22, or
about 74.7 bits of entropy.

Procedure:

Step 1: Start the process.

Step 2: Create the random character list containing digits, upper- and lower-case letters and
special characters.

Step 3: Fix the password length, for example 12 characters.

Step 4: Create the random password generator method that will generate the password.

Step 5: For each position, the generator draws a character from the character list using a
cryptographically secure random source.

Step 6: The index position of the selected character in the list is returned.

Step 7: Append the characters selected through these indexes, one by one.

Step 8: Print the password.

Step 9: End.

See Appendix B for the implementation of the random password generator in both C++ and PHP.

11. What to take into consideration when building a password manager

Some people believe they should not trust software they have not built or helped to develop.
There are many questions to ask and answer when developing a password management system:

i. What is your source of randomness for key and password generation? It must be a
cryptographically secure generator, such as the operating system's, not a general-purpose PRNG.

ii. What is your key derivation function? Will you use something like PBKDF2, scrypt or
Argon2 with a high work factor to resist cracking attempts against the master password?

iii. How much sensitive data remains decrypted at any one time?

iv. What measures does the system use to prevent data loss? Does the backup system
perform an integrity check on the data prior to making the backup?

v. How is memory holding sensitive data cleared when it is no longer needed?

vi. Are there obfuscation techniques (intentionally making recovery hard) for sensitive data,
such as decryption keys, that may need to reside in the app’s memory for a while?

vii. Will your system lock automatically, or does it require the user to take action to
lock or close their data?

viii. Can you eliminate or minimize copying and pasting of sensitive data? The clipboard is
readable by other applications.

ix. Most important, are you ready to keep researching newer techniques and updating your
password management system?

12. Common Attacks on Password Management systems and their defenses

12.1. Sweep Attacks

Password managers are vulnerable to sweep attacks mainly when they auto-fill the username
and password fields automatically as soon as a web page loads. The attack occurs when the
target user connects to a Wi-Fi hotspot controlled by the attacker.

When the user launches a browser, it is redirected to a standard hotspot landing page asking
for consent to the terms of use. This is common behaviour for public hotspots; the user does not
know that the landing page contains invisible elements (such as hidden frames loading the
login pages of many sites) that implement the attack.

By the time the user has read the fully loaded landing page, most of their credentials are already
gone: the password manager has filled the hidden forms and the page's script has read the
values and sent them to the attacker, at a rate of about ten passwords per second.

12.2. The Evil Coffee Shop Attack

Somewhat similar to sweep attacks, a Wi-Fi router in a coffee shop (for example) is all that is
needed; once you connect to it, all your passwords could be in the attacker's palms.

These attacks require only temporary control of a network router, which is much easier to
obtain and thus more likely to happen in practice. The user need not interact with a website at
all; the user connected to the Wi-Fi router is completely unaware of what is going on.

12.3. Injection and Exfiltration

12.4. Defenses

The main proposed defense is secure filling, which requires a modified browser (and modified
password managers to work with it).

Secure filling requires:

1. The password manager stores the form action present in the login form when the username
and password were first saved.

2. When a login form is auto-filled by a password manager, its contents become unreadable by
JavaScript (hence the requirement for a modified browser).

3. If the username or password field is modified (by the user or by JavaScript) while an
auto-fill is in progress, the auto-fill aborts, clearing the password from the password field and
making the field readable again.

4. Once an auto-filled form is submitted and all JavaScript that is going to run has run, the
browser checks that the form’s action matches the stored one and submits only if it does.

Until browsers implement this, the practical mitigation is to disable automatic fill on page
load and require a user action (a click or keyboard shortcut) before the manager fills anything.
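The following is an added example (my own code, not from the dissertation or from any of the five products) of the two checks a password manager makes before filling: the exact-origin match behind the "Bookmark web sites" feature of Section 6.2.2 and the phishing protection of Section 7, and steps 1 and 4 of secure filling above, which compare the login form's action with the one recorded when the entry was saved. The vault contents and URLs are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample vault: one saved login, recorded together with the
# origin (scheme + host + port) and the form action seen when it was saved.
VAULT = {
    "https://bank.example.com": {
        "username": "alice",
        "password": "correct horse battery staple",   # constructed sample value
        "action_origin": "https://bank.example.com",  # step 1 of secure filling
    },
}


def origin(url: str) -> str:
    """Normalize a URL to scheme://host[:port], lower-cased, ignoring path,
    query and fragment; default ports are dropped."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host = p.hostname.lower()
    default = {"http": 80, "https": 443}[p.scheme]
    port = p.port if p.port not in (None, default) else None
    return f"{p.scheme}://{host}" + (f":{port}" if port else "")


def lookup_login(page_url: str):
    """Return the saved entry only when the page origin matches exactly.

    Exact-origin comparison is what defeats typo-squats (bnak.example.com),
    look-alike subdomains (bank.example.com.evil.net) and HTTP downgrades of
    a site saved under HTTPS; none of them match, so nothing is offered.
    """
    return VAULT.get(origin(page_url))


def should_autofill(page_url: str, form_action: str, user_initiated: bool) -> bool:
    """Secure-filling decision combining the defenses above.

    Fill only if (1) the page origin has a saved entry, (2) the resolved form
    action posts to the origin stored at save time (step 4), and (3) the user
    explicitly asked for the fill; filling on page load is what sweep attacks
    exploit, so a hidden form on a hotspot landing page gets nothing.
    """
    entry = lookup_login(page_url)
    if entry is None or not user_initiated:
        return False
    # A relative action such as "/session" resolves against the page URL,
    # exactly as the browser would resolve it on submit.
    action_url = urljoin(page_url, form_action)
    return origin(action_url) == entry["action_origin"]


if __name__ == "__main__":
    print(should_autofill("https://bank.example.com/login", "/session", True))            # True
    print(should_autofill("https://bank.example.com/login",
                          "https://attacker.example/collect", True))                     # False
    print(should_autofill("https://bank.example.com.evil.net/login", "/session", True))   # False
```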

Chapter III
13. Comparative Study of Five Password Management Software Products

We now study each password manager in detail, noting the security it provides, the technology
it uses for security, its additional features, its advantages and disadvantages, and the reported
breaches it has endured.

13.1. KeePass

13.1.1. Overview

KeePass (KeePassX is an unofficial port for macOS and Linux) is a free, open source password
manager which helps you manage your passwords securely. All your account passwords are
locked in one database and you only have to remember a single master password to unlock the
whole database. KeePass is truly free and, more than that, open source (released under an
OSI-approved licence). You can get a copy from https://keepass.info

Fig 5: Keepass interface

13.1.2. No built-in Synchronization
Unlike LastPass and Dashlane, KeePass uses a local database only. There is no web application
to log into, and it does not itself synchronize passwords over the Internet. The database file
can, however, be carried on a USB drive or synchronized through a service such as Dropbox;
since the file stays encrypted, the sync provider never sees the passwords.

13.1.3. Additional features

- Choice of how the password database is protected. KeePass lets you protect the database
with a master password, a key file, or both; a key file kept off the machine acts as a second
factor against offline guessing of the master password.

- Secure desktop option. If enabled, KeePass prompts for the master password or key file on
a separate, isolated Windows desktop, which most user-mode keyloggers and screen grabbers
cannot observe. It does not turn such software off, and a kernel-level keylogger can still
capture the input.

- Configurable password generation. KeePass allows more detailed configuration of
generated passwords, including pattern-based passwords and keys that the other password
managers cannot produce.

13.1.4. Security

The password vault is encrypted using the best and most secure encryption algorithms
currently known (AES and Twofish).

13.1.5. Technology Used For Security

KeePass uses SHA-256 to derive the encryption key and AES-256 and Twofish for
encryption. If the master password is used in conjunction with a key file, the key is
computed as follows: SHA-256(SHA-256(password), key file contents). The number of
key-derivation iterations defaults to a value of up to 6000 depending on the device, but
this number is configurable.
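The composite-key step described above, carried through in Python as an added example (not KeePass's own code). The composite formula, SHA-256(SHA-256(password), key file contents), and the default iteration count are taken from the text; the iterated SHA-256 in `stretch()` is an assumed stand-in for the real key-transformation rounds, and the key file bytes are constructed.

```python
"""Composite-key derivation of the kind the text describes for KeePass.

Added illustration, not KeePass's own code. composite_key() follows the
formula in the text; stretch() is an ASSUMED simplification (iterated SHA-256)
standing in for the real transformation rounds, with only the iteration count
taken from the text.
"""
import hashlib
import secrets
from typing import Optional


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Combine whichever unlock factors are present into one 32-byte key:
    SHA-256(SHA-256(password) || key file contents). Either factor may be absent."""
    if password is None and keyfile is None:
        raise ValueError("a master password, a key file, or both is required")
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile
    return hashlib.sha256(material).digest()


def stretch(key: bytes, iterations: int) -> bytes:
    """Make every guess cost `iterations` hash operations (assumed transform).
    Raising the count slows an offline attack on the database by the same factor."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    for _ in range(iterations):
        key = hashlib.sha256(key).digest()
    return key


def derive_vault_key(password: Optional[str], keyfile: Optional[bytes],
                     iterations: int = 6000) -> bytes:
    """Key used to encrypt the database; AES-256 and Twofish both take 32 bytes."""
    return stretch(composite_key(password, keyfile), iterations)


def make_keyfile() -> bytes:
    """Constructed 32-byte random key file; a real one is generated once and kept
    off the machine that holds the database copy."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    kf = make_keyfile()
    print(derive_vault_key("master password", kf).hex())
    print(derive_vault_key("master password", None).hex())  # password only: different key
```

A key file adds entropy the attacker cannot brute-force from a password dictionary: without its 32 bytes, even the correct master password yields the wrong vault key.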

13.1.6. Breach Report

The tool called KeeFarce can be used to crack KeePass without needing to know the master
password that protects the KeePass database. Many hackers have used this method to obtain
user credentials.

13.1.7. Advantages and Disadvantages of KeePass

 Advantages

 Completely free

 Open source code makes for transparency

 Can export your passwords to a text file

 Has an app for iPhone – MiniKeePass

 Disadvantages

 Takes time to understand for 'non-technical' types

 Does not provide browser extensions that support password

13.2. LastPass

13.2.1. Overview
LastPass is a very popular cross-platform and award-winning password manager that stores
all of its data in the cloud on LastPass servers. It works on all the major operating systems
and web browsers. LastPass can automatically save logins, help generate safe and secure
passwords and automatically fill in your passwords when you visit a site. It also allows users
to share passwords with each other through a secure means.

Fig 6: LastPass interface

13.2.2. Pricing
LastPass is free to use for a single device. But to synchronize your account on all your
devices you will be charged $12 a year. You can get your copy from
https://www.lastpass.com

13.2.3. Additional features

LastPass has many additional features that are not offered by the other password management
applications. Three of them are as follows:

i. Multifactor authentication

LastPass includes many additional options for multifactor authentication:

 Web authentication applications

 Physical grid

 USB

 Fingerprint

ii. One Time Passwords (OTP)

A One Time Password (OTP), as the name implies, is a password which can only be used
once. These passwords are to be used instead of the master password when there is more of a
risk that the master password may be stolen. LastPass recommends using them for access
from a public computer or a public network.

iii. Recovery of the account for forgotten master passwords

Recovery of the password vault is a feature that allows users to recover their password vault
in case they forget their master password.

13.2.4. Security

The master password is used to derive the encryption key for the password database. The
password database is referred to as the vault. The vault is protected using very strong
encryption (AES 256 bits). The only person that knows the master password is you, because
LastPass does not know it.

13.2.5. Technology Used For Security

LastPass uses Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 to convert the
master password into an encryption key.

PBKDF2 is a standard function which is part of the Public-Key Cryptography Standards
(PKCS). The PBKDF2 function requires a seed, a salt, a number of iterations, a hashing
algorithm and the plaintext master password to derive the key.

LastPass uses SHA-256 as the hashing algorithm, the user id as the salt, and a random
number as the seed value. The number of iterations is a configurable value that for Windows
currently defaults to 5000.
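The derivation just described, as an added Python example (not LastPass's own code). Standard PBKDF2 as specified in RFC 8018 takes the password, a salt, an iteration count and an output length; the example uses that interface with the user id as the salt and 5000 iterations as the default, both from the text. The same PBKDF2-SHA256 construction is what the text later attributes to Dashlane, Keeper and 1Password, differing only in the iteration count. The user ids and passwords are constructed.

```python
"""PBKDF2-HMAC-SHA256 vault-key derivation with the user id as the salt.

Added illustration, not any vendor's code. Inputs taken from the text: SHA-256,
salt = user id, 5000 iterations by default. Sample ids/passwords are constructed.
"""
import hashlib
import hmac
import time


def derive_vault_key(master_password: str, user_id: str, iterations: int = 5000) -> bytes:
    """PBKDF2-HMAC-SHA256(master password, salt = user id) -> 32-byte AES-256 key.
    The per-user salt means two users with the same master password get different
    vault keys, so one precomputed table cannot serve an attacker for every user."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        user_id.strip().lower().encode("utf-8"),  # normalise so the salt is stable
        iterations,
        dklen=32,
    )


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    return hmac.compare_digest(a, b)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure what one derivation costs at this iteration count: this is the
    price an offline attacker pays per password guess against a stolen vault."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark-only", "bench@example.invalid", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "alice@example.invalid")
    print(key.hex())
    for n in (5000, 100000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Run stand-alone, the block prints the derived key and the measured cost at 5000 and at 100000 iterations; the ratio between the two timings is the factor by which the higher setting slows a brute-force attempt.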

13.2.6. Breach Report

The LastPass password manager suffered a breach in 2011 and again in 2015.
Neither of these compromises was deemed to be critical, because the actual passwords stored
in the password databases were not exposed.

13.2.7. Advantages and Disadvantages of LastPass

 Advantages

 The free version has really no great difference from the premium version

 Your passwords are encrypted so that even LastPass can't get into your passwords

 Two-factor authentication

 The paid version includes 1 GB of encrypted cloud storage

 The free version includes credit monitoring

 Works across all devices

 Disadvantages

 The paid version doesn't offer enough over the free version, which might cause
problems for the company in the long run

 Because it is so popular, it tends to be a target for hackers and has had
vulnerabilities in the past.
13.3. Dashlane

13.3.1. Overview
Dashlane is a newer password manager. It has applications for almost every platform,
extensions for every browser, and can store passwords locally.

Fig 7: DashLane Interface

13.3.2. Pricing
Dashlane is free for a single device. But if you want to synchronize your passwords across
multiple devices then the current cost is $39.99 per year. You can get your copy from
https://dashlane.com

13.3.3. Additional features

The following are three unique features offered by Dashlane:

 Password Changer
Dashlane has a password changer feature which allows all the passwords in the database
to be changed automatically. Dashlane can log in to each website on behalf of the user
and change the password.

 Emergency Contact
Dashlane also allows you to set up an emergency contact who can gain access to your
passwords in the case of emergency or death. The sharing is set up for the future, after a
pre-defined waiting period. If there is no activity on the share request before the end of the
waiting period, then the passwords are shared with the emergency contact.

 Breach Notification
Dashlane sends an email notification if any of the websites in the password database has
been breached.

13.3.4. Security
The Dashlane security premise is similar to LastPass. The password vault is protected by an
encryption key which is based upon a master password known only to the user. The master
password is never stored or sent. It uses AES 256-bit encryption.

13.3.5. Technology Used For Security

The encryption key, like LastPass, is derived from the master password using PBKDF2 with
SHA-256. The number of iterations is not configurable and is about 10000.

Communication between the browser and Dashlane is secured using AES-256 with
OpenSSL.

13.3.6. Breach Report


Dashlane has not been compromised yet. No record shows that an attack was successful.

13.3.7. Advantages and Disadvantages of Dashlane

 Advantages

 Stores passwords locally
 Has a low memory footprint
 Can keep passwords either locally or in the cloud
 Simple interface
 Digital wallet for tracking and making purchases at online retailers
 Will automatically reset passwords when a site is hacked
 Includes a VPN

 Disadvantages

 You can't sync passwords over multiple devices without paying a fee
 Expensive, especially if you already have a VPN. The built-in VPN lacks the
ability to choose the server country
 Does not work well with Internet Explorer. Although, if you are still using Internet
Explorer
13.4. Keeper
13.4.1. Overview
Keeper is less well known but has a strong focus on security and supports most devices and
browsers. It integrates with Duo for one-tap authentication. It can also stop people from
logging into your account from other parts of the world (which is good until you forget to
change it when you go on vacation).

Fig 8: Keeper Interface

13.4.2. Pricing
Keeper costs $30 billed annually, which includes an encrypted vault for every user, folders and
subfolders, shared team folders, and access from an unlimited number of devices. The free tier
of service for Keeper limits your usage to only a single account without any syncing, but you
get a 30-day free trial to determine whether the paid service is right for you.

13.4.3. Additional Features

 BYOD Integration (bring your own device, or BYOD)
In a BYOD world a single stolen smartphone is a major inconvenience for the consumer;
it can be catastrophic for a company. Keeper requires a separate login from the device, so
even if the user has defeated the device login, the passwords are still secure. Admins can
even set the auto-logout timer according to company policy.

 Active Directory Integration

Keeper AD Bridge allows businesses running Microsoft Active Directory to integrate
Keeper password management software within their current systems, automatically
adding any number of Nodes (organizational units), Users, Roles and Teams. Once
connected, Keeper enables role-based access control (RBAC) at any Node. Those
controls can be cascaded to all lower Nodes if desired. Teams may be provisioned for
sharing credentials. As people move throughout the organization, Keeper keeps their
roles updated through AD.

13.4.4. Security
It starts with client-side AES-256 encryption, which means your data is encrypted and
decrypted locally. Keeper never sees any of your information and it’s never sent to Keeper’s
servers without being encrypted first.

You can set anywhere from 1,000 to 100,000 rounds of PBKDF2 hashing before sending
your unique key to Keeper to unlock your vault. The more rounds of hashing, the less likely a
hacker can brute force your password.

This is known as a zero-knowledge model, meaning you, and only you, know what’s inside
your vault. Likewise, Keeper never receives your master password or stores it locally. It is
the single key to unlock your information and only you know it.

That means Keeper can’t unlock your account in the event you forget your master password.
You can add up to five emergency contacts who can access your account after an amount of
time you specify. Emergency contacts must have a Keeper account and RSA key pair to
accept the invitation.

When sharing anything in your vault with another user, both parties will also need an RSA
key pair. This ensures that, even if your information is accidentally sent to someone else,
only the intended recipient will be able to decrypt it.

13.4.5. Breach Report

Keeper has not yet been compromised, but some faults have been identified, which were fixed
by Keeper engineers.

13.4.6. Advantages and Disadvantages of Keeper

 Advantages

 Excellent security
 A wide range of supported devices, including BlackBerry and Windows Phone
 Allows you to designate an emergency contact
 Can lock out people in other parts of the world, which can protect you in the event
of a breach
 One-tap authentication

 Disadvantages

 Free trial version works only on a single device
 Relatively expensive
 Weak form-filling capabilities
 Limited functionality on ChromeOS
 Takes longer than most managers to change a password
 Does not have PIN numbers to access apps, forcing you to type in the master
password all the time if your phone or tablet does not support biometrics

13.5. 1Password

13.5.1. Overview

1Password from Agile Web Solutions is a great way to manage, create and securely access
your passwords from a Mac, iPhone, iPad or Android device.

The application has plugins for all the major web browsers (Safari, Firefox and Chrome), and
you can also pull up your passwords from the application itself.

Fig 9: 1Password Interface

13.5.2. Pricing

1Password does not offer a free version. It has a 30-day trial version. The total cost is $36
annually. You can get your copy from https://1password.com

13.5.3. Additional Features

 Breach Notification
1Password sends security alerts if any of the websites in the password database has been
breached.

 Travel Mode
1Password gives you the possibility to remove sensitive data from your devices when you
travel or are on vacation, and the ability to restore it when you come back.

13.5.4. Security
1Password uses AES-GCM-256 encryption to protect the password vault.
1Password also uses PBKDF2-HMAC-SHA256 for key derivation, which makes it harder for
anybody to guess your master password.

13.5.5. Breach Report


No record of any successful breach by any means.

13.5.6. Advantages and Disadvantages of 1Password

 Advantages
 Allows you to lock down most of your passwords when taking a device
overseas, protecting you from overzealous customs or law enforcement, or if
your phone is stolen
 Its interface is the most elegant of the bunch, with numerous small touches that
make it easier to use
 Acts as an authenticator application
 Integrates with a large number of mobile applications
 Runs across almost all platforms
 Checks for compromised passwords and reminds you which sites use two-factor
authentication
 Allows remote deactivation of devices
 Stores passwords neatly by category
 Will create passphrases as well as random passwords

 Disadvantages
 Does not have automated password updates
 Does not support Internet Explorer
 Have to install a separate extension for each browser you use
 Can only import passwords from Chrome, LastPass, Dashlane, and RoboForm
 No password updating
 Requires a separate authenticator application to operate its own two-factor
authentication
13.6. Features Comparison chart

Other platforms that support it (apart from Windows, Mac, iOS, Android)
  LastPass:  Linux, Chrome OS, Firefox OS, Surface RT, Windows Phone
  1Password: Linux, Chrome OS, Apple Watch
  Dashlane:  Chrome OS, Linux, Apple Watch
  Keeper:    Chrome OS, Linux, Windows Phone, BlackBerry
  KeePass:   Linux / Mac OS X

Browsers that support it
  LastPass:  Firefox, Maxthon, Opera, Internet Explorer, Edge, Chrome, Safari
  1Password: Chrome, Firefox, Opera, Internet Explorer
  Dashlane:  Chrome, Firefox, Opera, Internet Explorer, Edge
  Keeper:    Chrome, Firefox, Internet Explorer, Edge
  KeePass:   Chrome, Firefox, Opera, Safari

Form capture
  LastPass:  Automatic as you submit forms
  1Password: Automatic as you submit forms
  Dashlane:  Automatic as you submit forms; also captures receipts
  Keeper:    Automatic as you submit forms
  KeePass:   Yes

Form autofill / auto submit
  LastPass:  Optional auto fill on page load; optional auto submit
  1Password: By default, auto fill and auto submit when you press a keyboard shortcut
  Dashlane:  Auto fill on page load
  Keeper:    Auto fill on page load
  KeePass:   Yes

Primary data storage location
  LastPass:  Cloud-based
  1Password: Cloud-based, with local option
  Dashlane:  Cloud-based
  Keeper:    Cloud-based
  KeePass:   Local option

Data accessibility offline
  LastPass:  Yes, with optional desktop app
  1Password: Yes, except with 1Password X
  Dashlane:  Yes
  Keeper:    Yes
  KeePass:   No

Data accessibility on the web
  LastPass:  Yes, with ads for non-Premium subscribers
  1Password: Yes, subscription accounts only
  Dashlane:  Yes, only for premium subscribers
  Keeper:    Yes
  KeePass:   No

Syncing
  LastPass:  Proprietary cloud service only
  1Password: Dropbox, iCloud, folder sync, local Wi-Fi sync, or proprietary cloud service
  Dashlane:  Proprietary cloud service only
  Keeper:    Proprietary cloud service only
  KeePass:   Dropbox

Automatic password change
  LastPass:  Yes
  1Password: No
  Dashlane:  Yes
  Keeper:    No
  KeePass:   No

Security audit (e.g. password)
  LastPass:  Yes
  1Password: Yes (except version 6 for Windows)
  Dashlane:  Yes
  Keeper:    Yes
  KeePass:   Yes

Two-factor authentication
  LastPass:  Yes
  1Password: Yes
  Dashlane:  Yes
  Keeper:    Yes
  KeePass:   Yes

Encryption method
  LastPass:  Uses standard AES-256 bit encryption on your data
  1Password: Uses standard AES-GCM-256 encryption
  Dashlane:  AES-256 with OpenSSL
  Keeper:    Uses standard AES-256 encryption
  KeePass:   Uses standard AES and Twofish 256-bit encryption on your data

Interface
  LastPass:  Simple interface
  1Password: Easy to use user interface
  Dashlane:  Sleek and elegant user interface
  Keeper:    Has a modernized user interface
  KeePass:   Complex user interface

Recovery in case of forgotten master password
  LastPass:  Yes
  1Password: Yes
  Dashlane:  No
  Keeper:    No
  KeePass:   No

Table 1: Comparative study of password management systems

14. How Do I Set It All Up

Except for KeePass, getting started with any password manager is roughly the same, and it is
simple. With Dashlane, Keeper and 1Password, you first download (take care to download
from the official site stated above) and install the software and an extension for your
browser. LastPass requires only a browser extension. You can also download an application
for your mobile phone or tablet from the Google Play Store.

To set up an account, you use your email address and will need to come up with a master
password: a long, random, complicated one (note that this is the only password you will need to
memorize).

Next, you have to let the password manager know about your various accounts by setting
up the bookmark (site URL, username, and password). You can either import
passwords you have stored in your browsers, have the manager store your username and
password the next time you log in to a site, or enter the information manually.

15. Some Recommendations on How to Choose a Strong Password

15.1. Guidelines for creating a strong password
These are some guiding rules to follow when creating strong passwords. A strong password
should:

 Be at least 8 characters in length
 Contain both lowercase and uppercase alphabetic characters (e.g. A-Z, a-z)
 Have at least one numeric character (e.g. 0-9)
 Have at least one special character (e.g. ~!@#$%^&*()_-+=)
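A checker that applies the four guidelines above, added here as an example (not part of the dissertation). The thresholds and the special-character set are the ones the guidelines state; the reuse and common-password checks go a little beyond them, following the best-practice advice in the next subsection against reusing passwords, and the COMMON_PASSWORDS list and sample passwords are constructed.

```python
"""Checker for the strong-password guidelines.

Added illustration. Length, character classes and the special-character set
come from the guidelines; COMMON_PASSWORDS is a constructed stand-in for a real
breached-password list.
"""
import hashlib

SPECIALS = "~!@#$%^&*()_-+="
MIN_LENGTH = 8
# constructed: a real deployment would check against a large breached-password list
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def fingerprint(password: str) -> str:
    """Store only a hash of earlier passwords for the reuse check.
    ASSUMPTION: plain SHA-256 keeps the example short; a real history store should
    use a slow, salted hash so the history itself is not cheap to crack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(password: str, previous_fingerprints=()) -> list:
    """Return every rule the candidate fails; an empty list means it is acceptable.
    Reporting all failures at once lets a user fix them in a single attempt."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if fingerprint(password) in previous_fingerprints:
        problems.append("reused from an earlier password")
    return problems


def is_strong(password: str, previous_fingerprints=()) -> bool:
    return not password_violations(password, previous_fingerprints)


if __name__ == "__main__":
    for candidate in ("password", "Abc1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_violations(candidate) or "ok")
```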

15.2. Best Practices/Recommendations for maintaining a strong password

The following are some recommendations for maintaining a strong password:

 Do not share your password with anyone for any reason

 Change your password upon any indication of compromise

 Consider using a passphrase instead of a password (a passphrase is a password
made up of a sequence of words with numeric and/or symbolic characters inserted
throughout)

 Do not write your password down or store it in an insecure manner. As a general
rule, you should avoid writing down your password; use a password manager
recommended by security experts (including ISO).

 Avoid reusing a password when changing an account password.

 Avoid using the same password for multiple accounts.

 Do not use automatic logon functionality on a public device
16. Conclusion
We see that in today's world more and more of our transactions are sent over the internet,
and there is nothing we can do to reverse that. As the world becomes a global village,
it has never been more important for each and every one of us to follow safe and secure
password management practices. As I mentioned earlier, passwords are the sentry that
guards our online information, including bank accounts, emails, medical records and more.

I recommend that we use password management applications to manage our account
passwords because it is the most practical and secure way for us to follow secure password
practices. Although they are not infallible and, like all other software applications, are
susceptible to attack, I fully believe that it is much safer to use a password management
application than not to use one. So far we have reviewed five popular account password
management systems, yet there are many others to choose from. When choosing password
management software, make sure it follows the principles I have covered in this study. I
recommend the LastPass and KeePass password managers, as they have withstood the test of
the world's top hackers. I hope that by now we have understood how to better manage our
account passwords, and the best security practices when managing those accounts.

Appendix A
Questionnaire

Account Password Management Systems Study Questionnaire

May 03, 2019
Ayeah Godlove Akoni
Thank you for participating in this study of account password management systems. I am a year
two student of the College of Technology, Department of Computer Engineering. The objective
of this study is to gather information on how staff members of the College of Technology
administration manage account passwords and also how individuals manage their passwords.

Part ONE: This section is all about your personal knowledge of password management

1. How do you manage your account passwords?

Write them down on paper

Use just a single password for all accounts

Store them in your phone/computer in plaintext in a text file

Use very simple passwords

By using password managers

Memorize them

2. Has any of your accounts ever been compromised before? YES NO

Which of them? ______________________________

3. How often do you change your passwords? After every 1 month / after every
3 months / after every 6 months / never unless stated by the online site.
4. What kind of passwords do you often use for your account safety?

Complicated password (e.g. @Ga8obL!$)

Simple passwords (e.g. 123456, password, date of birth, your name, your number)

5. Do you know what a password manager is? YES NO

6. Have you ever used one? YES NO Give its name____________________

7. Is it open source password management software or commercial software?

Open source software / commercial software.
8. In your point of view, is password management really necessary?
YES NO. If yes, then why do you think it is a necessity?
________________________________________________________________________
________________________________________________________________________
Data collected from users

Number of questionnaires filled: 10 (100%)
  Manual techniques:
    Write down passwords in a book:                       02 (20%)
    Rely solely on memory:                                04 (40%)
    Store passwords in a text file on computing devices:  03 (30%)
  Password management software:                           01 (10%)

Total number of people using PMs = 01 per 10 persons

Questionnaire number | Simple or complex password | After how long do they change account passwords | Account breach | Password management software they use
01 | Simple  | Never                                 | None     | None
02 | Simple  | Never unless alerted by site          | Facebook | None
03 | Complex | Whenever my password manager tells me | None     | LastPass
04 | Simple  | Never                                 | Gmail    | None
04 | Simple  | Never                                 | None     | None
Appendix B

This is an implementation of a password generator I did using the C++ programming language. It
gives the user the ability to input his/her desired password length and then generates a complex
password of the length specified.

The figure below is a sample run of the program on the terminal in Ubuntu 16.04. The user selects a
choice by entering a value, either 1 (to generate a password) or 2 (exit). Then the user still has to
enter the length he/she wants his/her password to be.

The figure below is another implementation of a password generator, this time using the PHP server-
side scripting language. It gives the user the ability to select the characters to be included in
his/her complex password.

The figure below is a sample run of the program on Apache and MySQL servers in Ubuntu 16.04.
The user selects a choice by clicking on the various checkboxes to select what type of characters
are to be included in his/her generated password.
