An Important Note: I am Nobody
To be fair, I am by no means an expert in any sense. I work in IT, specifically system administration and system security. To some degree, I am a professional. But, that does not mean I am an expert or am even well-versed in the specific issue of paid password management software. What I am, though, is smart enough to see when something doesn't make sense. I posit that the concept of paying someone else to hold your passwords is absolutely ridiculous.
Also: I will be ripping on Dashlane for most of this article, but it should be made clear that all of these subscription-based closed-source password managers suck in the exact same way Dashlane does.
The Password Remembrance Issue
Companies don't exist without an identified problem. The issue here is that most people use easy-to-remember passwords that are easily guessed by computer software, whether it be brute force attacking, dictionary attacking, etc. For example, let's make up an individual, let's name him Ryan Broman. Ryan is around my age (1999), and being of that age Ryan used a very basic password when he got his computer sometime around 2008, let's say "christmas"[1]. As Ryan grew up he realised that using a basic password, while easy to remember, allows you to quickly fall victim to hacking. So Ryan adds a capital letter to his universal password and exchanges an "i" for a "1" (13374L1F3). So his password becomes "Chr1stmas". Along the way some symbols get involved, and the password becomes something like "Chr!stmas.$". On the surface this seems like a secure password, and since Ryan uses it for everything he'll have it memorised by now. So this creates a password that is secure and easy-to-remember.
As you may have guessed, having a universal password is not a good idea. So this creates the issue where the average everyday end-user needs to memorise n passwords for n services they use. As an IT security professional I can tell you this does not happen. So, what then is the solution?
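Why Ryan's upgrades only look secure on the surface can be shown with a defender-side check, added here as an example that is not part of the original post: a password-policy filter that undoes capitalisation, look-alike substitutions and edge decoration before a dictionary lookup. The wordlist, substitution table and function names are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed mini-wordlist; a real policy check would load a large
# common-password list instead.
COMMON_WORDS = {"christmas", "password", "dragon", "summer"}

# Look-alike substitutions, mapped back to the letter they stand in for.
LEET = str.maketrans({"1": "i", "!": "i", "3": "e", "4": "a", "@": "a",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits and punctuation prepended or appended to the word.
EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def candidates(password: str) -> set:
    """Return the plain words this password could have been built from."""
    lowered = password.lower()
    # Order matters: a trailing "$" may be decoration ("Chr!stmas.$")
    # or a substituted letter ("chri$tma$"), so both readings are tried.
    stripped_first = EDGE_JUNK.sub("", lowered).translate(LEET)
    translated_first = EDGE_JUNK.sub("", lowered.translate(LEET))
    return {stripped_first, translated_first}


def dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word behind a password, or None if none matches."""
    for word in candidates(password):
        if word in COMMON_WORDS:
            return word
    return None


if __name__ == "__main__":
    # Ryan's three passwords from the text, plus a constructed random one.
    for pw in ["christmas", "Chr1stmas", "Chr!stmas.$", "kV9#tq2LmZ@x"]:
        print(f"{pw!r:16} -> {dictionary_base(pw)}")
```

All three of Ryan's passwords reduce to the same dictionary word, so a policy that rejects dictionary words should reject their decorated forms too.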
"You should get Dashlane!" --Dashlane, 2021
Take a look at this excerpt from an article titled "You Should Get a Password Manager":
How is Dashlane different? Dashlane generates strong, unique passwords for each of your accounts and stores them securely. How? Dashlane encrypts all your data locally (on your device) using your Master Password before sending it to our servers. Your Master Password is never transmitted on the internet, so in the unlikely event that your data is somehow intercepted, the encryption ensures no one will be able to decipher it.
It doesn't take a genius to realise that this article, entitled "You Should Get a Password Manager" is a bit biased towards Dashlane, a subscription-based password manager / digital wallet application launched in 2012. Take a look at the website that published this article. Ah, right, it's Dashlane themselves. It shouldn't be a surprise that Dashlane's blog shills its own product -- most companies with a similar marketing strategy do the same thing.
Corporations and Influencers: A Red Flag
If my entire opinion on this issue could be summed up in one sentence, it's this: If a company needs to market their product by way of popular social media accounts shilling it, you should not buy that product. At no point should a company's product need to be shilled through influencers. If a person can be paid to pretend to like a product, that person and the company behind it should not be trusted. There really is no argument to be made here. Dashlane is a huge offender in this case. I can't go more than 5 YouTube videos without a quote spat at me similar to this, taken from the first video in my homepage I could find with a Dashlane sponsorship (click here for full video):
...you can be safe online by using Dashlane. Dashlane gives you everything to easily manage your passwords and keep them secure. With Dashlane, logging in to a website is as easy as clicking "Log in" and letting autofill do the rest. It works with addresses and credit cards to make your online shopping seamless and easy. Dashlane works on multiple devices so if you need to log in to an account on your phone, tablet, or desktop, you'll always have access and account info. On top of all that, Dashlane also has a VPN, which stops your ISP from tracking your web activity and allows you to watch shows and movies that are unavailable in your country. If you find this as helpful as I do, you can try Dashlane for free on your first device at https://dashlane.com/iamacorporateshill, and if you decide to upgrade to premium, you can use my code SHILL for 10% off!
What Dashlane does Right
This is a very, very good example of sponsorship scripting. Almost everything in this script is fact-based:
- Dashlane manages your passwords.
- Dashlane is usable on multiple devices.
- Dashlane works with addresses and credit cards.
- Dashlane works on multiple devices.
- Dashlane comes with a VPN.
- Dashlane can be used for free on your first device by visiting this link.
VPN software could be an entire blog of its own. It probably will be.
While there is some opinionated language ("easily", "seamless", "helpful") it is ridiculous to expect advertisements to not promote a product and only state facts. While I am obviously not a fan of Dashlane or other subscription password managers, their influencer marketing strategies almost always stick to the facts of the product. However, as I said before, paying popular people to promote your paid product is a perfectly present portent as to the fact that there is something you are not telling people[2].
What these companies are not telling the consumer is that there are free solutions that directly compete with and in some ways (mainly financial ways) outperform them and other paid competitors.
Transparency and Security: The Good Parts
I must give subscription password managers a bit of credit for their dedication to transparency. While their actual software is a black box (and shoving passwords into a black box is never a good idea) the majority of big players have published white papers trying to explain their security methodology to both technically inclined people and the average person in the same paper. NordPass, Dashlane, 1Password, and other major players have explanations available. Transparency is becoming more and more important, and publishing your product's security capabilities is a good step in being an ethical company.
However...
That does not absolve them of selling a product that is available for free. These companies trust that the layperson either does not know or is too lazy to research alternatives. Given the ever-increasing popularity of the subscription model for just about everything, a subscription-based password manager is not outside the realm of possibility for the average person.
The Alternative(s)
So given that paid password managers suck, what is the alternative? Freeware, of course. There exist many free password managers that do the same things subscription-based password managers offer. For example, KeePass is 100% absolutely under no uncertain terms free. Full stop. It has been in development since 2003 and is maintained by Dominik Reichl. I can personally speak for its capability. The only thing it lacks is cross-platform support, which has more-or-less been solved by Antelle's KeeWeb, a more "pretty looking" cross-platform version of KeePass using KeePass's underlying format. Both of these pieces of software combined support everything Dashlane does except for a VPN.
Another alternative is browser-based password managers. I am a Chrome user myself, and I use Chrome's password manager in conjunction with Apple Keychain when using my iOS / macOS devices. It integrates directly into my web browser (of course) and actively monitors my passwords and hashes for web leaks. It is cross-platform, robust, and well-reviewed. Most importantly, I do not pay any monthly fee for it. A browser-based password manager is a direct competitor to paid software. While it is not open-source (at least Google's is not), Google has a strong history of credential safekeeping.
The End
To close, subscription-based password management software is a terrible idea, and if you are using one currently I highly recommend using a free solution. Companies like Dashlane utilise the tried-and-true method of scaring consumers into believing two things: their passwords are not safe, and only their company can protect them. While the passwords are secure in the hands of these companies and their security is transparent, the very concept of a paid password manager is ridiculous, and they obscure this fact by way of influencer marketing and pandering to the layperson. Do not trust them. Do not give them your money.
[1] My password was never any variation of "christmas" but it was similar.
[2] Yes, the alliteration was on purpose, in fact I Googled synonyms to make it so. Yes, "portent" is used incorrectly.