Overview
Remembering strong, unique passwords for an ever-growing number of accounts is extremely difficult. It is for this reason that password managers are becoming so popular. There are literally dozens of password managers on the market, and choosing between them is getting trickier.
Keeper is a service developed by the US firm Keeper Security Inc. and it appears to provide exactly what consumers need to effectively protect multiple accounts without the stress of remembering individual passwords. With Keeper, you simply set one master password - following that the software does everything for you.
Anybody who wants to test drive Keeper can do so for free. Free users can only use the password manager on a single device. The good news is that Keeper will remember an unlimited number of passwords even on the free version.
What’s more, despite the seemingly ambiguous nature of the free trial (it is hard to tell whether it is just 30 days or longer), Keeper assured us that it is possible to keep using the password manager for free on one device indefinitely. However, it reminded us that if you were to lose your device, you would lose all your passwords because the free version will only work on one device. This is a pretty serious limitation.
Anybody who wants the added security and permanence of a full premium subscription will need to pay for either the standalone password manager service (Keeper Unlimited), which is charged at a cost of $34.99 per year or the “Keeper Bundle”.
The “Keeper Bundle” comes with Keeper Password Manager (Keeper Unlimited), BreachWatch and 10GB of Secure File Storage at a cost of $58.47 - only with our discount link.
In this article, we will stick to reviewing the password manager. On the whole, a cost of $2.9 is not considered particularly outlandish for unlimited password management on unlimited devices.
However, it is worth noting that the service is supposed to be used by just one person, and sharing it would require every person to use the same account with a single master password. This is obviously not suitable for most people’s security needs.
Thus, for multiple people who want to use Keeper password manager, it will be necessary to pay for the Family subscription plan which costs $74.49 and allows up to 5 people to all have their own vault with a master password. Beyond that, it is possible to opt for a Business or Enterprise account, which increases the number of individual logins available substantially depending on your needs.
It is worth noting that if you do decide to take out a subscription, the firm will cheekily attempt to tack on 10 GB of file storage for $9.99, and the BreachWatch service at a cost of $19.99. However, these can be deselected at checkout.
Subscribers can opt to pay either with a debit or credit card or via PayPal. However, the firm does not accept any cryptocurrencies at this time.
Features
- Store unlimited passwords
- Secure client-side AES 256 encryption
- Apps for all platforms
- Web portal for ease of access
- Auto-sync passwords by logging in with a master password (unlimited only)
- Autofill forms
- Password generator
- Automatically remembers passwords you change online
- Set custom fields and protect personal data
- Secure offline mode to access passwords any time
- Emergency Access allows up to 5 people to access passwords in case of an emergency
- Store ID data and payment data
- Secure file storage
- Versioning to recover older passwords
- Secure sharing feature to share passwords or files
- Fingerprint and face ID login
- Two-factor authentication
- Unlimited devices (not on free)
Setup
Getting a trial Keeper account set up is extremely easy. Simply head over to the website and click on the button for a free trial. From there, all you will need to do is provide an existing email address in order to sign up and start using the password manager on a single device.
Following that, you will be asked to provide both a master password and a security question. The security question is used to recover your account in the event that you forget your master password.
When you create an account, you are automatically logged in and are told that an RSA 2048 key pair is being produced to keep your connection to the web client secure.
Once logged in, you are ready to start using your account. First, Keeper invites you to import your passwords from your old password manager. This is a nice touch, which means you do not need to search the software for the import feature (which can sometimes be a little bit of a headache). To do so, you will need to install the Keeper import tool. After that, you are free to import your passwords via a CSV file or in plain text. There are also options to import directly from a number of leading password managers.
With your passwords successfully imported, Keeper continues by offering you a guided walkthrough of its features. This makes the service extremely easy to get up and running. This is a massive benefit to non-tech users or people who are not accustomed to using a password manager.
Ease of Use
To get started with storing passwords click on the create icon in the top left of the web client.
We started by creating a folder for our passwords called Ray’s Social Media.
Next, we created a password entry for our Facebook account. We used the password generator by clicking on the dice - and set it to the max. This created a password 51 characters in length. An auto password generator is a very useful feature that allows you to create robust, unique passwords without having to actually think about it.
With the password created, you are prompted to install the browser extension - so that your passwords will autofill when you need them. We installed the Chrome extension because that is the browser we use for testing.
By now we were starting to become extremely impressed by the level of automation that Keeper provides. The level of design and the User Experience is second to none. This password manager is extremely good for beginners who want to manage their passwords without any difficulties whatsoever.
Next, we headed over to Facebook to see how the autofill feature works in practice. Once logged into the extension using your credentials, visiting a login page results in being asked whether you want to autofill. The process is extremely simple and works flawlessly. What’s more, once you have asked to autofill once - Keeper will continue to do so every time without asking.
Moving passwords around into folders is extremely easy: simply grab the password and drag and drop it into a folder that you have created. For anybody who wants to, the menu on the left-hand side lets you start saving other datasets such as card details that can be entered into forms to do online shopping without digging your card out of your wallet.
We tested the BreachWatch feature, which lets you check whether your passwords are secure enough. It does this by comparing them against lists of compromised passwords that have previously been sold on the dark web.
The Security Audit feature checks the actual strength of your passwords to ensure they aren’t at risk of being brute-forced. This is another great feature that allows you to keep on top of your password health.
In order to test offline access of passwords - and to see how the standalone software performs - we next got the Windows client from the downloads page. Installing the software was quick, and we had no problems logging in. Once in, you can access your passwords even when you are offline, because the software syncs an encrypted copy of your vault to your local hard drive. The standalone software is an excellent way to avoid possible JavaScript exploits, and it has added features such as the ability to set up hot keys to autofill your credentials into native programs on your local computer. We found the functionality to be identical to the browser-based client, so there was no extra learning curve at all.
All in all, we found this password manager to work like a dream. This service is extremely good for beginners and has everything you need to handle password management without the stresses associated with many other services. The level of support you get at each stage of the process is fantastic, and it is nigh on impossible to fault this password manager in terms of ease of use.
Privacy and Security
Keeper is based in the US, home of the NSA, the CIA, warrants, and gag orders. That means it is possible that the firm could be served a gag order and warrant forcing it to hand over data about its users. It could potentially even be ordered to put a backdoor in its service in order to comply with a warrant.
The good news is that despite this slight downer Keeper operates a completely zero-knowledge service in which users retain full control over their encryption keys and passwords. This means that it should be impossible for Keeper to provide US authorities with anything even if it is asked.
One peculiarity with Keeper’s service is that during account sign up, users are asked to select a Security Question and Answer. This question is used to recover an account in the event that you forget your master password. Usually being able to recover an account would set off alarm bells, because it isn’t usually possible to recover an account with true end-to-end-encryption.
However, Keeper’s account recovery works by storing a second copy of your data key which is encrypted using your Security Question and answer. To complete a vault recovery, you must answer the question, enter an email verification code, and also enter your Two-Factor Authentication code (if it is set up).
We recommend creating a strong security question and answer that is impossible to guess, as well as turning on Keeper's Two-Factor Authentication feature from the 'Settings' screen.
What is pivotal about this system is that the “data key” is stored client-side. This means that the user genuinely retains full control over their account. Each individual record stored in a Keeper vault is encrypted with an AES (HMAC SHA 256-bit) key that is randomly generated on the user’s device using PBKDF2 key derivation. Communication with the server happens securely thanks to an RSA 2048 key pair.
The only other thing to remember is that if someone guesses your security question, they will be able to gain access to your master encryption key and will be able to update your master password. For this reason, it is imperative to use all the security features available to you (like 2FA).
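The recovery design described above can be modelled as one random data key stored twice, once wrapped under the master password and once under the security answer. The sketch below is an added example, not Keeper's code: the iteration count, salt and IV sizes, the choice of AES-256-GCM for wrapping, and all function and field names are assumptions made for illustration.

```javascript
// Added illustration of a data key with a recovery copy (not Keeper's implementation).
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // assumed value, kept modest so the demo runs quickly

// Derive a 256-bit key-encryption key from a secret with PBKDF2-HMAC-SHA256.
function deriveKek(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret.normalize('NFKC'), salt, ITERATIONS, 32, 'sha256');
}

// Wrap the data key under a secret-derived key using AES-256-GCM.
function wrapKey(dataKey, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the data key, or null when the secret is wrong (GCM tag mismatch).
function unwrapKey(blob, secret) {
  const kek = deriveKek(secret, blob.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed account: one random data key, stored twice under different secrets.
function createAccount(masterPassword, securityAnswer) {
  const dataKey = nodeCrypto.randomBytes(32);
  return {
    dataKey, // kept here only so the demo can compare results
    wrappedByMaster: wrapKey(dataKey, masterPassword),
    wrappedByAnswer: wrapKey(dataKey, securityAnswer),
  };
}

// Recovery path: the answer alone yields the data key, which is then
// re-wrapped under a new master password. The old password stops working.
function recoverAndRekey(account, securityAnswer, newMasterPassword) {
  const dataKey = unwrapKey(account.wrappedByAnswer, securityAnswer);
  if (dataKey === null) return false;
  account.wrappedByMaster = wrapKey(dataKey, newMasterPassword);
  return true;
}
```

In this model the security answer is a second, equally powerful credential for the vault, so it needs to be as hard to guess as the master password itself.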
For added security, data stored at rest on the user's device is encrypted with a secondary key, called the Client Key. And, secure record syncing between devices is also encrypted at the network layer and routed through Keeper's Cloud Security Vault. On paper, this multi-tiered encryption model assures extremely strong data protection and privacy.
However, it is worth noting that you do have to take the firm at its word because the entire implementation of the platform is closed source and cannot be verified by any third party security auditors. Whether this concerns you is chiefly down to your personal threat model. However, for most people, this service is probably going to be considered secure enough to handle password management without cause for concern.
Next, we checked Keeper’s implementation of TLS/SSL to ensure that data is being transmitted securely over the internet. We used Qualys SSL Labs and were happy to find that its SSL transport security scores an A+, which means you can trust that the firm has implemented its TLS correctly and that your data is secured while in transit (in addition to being secured with e2ee).
For those users who stick to using the browser-based client, it is worth noting that this is implemented with JavaScript which does open you up to certain vulnerabilities, specifically the potential for a man-in-the-middle attack. However, this is true of all browser-based password managers - not just Keeper. Anybody who wants to avoid this possible exploit can get around it by sticking to using the standalone clients which are available on the firm’s download page.
Finally, we checked the privacy policy to ensure there were no nasty surprises. The policy seems solid and clearly states that:
“Keeper Security does not have access to or knowledge of an account holder’s master password, encryption keys or access to his or her Keeper vault. Accordingly, any account disclosure required by law, under a subpoena, would be limited to general account information such as the account holder’s name and account term.”
Customer Support
When it comes to support, Keeper is exceptional. Not only does it have valuable guides and FAQs on its website, but it also has a live chat that is available 24/7.
We found the live chat agents to be knowledgeable, and they were extremely patient and willing to help. Live chat support is somewhat of a rarity for a password manager, and this is definitely a side of the service that makes it extremely desirable.
In addition, the level of support provided by the walkthroughs and prompts provided by the actual web client make this password manager extremely easy to use. All in all, the user experience with Keeper is outstanding.
Conclusion
When it comes to protecting passwords, there are few services that offer the level of integration and ease of use you get with Keeper. The software is excellent, and the ability to autofill passwords - and to have passwords added automatically to your repository via the extension - is superb.
Being able to use it for free is a massive bonus, and at a cost of $34.99 to sync it across all your devices this password manager is not particularly pricey, anyway.
Being based in the US is not exactly the best when it comes to privacy services. However, this provider seems to have gone to great lengths to ensure that its end-to-end encryption is flawless. The added ability to use a secret question is a nice touch, which means that you will be able to recover your password as long as you remember either the password or the answer to the security question.
On the other hand, the security question does open you to the possibility of having your account compromised - if you make it too easy. However, as long as you make it difficult enough never to be guessed and also set up dual-factor auth - you should be fine.
Another downside to this service is that it is not open-source. This may put some people off, and it is a shame that such a good service is not auditable. On the other hand, this service has partnered with Bugcrowd to manage an active and ongoing bug bounty program.
We think this is a great password manager that will suit a lot of people, and it is well worth taking the service for a test run. Click on the link below to enjoy our special 20% discount!