Keeper Password Manager: Security Minded

[Updated June 2018 to note changes in Keeper desktop interface. This review was originally published Dec. 18, 2017.]

Keeper has been around since 2010 and was one of the early entrants into the password-manager market. The company has a strong enterprise presence, but unlike with some of the other enterprise-focused password management services I tested, this presence was evident more in the security language used than in the look and feel of the app.

Since we last tested Keeper, it has made some impressive updates across the board, with a modernized user interface and added functionality, such as desktop biometric login support, password sharing and emergency access. On a feature-for-feature basis, Keeper still can't quite hold up to LastPass or Dashlane, but the service is, without question, one of the best password managers on the market.

Costs and What's Covered

Keeper hits near the upper end of the price range, at $29.99 per year for a single user and $59.99 for a family plan that can include up to five users. The free tier of service for Keeper limits your usage to a single device without any syncing, but you do get a 30-day free trial to determine whether the paid service is right for you.

The individual paid plan includes unlimited password storage, syncing across all platforms, a password generator, cloud backup of credentials and records, record sharing, and automatic form filling for websites and applications. The family plan adds 10GB of secure file storage to the package. (You can also add this storage to an individual plan for $9.99 per year.)

Keeper is compatible with Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari and Microsoft Edge; the Edge browser extension is available only in the Microsoft Store. Platform support is similarly robust, covering Windows 7 and up, macOS, Linux, Android, iOS, Windows Phone and BlackBerry. You can use the Chrome browser extension for Chrome OS, though its functions may be limited, and a "legacy version" is available for Windows XP.

For this review, I used Keeper on an Apple laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+ and a Google Pixel. Google Chrome was our primary browser across all platforms, but I also tested with Safari on macOS and iOS.

Setup

As is the case with most of the password managers I tested, the best Keeper setup experience was on the desktop app. It guides users through the basics of using the application without making it feel too drawn-out. As usual, the first step is to create your master password — the one password you can't forget after handing over control to Keeper.

Keeper is one of the two password managers we tested that offer a master password reset; LastPass is the other. Keeper is the only one to use a security question as the method for allowing a reset.

This feels a little disconcerting, as security questions are considerably easier to guess than a strong password, and Keeper's security is otherwise strict to the point of occasional inconvenience. However, you do need to enter a verification code that's sent to your registered email address before you can reset the master password, and if you've set up Keeper's two-factor authentication (2FA), that process will also be required.

The ability to import credentials from other services is also a strength for Keeper. It supports data imports from almost 20 browsers and password managers, along with basic .csv text file import. I had no issues pulling in my data from a LastPass backup.

I then logged in to the Keeper app on my mobile devices, and entered my master password and the answer to my secret question. My data synced across all of my devices. Had I first enabled 2FA, this would have necessitated authenticating each device with one of the four supported mobile 2FA providers: Google Authenticator, RSA SecurID, Duo or Keeper's own DNA. On desktops, a physical U2F security key, such as a Yubikey, is also supported.

Keeper on the Desktop

You can access your Keeper vault on a desktop through its stand-alone applications, its browser extensions or its website. Keeper has done an excellent job of mirroring the desktop experience on its website; the two are virtually identical in appearance and functionality.

The browser extension lags behind, with just a basic search to access your logins, a link to your vault and a settings menu. But given the ease of jumping over to the website instead, this is a fairly minor complaint.

The strength of Keeper's website interface is great for users who can't install third-party software on some of their machines or who need to access their passwords from a shared or public device.

One thing to note: If you have a MacBook Pro with a Touch ID fingerprint reader, you'll need to download the Keeper application from the Apple App Store to use the biometric functionality. Likewise, Keeper supports Windows Hello biometric authentication, letting you log in with your fingerprint, iris (eyes) or face on compatible devices, but you'll have to use the version of the Keeper application from the online Microsoft Store (not to be confused with the Edge browser extension).

While the design of Keeper isn't that aesthetically pleasing, it is highly functional. The ability to customize the look and feel with a "theme" is a nice touch, which users can also apply to the website interface and browser extension. As with most password managers, the vast majority of the functionality comes from the left column of the interface.

The default display shows all your login credentials, sorted in folders that you create. You can also switch over to a list view, which is more common among Keeper's competitors. You simply click on an item to view it, then click the pencil icon to edit it.

One way Keeper could improve is by adding relevant website icons for stored credentials. LastPass and Dashlane do this, and it helps you visually parse the information much more quickly. In general, visual website icons make for a more pleasant user experience.

Folder creation and data sorting are a bit cumbersome in Keeper. To create a folder, you add it in the Folder field; if you want to add another item to that field, you need to enter the edit screen for it and type in the folder name again. If Keeper were to let you drag and drop your login items, it would help make short work of organization, which is unnecessarily cumbersome the first time through. (Note: In June 2018, Keeper added the ability to create subfolders and to drag-and-drop items from one folder into another.)

The next section contains shared data or folders. Sharing is a relatively new feature for Keeper, but it is handled well and offers extensive options about what kinds of rights other users have to shared data. You can even let another user become the owner of a password; this seems like it would apply only in an unusual situation, but it reflects the flexibility of this feature.

The Identity and Payments section is, as you might guess, where you save your personal information and payment cards. This feature is more limited than it is in many other password managers, with pretty basic personal information categories and no preset options to save driver's license or passport numbers. (However, you can save such records as stand-alone files in the vault.)

I had trouble with the form-fill functions in Keeper, so it was somewhat less concerning that I couldn't save much information in the first place. Keeper could improve on its feature for storing and filling out personal information, but it doesn't affect the core password-management functionality.

Keeper's security audit gives you an overall security score for all of your credentials, and specifically calls out weak passwords and reused passwords for replacement. Other password managers offer more thorough security audits, such as factoring in the age of a password, but Keeper covers the most prevalent concerns.

Keeper representatives told us that they think the global or multipassword changing features offered by competitors such as Dashlane and LastPass create security problems. As such, Keeper offers no comparable option. While I appreciate that stance, it would be nice if Keeper could find a way to reduce the number of steps needed to change a password in its security audit. Five clicks per credential set can really add up the first time you correct your poor password habits.

The final tab in the left column lets you restore deleted passwords. Or, you can opt to permanently delete them, if you wish.

The rest of the functionality in the Keeper desktop is located at the top of the app window and mostly seems out of place. The five options here are Account, Settings, Import, Backup and Logout.

With the possible exception of logging out of the service, users don't need to access any of these functions regularly, so putting them in such a prominent position in the UI doesn't really make sense. I'm all for not burying features, but this demonstrates the opposite problem: creating clutter in the UI that could be moved to a single settings page or menu.

One notable feature in these menus is Emergency Access, which lets you designate up to five other Keeper users who can access your account in case you are unable to do so. You select the delay period, which can be anywhere from none to seven days; that gives you time to deny users access again if you aren't actually incapacitated.

Keeper Mobile Apps

The Keeper app on Android and iOS largely duplicates the functionality found in the desktop application. The overall look and UI are optimized for mobile, but the app remains intuitive and similar enough to the desktop version to avoid any real confusion when moving between platforms.

You pick up some additional security options on mobile, such as biometric support on both Android and iOS. (According to Keeper, this includes Face ID support.) That's practically necessary, as Keeper doesn't let you create four- or six-digit PINs to quickly log in to its mobile apps; the company regards PINs as fundamentally unsafe. Without a biometric login, you have to type in your master password every time.

You can also use Keeper's homegrown DNA 2FA, which employs an Android Wear smartwatch or Apple Watch to quickly verify your identity and access the app with a single tap on your wearable.

On the mobile apps, you can view and edit all of your credentials as well as your identity and payment information. The password generator doesn't get a stand-alone spot in the apps, but you can find it next to the password box on any of the edit screens.

Password audit is also available in the mobile apps, in case you feel like doing some general security updates on the go. Because the Keeper desktop application's security audit makes it cumbersome to change each password, this activity actually might be faster on mobile.

KeeperFill handles the actual login entry on both iOS and Android, with the implementation differing only slightly. On iOS, you have to add KeeperFill to the Share Sheet, which is the pop-up menu that appears when you need to share info between apps.

On Android, you need to enable KeeperFill in the general keyboard settings. You'll then be able to switch to KeeperFill by tapping either the floating Keeper icon or the keyboard icon in the lower-right corner of the screen.

Security

Keeper uses AES 256-bit encryption, like many of the other password managers that I tested. This is meant to ensure that, even if your data were to be compromised on Keeper's servers, it would be worthless without your master password to decrypt it. User data is always encrypted when passed to and from Keeper's servers; decryption occurs only on your devices.

Keeper prides itself on its zero-knowledge structure — it never knows what your master password is — and its status as one of the only two Service Organization Controls (SOC 2) compliant password managers, with LastPass being the other.
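
The client-side model described above can be sketched in a few lines of Node.js. This is an added example, not Keeper's code: the review states only AES 256-bit encryption and on-device decryption, so the PBKDF2 key derivation, the iteration count, the AES-256-GCM mode and all names and sample data here are assumptions.

```javascript
// Added example: client-side ("zero-knowledge") vault encryption sketch.
// Assumed, not from the review: PBKDF2-HMAC-SHA256, iteration count, AES-256-GCM.
const crypto = require('crypto');

const KDF_ITERATIONS = 100000; // assumed value for illustration

// Derive a 256-bit key from the master password; this runs only on the device.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt one vault record. The returned object is everything the server stores.
function encryptRecord(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt on the device. Returns null if the password is wrong or the blob was altered.
function decryptRecord(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample data.
const MASTER = 'correct horse battery staple';
const RECORD = JSON.stringify({ site: 'example.com', user: 'alice', password: 'S3cret!' });

function demo() {
  const stored = encryptRecord(MASTER, RECORD);
  const tampered = { ...stored, ciphertext: Buffer.from(stored.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // simulate modification of the stored blob
  return {
    roundTrip: decryptRecord(MASTER, stored),
    wrongPassword: decryptRecord('guess123', stored),
    tampered: decryptRecord(MASTER, tampered),
    leaksPlaintext: stored.ciphertext.includes(Buffer.from('S3cret!')),
  };
}
console.log(demo());
```

The server-side copy holds only the salt, nonce, ciphertext and tag, so its resistance to offline guessing depends on the strength of the master password and the cost of the key derivation.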

SOC 2 compliance is certified by the American Institute of Certified Professional Accountants, which assesses whether a company manages to meet five Trust Service Principles when storing consumer information in the cloud: Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 compliance is a make-or-break issue for some businesses or government agencies using online services, but personal or family users can rest assured it means a company has to undergo audits and thoroughly document its security policies and procedures.

You can use Keeper's desktop application offline, but only on a single device. However, Keeper doesn't provide any instructions on how to sync your vault with other devices without going online. (In theory, you could try to locate your Keeper vault in Windows Explorer or macOS Finder, copy it to a USB stick and then load that onto a different machine, but we haven't tried it.)

If you sign up for a Keeper subscription and create an account, the desktop vault will sync with Keeper's servers as you go online.

Bottom Line

Keeper has made up a lot of ground against the competition in the past year, thanks to some much-needed updates to its feature set and overall user interface. The service has some of the strongest security bona fides, with SOC 2 compliance to back up its claims. Only LastPass comes close to matching Keeper here.

While we would still recommend either LastPass or Dashlane to most users because of their more extensive feature sets, those two password managers are no longer slam dunks. Security-conscious users, in particular, may find that Keeper leaves them feeling safer while offering enough features to keep them happy.
