One-time price includes five PC licenses. Two-factor authentication. Can sync with unlimited Android and iOS devices. Virtual keyboard.
Password capture trouble in testing. Limited Web form filling. Lacks secure sharing, password inheritance, and other advanced features .No Mac support.
- Bottom Line
Steganos Password Manager performs basic password tasks and now offers two-factor authentication, but it has trouble capturing some passwords in testing and still lacks secure sharing and other advanced features.
Münich-based software publisher Steganos is all about privacy. Even the name comes from the word steganography, which is the science of not only hiding secrets, but hiding the fact that you have secrets. The company offers encryption, VPN, secure deletion, and other privacy-related tools. Naturally, the privacy lineup includes a password manager. Steganos Password Manager doesn't have the high-end features that typify the very best password managers, though, and its basic password capture system had some trouble in our testing. Two-factor authentication is a welcome addition in the latest release, version 19.
Your one-time payment of $24.95 gets you licenses to install the application on up to five PCs. You don't have to pay again unless you want to update to the next version. You can also tie any number of iOS or Android devices to your account. This pricing is a bit hard to compare with that of the competition. Dashlane costs $39.99 per year and puts no limits on the number of PC, macOS, Android and iOS devices. (Steganos doesn't support macOS.) Just two dollars per month lets you use LastPass Premium on all your devices. And of course, some competitors, such as LogMeOnce Password Management Suite Premium, are completely free.
Installing Steganos Password Manager is quick and simple. If you have a registration code, you enter it during the install process. If not, you can start a 30-day free trial.
Once you've installed the product, it opens to a big, empty window, with instructions on how to proceed. With Steganos, you can create multiple password databases, which it calls keychains. Multiple users on one PC could have their own keychains. But nothing happens until you select New from the File menu, to create your first keychain.
As with most password managers, Steganos starts you off with the creation of a strong master password. You can type it using a virtual keyboard, or create it using the unusual PicPass feature. I'll detail those features below. As you type in your password, Steganos fills in five lock icons, and displays a description of your password's strength. At one lock, it says, "This password can probably be guessed." If you make it to five locks, it declares, "This password cannot be identified by intelligence agencies." Interestingly, it also reports the number of word fragments found in the password. So, while the password IAmTheWalrusFab4 gets five locks, Steganos warns that it found four word fragments.
You can also choose to store the master password on a USB device. This isn't two-factor authentication, since you can use either the USB device or the master password for authentication. True Key and LogMeOnce both allow authentication using multiple other factors, without the need for a master password. In fact, passwordless login is the default for LogMeOnce.
New in this version, Steganos now offers true two-factor authentication. You can use any authentication app that supports the standard Time-based One Time Password (TOTP) algorithm. Google Authenticator is a well-known example, but there are plenty of others. To link the password manager to your mobile app, you snap the QR code displayed by Steganos, and enter the six-digit code returned by the app. Now when you log in on your desktop you need both the master password and the latest code from the app. By observation, mobile login does not require the two-factor code.
Steganos installs the necessary browser extension in Internet Explorer automatically. Menu options to install extensions for Chrome and Firefox appear below the top-level Help menu. I found that to perform these installations, I first had to set the browser in question as my default, which is a bit awkward. In addition, the Firefox extension page came up in German. I crossed my fingers and choose "Zu Firefox Hinzufügen," which proved to be correct. This a better result than during my last review, when the Firefox extension wouldn't install at all.
Dashlane, Sticky Password, and most password managers that let you sync your passwords across multiple devices handle syncing through the company website. As with Kaspersky Password Manager, syncing Steganos passwords between devices requires you to store your keychain in an existing cloud storage service. However, where Kaspersky requires that you install the desktop app for the selected service, Steganos lets you simply log in and grant permission. It supports Dropbox, Google Drive, and OneDrive, as well as the Europe-centric Magenta Cloud. Setting up the connection is simple enough, and of course Steganos encrypts your data before sending it to the cloud. Still, this might be a good time to toughen up the password on your cloud storage.
There is one more option for syncing among devices, but it's not something most users would want to mess with. If you choose File export, Steganos saves your data in a portable, shareable form. Importing that data on another PC is simple enough, but getting it onto an Android or iOS device is a pain. And of course you have to repeat the manual sync process after any changes.
Password Capture Problems
Like almost all password managers, Steganos notices when you log in to a secure site and offers to save your credentials. Some products slide in a notification at the top of the browser window, some create a popup within the browser, and others use a totally separate popup. Steganos used to be among the last group, with a popup window that consistently got stuck behind the browser. In the latest edition, it simply saves the data, without waiting for confirmation. If you want to give the item a friendly name, you'll have to open the main password manager. This is also the place to assign the entry to a category.
I had a good bit of trouble in testing. I couldn't get Steganos to capture two-page logins like what Google uses. When I created a couple of Gmail logins manually, I found that Steganos popped up offering to fill one or the other every time I performed a Google search. Annoying!
It also didn't capture some passwords that use a popup window, like Opentable, Amtrak, Delta, and Southwest. The product does include a manual capture option, invoked by clicking the browser toolbar button and choosing Save form to keychain. However, this didn't work on some of the popups. The password capture system seems to be a step backward from the previous edition.
LastPass, Sticky Password Premium, and RoboForm also offer to capture login data on demand. However, these products didn't need any help with simple pages like Opentable, Amtrak, and Southwest. And when I did need to invoke manual capture with these other services, it worked.
Any time you want to switch to a new password manager, the ability to import passwords from the product you're leaving behind is a big plus. LastPass can import from more than 30 competitors, and KeePass from nearly 40. Steganos imports from just two, KeePass and 1Password; to me these seem like odd choices.
Dashlane, LastPass, Password Boss Premium, and True Key don't merely import passwords stored insecurely in your browsers. They also delete those passwords from the browser, and turn off browser-based password capture. New in this edition, Steganos can import passwords from Chrome, but not other browsers.
When you revisit a secure site, the default behavior is for Steganos to automatically fill in the saved credentials. You can turn off this behavior and manually call on the browser extension when you want it to fill in the data. As is typical, if you have multiple sets of credentials saved, it pops up a list of choices.
Many password managers turn your data into a menu of saved websites. Just click the toolbar button and choose a site to both navigate there and log in. With Steganos, you open the main application window and launch from there.
As with AgileBits 1Password, the Steganos application must be running any time you want to use its browser extensions. That's a bit different from many competing products. I kept accidentally shutting it down, when all I really wanted to do was get it out of the way. The correct way to handle that situation is to minimize the application down to its tiny desktop widget. From the widget, you can restore the main window, or drag/drop the username and password for the selected login.
When you're editing one of your saved password entries, you can invoke the built-in password generator to provide a strong new password. However, it's up to you to go to the site and put your new password in place. Steganos doesn't automatically offer the password generator when you're setting up a new online account, either.
The password generator defaults to creating 16-character passwords, which is good. But it only uses uppercase letters, lowercase letters, and digits, by default. I advise adding symbols to the mix. Note that Steganos doesn't save changes to the password length and character sets as new defaults, so you'll have to remember to add symbols each time.
A 16-character password is tough to crack using brute force techniques, but since you don't have to remember it, longer is better. KeePass and 1Password default to 20 characters, and the free Myki Password Manager & Authenticator creates 30-character passwords by default.
Random numbers used by computer programs aren't truly random. Rather, they start with what's called a "seed" number and use a pseudorandom algorithm on each request for a random number. Steganos takes the unusual step of seeding its random number generator by recording your moue movements, which are truly random. AceBIT Password Depot uses a similar system to ensure a truly random result.
In the main password manager, your saved entries appear as a list at left, with details for the selected item in a panel at right. From this window, you can give each entry a friendly name, add notes or an attachment, or put it into a category folder. However, the actual mechanism for naming and organizing entries is awkward.
There's an Edit button for the details of the current item, which lets you do things like change the username or password, add a note, or attach a file. But you can't change the displayed name here. To do that, you must right-click the item in the list at left and choose Rename this entry.
Creating category folders is another task that's not immediately obvious. To create a folder, you choose from the menu that appears when you right-click the keychain itself, at the top of the folder tree. You can create subfolders by right-clicking existing folders. RoboForm, Sticky Password, and LastPass Premium are among the few competing products that permit multilevel folders. But you can't drag items into folders. Nope, you must right-click the item, choose the category submenu, and then pick the desired category. This all could be so much easier.
With LastPass, Dashlane, LogMeOnce Password Management Suite Ultimate, and other Web-centric password managers, you can log into your password database from any computer. Steganos requires installation of its app on a PC, and doesn't make your cloud-connected database available without it.
However, if you anticipate needing to use the app on an unfamiliar computer, you can create a portable edition on any USB device. Just select the keychain, select the device, and you're done. Any future changes you make in the main app don't appear in the portable edition, so you should recreate the portable edition frequently. In addition, all the data in the portable edition is read-only.
PicPass and Virtual Keyboard
Some people have no trouble remembering a strong password based on a favorite song or quote . Others are more visual, and for those people Steganos offers PicPass. When you choose to define or redefine your master password using PicPass, you start with a grid of 36 photos or 36 symbols. You proceed to click on as many of the pictures as you think you can remember, and then repeat that same pattern of picture-clicks.
However, there's a catch, and it's a big one. The 36 pictures correspond to the 10 digits and 26 uppercase letters, and your fancy pattern of clicks becomes a mundane password like 1UB3OX. Steganos doesn't hide this fact; it even offers to display the generated password. According to Steve Gibson's password search space calculator, an offline password cracker could brute-force that password in a fraction of a second. Yes, you can make the PicPass process tougher by having Steganos scramble the picture locations, but doing so just makes it harder for you to get the right sequence. It doesn't make the password itself more resistant to brute-force cracking.
As for the virtual keyboard, its purpose is to protect your master password from capture by a keylogger, even a hardware-based keylogger. Of course, most keyloggers also capture screenshots, so it's conceivable a spy program (or a shoulder-surfer) could visually capture your password. For paranoid-level security, you can have Steganos scramble the key positions on each use and suppress visual indications that a key was pressed. But wow, the aggravation level entering your password this way is sky-high.
Limited Web Form Filling
Steganos lets you store a very limited set of personal data, little more than name, address, email, phone, and birthdate. It hides this feature pretty well, too. The main window has pages for Passwords, Bank accounts, Credit cards, and Private favorites, nothing about personal data. But way down the Edit menu's choices you'll find Edit personal data.
There's no option to store multiple profiles such as you get with LastPass, Dashlane, and others. And there's certainly no ability to create multiple instances of data fields the way you can in RoboForm Everywhere. You can enter data for any number of bank accounts and credit cards, and sync these between your devices, but the app does not use these to fill Web forms.
In testing, I found that the Web form-filling feature worked decently in Chrome and Firefox, though on one page it filled the First, Full, and Last name fields with the last name and skipped the street address. As with the previous edition, it didn't work at all in Internet Explorer.
If you want to use Steganos for logging into secure sites on your mobile devices, you must configure your account to use one of its cloud storage options. Install the free Steganos Mobile Privacy from the Google Play store or Apple App Store, connect it with your cloud storage, and enter your master password. You're ready to go.
I installed the Android app on a Motorola Moto G5 Plus, just to get a feel for it. The PC edition's tree display is absent, so you must either dig down to the entry you want or use the handy search box. Tapping an entry opens the corresponding website in the app's internal browser and logs you in. There's no integration with other browsers installed on the device.
My experience on an Apple iPhone SE was nearly identical. Both devices allowed me to unlock the keychain using my thumbprint, an especial boon on the SE with its tiny keyboard.
Like the portable edition, the mobile edition is read-only. If you want to add or edit password entries, credit card data, or anything else, you must do it on your PC. But if all you want is quick mobile access to your secure websites, it does the job.
What's Not Here
Dashlane, LastPass, Keeper, and LogMeOnce let you securely share login data with other users. RoboForm, Password Boss Premium, and several others deal with the problem of passing on your credentials in the event of your demise. Steganos sticks with the basic password management features, making no attempt at password sharing or inheritance.
Stashing all your passwords in a password manager is a good start, but if all of them are "password" you still have a problem. Dashlane, Keeper Password Manager & Digital Vault, and several others offer a full evaluation of your passwords, listing them all by strength, flagging any that you've used more than once and making the password change process simple. Dashlane, LogMeOnce, and LastPass can even automate the process of updating problem passwords.
You Can Do Better
It's nice to see a password manager that charges a one-time fee rather than a per-year subscription, but there are disadvantages, too. That yearly subscription pays other companies for things like server space to hold your encrypted data. With Steganos Password Manager, you supply that storage yourself, in the form of an account with one of the big cloud storage providers. Steganos does now offer two-factor authentication, but it lacks other advanced features such as password sharing, an actionable password strength report, and password inheritance. And in my testing the new-style password capture seemed a step backward.
If the low, one-time price really resonates with you, you're probably better off getting one of our top free password managers instead. For those willing to pay a bit, we've identified several password managers worthy of the Editors' Choice title. Both Dashlane and Keeper offer a smoother experience than Steganos, and they pack a ton of advanced features. Sticky Password handles oddball logins well, and includes an extra-secure Wi-Fi-only sync option. If you just go by number of features, LogMeOnce Password Management Suite Ultimate beats all the competition, though its big, busy user interface may put off some consumers. Any of these is a better choice.
Other Steganos Software GmbH Password Managers
About the Author
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b… See Full Bio
More From Neil J.
Simple Tricks to Remember Insanely Secure Passwords
Sophos Home Premium (for Mac)
Sophos Home Premium
The Best Android Antivirus Apps of 2018
Kaspersky Security Cloud