Passwords are terrible. We all hate them.
But we’re stuck with them until something better comes along.
Still, it seems like adding insult to injury when the first thing a password manager does is ask us to create and remember…a master password! The folks at LogMeOnce feel your pain.
As long as you have a smartphone or mobile device available, LogMeOnce Password Management Suite Premium is perfectly happy without a master password. Just be sure to keep that smartphone well secured.
This free password manager rivals LastPass in its broad feature set, and it outperforms most of its for-pay competitors.
Like LastPass, LogMeOnce is totally free, with no limit on the number of saved passwords or on the number of devices you use.
Certain advanced features aren’t available in the free edition; gaining access to those requires that you purchase LogMeOnce Password Management Suite Ultimate. Other features have limits not found in the paid edition.
Still, this free password manager is more feature-rich than most of its paid competitors.
Speaking of those competitors, LogMeOnce has the ability to import passwords from LastPass 4.0, Dashlane, Roboform, and 19 others.
If you’re looking to make a change, importing from your old password manager certainly makes it easy. LogMeOnce can also import passwords stored in Chrome, Firefox, and Internet Explorer. KeePass is the import king, with the ability to import password data from more than 40 competitors.
You begin the process of signing up for a LogMeOnce account by entering your first name, last name, and email address. You also choose a security question and answer. Here, as always, it’s extremely important to pick something that nobody could figure out by Googling you or eyeing your social media. Rather than accept one of the predefined questions, add something that has meaning to you, and only you.
Now comes the big choice. You can choose to create a passwordless account, or one that uses a master password.
For testing, I started with the default passwordless account, and installed the necessary browser plugin.
The account creation wizard sent a text to my Apple iPhone 6 with a link to install the LogMeOnce app. Once I entered my email address in the app, the Web page displayed a QR code for pairing.
To finish off the process, I defined a six-digit PIN.
You can use LogMeOnce on any computer, but you do have to install the browser extension first. Once you’ve done that, LogMeOnce sends an authentication request to your smartphone (Android or iOS).
If the phone supports it, you can log in with a fingerprint.
If not, that six-digit PIN does the job.
Bear in mind that a hacker couldn’t do anything with the PIN alone.
Authentication requires knowing the PIN and having possession of the smartphone.
Because LogMeOnce is totally browser-based, it’s not limited to a specific platform.
It works just the same on Windows and macOS devices. You can even use it under Linux (something I haven’t tried). And it’s available in the app store for both Android and iOS devices.
There’s also an unusual authentication option called PhotoLogin. When logging in on the smartphone itself, this feature simply snaps a photo of whatever is in front of the phone.
If the photo matches what you expected to see, you tap to log in.
Using this feature to authenticate your login from the browser-based version is a premium-only feature.
Indeed, when I tried, it simply showed a generic image, with the message “Upgrade to paid edition for actual data.” However, when I tapped to accept, it still unlocked my account in the browser.
While PhotoLogin seems akin to facial recognition, it really isn’t. You, the user, verify that the picture you are seeing is what you just snapped.
Someone who picks up your phone while it’s not locked is equally free to verify the photo, and thereby get full access to your passwords.
The premium edition has additional protection and verification features for PhotoLogin and the related Selfie-2FA (two-factor authentication) feature.
If you’re going to use this feature with the free LogMeOnce, you need to take some precautions.
Enable a strong PIN for the lockscreen, or better yet, fingerprint-based authentication.
Set your phone to always require the lockscreen.
And never set it down without turning it off.
If that seems too tough, you can always go back to using a master password.
It’s worth mentioning that True Key by Intel Security can authenticate without your master password.
Indeed, if you’ve defined enough biometric and other authentication factors, you can reset a forgotten master password. You can’t create an account with no master password, the way you can with LogMeOnce, but you can configure True Key to unlock based on factors other than the master password.
LogMeOnce comes with numerous short videos explaining all its features. On viewing a few of these, you’ll quickly realize that by “applications” this product means what other products might call accounts, passwords, or logins.
As with LastPass, Dashlane, RoboForm Everywhere 7, and most competing products, LogMeOnce notices when you log in to a secure site and offers to save your login credentials as an application. You can assign the new application to one of seven predefined groups at capture time.
Creating new groups is a premium-only feature.
Note, though, that there’s another option for adding an application. LogMeOnce comes with a catalog of close to 4,500 known websites.
If a site is in the catalog, you know that LogMeOnce can handle it, even if it uses a non-standard login page. LastPass and Sticky Password Premium take a different approach to nonstandard logins, allowing the user to simply capture data from all fields.
When you add an app from the catalog, it prompts you to enter the corresponding username and password.
By default, new apps use Single Sign-On, meaning that LogMeOnce will log in automatically.
Turning this setting off means that login won’t happen until you click.
If you choose to enable Single Log-Out, logging out of LogMeOnce also logs you out of the site.
For each application, you can accept the catalog image, use the website’s own icon, or add a custom image.
If you revisit a site that’s already in LogMeOnce, it offers to fill in your credentials, displaying a menu if you’ve saved more than one set. You also get ads on-screen here; the premium edition has no ads.
As with most competing products, you can click the browser toolbar button for a list of available logins. Just click one to go there and log in.
If you’ve saved a ton of sites, you can find the desired one quickly by typing in the search box.
Each letter you type narrows the list.
LogMeOnce stores passwords for websites only, not for other programs.
The only free password manager I’ve evaluated that handles passwords for programs is KeePass 2.34, which doesn’t include the usual password capture and replay for websites.
Password Calculator and Password Policy
When you create a new account, you can use LogMeOnce’s password calculator to generate a strong password.
By default, it creates 15-character passwords using all character types.
That’s better than Symantec Norton Identity Safe, which defaults to 8 characters.
The default in Enpass Password Manager 5 is an impressive 18 characters, but KeePass tops that with 20 characters.
They call it a password calculator because it calculates the approximate time required to break whatever password you type into it.
For example, it estimates three hours to crack “Password,” but 78 days to crack “Password!” with an exclamation mark.
As for its own generated passwords, well, don’t try cracking those unless you have 157 billion years to spare.
The point of setting a password policy is to encourage good security habits.
By default, your master password expires every three months, and must be replaced with a new master password you’ve never used before. You can eliminate or soften the restriction on previously used passwords, allowing reuse after three or five other master passwords.
Those using the premium edition can change the expiry time to as short as one month or as long as one year. Of course, this applies only if you’ve added a master password to your LogMeOnce account.
By default, LogMeOnce requires that a master password consist of at least eight characters, containing uppercase letters, lowercase letters, and digits.
If do choose to use a master password, I suggest you make it a strong one, well beyond the minimum requirements.
Those using the premium edition can set a password policy for website passwords as well.
When you’re using password-less authentication, you’ve already got a form of two-factor authentication. Nobody can log into your account unless they also possess your smartphone.
But if you’re looking for additional security, LogMeOnce has a ton of options.
The two-factor authentication page implies that you must establish a master password to use two-factor protection, but I found that I could use multiple factors along with passwordless authentication. You can use Google Authenticator, or a Google Authenticator work-alike such as Duo Mobile or Twilio Authy, as a second factor. Making the connection is as simple as snapping a QR code with your mobile device.
Like True Key, Zoho Vault, and others, LogMeOnce can send a one-time password via text message, for a second authentication factor.
It can also send that one-time password as a voice call.
But unlike any other product I’ve seen, LogMeOnce charges you for the privilege of using voice or SMS authentication.
In the US, voice calls cost four credits and text messages cost two. You purchase credits in bundles of 1,000 for $10.
Additional two-factor options become available in the premium edition.
These include Selfie-2FA (photo-based security), authentication using a prepared USB drive, and (for geeks only) authentication using an X.509 certificate.
If you enable multiple two-factor options, your master password plus any one of the other factors unlocks the account.
While not precisely related to two-factor security, LogMeOnce’s Mugshot feature also helps secure your account if someone else gets hold of your device. On a failed login attempt, this feature snaps photos with the front and rear cameras and transmits that information to your account, along with the device’s location and IP address. Note that the premium edition includes a full-scale set of anti-theft features.
Filling passwords into login pages isn’t much different from filling personal data into Web forms. Like many other password managers, LogMeOnce lets you define personal information profiles for Web form filling. You can even update personal data from your Facebook profile.
This utility’s collection of personal data isn’t as extensive as some, but it covers the basics, and you can create multiple instances of personal, address, phone, and company data. Personal data consists of first and last name, email address, birthday, and gender (just male or female, not the dozens of choices you get with Tinder).
And you can identify each phone number as cell, home, fax, work, or other.
I was pleased to see that the multiple phone entries correctly filled the matching fields, and that it filled an Age field by calculating from the profile’s birthdate.
New since my last review, LogMeOnce now lets you save credit card details in its Secure Wallet.
Cleverly, it detects the card type based on the number you enter. Like Dashlane 4, it creates a card image using the background of your choice, with the cardholder name and issuing bank. When you click in a credit card field on a Web form, you choose from the clear visual representations of your cards.
Sharing and Inheritance
When you point the mouse at an app in LogMeOnce’s Cloud Dashboard, you see icons for sharing, beneficiary, and automatic password change.
I’ll discuss automatic password changing in a bit.
You can share any of your passwords with another LogMeOnce user, using the recipient’s email address.
The free edition allows five shares; there’s no limit in the premium edition.
As with LastPass and Dashlane, the recipient can use the login but can’t see the password.
If you choose to make it an open share, the password is visible, but still can’t be changed.
There’s also an option to set an expiry date, but only in the premium edition.
Defining someone as the beneficiary is a different matter.
The beneficiary gets access to your data only after a specific waiting period, much like the similar feature in Dashlane. You can define one beneficiary for your entire account, and set a beneficiary for up to five specific apps.
A premium account can have unlimited beneficiaries.
There’s also an option to require proof of death before LogMeOnce releases the data.
Password Reporting and Changing
When you start using a password manager, the first thing you do is get all of your existing passwords into the collection.
It’s easy enough to let the password manager generate strong passwords for any new accounts you register.
But sooner or later, you really must go back and fix any weak or duplicate passwords.
The Security Scorecard page gives you an overview of your security status as well as what it calls a hybrid identity score.
The latter is based on a handful of specific criteria, among them whether you’re using two-factor authentication and whether you’ve watched the training videos.
Clicking for details on master password strength or overall password strength triggers an invitation to upgrade.
Really, the most important part of this report is at the bottom, which lists all your passwords, from weakest to strongest, and also flags any duplicates. Like LastPass and Dashlane, LogMeOnce can automate the password change process for many common websites.
There’s also a separate page that just lists the passwords that it can change automatically, with a big button to change them all.
Another page in the Reports section displays any data captured by the Mugshot feature.
This includes the front and back photos, the IP address, and the location at which the failed login took place. LogMeOnce also provides a list of activities, as well as what it calls productivity charts, different views of how you use the product.
New since my last review, a colorful Productivity Dock across the bottom of the dashboard offers quick access to important features.
As you point to icons in the dock, they expand, much as on the macOS desktop.
And if you’re using the free edition, the expanded icon displays a tooltip noting that you must upgrade to use the dock. You can access a similar collection of items in the Smart Menu connected to your account picture at top right, so you’re not totally missing out. You can even turn off display of the non-functional dock.
The Devices tab under Security lists all your devices, and lets you delete a device that you no longer use.
A map across the bottom lets you locate a missing device…but only if you’re a paid user.
For those who’ve put up the money, LogMeOnce offers a full set of anti-theft features, among them remote locate, lock, and wipe, the ability to display a message on the missing device, and an option to make it ring at top volume, in case you’ve simply mislaid it.
When you get a notification on your mobile device that someone wants to log in to your account, you had better hope that someone is you. Users of the premium edition get a ton of information along with the login request, things like the associated email address, date/time stamp, IP address, and even GPS coordinates.
Still a Knockout
Despite the word Premium in its name, LogMeOnce Password Management Suite Premium is completely free, and it outperforms many of its for-pay competitors. New features like PhotoLogin and Secure Wallet make it even more of a winner.
Granted, the wealth of features means there’s a lot for a new user to learn, but a growing collection of training videos helps with that process.
Along with the free LastPass, LogMeOnce is a five-star Editors’ Choice free password manager.