Münich-based software publisher Steganos is all about privacy. The company offers encryption, VPN, secure deletion, and other privacy-related tools. Naturally, the lineup includes a password manager. Steganos Password Manager 18 doesn’t have the high-end features that typify the very best password managers, though, and even its more mundane features didn’t always work in testing.
Your one-time payment of $24.95 gets you licenses to install the application on up to five PCs. The licenses don’t expire, but they also don’t automatically update to the next version. You can also tie any number of iOS or Android devices to your account. This pricing is a bit hard to compare with the competition. RoboForm Desktop is also a one-time fee, $29.95 in this case, but it doesn’t sync across multiple devices. Dashlane costs $39.99 per year and puts no limits on the number of PC, macOS, Android and iOS devices. Just one dollar per month lets you use LastPass Premium on all your devices. And of course, some competitors, such as LogMeOnce Password Management Suite Premium, are completely free.
When you go to download Steganos, you’re likely to find that it comes with a trial of the full Steganos Privacy suite. This suite includes, among other things, a file shredder, several forms of encryption, and the Steganos Online Shield VPN. In this review, I focus strictly on the password manager.
Once you’ve installed the product, it opens to a big, empty window, with instructions on how to proceed. With Steganos, you can create multiple password databases, which it calls keychains. Multiple users on one PC could have their own keychains. But nothing happens until you select New from the File menu, to create your first keychain.
As with most password managers, Steganos starts you off with the creation of a master password. You can type it using a virtual keyboard, or create it using the unusual PicPass feature. I’ll go into detail about those below. As you type in your password, Steganos fills in five lock icons, and displays a description of your password’s strength. At one lock, it says, “This password can probably be guessed.” If you make it to five locks, it declares, “This password cannot be identified by intelligence agencies.” Interestingly, it also reports the number of word fragments found in the password.
There’s also an option to store the master password on a USB device. This isn’t precisely two-factor authentication, since the USB device replaces the master password for authentication. In addition, you can’t sync with mobile devices if you choose USB authentication. True Key and LogMeOnce Password Management Suite Ultimate both allow authentication using multiple other factors, without the need for a master password. In fact, passwordless login is the default for LogMeOnce.
Steganos installs the necessary browser extension in Internet Explorer automatically, and there’s a menu option to install it in Chrome. Firefox is also supported, but in testing I could not get the extension to load. Even after reinstallation, Firefox reported the extension as corrupt. An Edge extension is in the works, pending approval by Microsoft. True Key by Intel Security is the only competitor I’ve encountered that has a working extension for Microsoft Edge.
Dashlane, Sticky Password Premium, and most password managers that let you sync your passwords across multiple devices handle syncing internally. Not Steganos. If you want to sync between devices, you must configure it to store your keychain in your existing cloud storage services. It supports Dropbox, Google Drive, and OneDrive, as well as the Europe-centric Magenta Cloud. Setting up the connection is simple enough, and of course your data is encrypted before it’s sent to the cloud. Still, this might be a good time to toughen up the password on your cloud storage.
There is one more option for syncing among devices, but it’s not something most users would want to mess with. If you choose File export, Steganos saves your data in a portable, shareable form. Importing that data on another PC isn’t so tough, but getting it onto an Android or iOS device is a pain.
Password Capture and Replay
Like almost all password managers, Steganos notices when you log in to a secure site and offers to save your credentials. Some products slide in a notification at the top of the browser window, some create a popup within the browser, and others use a totally separate popup. Steganos is among the last group, and I found that its popup consistently got stuck behind the browser. You can give the new entry a friendly name at this time, but you can’t assign it to a category.
If you’re switching to a new password manager, the ability to import passwords from the product you’re leaving behind is a big plus. LastPass can import from more than 30 competitors, and KeePass from nearly 40. Steganos imports from just two, KeePass 2.34 and 1Password; to me these seem like odd choices.
Dashlane, LastPass, Password Boss Premium, and True Key don’t just import passwords stored insecurely in your browsers. They also delete those passwords from the browser, and turn off browser-based password capture. Alas, Steganos doesn’t import from browsers at all.
When you revisit a secure site, the default behavior is for Steganos to automatically fill in the saved credentials. You can turn off this behavior and manually call on the browser extension when you want it to fill in the data. As is typical, if you have multiple sets of credentials saved, it offers a menu.
While most websites use standard login screens, easily understood by password managers, some of them march to a different drummer. If you run into a login that Steganos doesn’t capture automatically, you can do it manually. Just sign out, reenter your credentials, and (in Chrome) choose “Save form to keychain” from the toolbar button’s menu. In testing, I found that in IE the equivalent Save Form button did not work. LastPass, Sticky Password, and RoboForm Everywhere 7 have a similar ability to capture passwords on demand.
Many password managers turn your data into a menu of saved websites. Just click the toolbar button and choose a site to both navigate there and log in. With Steganos, you open the main application window and launch from there.
The Steganos application must be running any time you want to use its browser extensions. That’s a bit different from many competing products. I kept accidentally shutting it down, when all I really wanted to do was get it out of the way. The correct way to handle that situation is to minimize the application down to its tiny desktop widget. From the widget, you can restore the main window, or drag/drop the username and password for the selected login.
When you’re editing one of your saved password entries, you can invoke the built-in password generator to provide a strong new password. However, it’s up to you to go to the site and put your new password in place. Steganos doesn’t automatically offer the password generator when you’re setting up a new online account, either.
The password generator defaults to creating 16-character passwords, which is good. But it only uses uppercase letters, lowercase letters, and digits, by default. I advise adding special characters to the mix. Interestingly, Steganos seeds its random number generator before each password generation event by using your own mouse movements.
As noted, you can assign a friendly name at the time Steganos captures a set of login credentials. That name is what appears in the main window’s password list. When you click an item in the list, its details appear at right. You can click Edit to change those details—all except the friendly name. To change that name, you must right-click it in the list.
To start, all your passwords simply appear directly below the root of the tree. If you prefer a more organized approach, you can create any number of categories, which become branches in the tree display. You can even create nested categories, something that few password managers allow. RoboForm, Sticky Password, and LastPass 4.0 Premium are among the few that permit multilevel categories.
I assumed that organizing my saved logins would be a simple matter of dragging them in to the desired category, the way you do with LastPass. It’s not. Instead, you right-click the entry and select its new location in the tree.
With LastPass, Dashlane 4, LogMeOnce, and other Web-centric password managers, you can log into your password database from any computer. Steganos requires installation of its app on a PC, and doesn’t make your cloud-connected database available without it.
However, if you anticipate needing to use the app on an unfamiliar computer, you can create a portable edition on any USB device. Just select the keychain, select the device, and you’re done. Any future changes you make in the main app don’t appear in the portable edition, so you should recreate the portable edition frequently. In addition, all the data in the portable edition is read-only.
PicPass and Virtual Keyboard
Some people have no trouble remembering a strong password based on a favorite song or quote. Others are more visual, and for those people Steganos offers PicPass. When you choose to define or redefine your master password using PicPass, you start with a grid of 36 photos or 36 symbols. You proceed to click on as many of the pictures as you think you can remember, and then repeat that same pattern of picture-clicks.
However, there’s a catch. The 36 pictures correspond to the 10 digits and 26 uppercase letters, and your fancy pattern of clicks gets translated into a mundane password like 1UB3OX. Steganos doesn’t hide this fact; it even offers to display the generated password. Yes, you can make the PicPass process tougher by having Steganos scramble the picture locations, but doing so just makes it harder for you to get the right sequence. It doesn’t make the password itself more resistant to brute-force cracking.
Limited Web Form Filling
Steganos lets you store a very limited set of personal data, little more than name, address, email, phone, and birthdate. There’s no option to store multiple profiles such as you get with LastPass, Dashlane, and others. And there’s certainly no ability to create multiple instances of data fields the way you can in RoboForm. You can enter data for any number of bank accounts and credit cards, and sync these between your devices, but the app does not use these to fill Web forms.
In testing, I found that the Web form-filling feature worked correctly in Chrome, but didn’t work in Internet Explorer. In some cases, it immediately filled personal data into the form’s fields. In other cases, I had to select “Fill form now” from the toolbar button’s menu.
If you want to use Steganos for logging into secure sites on your mobile devices, you must configure your account to use one of its cloud storage options. Install the free Steganos Mobile Privacy from the Google Play store or Apple App Store, connect it with your cloud storage, and enter your master password. You’re ready to go.
I installed the app on a Nexus 9, just to get a feel for it. The PC edition’s tree display is absent, so you have to either dig down to the entry you want or use the handy search box. Tapping an entry opens the corresponding website in the app’s internal browser and logs you in. There’s no integration with other browsers installed on the device.
Like the portable edition, the mobile edition is read-only. If you want to add or edit password entries, credit card data, or anything else, you must do it on your PC. But if all you want is quick mobile access to your secure websites, it does the job.
You Can Do Better
It’s nice to see a password manager that charges a one-time fee rather than a per-year subscription, but there are disadvantages, too. That yearly subscription pays other vendors for things like server space to hold your encrypted data. With Steganos Password Manager 18, you supply that storage yourself, in the form of an account with one of the big cloud storage providers. Steganos also lacks the advanced features found in the very best password managers. In testing, even the simpler features it does contain didn’t always work perfectly.
If the low, one-time price really resonated with you, you’re probably better off getting one of our top free password managers instead. For those willing to pay a bit, we’ve identified several password managers worthy of the title Editors’ Choice. LastPass 4.0 Premium costs just a dollar a month, and it has tons of features. LogMeOnce Password Management Suite Ultimate 5.2 beats all the competition feature-wise, with some security elements not found in any competitor. Dashlane 4 goes for streamlined ease of use, with advanced features including an actionable password strength report, secure password sharing, and account inheritance.