Browser extensions for any platform. Data stored on smartphone, not cloud. Free. One-click authentication. Replaces Google Authenticator. Password strength report. Secure sharing.
Can only use one smartphone. Doesn't fill web forms using personal data. Password strength report is iPhone-only, no Android. Not all features worked correctly in testing.
- Bottom Line
The free Myki Password Manager & Authenticator stores passwords on your smartphone, not in the cloud. Its slick interface and handy authentication abilities make it an excellent option.
The point of using a password manager is to make your life easier and more secure. You can switch out weak and duplicate passwords for strong ones, because the password manager remembers them for you. The best password managers let you sync your data across multiple devices, in most cases by using encrypted cloud storage. That's a worry, for some. Sure, the company promises your passwords are safe, but you have no way to check on them. There's always the possibility the company could get hacked, or go rogue. Myki Password Manager & Authenticator avoids that worry by keeping your encrypted password collection strictly on your smartphone. Browser extensions for Chrome, Firefox, Safari, and Opera communicate with the smartphone app to let you manage passwords on any platform that supports one of those browsers. Myki a clever new entry in the password manager realm.
No cloud storage means no need to maintain a server farm to hold all those password collections—a big savings. Ascendo DataVault Password Manager also uses local-only storage, and passes on the savings by charging a one-time fee of $9.95 per device, rather than an ongoing subscription charge. Myki goes farther, giving you all features for a cost of exactly nothing. That's right, it's a completely free password manager. LastPass and LogMeOnce, which both use encrypted cloud storage, also offer free versions, relying for income on users purchasing the feature-enhanced commercial editions.
KeePass is also free, and also stores your data locally, with no cloud presence. However, syncing is what I can only describe as a pain. You can copy the password database from one device to another and sync manually, or set up an HTTP, FTP, or WebDAV site to hold the master database with which each device syncs. Also, Myki's modern, sleek, and easy-to-use interface totally outshines KeePass' seriously antiquated UI.
Getting Started With Myki
Start by installing the app on your Android or iPhone. Give it your phone number, set up a six-character PIN, and enable fingerprint login, if available. That's it—there's no master password to memorize, yet it's secured by two-factor authentication, or 2FA. A hacker would need to steal your phone (something you have) and either learn your PIN (something you know) or replicate your fingerprint (something you are).
Connecting your Myki app with other devices is ridiculously simple. When you install the browser extension in your browser of choice, it displays a big, shifting QR code. Snap that code with the Myki app to pair the device. Make sure to enable the option to create secure backups, while you're at it. That way, if your phone breaks, you can just restore from backup. Note that at present you can only associate one smartphone with an account. If you want to use your passwords on another phone, you do so by installing the browser extension.
Password Capture and Replay
Myki's browser extension works like most password managers. When you log into a secure site, Myki offers to save your credentials. You can give the entry a friendly name at this point, but Myki doesn't include organizational features like groups, categories, or tags. My company contact tells me that tags are coming soon.
When you return to a recorded site, Myki offers a list of logins for that site. You can also manually bring up the list by clicking a small icon that Myki puts in the username and password fields. Here's where it gets really clever. Making your selection doesn't immediately fill your credentials. Rather, it sends a notification to your smartphone. It fills those credentials only after you tap to approve. You can get a similar tap-to-approve function with Keeper Password Manager & Digital Vault by installing the Keeper DNA app on your smartphone or smartwatch.
Clicking the Myki browser toolbar icon displays a list of your saved accounts. It's a simple alphabetic list, and you can't see a lot of items at once, so I'm glad search is available. The search box narrows the list as you type; chances are you'll only have to type a few characters. When you click an item, Myki opens it in the browser and sends an authentication request. Once you grant access, it logs you in.
If you're using the Myki app on your smartphone, clicking to log into a site naturally skips the authentication step. It opens the site in its internal browser and logs you in. As noted, you can use a different browser by installing the extension. On Android, you can turn on the ability to fill passwords for apps. On the iPhone, Myki walks you through the process of enabling access via the share icon. Once you've done that, you can autofill many popular apps by clicking the share box.
In testing, I found that Myki didn't always fill logins properly in its internal browser. In some cases, it omitted the username. In other cases, it visibly filled the password field, but the site didn't recognize that a password was present. Using the share icon with Safari actually worked better.
Personal Data and Secure Notes
In the browser extension, there are three tabs: Accounts (the default), Payment Cards, and Secure Notes. The smartphone app adds pages for ID cards and 2FA—more about 2FA later. To reach the other pages in the smartphone app, you simply swipe left or right.
When you add a payment card number, Myki automatically detects the card type. I wish more products would do that. The name, cardholder name, and expiry date appear on a replica of a credit card as you type them. Myki uses a different color for each card type. Dashlane takes the concept even further, letting you choose the color to match your physical card and adding the logo. I do wish Myki would let you add a card by snapping it with the smartphone camera, the way Keeper and a few others do.
Like LogMeOnce Password Management Suite Premium, LastPass, and many other competing products, Myki lets you store and sync secure notes. To add one, you type a title and then add the secret information as plain, unformatted text. This feature can be useful for recording non-digital secrets, such as padlock combinations. As with passwords, when you try to access a saved card or note in the browser extension, you get a confirmation request in the app.
Myki can store a wide variety of ID types, among them passport, driver's license, insurance card, and bank account. You can snap a photo of the physical card for reference, but you must fill the information manually. ID Cards don't appear in the browser extension.
Myki doesn't use saved payment card info to fill web forms, though you can click to copy the card number to the clipboard. Email addresses are the only type of data it autofills at this time. If you click in a field that calls for an email address, it displays all the emails from your existing accounts, which is handy.
Many secure websites let you configure two-factor authentication using Google Authenticator, or a Google Authenticator workalike such as Duo Mobile or Twilio Authy. Myki has the same two-factor authentication built in, with a twist.
To set up Myki for two-factor authentication, first log in to the site to capture the username and password. Open the new entry on your smartphone and tap Settings, then tap the Setup 2FA button. Back in the browser, dig into the site's settings to enable two-factor authentication. It may have another name. For example, Dropbox calls it Two-step verification. Scan the QR code with Myki and confirm the associated account. At this point, you're almost done. In the app, swipe left until you see 2FA, find the number next to the account you're working on, and type it into the waiting website.
Here's the twist. That's the last time you'll have to type the authentication code. When you next log into the site, Myki fills in your username and passwords as always. But it also fills in the authentication code. That's a lot handier than having to look back and forth between the phone and the browser, typing (or mistyping) each digit. Note that this automated two-factor authentication works with the browser extensions, not on the smartphone itself.
When you don't have to keep your passwords in memory, they can be as long and complex as a site accepts. Even so, some password managers default to generating unsafely short passwords. RoboForm Everywhere generates eight-character passwords by default, as do SplashID and Trend Micro. DataVault uses eight alphabetic characters by default.
KeePass defaults to an impressive 20 characters, but the Myki app has it beat. Out of the box, Myki generates 30-character passwords! It always includes uppercase and lowercase letters; you can turn off use of numbers and punctuation if you encounter a site that doesn't accept them. You can also set the password length anywhere from four to 99.
Things are a bit different with the browser extension. There's no direct access to the password generator, but when you click a password field while creating an account it offers to gin one up for you. The browser extension always uses lowercase characters but lets you choose whether to use the other three types of character. Furthermore, its maximum length is 200. I'd like to see the options for the app and the extension aligned.
As with LastPass, 1U Password Manager, and Enpass, Myki users can set up secure sharing of any account or other saved data. LogMeOnce also allows sharing, but the free edition only allows five shared items.
Whereas most password managers set up sharing using email, Myki needs a phone number. That makes sense, since your account data lives on your smartphone. You can't enter an arbitrary number; it must come from your contacts list. Once you select the number, the contact shows on the item's sharing page, marked pending. When the recipient accepts the share, the pending notation disappears.
Tapping the share icon at the bottom of the app lets you view all the items you've shared, and all items that others shared with you. You can tap to revoke a share at any time. This not only removes the account from the recipient's collection, it logs out of the site if it's open. Also, for security purposes, shares don't get backed up. Restoring from a backup effectively revokes all shares.
In testing, I found that logging in with shared accounts didn't work properly. I tried to launch a shared Netflix account, but the username didn't show up in the internal browser. When I copy/pasted the username, it seemed to work, but the site acted as if I failed to enter the password. It also didn't replay properly in Safari. My Myki contact confirms that this is a bug, and that they're working on it.
Quite a few commercial password managers include some means for ensuring that your heirs can access your accounts after your demise. LastPass and LogMeOnce are among the few free password managers that include password inheritance. I'm told that that feature is on the drawing board for Myki's next version.
Getting all your passwords under management is just half the job. You also must replace all the weak and reused passwords with new strong ones generated by Myki. The Security Dashboard feature can help. While not as elaborate as Dashlane's Security Dashboard or the Security Challenge in LastPass, it gets the job done. Specifically, it lists all of your saved accounts with a security rating for each password, and flags any that are duplicates. You can filter to see just weak ones, reused ones, old ones (meaning not changed for 90 days), and passwords at risk due to a known breach.
Now for the bad news. At present, this feature is only present in the iPhone edition. Android support is planned, but it isn't ready yet. In addition, the iPhone report looks a bit odd, with Reused and At Risk displaying as "Reu…" and "At R…"
Like the Keeper Security team, the Myki team considered adding automated password change and decided to avoid it. Keeper does help with the process. If it sees a typical three-field password-change form, it offers to update and save the new password with a single click.
Tapping an icon at the bottom of the app lets you view all connected devices and browsers. Tap a device and you can see the connection location and the date of the last backup. The best part, though, is the big, red Disconnect button. If you've lost a device or walked away from a logged-in browser extension, clicking that button both removed Myki's connection to that device and logs out of any sites for which Myki helped with login. You'll have to pair the device with Myki again to restore the connection, but, as noted, that's a simple matter.
I've mentioned the automatic backups that ensure you won't lose your passwords if your phone dies. You can also export your password list to an admittedly insecure CSV (Comma-Separated Values) format. Doing requires that you scan a QR code with your smartphone. At first, I didn't know how to perform that scan, because there's no Export option in the smartphone app. It turns out that you tap Backup Accounts to perform the necessary scan.
A feature called Backup With a Friend is coming, but not quite ready. The concept is simple. Myki sends an encrypted backup to a friend's phone. If you manage to lose your own smartphone before making a backup on some other device, you can restore from that backup.
A Welcome Newcomer
Myki Password Manager & Authenticator is an interesting new entry in the free password manager field. It combines the security of local-only password storage with the convenience of built-in authentication. It is a bit of a work in progress. Some features didn't work properly in testing, and the important password strength report is iPhone-only for now. The company plans some significant feature updates in the next few months; I'll revisit this review after those updates.
With tons of features including password inheritance, automated password updates, and many two-factor authentication options, LastPass remains Editor's Choice for free password manager. Admittedly, it's not as streamlined as commercial Editors' Choice products Dashlane and Keeper, but it does the job. Despite "premium" in the name, LogMeOnce Password Management Suite Premium is also a free password manager, and also an Editors' Choice. But up-and-coming Myki is definitely worth a look.Top
About the Author
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b... See Full Bio
More From Neil J.
AVG Internet Security - Unlimited
How to Avoid Phishing Scams
Avast Internet Security