More stories

    Phishing: These are the most common techniques used to attack your PC

    Creating malicious Office macros is still the most common attack technique deployed by cyber criminals looking to compromise PCs after they’ve tricked victims into opening phishing emails.
    Phishing emails are the first stage in the attack for the majority of cyber intrusions, with cyber criminals using psychological tricks to convince potential victims to open and interact with malicious messages.
    These can include creating emails which claim to come from well-known brands, fake invoices, or even messages which claim to come from your boss.
    There are a number of methods cyber criminals can use to turn a phishing email into the access they require, and according to researchers at cybersecurity company Proofpoint, Office macros are the most common.
    Macros are a Microsoft Office feature that lets users automate tasks with embedded code. The same feature is abused by cyber criminals: once a user enables macros, a document can execute whatever code the attacker embedded in it, which provides a quiet way to gain control of a PC.
    Many of these campaigns use social engineering to persuade the victim to enable macros, typically by claiming the functionality is needed to view a Microsoft Word or Microsoft Excel attachment. It’s proving a successful method of attack for cyber criminals, with Office macros accounting for almost one in ten attacks by volume.
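    As an added example (not Proofpoint’s tooling and not code from the article), here is the kind of mail-gateway triage a defender can run on an attachment: it decides from the file’s content rather than its name whether a VBA project is present, and it treats a legacy OLE binary disguised behind a modern extension as suspicious in its own right. The file names, the sample documents built by build_ooxml, and the verdict labels are all constructed for the example.

```python
"""Triage an Office attachment for macros (added example, not Proofpoint's or Microsoft's code)."""
import io
import zipfile
from typing import Dict, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt container
VBA_PART = "vbaProject.bin"                        # OOXML keeps the macro project under word/, xl/ or ppt/
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
LEGACY_EXTENSIONS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}


def classify(data: bytes) -> str:
    """'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other', judged from content, not the file name."""
    if data.startswith(OLE_MAGIC):
        # A legacy container may or may not hold a VBA stream; telling them apart needs an OLE parser.
        return "ole-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(name.rsplit("/", 1)[-1] == VBA_PART for name in zf.namelist()):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def triage(filename: str, data: bytes) -> Tuple[str, str]:
    """Gateway decision: ('deliver' | 'quarantine' | 'detonate', reason). Labels are this example's own."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    if kind == "ooxml-macro":
        return "quarantine", "VBA project present (file claims to be .%s)" % ext
    if kind == "ole-legacy":
        if ext not in LEGACY_EXTENSIONS:
            return "quarantine", "legacy OLE container disguised as .%s" % ext
        return "detonate", "legacy format; macro status unknown without OLE parsing"
    if kind == "ooxml-clean" and ext in MACRO_EXTENSIONS:
        return "detonate", "macro-enabled extension but no VBA part; inspect anyway"
    return "deliver", kind


def build_ooxml(parts: Dict[str, bytes]) -> bytes:
    """Assemble a minimal OOXML zip; used here only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real attachments.
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCM = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\x00fake-vba-project"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCM),
                       ("invoice.doc", LEGACY_DOC), ("invoice.docx", LEGACY_DOC)]:
        print(name, triage(name, blob))
```

    The point of checking content first is that the extension is attacker-controlled; a real deployment would replace the "detonate" branch for legacy files with a proper OLE parser (or a sandbox, which is where the next technique in the article comes in).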

    But Office macros are far from the only attack technique which cyber criminals are commonly adopting in order to make hacking campaigns as successful as possible.
    Sandbox evasion is the second most common attack technique used by criminals distributing phishing emails.
    This is when malware developers build in checks that stop the malware from running, effectively hiding it, if there is any sign that it is executing inside a virtual machine or analysis sandbox set up by security researchers. The aim is to stop analysts from examining the attack, and therefore from protecting other systems against it.
    PowerShell is also still regularly abused by attackers as a means of moving further into a network after a phishing email has given them an initial foothold. Unlike attacks involving macros, these often rely on getting the victim to click a link that delivers code which launches PowerShell. The attacks are often difficult to detect because they use a legitimate Windows component, which is why PowerShell remains popular with attackers.
    Other common techniques used to make phishing emails more successful include redirecting users to websites laced with malicious HTML code that drops malware onto the victim’s PC when they visit. Attackers are also known to simply hijack existing email threads, exploiting the trust victims place in a known contact to deliver malware or request login credentials.
    The data on the most common attack techniques has been drawn from campaigns targeting Proofpoint customers and the analysis of billions of emails.
    “Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques,” said Proofpoint researchers in a blog post.

    Singtel breach compromises data of customers, former employees

    Singtel has confirmed that personal details of 129,000 customers as well as financial information of its former employees have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident. 
    The announcement Wednesday came just under a week after the Singapore telco revealed “files were taken” in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders. 
    Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address. 

    Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines also were leaked. In addition, “some information” from 23 enterprises including suppliers, partners, and corporate clients were compromised. 
    Singtel would not offer further details on what exactly this information was, citing security reasons. 
    The telco did say that a large part of the leaked data comprised internal information that was non-sensitive, such as data logs, test data, reports, and email messages. 
    It said it had begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks. This included arranging for a data service provider to offer identity monitoring services at no additional cost to affected customers, who would be instructed on how to sign up for the service.

    Singtel’s group CEO Yuen Kuan Moon said: “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.
    “Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge,” Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach. 
    He noted that Singtel’s core operations and functions were unaffected and it was conducting a “thorough review” of its systems and processes. 
    Informed only recently of product’s end of lifecycle
    ZDNet last week had asked Singtel why it was still using FTA, a 20-year-old file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco would not address the question at the time. 
    On an updated FAQ posted on its website, Singtel noted that it had continued to use the software since it was “still a current product offered and supported by Accellion”. The telco revealed that Accellion only announced the product’s end of life on January 28 this year, effective from April 30. 
    Accellion had released a statement February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle. 
    Singtel said: “It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed.”
    The telco last week said Accellion’s first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel, which said it then took the FTA system offline. 
    A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised. 

    Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam

    The owners of a popular barcode scanner application that became a malicious nuisance on millions of devices with one update insist that a third-party buyer was to blame. 
    Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play that accounted for over 10 million installs became malware overnight. 
    Having gained a following and acting as innocent software for years, in recent months, users began to complain that their mobile devices were suddenly full of unwanted adverts. 

    Barcode Scanner was fingered as the culprit and the source of the nuisanceware, tracked as Android/Trojan.HiddenAds.AdQR. The researchers tracked malicious updates as the reason — with aggressive advert pushing implemented in the app’s code. 
    The app’s analytics code was also modified and updates were heavily obfuscated. 
    Malwarebytes said the owner, Lavabird Ltd., was likely to blame, due to the ownership registration at the time of the update. Once reported, the software was pulled from Google Play.
    At the time, Lavabird did not respond to requests for comment. However, the vendor has now reached out to Malwarebytes with an explanation for the situation. 

    On February 12, Malwarebytes said that Lavabird blamed an account named “the space team” for the changes following a purchase deal in which the app’s ownership would change hands. 
    Lavabird purchased Barcode Scanner on November 23, and the subsequent space team deal was agreed on November 25.
    While the research team has been unable to contact “the space team,” Lavabird told Malwarebytes on February 10 that they were “outraged no less,” and Lavabird only acted as an “intermediary” between “the seller and the buyer in this situation.” 
    According to Lavabird, the firm develops, sells, and buys mobile applications. In this case, the company insists that the space team buyer of Barcode Scanner was allowed access to the Google Play console of the app to verify the software’s key and password prior to purchase. 
    It was the buyer, Lavabird says, that pushed the malicious update to Barcode Scanner users. 
    “Transferring of the app’s signing key when transferring ownership of the app is a legitimate part of [the] process,” the researchers commented. “Therefore, the request by ‘the space team’ to verify that the private key works by uploading an update to Google Play seems plausible.”
    After the update was performed, the app was transferred to the buyer’s Google Play account on December 7. However, Malwarebytes says that at the time of the malware update, ownership still belonged to Lavabird. 
    The first malicious update took place on November 27 and subsequent updates obfuscated the malware’s code, up until January 5, before the app was unpublished. 
    Lavabird did not verify the buyer, who was found through “word of mouth.” However, the company did say that “this lesson will remain with us for life.” 
    “From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it,” commented Malwarebytes researcher Nathan Collier. “In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if a fraction of those installs updates the app, that is a lot of infections. And by being able to modify the app’s code before full purchase and transfer, they were able to test if their malware went undetected by Google Play on another company’s account.”
    If true, and this is a claim accepted by Collier, the case highlights an interesting way for threat actors to exploit app developers, traders, and test the exposure of malware on Google Play through established and trusted user bases. 
    “We are very sorry that the application has become a virus, for us it is not only a blow to our reputation,” Lavabird told Malwarebytes. “We hope users will remove the app with a virus from their phones.”


    Fastest VPN in 2021: How we rated the top services

    Choosing a VPN can be a little bit of a chore. First, you need to research and figure out which VPN is going to work for you. Then you want to go through a trial run. But then the real test comes: you need to see how fast that trial goes with your internet connection once the VPN is set up on your machine and your network. Beth Mauder sits down with David Gewirtz to talk about the research and legwork David has done to come up with the fastest VPN on the market.
    Watch my conversation with Gewirtz above, or read a few of the highlights below.

    Beth Mauder: Why don’t you go ahead and walk us through what those tests look like?
    David Gewirtz: So there’s a variety of ways to figure this thing out, but remember that everybody’s VPN is going to be a little different because you’re in a different location. You’re on the East Coast, for example, I’m on the West Coast. People are in different countries and they’re usually using VPNs to move them to yet other countries. So your performance is going to be a little different. 
    From my set of tests, and I tested five VPNs over the course of about two weeks, I started with a raw Windows install, so that everything was consistent across each individual test. And then for each install, what I would do is do tests to a variety of countries, and when possible, repeat the vendor, the ISP in each of those countries. So I tried India, and Sweden, and Taiwan, and Russia, and either Australia or New Zealand, and tried to get out to those countries for each of the VPNs I tested. And then tested upload speed, download speed, and latency and ping time.
    I also tested how long it takes to establish the connection because it turns out that some of them take quite a bit longer to connect to the VPN than others. And that can get annoying, especially if you’re connecting on and off in different places. So that was the sum total of the test. So what I did is I repeated them three times for each test, and then I averaged the results to try to get some level of consistency. And it’s a pretty rote process. You just set it up and you run the tests and you record the numbers and put them together into, in my case, a big spreadsheet, which then got turned into charts, which were a lot more fun.

    Beth Mauder: David, after all of your testing, what were some of the fastest VPNs you can currently get?
    David Gewirtz: So I was very surprised. The fastest VPN for download that I found was a product called Hotspot Shield. And what surprised me about Hotspot Shield is they were very hypey in their promotion. They were the kind of company that you didn’t expect to live up to their promises because they were just so full of words, “The best, we’re the greatest, love us, best thing since sliced bread.” It turned out they were substantially faster. And actually, most of my performance to other countries was faster than it was with a direct connection to the other country. So that was an outlier. I was very surprised by that. Then we had CyberGhost was pretty quick. NordVPN was quick. Then StrongVPN and IPVanish wrapped up the set of the five that I did in my own testing.
    And I also aggregated tests from around the internet. And that gave me a much better picture. And I’ll talk about that in a second. But from my own personal tests of those five, Hotspot Shield, CyberGhost, and NordVPN were the fastest for download speeds. In terms of ping time, CyberGhost and NordVPN were the winners for how long it just took to send one signal to the remote site and get it back. That’s what ping time is. It’s I touch that site, I get back a response, and that’s a very quick response. And then time to connect, NordVPN and CyberGhost were slowest, and Hotspot Shield, IPVanish, and StrongVPN were the fastest.
    So we’re looking at a range from about two seconds to 16 seconds per connection. So you push your little button and you start to connect and you wait, and you wait, and you wait, and you wait, and then you get your connection. If you’re doing this a lot, if you’re going from airport location to airport location each time you’re reconnecting, then you want the one with the fastest ping connection. If you’re doing it once for your day, then you don’t really care.
    Beth Mauder: So you said you looked at other sites too, and you aggregated data from elsewhere. Were your tests confirmed? Did you look for something else? What’d you find?
    David Gewirtz: One of the things I did was I looked at 10 sites besides ZDNet, and most of them had lists of their top 10 or so VPNs. I eliminated anyone that only had one VPN reviewed or two VPN review because I wanted to see performance across the world. And the purpose of looking at these sites was that every testing, every site that did these tests was in a different location doing different performance. So if we were able to look at each of these different sites, and then see what was consistent across all their results, we’d get a better picture. So what we found was that ExpressVPN, NordVPN, and Hotspot Shield were the top three across all of the sites we looked at. But what was interesting was what’s called the standard deviation, which is the difference between the results, your how many highs and how many lows you have.
    It turned out that NordVPN’s difference was very low. They were mostly ones and twos, where Hotspot Shield had a bunch of ones and a bunch of sixes. So what that tells me is that that performance is consistent in certain locations, but not consistent in other locations. And the same applies to a few of the others. So what we found was that if you’re looking for the truest, most consistent set of results across all 10 plus ZDNet sites, then NordVPN was the fastest and the most consistent. If you’re looking for what was just the fastest, but not as consistent across all the test points, then Hotspot Shield showed up pretty well as did ExpressVPN.
    So from that, what do you take out of it? Well, the fact is almost all of these companies have 30 to 45-day money-back guarantees. And the reality is your mileage is going to be different from everybody else’s. Your mileage may vary. So what you really need to take out of this is you need to test it in that 30 to 45 days and find out how it performed for you, especially if you’re just at home and you’re working from home, then that’s easy. But if you’re traveling between home and office, or you’re going to your favorite coffee shop, if they still exist, or you’re going to the airport and you’re allowed to do that, you should test in those environments because that’s the kind of environment you’re working in, and see whether you’re getting the numbers you need. Because really, the bottom line is what our tests can eliminate, you’re having to look at the 500 VPNs out there and narrow it down to, say, three or four to start with. But you should check those three or four for what works best for you.
    Beth Mauder: Anything else, David?
    David Gewirtz: I would say that things to look at, and if you’re looking at choosing a VPN, you want to look for a VPN that has something called a kill switch. What that means is, is that if the VPN ceases to function, it doesn’t just let your data go out. What it does is it shuts off your internet connection. That’s a really important thing to keep in mind. Because again, if you’re in a coffee shop somewhere and the VPN itself quits for some reason, without the kill switch, now your data is free and open to go out to everyone. What you want is to have it decide, “I don’t have a connection. I am just going to shut you on down.” And that way, you’re careful about that. Other things to keep in mind are what you’re using the VPN for. Are you using it just to protect your login information? Or are you using it because you’re concerned about stalkers or you’re an activist or something like that?
    If you’re just protecting your own information and you’re in a coffee shop, then most of these VPNs will do fine for you. If you are using the VPN to protect your life, then you need to do additional research. No one of these articles will be enough. You need to go onto forums. You need to go to groups that are like you to see what they say and what they experience. Because many people, well, not many people, but a significant percentage of people use VPNs to protect their lives in certain ways. And for that, be more serious than just reading one review.


    Dutch police post 'friendly' warnings on hacking forums

    Dutch police have posted “friendly” messages on two of today’s largest hacking forums warning cyber-criminals that “hosting criminal infrastructure in the Netherlands is a lost cause.”
    The messages were posted following “Operation Ladybird,” during which law enforcement agencies across several countries intervened to take down Emotet, one of today’s largest botnets.
    Dutch police played a crucial role in the Emotet takedown after its officers seized two of three key Emotet command and control servers that were hosted in the Netherlands.
    But today, Dutch police revealed that after the Emotet takedown, its officers also went on Raid and XSS, two publicly accessible and very popular hacking forums, and posted messages in order to dissuade other threat actors from abusing Dutch hosting providers to host botnets or other forms of cybercrime.
    A message in English was posted on Raid, a forum popular with stolen data traders, and a second message, in Russian, was posted on XSS (formerly known as DamageLab), a Russian-speaking forum where hackers rent access to malware-as-a-service operations, and a forum usually frequented by today’s top ransomware gangs.

    Message posted on the Raid forum by Dutch police
    Image: Dutch police

    Message posted on the XSS forum by Dutch police
    Image: Dutch police
    The messages, as can be seen above, warn hackers that “hosting criminal infrastructure in the Netherlands is a lost cause” and that Dutch police plans to continue seizing their infrastructure.
    A link to a YouTube video was also included, a video that ends with a message from Dutch police that says: “Everyone makes mistakes. We are waiting for yours.”

    The aggressive messages aren’t a surprise, at least for cyber-security experts, most of whom are well aware of the Dutch police’s aggressive stance.
    Over the past years, Dutch police have been at the center of many botnet takedowns, big and small. They arrested the owners of two web hosting providers that commonly hosted DDoS botnets, took down 15 different DDoS botnets in a week, moved to intercept encrypted BlackBox cryptophone messages, shut down Ennetcom for providing encrypted chat support to cybercrime groups, and have aggressively hunted phishers, malware operators, and users of DDoS-for-hire services.
    Dutch police are also currently at the heart of a mass-uninstallation operation, together with German police, to remove the Emotet malware from infected hosts.


    Ditching LastPass? Here are some alternatives to try

    LastPass has announced some big changes to its free offering, making the service much more restrictive for people who want to access their passwords across mobile devices and computers.
    Now, before I go any further, I think it’s worth pointing out that I am a LastPass Premium user. I have been for many years, and I’ve been 100% satisfied with the service, especially for $3 a month.
    But I can also understand why you might not be so keen to pay for something that was previously free.
    Let’s take a look at what alternatives are on offer to you.

    Apple iCloud Keychain
    This is a great choice for those in the Apple ecosystem. Save a password on one device, and it’s available on all your Apple devices.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.
    It’s free, but the cost of entry into the Apple club can hardly be considered free.

    Google Chrome password manager
    If you’re a Google Chrome user, then you already have a cross-platform password manager that will work anywhere you have Google Chrome installed and signed in to your Google Account.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.

    NordPass
    The free plan allows you to store unlimited passwords, notes, and credit cards and sync them to an unlimited number of devices, but you can only have one active device at a time (in other words, you’ll be logged out of other devices).
    The premium plan, which starts at $1.49 a month if you take out a two-year plan, is one of the best-value premium offerings out there.

    LogMeOnce
    Along with a paid service, LogMeOnce offers a free ad-supported service with unlimited passwords across unlimited devices. You also get a password generator and the ability to store three credit cards.

    Zoho Vault
    While part of a much bigger suite, Zoho Vault is offered as a free password service with unlimited passwords across unlimited devices, as well as premium features such as two-factor authentication and a password generator.

    KeePass
    Not a cloud service, but a free, open source, lightweight and easy-to-use password manager for Windows. Not using Windows? There are unofficial ports for a variety of platforms (make of that what you will), including Android, macOS, iOS and iPadOS.
    I’ve used KeePass in the past, but the absence of cloud syncing and automatic syncing across multiple devices makes it harder work to use.


    Bug in shared SDK can let attackers join calls undetected across multiple apps

    A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.
    The bug —discovered by security firm McAfee, and tracked as CVE-2020-25605— impacts the software development kit (SDK) provided by Agora, a US company specialized in providing real-time communication tools.
    Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.
    In a report published today, McAfee says that the Agora SDK does not encrypt details shared during the process of setting up a new call, even if the app has the encryption feature enabled.
    Any attacker sitting on the same network as a targeted user can intercept the traffic in the initial phases of a call, extract various call identifiers, and then join the call without being detected.
    McAfee said it discovered this issue last year, in April, during a security audit for temi, a personal robot used in retail stores, which also supports audio and video calling.
    A subsequent investigation also found clues that this behavior also impacted other apps using the SDK, and the security firm said it notified Agora of its findings.

    Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that they notified Agora of their findings and that the company responded by releasing a new SDK in December 2020 that was not vulnerable to CVE-2020-25605.
    “While we don’t know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update,” Povolny told ZDNet.
    An Agora spokesperson did not return a request for comment.
    Agora-based apps have tens of millions of downloads on the Play Store alone; however, McAfee said they found no evidence that the bug was abused in the wild to spy on conversations.


    Best password manager in 2021

    Everyone needs a password manager. Period, full stop. It’s the only possible way to maintain unique, hard-to-guess credentials for every secure site that you, your family members, and your team access daily.


    The six programs listed in this guide all offer a full set of features in exchange for a monthly or annual fee. Although some offer a limited free plan, our evaluation is based on the full feature set available with a paid subscription.
    All of the programs run on Windows or Linux PCs, Macs, and mobile devices. To get started, you install a stand-alone app or browser extension and sign in to your account. The app saves sets of credentials in a database whose contents are protected with 256-bit encryption. To unlock the password database, you enter your master password, which only you know and from which the decryption key is derived. The browser extension or app then fills in credentials automatically as needed.
    Different password managers have different user experiences and different feature sets, but all offer subscribers a similar set of core features: 
    A password generator that puts together a combination of upper- and lower-case letters, numbers, and symbols. 
    Secure sharing of passwords with trusted contacts. 
    Form filling, including the option to automatically enter credit card details. 
    Secure notes.
    A sync engine that replicates the database across devices, using a cloud service or a local host.
    Password managers that sync the saved database to the cloud use end-to-end encryption: the data is encrypted before it leaves your device, and it stays encrypted in transit and on the remote server. When you sign in to the app on your local device, the program sends the server a one-way hash derived from your master password; that hash identifies you but cannot be used to unlock the vault itself.
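    The separation described above is easy to get wrong, so here is an added example of how it fits together; it is not any vendor’s code and the article does not describe a specific product’s scheme. The client derives the vault key from the master password on the device, derives a second one-way login hash from that key, and sends only the login hash; the server stores a salted verifier of it plus the opaque encrypted blob. The iteration count, the salt choices, and the email and password in round_trip are assumptions made for the example. Because the standard library has no AES, the sealing routine is an encrypt-then-MAC construction built from HMAC-SHA256 that stands in for AES-GCM.

```python
"""Key separation for a cloud-synced password vault (added example, not any vendor's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 100_000   # assumed work factor for illustration; real products publish their own


def vault_key(master_password: str, email: str) -> bytes:
    """Derived on the device from the master password; encrypts the vault and is never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)


def login_hash(master_password: str, vkey: bytes) -> bytes:
    """One more one-way step: this is what the client sends to authenticate.

    Knowing it does not give the server, or anyone who steals its database, the vault key.
    """
    return hashlib.pbkdf2_hmac("sha256", vkey, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(vkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys split from vkey. HMAC-based stand-in for AES-GCM,
    used only because the standard library ships no AES; use a real AEAD in production."""
    enc_key = hmac.new(vkey, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(vkey, b"vault-mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(vkey: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; return None on any tampering or wrong key."""
    enc_key = hmac.new(vkey, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(vkey, b"vault-mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncServer:
    """Holds only a salted verifier of the login hash plus the opaque encrypted blob."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, bytes]] = {}

    def register(self, email: str, lhash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", lhash, salt, ITERATIONS)
        self.users[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, lhash: bytes) -> Optional[bytes]:
        rec = self.users.get(email)
        if rec is None:
            return None
        cand = hashlib.pbkdf2_hmac("sha256", lhash, rec["salt"], ITERATIONS)
        return rec["blob"] if hmac.compare_digest(cand, rec["verifier"]) else None


def round_trip(email: str, master: str, vault: bytes) -> Dict[str, Optional[bytes]]:
    """Client registers and syncs, logs back in and decrypts; then check what the server could do."""
    server = SyncServer()
    vkey = vault_key(master, email)
    server.register(email, login_hash(master, vkey), seal(vkey, vault))

    fetched = server.login(email, login_hash(master, vkey))
    recovered = open_sealed(vkey, fetched) if fetched is not None else None

    rec = server.users[email]                                 # all the operator (or a thief) holds
    server_view = open_sealed(rec["verifier"], rec["blob"])   # best it can try: use the verifier as a key
    wrong_key = vault_key(master + "x", email)
    wrong_password = server.login(email, login_hash(master + "x", wrong_key))
    return {"recovered": recovered, "server_view": server_view, "wrong_password": wrong_password}


if __name__ == "__main__":
    print(round_trip("alice@example.invalid", "correct horse battery staple", b"example.invalid alice hunter2"))
```

    The property to check when reading a vendor’s security page is exactly the one round_trip exercises: everything the server stores (salt, verifier, blob) is useless for decryption, and the login hash is a derivative of the vault key, never the other way round. A design that sends the vault key, or derives the login hash from the master password with the same salt and iteration count as the vault key, collapses the two and loses the end-to-end guarantee.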
    What we looked for 
    In putting together this list, we looked at third-party reviews and opinions from security experts, with a goal of finding the broadest possible selection of products from established developers. We supplemented that knowledge with our own hands-on experience.
    Four of the password managers in our list offer free versions, typically with some limitations and an option to upgrade to a paid subscription for additional features. All offer both personal and business versions of their products, and some offer family subscriptions that allow multiple user accounts with the option to grant access to credentials for shared services. If you prefer open source software, look at Bitwarden, which offers an excellent free version as well as subscription options.

    Our capsule descriptions are not intended to be comprehensive but rather are designed to help you create your own shortlist. After you narrow down possible contenders, we encourage you to look at the feature table for each one to confirm that it meets your needs, and to take advantage of free trial options before settling on your final choice.
    Because security is such an important feature of a password manager, we’ve tried to address the key question many of our readers ask: Where is your data stored? All of these commercial products offer a cloud sync option; some also include the option to save and sync files locally, so you don’t have to trust your online keys to someone else’s infrastructure.
    And rather than summarize the encryption and data handling precautions each developer takes, we’ve included a link to their online security page so you can read that information and decide for yourself whether you trust their design and encryption decisions.

    Free version supports unlimited devices per user

    LastPass, which has been a member of the LogMeIn family since 2015, is one of the best-known brands in a very crowded field, largely because for years its free edition offered a robust set of features and supported an unlimited number of devices per user. That policy changed in March 2021, when the company revised its offerings to require a paid plan for use on both mobile devices and one or more personal computers. The company’s personal and business product lines work on all major desktop and mobile platforms and browsers. The service is cloud-based only, with files stored on the company’s servers and synced to local devices.
    The Premium version ($36 a year), besides enabling cross-platform support, adds a few extra features, such as advanced multi-factor authentication options, 1GB of encrypted file storage, and the capability to designate a trusted contact for emergency access. The family plan, which covers up to six users, costs $48 a year and includes a management dashboard. Business plans start at $48 per user per year. 

    Fewer than 50 passwords? This free version will do

    Dashlane doesn’t have the longevity of its chief rivals, but it’s been around long enough to earn a reputation for ease of use. Apps are available for Windows PCs, Macs, Android, and iOS. If your password database includes fewer than 50 entries and you only need to use the software on a single device, you can get by with the free version, which also supports two-factor authentication. Dashlane does not offer a family plan, but it does support sharing of passwords between accounts.
    The $60-per-year Premium version removes limits on the number of saved passwords and synced devices and includes a VPN option. The $120-per-year Premium Plus bundle adds identity theft insurance and credit monitoring. Business plans include the same features as Premium, at $48 per user per year, with provisioning and deployment options as well as the capability to segregate business and personal credentials. (All prices require annual billing.) 

    Allows an unlimited number of saved credentials

    Sticky Password was founded in 2001 by former executives of AVG Technologies, which was a pioneer in the freemium category for security software. True to those roots, this password manager offers a full-featured free version that works on all major device categories and browsers, allows an unlimited number of saved credentials, and supports two-factor authentication and biometric sign-in.
    The $30-per-year premium version includes the ability to sync between devices, using either the company’s servers or a local-only option using your own Wi-Fi network. It also supports cloud backups and secure password sharing and includes priority support. If you’re really committed to the service, you can purchase a lifetime subscription for $200. 

    Business accounts cost $96 per user per year

    Although this product earned its reputation on Apple’s Mac and iOS devices, it has embraced Windows, Android, Linux, and Chrome OS as well; the 1Password X browser extension fills in credentials, suggests passwords, and provides two-factor authentication in Chrome, Firefox, and Microsoft Edge. After an initial 30-day free trial, a 1Password personal subscription costs $36 per year; a five-user family subscription costs $60 annually.
    1Password works best when its data files are synced from 1Password’s servers, but you also have the option to save passwords locally and sync the data file with your own network or a Dropbox or iCloud account. (The company boasts that it does no user tracking of any kind.) 1Password Business accounts, which cost $96 per user per year, add advanced access control with activity logs and centrally managed security policies, and include 5GB of document storage (compared to 1GB for personal accounts) plus a free linked family account for each user.

    $60-per-year bundle adds KeeperChat encrypted messaging

    Founded in 2011, Keeper has probably the widest assortment of products of any developer in this guide, with separate offerings for personal and family use, business, enterprise customers, and managed service providers. Personal plans start at $30 a year for Keeper Unlimited, which (naturally) allows storage of an unlimited number of passwords and syncs them on an unlimited number of devices.
    A $60-per-year bundle adds the KeeperChat encrypted messaging program, secure file storage, and a breach monitoring service that scans saved passwords to find any known to be compromised. The family version of each plan doubles the cost and supports up to five users. Keeper stores synced data files on the Amazon Web Services cloud. Student plans are half-off the listed prices. 

    Core features are “100% free”

    Bitwarden brags that its core features are “100% free,” and that’s not an idle boast. That free version has none of the limitations associated with commercial software. Instead, the paid versions ($10 per year for a single user, $40 annually for a family of up to six) add advanced features like a built-in TOTP authenticator and two-step login with a hardware key.
    The source code for Bitwarden is hosted on GitHub, with separate repositories for desktop, server, web, browser, mobile, and command-line projects. It has all the checklist features of commercial personal password managers, including secure cloud syncing. If you’re uncomfortable with storing your passwords in the Bitwarden cloud, you can host the infrastructure on your own server, using Docker.
