The security experts at ii2P contend that with online data breaches occurring right and left, storing passwords and personal information in the cloud is just a bad idea. The company suggests a better storage location—right in your pocket! MyLOK ($89.95, direct) is a password manager that resides on a dedicated USB device with a built-in smart card for encrypted storage. Plug it in to any computer, enter your PIN, and you've got full password management and form-filling capabilities. Pull it out and your data goes safely back in your pocket.

Getting Started
While none of your data resides online when you use MyLOK, the necessary registration step requires connectivity. I had to temporarily turn off my Norton firewall to complete the registration; technicians at ii2P are working to eliminate this minor obstacle. Registration requires details such as the device's serial number and a couple of security questions. At this time, you also select a four-digit PIN to unlock the device. Of course you can change the PIN later.

Most modern computers have AutoRun turned off, so each time you mount the device you'll need to launch the main program manually. Double-click the icon that appears in the system notification area, enter your PIN, and you're ready to roll.

The control console that appears after you enter your PIN can be used to configure form fill-in and view a printable report of your stored credentials. Among other things, its configuration page lets you backup and restore your saved data and change the PIN or security questions. To protect your security, the console closes any time you click away to another window.

Secure Storage
The MyLOK device includes 8GB of standard USB storage (a 4GB version is also available) which holds the main program and anything else you care to load on it. Don't look for your passwords in this area, though. They're stored in 36KB of EEPROM secured by an onboard cryptographic processor chip. According to the company, 36KB is enough storage for about 300 sets of login credentials, more than most users will ever need.

I didn't attempt the tedious task of testing the device's capacity by saving 300 passwords. I would have if I could have imported my logins from other popular password managers, but MyLOK lacks import capability. LastPass 1.72 (free, 5 stars) can import from more than 20 other applications, while RoboForm Everywhere 7 ($19.95 direct, 4.5 stars) imports from LastPass and one other.

IronKey Personal S200 ($79 direct, 4 stars), also offers password management and uses a dedicated cryptographic processor. It self-destructs after ten incorrect login attempts MyLOK takes a less extreme approach. After several wrong PIN entries, it locks out PIN authentication.At that point you must reset the PIN by answering your security questions. Clearly you should pick questions that nobody else will be able to answer! After several wrong answers to the security questions, the device wipes all on-board data. The Defender F200 + Bio ($109 direct, 4 stars) can also be configured to wipe all data after a specified number of wrong guesses.

MyLOK's on-board processor will self-destruct if there's any attempt to break into it directly. Even then, the device doesn't become e-waste, as the processor can be replaced.

Password Management
MyLOK integrates with Internet Explorer and Firefox; MyLOK's icon will appear in the toolbar or title bar. Like all good password managers, it watches as you log in to secure sites and offers to save your credentials.

LastPass and RoboForm use an unobtrusive infobar for communication with the user. The new version of Identity Safe found in Norton Internet Security 2012 ($69.99 direct for three licenses, 4.5 stars) has also switched to the infobar style. At the request of users, MyLOK went the other way, from a toolbar to a popup window that collects information on how you want to store and organize the saved credentials.

The default name for a new set of credentials is the window title. If this is too long or too non-specific you can change it to whatever you like. You can also choose to store the credentials in an existing folder, or create a new folder on the spot. And you can choose whether to list this login profile in your MyLOK bookmarks.

A bookmarked site will appear in the MyLOK bookmarks menu, in a submenu matching the folder you chose. Selecting the profile will navigate to the site and fill in your credentials. If you choose not to bookmark the profile, MyLOK will still fill in the credentials when you navigate to the site manually. You can also bookmark sites that don't require login, so you can reach them easily any time you have your MyLOK plugged in.

MyLOK can save multiple logins for a single site without difficulty, but after it has done so, it won't fill them in automatically. You must remember to click the MyLOK icon and choose a login from the menu. LastPass, RoboForm, and Identity Safe all ask which login to use when you've saved more than one.

In testing, I found that MyLOK had difficulty with multi-page and non-standard login screens. In some, but not all, cases I was able to capture the information by entering the credentials and choosing "Register Credential" from the MyLOK menu. LastPass in particular handled more of these sites without trouble. MyLOK's designers plan to expand the products credential-capture abilities in the first quarter of next year.

Strong Passwords
RoboForm, Identity Safe, Kaspersky Password Manager 4 ($24.95 direct, 4 stars), and LastPass rate the strength of your master password, giving an incentive to use a password that gets a good rating. MyLOK's four-digit PIN will never be called strong. Fortunately, it's protected from brute-force guessing attacks by the limit on wrong guesses.

Identity Safe will also rate the strength of all your other passwords, once again encouraging use of strong passwords. LastPass's Security Challenge not only rates your passwords, but also identifies duplicates and encourages you to use a different strong password for every site.

MyLOK includes the option to generate random secure passwords, but it's not as flexible as some. LastPass notices when you seem to be signing up for a new secure site and offers to generate a secure password on the spot. MyLOK's password generator can only be used after you've already saved credentials for a site. You navigate to the site's password-change screen, select "Set New Password" from the MyLOK menu, accept the generated password, and paste it in. That's a little awkward. LastPass also detects manual password change events and offers to save the change.

RoboForm, Kaspersky, and LastPass let you apply parameters to the random password generator so as to match each site's password rules. You can specify length and choose which character types to include. RoboForm and LastPass can even suppress use of easily-confused characters like zero and 'O.' MyLOK just lets you set an overall maximum and minimum length. It doesn't even show you the generated password, so you may find you've used characters that aren't accepted by the site.

Form Fill-In
MyLOK also offers the ability to store personal information and automatically fill Web forms. You can create one or more identity cards which store contact information, physical address, business information, and any number of credit cards. Identities in LastPass and Identity Safe include just one credit card apiece, though LastPass will store additional credit cards separately. RoboForm is the most flexible, allowing storage of multiple data items for almost every field.

In testing, I found that MyLOK missed filling quite a few form fields. An ii2P representative explained that the company added the form fill-in feature as a convenience for users, and that it will be improved in the next release.

Application Passwords
Besides storing website logins, MyLOK will save and play back passwords for applications. You start by opening the application that requires login, then open the MyLOK control console and click the Desktop Application tab. After clicking the New Profile button, you'll choose from a list of running applications and enter the username and password. Once that's done, you can press a user-specified hotkey to fill in the credentials. MyLOK's implementation totally works, but it's a bit awkward compared to how the competition does it.

RoboForm's application password handling is simpler. It adds a small toolbar to the password dialog box that lets you save or fill in the login data. With Kaspersky, you enter the login data and then drag a special cursor from the application onto the login dialog. After that it automatically fills in the information when that same dialog appears.

The free edition of LastPass won't capture application passwords. For that, you need LastPass 1.72 Premium ($12 direct, 5 stars), and even then LastPass for Applications is a separate download. Capturing credentials works almost as it does in Kaspersky. You first drag a special cursor onto the login dialog, then enter credentials.

Safer Storage?
The company's contention that MyLOK is intrinsically more secure than cloud-based solutions deserves a detailed look. LastPass, PCMag's Editors' Choice for password management, keeps all your passwords and form-fill data in encrypted storage online. LastPass did have a security scare earlier this year, but no data was actually lost. It's not clear whether the event was an attempted breach or just a glitch. Regardless, the company responded by beefing up its already strong security.

RoboForm Everywhere keeps your passwords in the cloud, in encrypted form, but RoboForm Desktop 7 ($29.95 direct, 4 stars) stores your passwords on the local hard drive. Its companion product RoboForm2Go 7 installs on a USB drive and keeps passwords there. The passwords reside in encrypted local storage on the drive, which isn't as secure as MyLOK's EEPROM storage with onboard cryptographic processor. Identity Safe offers a choice. You can keep your data in local storage or move it online to your Norton account, in order to sync across multiple computers.

Safer Authentication?
As noted, all the other products mentioned here let you create a master password of whatever length you choose, using whatever characters you wish. RoboForm supports two-factor authentication using a fingerprint reader. LastPass does the same and supports several other methods for two-factor authentication.

MyLOK's four-digit PIN is the opposite of a strong password. Yes, there's a limit on guessing, but blind chance gives the guesser one chance in 2,500 of hitting the right PIN in four tries. You absolutely must not use a PIN that represents your birthday or any other fact that a malefactor could learn about you.

Resetting the PIN requires answering your security questions. It's absolutely essential that you avoid using any data someone else might know: mother's maiden name, first car model, your high school—all the usual security questions are absolutely unacceptable. Pick something that only you know, and don't share it with anybody else.

Personal Choice
There's no arguing with the fact that Internet hackers can't touch passwords stored on a USB device residing in your pocket. There's a possibility, however faint, that online storage could be hacked. Even so, none of the cloud-based products store your master password, so the most a hacker could get would be a database whose contents are thoroughly encrypted. The cloud-based services use proprietary techniques to ensure that any stolen data will be useless.

I'm confident enough in the cloud solution that I rely on LastPass 1.72 (free, 5 stars) for my own password management. But if you just can't get over that worry, if you require physical control of the data, MyLOK is a very good choice.

More Encryption reviews: