What is Roboform?
RoboForm is a very popular and highly regarded password manager, so we were a little disappointed to find that while it works admirably at managing your passwords and form-fill data (hence the name) on the desktop, its mobile implementation is very clunky (especially on Android devices.) This is something that will likely change when RoboForm fixes its Firefox for Android add-on, but for now we struggle to find a compelling reason to choose RoboForm over its FOSS or more featured commercial competition.
Is Roboform Secure?
As with most password managers that aren’t LastPass, the first thing to note about RoboForm is that it is a closed source commercial product. We therefore simply have to take it on trust that RoboForm protects your privacy the way it says it does.
With that out of the way, RoboForm protects your master password using AES, Blowfish, RC6, 3DES or DES encryption algorithms. AES is the default, but we appreciate the fact that those who prefer to go the non-NIST approved route can choose RC6.
As we can see, AES key length is based on the length of your Master Password
In sharp contrast to 1Password (for example), RoboForm is somewhat shy about revealing exact details about how its security works. We do know, however, that in use the Master Password is stored in RAM, but that “RoboForm will only decrypt data on the fly as required and will not store unencrypted data and / or master password 'as is' in RAM.”
In other words, it almost certainly derives an encryption key from the Master Password that it stores in RAM. We would prefer a few more specifics, but in principal this setup seems fine.
Importantly, RoboForm does not store your Master Password in any way. This means that if you forget it, then tough luck. But this is much more secure than any system that allows password recovery.
Unlike some other password managers, cross-device syncing is only available via the cloud (using SSL encryption), and no local syncing options are available. You do have the option, however, of authorising new devices using 2-factor authentication (2FA) only, in the form of one-time codes sent to your phone.
We have encountered worse Android permissions, but we still don’t see why a password manager app needs access to all this information
How to use RoboForm on a desktop
RoboForm on the desktop is available for Windows, Mac OSX, and Linux, and supports most popular browsers on most platforms, including Firefox, Chrome, Opera, Internet Explorer, and Safari. There is also a portable USB version for Windows (RoboForm2Go) which supports a more limited number of browsers, and a Windows Metro/RT app.
RoboForm can import previously saved passwords and form details from a variety of other browsers and password managers (if exported as unencrypted CSV files)
The RoboForm Editor allows you to manage your passwords and other saved information. Bookmarks and Applications allows to jump straight to a webpage and or desktop program and login automatically, Identities saves form-fill information (for various configurations), Contacts and Safenotes allows you to store confidential information securely
At the center of the desktop RoboForm experience is the Browser bar add-on. From here you can access all of the password manger’s features, search for saved details, and login with a single click
When you enter password details into a new website that RoboForm does not have your details for, its password/form entry capture will detect this, and offer save the details for you. We do find the Firefox bar (above) a little visually clunky, but it can be quickly toggled on and off by right-clicking anywhere on browser window and selecting ‘Show RoboForm Toolbar’
We prefer the implementation in Chrome, though, where the toolbar pops down when the RoboForm icon is selected
RoboForm’s features can also be accessed by right-clicking its Notification Bar icon
Hovering over this icon, instead, allows you to quickly search for saved passwords
RoboForm Start Page is designed to replace your browser’s default start page with a list of your favourite websites, which can be clicked on to automatically log you into the selected website. This page allows for a fair degree of customization
As with all good password mangers, RoboForm can easily generate strong passwords
RoboForm works not just with web passwords, but will offer to save the passwords of your desktop applications
RoboForm works well on the Desktop, performing its job with aplomb. We prefer the way in which the RoboForm taskbar works in Chrome to how it does in Firefox, but this is minor gripe.
How to use RoboForm on mobile
Mobile apps are available for iOS, Android, Blackberry 5.x, and Windows Phone. We tested the Android version.
It is possible to download the raw .apk file for Android directly from the website, which is a great bonus for those security conscious types who prefer to avoid using the Google Play Store. We wish that more security products offered this option.
The Android app allows you to access all your passwords, Identities, and Safenotes etc. Clicking on an entry will take you to its associated website in the apps built-in browser, and log you in automatically
The built-in browser isn’t bad, but it’s unlikely that you’ll want it to replace your more fully featured regular browser
And this where the problems start, because although RoboForm is supposed to include a Firefox for Android browser add-on, we could not get this to install (we tried on both a Samsung Note 4 phone and a Nexus 7 tablet.) There is also no support for Chrome, although an add-on is available for the Dolphin browser.
This means that for most (non-Dolphin) users, there is no browser or other Android integration, so accessing passwords outside the RoboForm app involves opening the app, finding the correct entry, long-clicking it and selecting ‘Show’, then cutting and pasting the details into where you need them. Cumbersome hardly seems to cover it!
There is also no support for fingerprint scanners in Android, although Touch ID is supported on iOS devices. RoboForm for iOS uses a version of Safari that is integrated into the app, but does not integrate into with Safari itself outside of the app.
RoboForm has told us that “we are aware of the issue with RoboForm for Android on Firefox browser and our developers are currently working on a permanent solution.” When the problem is fixed, RoboForm will likely be much more usable on Android devices, but for the time being, RoboForm does not provide a great experience for most users.
As with every dedicated password manager we have reviewed so far, RoboForm works extremely well on the desktop, and we commend it for supporting Linux systems. What is becoming clear as we perform more password manager reviews, however, is that mobile implementation is often the key factor in differentiating products in this keenly competitive market space. Unfortunately, this is an area where RoboForm fails to impress, and as it stands, offers little to recommend it over FOSS alternative KeePass. Good Firefox integration in Android may change our minds on this front, though… when it becomes available.