What password management solution do you use and why?
For a long time now, I have been using KeePassXC for desktops and KeePassDX for Android. I keep everything synchronized neatly with Syncthing, which can be configured to operate over your WiFi or the internet through their gateways. This allows me to share a single KeePass file with another individual, provided I tell them the password.
I have a co-worker who is loving 1Password and while it looks great, something irks me about paying monthly for a password manager. I looked into Bitwarden for a "local cloud" and have seen very mixed results as well as not being sure if I could trust my own security configurations to do so.
I am primarily wondering what everyone else is using in search of something a bit more convenient (I'm not opposed to using the cloud) that has an app like KeePass that I can use for desktop apps, and not just in the browser (though I don't use that function often, truthfully).
Edit: Passkey support was mentioned in this comment and made me realize how important such support will be in the coming years. For those of you with password management solutions supporting it, how has it been?
I use Bitwarden for my personal use, with a 10€/year subscription but have thought about hosting it myself, for fun. With the Chrome plugin and the Android app, I always have all my passwords, OTP, backup codes and other secure notes on hand.
At work we use Passbolt, installed on premise. It has great sharing and team features.
+1 for Bitwarden. It's great.
Bitwarden here as well, also with the $10/year subscription and an "organization" for sharing certain creds with my partner. I started out self-hosting with vaultwarden which was really easy to get going, but I decided I'd rather pay a professional to secure the environment.
I've been happily paying Bitwarden to hold on to my stuff for 5+ years now.
I’ve found the organization feature nice to make my games-related accounts available on my Windows PC, but not expose anything else.
I do the same but I have one problem with that setup. By assigning a login to an organization I am no longer the owner of that entry. I wish I could just share certain logins but still own them.
Also Bitwarden here for personal use. The free tier includes sync and also vault sharing between two people, which is enough for my wife and me. I also am able to participate in a different vault sharing with my dad.
+1 for Bitwarden. I saw it recommended on here last week and downloaded it. It is fantastic.
I'm also using and recommend Bitwarden. Self-hosting my own backend and the web UI has been dead simple and hassle-free so far, using the unofficial alternative API implementation Vaultwarden's docker image.
I also use Bitwarden and pay the $10/year subscription. The killer decision on this for me was the Emergency Access. My wife and I both share a lot between us in our personal organization, but there's bound to be some random 2FA email or bill somewhere that's tied to an individual email.
This way, we can retain our privacy, but if something happens to one of us, we can enable the emergency access feature to access the other's vault.
Another vote for Bitwarden, been using it exclusively for about 6 months. Works across all my devices, including Apple, Windows and Android. I pay the 10 a year just because I want to support them. Previously used 1password which had no issues, just wanted to switch to an open source manager.
Agree with Bitwarden. I used 1Password previously and it was great. However, due to 1Password's introduction of telemetry (regardless of FUD around it, I felt this was a bad business move with unacceptable justification), among their other historical missteps, and the fact that Bitwarden is much cheaper, I decided to make the jump while I was looking at the field of options again and enjoy moving to something more open and still secure.
I still think 1P is a good product and has a couple of things I like (an extra layer of "new device" security via the Secret Key, icons/popups right on username/pw fields for ease of entry), but I like some things about Bitwarden better. Bitwarden seems to detect sites/domains/apps much better for me, even on iOS. Also like being able to set a shorter "PIN" to use for unlocking when filling out fields on the phone. I do wish there were better mixes of options for security though, but I think the various tradeoffs aren't a significant security danger or anything. Overall, Bitwarden seems to provide a more consistent experience on iOS for me, and works great in browsers and on all the platforms I use.
Curious current 1Password user here. In your view, what are their historical missteps?
Another +1 for Bitwarden. I used to use LastPass until they were acquired and I like Bitwarden a lot more. Great support across all the platforms I use and they made it easy to use a Yubikey which is nice.
Slightly off topic, but can someone explain how extensions like Bitwarden perform client-side encryption in browser extensions? Per my knowledge, extensions are written in pure JavaScript (I've written a few for my Chrome recently). Does browser JS provide any built-in method to encrypt using AES, etc.? Or is something more advanced needed for this?
Thanks, this is cool!
Bitwarden because it was the only non-LastPass option that had a workable family plan. I need to be able to support my elderly parent and options like 1Password and others were just untenable to remotely support family members.
I also use Bitwarden self hosted with the Vaultwarden open source server implementation for privacy reasons. When LastPass started to have their security debacles over 10 years ago I started shopping around for an alternative that wasn’t focused on growth and had an option for self hosting to reduce what I perceived at the time to be my biggest risk. I pay $10 a year to support the development of the official clients that I use.
For two factor authentication and accounts commonly used from a terminal I use Pass with the otp plugin and synced with git.
This setup has solved most of my needs and Pass even has a reasonable community developed iOS client so I can access my OTP codes on the phone and keep my passwords and OTP secrets in separate systems.
If you don't mind: do you use a lot of TUIs, or what would be examples of the most commonly used/needed passwords in a terminal (and how often is that, approximately)?
I'm asking as, despite spending quite a large portion of my time per day on the command line, I was somewhat struggling to come up with examples here, except for set-up in new environments (perhaps programmatically, too)
Edit: typo
I was a pass user for a while, and the main reason I used the command line option was due to some development tasks that rely on private repositories. So every time I do a make init or something like that, my IDE will fetch all the packages from their repos, including the private ones. The way our scripts are set up, they require our user credentials to be set up as env variables in the shell, so they can read them at runtime. I didn't want those credentials to be stored in plain text in .zshrc, so instead I made .zshrc load them at startup from pass. E.g.:
However, once I found out BitWarden also has a CLI client, I dropped pass altogether and switched over to BitWarden 100%. The convenience of the smooth multi-device operation of BitWarden (due to it being cloud-based) trumps the extra security (perceived security at least) of self-hosting pass in github for me.
That said, I struggle to see many other use cases for this other than software development or system administration.
Also on the Bitwarden train. Switched off of LastPass when they started increasing the price.
Shouldn't 2FA backup codes be stored elsewhere? The whole point of backup codes is to be able to regain access to your accounts in case for some reason you can't use Bitwarden.
Indeed. I have a hard copy printed on paper, a second access to my 2FAs on an old phone, and a copy of my main 2FAs on my wife's phone just in case.
Been using Bitwarden for many years, can vouch for it. I use the free tier; it's enough for me. On desktop I use it through the Bitwarden plugin in Firefox.
Can save card details as well.
Some important notes such as passphrases.
Sometimes I also use the inbuilt password generator to generate a strong password.
Another vote for Bitwarden. I thought of self-hosting but I'm still learning and don't trust myself to keep something like that secure yet. The emergency contact option is a great option to have in case you lose/forget your master password.
+1 Bitwarden.
As a bonus, company uses it for work so I get a personal account for free (I was using Bitwarden already).
Used LastPass previously; moved to BW because it was cheaper and something-something which I can't remember.
Does Bitwarden let you quickly switch between your work and personal accounts (or multiple accounts, in general)? This is something I do with ease with keepass and last time I checked the other providers didn't have this feature.
In the app, yes, and according to your tolerance for secureness.
On iOS, I can switch quickly between personal and work, and Face ID unlocks both vaults if there has been any timeout.
Passbolt on-prem at $WORK here too.
You really shouldn't have your OTPs in the same app as your passwords.
+1 for Bitwarden. I self host via the vaultwarden container and keep it local only. I use a VPN back to my local network should I need to create a new login/pass or sync while away from home. I figure the less exposure, the better - and 99% of the time, whatever cached copy of the vault my phone app or browser extension has is all I need.
Edit: I also back the container up to multiple servers every night and shoot one offsite. If you're going to self host something like this, backing up the backup is paramount!
Using Bitwarden both personally and at work. The password sharing features work great if you've set up an organization - the only hassle is adding new users, which up until I left the company needed to be done manually.
Bitwarden for me
I use 1Password and I absolutely love it. Ever since Apple integrated 3rd party apps for keychain access I made the jump from Apple keychain and haven’t looked back.
Interesting you mention monthly for 1Password. I believe I pay $39 annually.
I've tried a few different solutions and 1Password is the smoothest and most convenient by a longshot. Totally worth the money, especially since they're building a passkey vault that doesn't require you to be locked into Google's, Apple's, or Microsoft's ecosystem. That's infrastructure I'm happy to fund.
Passkeys are a good topic I forgot to mention in the main post. Have you used theirs much yet? I believe they have already released a beta. If you have, what has the experience been like (especially when combatting the others as you mentioned)? The contention I'm seeing would be Google refusing to accept passkeys from a manager like 1Password, even though it would be preferable.
I’m using the beta and the passkey integration has been fine - zero issues. iOS doesn’t support it yet though, not until iOS 17, so I’m waiting for that, plus 1Password will have to release their own beta version of the app on top of that.
I've used Google's native implementation of passkeys, which works great! Thus far I've been too busy to opt into 1Password's beta implementation.
Another 1Password user here. Our company uses (and pays for) it, and you get a free personal account.
Since the non-native version (they switched from a native app to Electron), it's been a lot more finicky though, with the extension not loading in browsers, it never suggesting the right password (always have to search for it), etc.
I believe it’s also not just a free personal account but also a free family account. I got my entire family on 1Password for free through the corporate plan. It’s a great idea since a common attack vector for business accounts is through personal accounts that may be connected in some way.
Another vote in the 1Password camp here; I normally tend towards self-hosting and open source software in general, but as the designated family tech support 1Password is by far the most user friendly option that hooks nicely into iOS and lets me easily act as a master-password reset initiator for if my family forgets it without needing to have direct knowledge of anything in their respective vaults. It also plays well with my other devices across Android, Windows, and macOS. I don't personally have a problem with paying a subscription for good software that is well maintained and kept up to date, especially when it comes to wanting that company to be able to pay their engineers to stay on top of security.
I used Keepass(XC) for many years, synced with Dropbox then Nextcloud. I wanted a better experience on mobile and with integrated sync, so I tried both 1password (highly regarded in general) and Bitwarden (ticked all the boxes and open-source).
I found that Bitwarden had all the features I wanted. That's the one I recommend to most people who would never pay for the service, or very little.
Personally I decided on 1password, mostly because the UX felt much better, more polished all around. And I don't mind paying a bit more for that type of software.
The two things that I definitely won't self-host are email and passwords - email because I don't want to have to fight with DKIM et al, and passwords because I want to avoid the failure-mode where I'm locked out of important accounts because of something dumb I did.
1password has been working great for my household - works on all our devices, easy sharing for shared accounts, and even temp-sharing with other folks that I've used when working on sideprojects with friends.
I'm also a 1Password user and I love it. I pay a bit more annually, but have a family account. It is incredibly convenient. It's a strict upgrade from KeePassX which I used for years. It takes minutes to set up, and works across all my devices. While I understand that paying monthly isn't what some people want, I think of it as the price to not have to worry about anything. For the cost of half a billable hour, I get a yearly subscription for me, my wife, and one of our kids.
For business, I also use Bitwarden. It is also a good service, and perhaps slightly better for sharing passwords across a team.
Also a 1Password user here. I migrated from LastPass after their security incident. I’m very happy with the functionality. I recently got it to host my SSH keys for the Linux boxes in my home lab, so now when I ssh in it pulls the keys from 1Password instead of them being stored on my harddrive! Also sharing with the family is very easy.
The big one from last year where they technically had two incidents (related): first, hackers gained access to their dev environment due to a social engineering/phishing type attack. However more seriously, secondly (due to the fact they didn’t clean up properly after the first hack), several months later the same hackers gained access to all (some?) the product vaults. Obviously the vaults are encrypted, but it was unacceptable to me the steps they took and the responses they gave.
LastPass Official Response
Proton Blog Coverage
I have a KeePass password database that I sync with syncthing
The one mistake I won't be making again is locking my credential store into an ecosystem, or any kind of closed solution. It's the most important set of credentials in your life, and it deserves a full set of control around it. That completely rules out LastPass and 1Password. What's possibly irking you about them is that their use is contingent upon ongoing financial transactions, and this situation may change upon their whims, not yours. In other words, you're doing a mental threat modelling.
I'm going with KeePass2 and its relatives including KeePassXC due to the portability of the KDBX database which lends itself well to multiple backups and at the same time strong security. BitWarden is interesting but is still a solution that needs hosting, which if you're self hosting, increases your own overhead.
For both bitwarden and 1password you can just export your vault. Bitwarden does it in json and 1password in 1pux and csv. I periodically export my vault from bitwarden and encrypt it with gpg before storing it in physical drives. If Bitwarden were to go up in smoke, I would only lose however many passwords were in between backups.
Indeed, that's what I am referring to by 'whims' - for now, you can export from 1Password. That functionality exists as long as it is convenient for them. It's indeed good practice to export periodically from Bitwarden (I do it at work) but as I've mentioned it's increased overhead.
I also use KeePassXC, but I use Nextcloud to keep my database file synced. KeePassXC just has a simple, clean interface without any of the bloat I’ve found in some other applications. My Nextcloud instance is self-hosted as well, which makes me feel a lot more comfortable as my passwords aren’t being held hostage by any company or cloud service I don’t have control over.
I use Google drive to keep it sync between devices, mostly because the only other device I have it connected to besides my laptop is this phone, and since it's Android, that's the path of least resistance.
This is exactly my set-up as well ... KeePassXC on desktops, DX on phones, all synced through a self-hosted Nextcloud server (which I also use for many other useful tools and features).
I have been doing it this way for 6-7 years, no problems, no complaints. I keep feeling vaguely tempted to check out BitWarden, but my current system continues to work so well that I never get motivated enough to investigate alternatives.
I'm also a big fan of KeepassXC. It's open source, works offline and cross-platform (e.g. on my Linux laptop as well), it allows me to use my YubiKey to enhance my encryption passphrase using a challenge-response mechanism, and I generally don't like relying on remote services offered by third parties when it comes to password managers. I'd rather sync the password database with an independent tool. Also its browser integration and ssh-keychain-agent work well.
On Android I quite like Keepass2Android, as it also supports KeepassXC's method of using my yubikey in addition to my passphrase.
firefox sync.
It's free, everywhere I need it, and it also syncs my pages and extensions.
If I for some reason wanted to save an app's login details, I can just manually add a password entry with that info and then look it up on my phone/pc when I need it.
Seconding Firefox here. I guess, technically, it's probably not the most secure or controllable option, but considering I'm just a random citizen and I like convenience, it's more than good enough.
Another FF sync user here.
It started off with me wanting to sync between Linux and Windows on my first dual-boot system and I have never bothered to switch to anything else, not that I would have ever felt the need to. It just works on basically every platform and doesn't require any additional software.
Even if it were less secure than a 3rd party password manager, I still have 2FA for all accounts that support it (which every major site does by now), so a password leakage wouldn't be the end of the world.
Yeah, I read a lot of contradictory information about whether browser password managers are significantly less secure than dedicated ones or not. But as I read reports that the most popular of dedicated ones was breached easily (LastPass), I wonder if using one that has fewer users (Firefox Sync) may prove more efficient in evading the interest of hacking groups.
For anyone who didn't know, you can also use iCloud Keychain for 2FA, removing the need for a separate authenticator app.
Long story short, keychain occasionally doesn't save the suggested password it generates and I almost lost my gmail account entirely. After I recovered the account I saved the password in Notes and manually copied it into keychain access, THEN I couldn't get the password change to stick so I ended up just having a note with my gmail password because I couldn't trust keychain.
I eventually moved to KeepassXC just like half the people commenting here and ultimately I've started moving away from the Apple ecosystem entirely. Apple makes this super convenient ecosystem that's great until something stops working... then it becomes the ultimate pain in the ass.
I love Apple. I also hate Apple.
I also use Keepass and use syncthing.
I do absolutely no programming/coding and just enjoy piggybacking off the makeshift things other people do and advertising; setting up Keepass + Syncthing to avoid monthly subscriptions a while back makes me feel the sense of pride and accomplishment I feel like one might get from building a shed, I'm just glad I wrangled my crappy attention span around enough to do it. Love the results.
I still use and love LastPass. Yes they’ve had some issues, but the sync is great, the iOS/android integration is great, etc.
Every time I try to switch everything else seems like such a freaking pain.
I’m with you. LastPass for years. I feel like last of a dying breed
No not at all, you’re not dying, I get annoyed when people say this about LastPass users.
You’re more like hippies from the 70s, living freely and sharing your information with anyone interested!
Just the hashed data, they still don’t have my master sword. And that shit is 32 characters long
The hashed data, and then all the unhashed data, like the URL for all sites, your account name, and your account email address, which might be the same as your username for many sites.
Bit late but
https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers
In my opinion a password manager is about trust, once it's gone it's gone.
I chuckled, well done.
What do you find painful when you try to switch? My family was able to switch to 1Password from LastPass with a trivial amount of effort. I think the only thing I don't have anymore is the right click context menu for fields - but I haven't really needed it.
zx2c4 pass, with my password vault replicated via a private, self-hosted git repo. I use the PassFF extension for integration with Firefox. It is for sure not for everyone, lol, and there are some notable downsides (primarily: while the passwords are strongly encrypted using gpg, the overall vault layout of "filesystem tree" leaks a ton of metadata if someone is able to steal your vault), but if you are comfortable with self-hosting and commandline tools and want to be self-reliant, it is very hard to beat.
Man, I don't. I have a passphrase like in that one xkcd combined with something about the site/service.
Can't wait to be educated about why this is a bad idea though.
I think the only theoretical problem is that if one of your site passwords is exposed and your password combination method is determined, your other passwords will be (relatively) easy to guess.
I did that for a while but the ridiculously random choice of rules on password length (special hate to sites that have stupidly short limits like 8 or even 6 characters, wtf...), special characters required/selectively restricted, etc. It just meant I ended up with variations on the phrase and could never remember which variation for where!
That implies the password is looked at. Password hacks are a mass process - exposing yourself to your workmates is a different issue entirely.
Why not just use a password manager though? It'd be far more convenient than having to manually recall passwords and having to type them out each time, and password strength wouldn't be determined by the how good your memory is.
The issue here is that if multiple of your passwords get leaked, not only would an attacker have the original passphrase, but they can also figure out the method you're using when appending to that passphrase.
No good reason. I briefly looked at password managers when they were just appearing and they didn't look that convenient at the time. Plus with 2FA, worst case is usually having to change a password, but the account will still be gud.
Also, I don't pay for anything unless I have to. But with BitWarden having a completely free option, I might look into changing.
Question: how does it work if you need to access an account while not having your vault?
E.g., say you're traveling, your phone dies, and you can only use the hotel's business computers to check your email?
Or, maybe a less drastic situation: you're traveling on business with your work laptop, you can't install third-party stuff on it, but you still have your phone? I presume you can always look up the RNGd passes and key them in manually?
Also, what accounts/devices can't be secured this way? Will a password manager be able to save and enter WEP keys? I know there's browser extensions for sites, but, what about other applications like Steam?
Basically, I'm trying to gauge how many passwords I still need to remember or record somewhere if I switch to a manager.
They have come a very long way from whenever you may have last considered them.
As mentioned by @steel_for_humans, it is always accessible via the browser.
There is essentially nothing that can't be. Even if you're just creating an entry to save a password with no user or whatever, if it has a password you can create one for it, no matter if it can autofill or not.
Depends on which one you choose. After research, it seems 1Password for example allows entering WiFi credentials for auto-filling. It still stands that it can store a stronger password even if you can't auto-fill.
Several password managers these days have it so their apps can autofill when keyed. The KeePass family of apps, for example, allow you to set a shortcut to trigger it where it will then read the titles of your entries to find a suggestion to present or allow you to select if it can't find one or finds the incorrect one. When it comes to mobile, almost all password managers can associate an entry with a specific app allowing you to autofill within the app itself.
It seems like your perception of them has not left your very first impression which you yourself admitted was "when they were just appearing." These days, they are not only extremely robust but provide security that you simply cannot match yourself, assuming the security of the service/manager is implemented correctly (and 9 times out of 10, it is).
The vault is always accessible at https://vault.bitwarden.com
Though mine is secured by a physical key (YubiKey) so THAT would be a problem :)
That'd be the main issue with it, you'd need to have the PW manager with you in order to log into accounts. But you shouldn't really log into accounts on devices that aren't yours anyways, especially for accounts as sensitive as email, as if that's compromised, so are all your accounts due to password reset.
You can yeah, I'd recommend generating passphrases instead of passwords for accounts you think you're going to be manually typing like this often, as it'd be easier to type.
Sure, bitwarden's not just for passwords, you can store files/notes on it as well.
I do the same thing! although mine sounds more stupid.
I am not sure if its a good idea to talk about it though
Dude I have been living that password advice ever since I saw it. I made up a word for each letter of the alphabet and start at a different letter each time I need a new password.
Like many people I have been using bitwarden for a long time. I do not pay for the subscription however, and keep my 2FA tokens in Aegis. Something never sat well with me having 2fa tokens synced with a password manager. I much prefer having only one device with them and an encrypted backup of all the tokens stored on another device and an external encrypted hdd.
I have been debating on trying pass but I don't think this will be a good option for everyone.
I am also quite intrigued with the development of "passkeys", I really hope they take off. I know so many people who have horrible passwords and I think passkeys may be a good solution for this problem.
I know passwords are a problem, but I can’t help but see passkeys as a trade off rather than an improvement. I’d love someone to explain if they’re a genuinely good option or just “better than our current systems”
The reason I’m sceptical is because I’ve heard that there are only three ways to authenticate — something you “know” something you “are” and something you “have” — and it feels like passkeys are swapping out the “know” domain for the “have” domain without making overall security more robust?
Then again, I’m also frustrated that I can’t add all three domains as extra mandatory security for things like password managers. Ultimately my passwords are only protected by another “master” password, and maybe 2FA on top, but that’s it.
Hunter2
I'm sorry, what do you use? I only see *******.
He said *******.
It might sound silly, but I create a S3cureP4ssword! for whatever I'm signing up for and memorise it. If I do forget, then I always have my recovery e-mail to fall back on. Your e-mail address's password functions as a master recovery password - so as long as that is something secure that you've memorised, you should be fine.
It can be trickier with apps that enforce 2FA, though
I keep a text file but with a caveat.
I have four different password schemes, each with about a half dozen variations. One of those schemes is 20+ characters long. I use this one to secure any account that involves money or identity. Everything else is secured by one of the variations of the other three schemes.
What I record in the text file, then, is not the password itself but the scheme and the variation. Anyone who got a hold of that text file would then have to first decipher which scheme is associated with the website and then which variation of the scheme. Thus, something like "Google: H$" is basically meaningless to everyone who reads it but makes perfect sense to me.
I haven’t got a physical keyboard at hand, so I can’t remember what number is under the $ symbol, but I’ve cracked your system.
Google: Hunter2
Thanks for your login deets! ^^/s
BitWarden self-hosted on my Unraid server
I also self-host Bitwarden/Vaultwarden on my Unraid server. I usually leave it turned off unless I need to sync up a new password, too.
I use the very lazy and insecure solution of just using the same password for everything so I don't need to worry about forgetting it.
But everything remotely important to me is protected by 2FA so honestly I don't really care if my passwords get leaked, the worst they can do is hack some random online accounts I don't care about. I guess if I started getting regular push notifications from hackers trying to log into my bank I'd probably have to do something, but so far the only thing I've lost control of is one of my Twitter accounts, and that wasn't an account I particularly cared about or I would have had 2FA set up on it.
Using the same password everywhere is still pretty risky, even with 2FA. If your second factor on any of these sites is SMS, it's vulnerable to SIM-swapping. For anyone that has a bit of time and is curious about how this stuff can be abused, I recommend this podcast interview with a former SIM-swapper: https://darknetdiaries.com/transcript/118/
Hmm, that does sound dangerous, although I don't think I have enough personal info online for someone to convince a company that they're me. Still, I guess I should see if my bank has some other form of 2FA they use.
Thanks
I count myself among the lucky few that hasn’t had any major issues due to leaked Personally Identifiable Information (PII) but I’ve seen what this can do. I can’t help but see this as such a cavalier attitude to have seeing how much damage can be done by a determined actor.
Definitely do this! I got myself a yubikey after using one at work and I can’t see myself using anything else again, until I can finally wrap my head around Passkeys, at least.
You might like pwdhash.com (save the page locally for paranoia's sake, or grab an app, or both!).
The concept is you feed it the website's URL along with a plaintext password. It'll hash out a different, garbled password for each site.
Security through obscurity but an upgrade on how you do it today perhaps?
1Password. Something that is convenient about it is that they have a Linux-compatible CLI tool, so I can automate fetching secrets out for my personal projects.
This is a neat feature I was not aware of about it! That does sound very useful, especially as an alternative to something like HashiCorp's Vault solution for those situations.
Actually, what's funny is that I do use Vault for my homelab. I am running Nomad and it grabs secrets out of a Vault instance running on the same box. I store the tokens for authenticating against Vault in 1Password and inject them into my shell via the CLI tool they have when I want to load secrets into the Vault.
a combination of keepassxc, nextcloud and strongbox.
I've been using Dashlane. It's been really good for me over the years. It used to be more expensive but I think it's more reasonably priced now.
I also use Dashlane, and this year upgraded to the family plan. I'm guessing other managers have these features too, but being able to turn off auto login per login, and require the master password before filling more sensitive passwords has been nice.
KeepassXC and KeepassDX for passwords, Aegis for 2FA, synced through a cloud drive.
Bitwarden ever since the first LastPass breach. Have no qualms. And don't knock financially supporting these services if you can! If you're hosting it yourself that's a different story, but they are doing the hosting so you should consider giving to help support the service you enjoy. You're ofc not forced to, but every little bit helps these things.
I just use firefox built-in solution. How bad is that?
Same but with chrome
Honestly it comes down to convenience, but I also trust Google's security a lot more than some random password app
Do those pull the passwords from passwords.google.com? Wouldn't that just pull encrypted passwords?
Thanks for the explanation. As I said, this really is mostly about convenience.
But one thing I don't understand, how could someone with access to my computer get my passwords?
To see them in chrome I need to log in to my user, sometimes use 2fa, which a thief would never have access to.
I get they could log in to my sites, but I can easily fix that by changing the password.
Also also, how much of a threat is that anyway? Wouldn't a thief usually try to wipe the device and offload it ASAP so it can't be tracked back to them?
A text file on my PC. I don't trust ~~any cloud service~~ someone else's computer to safely and securely store my passwords, even if they're encrypted, and I don't trust myself to self-host some online password manager.
Looks like you're not alone doing this!
The most pervasive malware targets user desktops. Why?
According to the report, "the fact is that files most needed by the user are commonly stored there. And among them may well be a text file containing frequently used passwords."
If you like the text file method, you might want to look at something like Cryptomator, even though it's marketed for a cloud service you can create a local encrypted drive and throw your text file in there.
Enpass is a proper password management program that lets you store your passwords online or on your own computer.
Plaintext is a dodgy idea in this day and age especially on any device connected to the internet.
Check out ewallet. It does not keep your info on their servers, just encrypted on your device. It's better than a text file and it's a one time fee and doesn't use some one else's computer (I agree with you honestly).
Only downside imho is no 2 factor authentication but honestly, it is still far and above way better than what you are doing now.
I encrypt my passwords with a Vigenère cipher then keep the list in an encrypted archive.
The archive is probably fine on its own and the cypher probably doesn't do much but I like having it for peace of mind.
Bitwarden has been fantastic for me. Zero complaints.
There's no password management system I'd ever trust with my logins. However I have a terrible memory.
Being a cryptanalysis nerd from an early age, I did something I'm rather proud of: made a password generating algorithm.
Start with a unique string - the name of your service works quite nicely.
DEADBEEF
Then extend it out until you reach an arbitrary length. Let's say 16.
DEADBEEFDEADBEEF
Now most password managers require a number, so let's append this with the number of vowels in our string.
8DEADBEEFDEADBEEF
Now let's divide this up into groups of six, putting a space between each
8DEADB EEFDEA DBEEF
And now let's reverse each group, capitalizing only the first letters
Bdaed8 Aedfee Feebd
Now we'll replace the first non-capitalized consonant in each group with a hashtag.
B#aed8 Ae#fee Fee#d
You now have an extremely secure password that meets all the standard complexity requirements and will be unique for every single site you visit. If someplace requires you to update your password regularly, then add SPRING2023 somewhere in the algorithm and now you have four unique passwords every year.
Best of all, if you forget the password you can just recreate it with a few steps! My "master password" is a business card with 7 steps written on it, and that's enough to recreate my login almost everywhere.
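The recipe above, implemented step by step as an added example (not code from the poster or any project) so its properties can be inspected: every input is the public service name, so the output is only as private as the recipe itself. The `rotation_tag` parameter and the handling of groups that start with a digit are assumptions about how the poster would apply the steps.

```python
import re

VOWELS = set("AEIOU")


def _clean(text: str) -> str:
    """Keep letters and digits only, upper-cased ('example.com' -> 'EXAMPLECOM')."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def _capitalize_first_letter(group: str) -> str:
    """Lower-case the group, then upper-case only its first alphabetic character
    (a group may begin with the digit that step 3 prepended; assumed handling)."""
    group = group.lower()
    for i, ch in enumerate(group):
        if ch.isalpha():
            return group[:i] + ch.upper() + group[i + 1:]
    return group


def _replace_first_lowercase_consonant(group: str) -> str:
    """Step 6: the first non-capitalised consonant becomes '#'."""
    for i, ch in enumerate(group):
        if ch.islower() and ch.upper() not in VOWELS:
            return group[:i] + "#" + group[i + 1:]
    return group  # no lowercase consonant: group left unchanged (assumed behaviour)


def derive_site_password(service: str, length: int = 16, group_size: int = 6,
                         rotation_tag: str = "") -> str:
    """Apply the recipe: repeat -> count vowels -> group -> reverse -> '#'.

    rotation_tag models the post's 'add SPRING2023 somewhere' idea by appending
    it to the service name before the steps run (placement is an assumption).
    Note that nothing secret enters the computation: anyone who knows the steps
    can reproduce the password for any site name.
    """
    seed = _clean(service + rotation_tag)
    if not seed:
        raise ValueError("service name must contain letters or digits")
    # Steps 1-2: repeat the unique string until it is `length` characters long.
    extended = (seed * (length // len(seed) + 1))[:length]
    # Step 3: put the vowel count in front (the post shows 8DEADBEEF...).
    vowel_count = sum(1 for ch in extended if ch in VOWELS)
    numbered = f"{vowel_count}{extended}"
    # Step 4: split into groups of `group_size` characters.
    groups = [numbered[i:i + group_size] for i in range(0, len(numbered), group_size)]
    # Steps 5-6 on each group, then join with spaces as the post does.
    out = []
    for g in groups:
        g = _capitalize_first_letter(g[::-1])
        out.append(_replace_first_lowercase_consonant(g))
    return " ".join(out)


if __name__ == "__main__":
    # The post's own worked example and a realistic site name.
    print(derive_site_password("DEADBEEF"))     # B#aed8 Ae#fee Fee#d
    print(derive_site_password("example.com"))  # P#axe6 E#ocel L#max
```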
This is what I used to do with my old passwords, basically rehashing your "master" password with identifiers to the site/account it's being used with. I still run across old accounts that I haven't integrated into my master database with this security "algorithm".
Then I discovered password generators. Can't beat 200+bit RNG
I'm grouchy and have a hard time trusting software with things as critical as my passwords.
What kind of generator do you use, and would you recommend it to a beginner in this area?
Just the one built in with KeePassXC. There are a few standalone generators recommended in this thread if you want to explore.
FWIW open source SW has many eyes auditing its code so it's probably safer than non-FOSS SW. Hard to trust anyone these days though.
I also use algorithms, and they're based on the site the account is on. Problem is sometimes sites want you to change passwords every x <unit of time>. So I keep a txt file (yep, traceable!... if you can crack it) with notes about how the algorithm changes.
I'm likely not super hardened or anything, but I woke up one morning in '19 and found out my eBay account was compromised, and then another site... and another... because I used a common-ish password with bits of variants if I had to use caps, numbers, symbols, etc. But since swapping to the algorithm method, I guess I'll see if I get hacked again.
I use keepass because it gives me a simple file I can move around
I was on unix pass for years but the mobile apps for it are not great, and I feel like I never understood gpg well enough to use it
I used to do exactly this, and it worked great for my use case. Then my wife finally realized she needed a password manager, and she's a little too "normie" to use syncthing and keepassXC/DX so I migrated to a 1password setup. It's a superior UX, to be frank, plus 1password has "shared vaults" so you can trivially share passwords with your significant other.
I am unlikely to go back to keepass/syncthing-based solutions despite the cost.
I am begrudgingly using 1Password 7 (the non-subscription version), and I know it's something whose time is running out.
I have zero interest in syncing my passwords to a computer that is not under my control, and the subscription version of 1Password does not allow the creation of private vaults.
I'd like to find a KeePass-compatible password manager, but can't find an iOS client which has had a security audit, nor is there an ability to prevent a single iOS app from communicating over a network (to prevent it from "phoning home").
If you don't mind not having 2 factor authentication ewallet is pretty good and a one time fee (per device though at least for my iphone and ipad I believe I just paid one fee... not sure, it's been a long time since I bought it for the iphone). It does not store your passwords anywhere on its servers (just on your device).
It's not as feature rich as the popular ones today but it still uses military grade encryption (according to a recent review of it I read) and they've been doing this since before smartphones took off (I originally had it for my HP ipaq PDA). I would say if you don't want all the bells and whistles and feel that encryption is good enough (as it doesn't do two factor authentication), it would be fine for you.
On the topic of "military-grade encryption," keep in mind that is just an industry standard and is in many ways only the basics. When services advertise security as "military-grade" it is marketing at best.
I'll check it out!
The biggest thing to look out for when evaluating password managers is audit results from a respected auditor (such as Cure53) and details about their encryption; the term "military-grade encryption" is just marketing fluff, just like "aircraft-grade aluminum" or "surgical stainless steel".
Anyone can implement AES256 (which is "military grade"), but the real key is doing it right -- it's so much more than just the encryption that matters, it's making sure everything about the app from the ground-up is designed correctly (such as making sure app data cannot be read from memory, the handling of keys, etc.)
Ideally, even more modern forms of encryption, such as XChaCha20 or XSalsa20 should (hypothetically) be more hardened than AES256.
I use a veracrypt folder with a text file in it. Unparalleled security 👍
Bitwarden. Paid user for 4 years now. Works on all my browsers and devices across multiple platforms.
KeepassXC + SyncThing
I used pass + github in the past and it is nice, but has its downsides.
KeepassXC has a more secure and mature ecosystem.
I keep all my credentials in a KeePass 2.0 database. I store the database in iCloud Drive.
On Windows, macOS, and Linux, I interface with this database using KeePassXC. Other users wanting to keep their database on some kind of cloud storage should take note of the "Use alternative saving method" setting. I have it enabled and set to "Directly write to database file". You want this, because the default behavior of deleting and re-writing the file on saves can cause unwanted behavior with services like iCloud or Dropbox. I pair this setting with "Backup database file before saving" to make up for the lost resiliency, though I've never actually had to use the backup.
On iOS I use Keepassium. It has a good UI, supports Touch/FaceID, and integrates well with iCloud Drive and iOS' built in password auto fill feature.
There are also Firefox/Chromium extensions that can make this an even more seamless experience akin to a paid service like LastPass. I haven't really tried these but I've heard good things.
This solution is "good enough" that I can't really imagine paying for a premium alternative. I feel more confident in using KeePass + cloud storage, because it means the company storing my sensitive data is not also managing the password for it.
Started with LastPass. When they decided to split free accounts and force either desktop or mobile, I left. Moved to Bitwarden. On the free tier. Like it much better.
Same here.
It was not a problem importing my data from LastPass into Bitwarden. It is worth noting that Bitwarden had a security breach in the past year which exploited its autofill capability. So, even though you should be able to use Bitwarden settings to autofill it really doesn't. You have to hover over the login fields and right click to go to Bitwarden.
Hadn’t heard about a Bitwarden breach. But I also never turned on the auto fill. I’d rather actively have to choose my credentials.
autofill still works for me. hope I'm not using a super old version or something lmao
I chose KeePassXC over Bitwarden for a nerdy reason:
KeePassXC can encrypt the vault using a combination of passphrase + rolling HMAC Challenge/Response from a hardware key. This is cool because even if the vault file was leaked, and the passphrase was keylogged, without a hardware key you can't decrypt the vault. It works great on computers and my Android phone.
This is in contrast to most hosted services which use hardware keys for authentication (the server will reject access without a key), but the actual data on the server disk is encrypted using (some derivative) of passphrase only. That's probably fine since you're trusting your host to protect the vaults for you, but it's an additional point of failure. Whether you think you can do a better job managing your own keys vs. a company is a personal call, and there's not one right answer.
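An added example (not KeePassXC's code) of the property described in the two comments above: a simplified vault key that mixes a passphrase with a hardware-key HMAC challenge/response, so that a leaked vault file plus a keylogged passphrase still does not unlock it. The toy token, the hashing layout and PBKDF2 standing in for Argon2 are assumptions; passing `token=None` on both sides models the hosted-service case where the hardware key only gates login.

```python
import hashlib
import hmac
import os
from typing import Optional


class ToyHardwareKey:
    """Stand-in for a token in HMAC-SHA1 challenge/response mode: the secret is
    programmed once and never leaves the device, only responses do."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(passphrase: str, challenge: bytes, token: Optional[ToyHardwareKey]) -> bytes:
    """Hash each credential, then hash the concatenation (KeePassXC-style layout).
    With token=None this is the passphrase-only composite most hosted services
    use for the data at rest, where the hardware key merely gates server login."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(passphrase.encode("utf-8")).digest())
    if token is not None:
        h.update(token.respond(challenge))
    return h.digest()


def vault_key(composite: bytes, kdf_salt: bytes, iterations: int = 50_000) -> bytes:
    """Slow key stretching (KDBX4 uses Argon2; PBKDF2 stands in here)."""
    return hashlib.pbkdf2_hmac("sha256", composite, kdf_salt, iterations)


def create_vault(passphrase: str, token: Optional[ToyHardwareKey]) -> dict:
    """Return a constructed vault header: the challenge and KDF salt are stored
    in the clear, as in a real file, plus an HMAC used to verify the key."""
    challenge, kdf_salt = os.urandom(32), os.urandom(32)
    key = vault_key(composite_key(passphrase, challenge, token), kdf_salt)
    return {
        "challenge": challenge,
        "kdf_salt": kdf_salt,
        "header_mac": hmac.new(key, b"vault-header", hashlib.sha256).digest(),
    }


def can_unlock(vault: dict, passphrase: str, token: Optional[ToyHardwareKey]) -> bool:
    """Recompute the key from what the opener has and compare the header MAC in
    constant time; False means the vault would not decrypt."""
    key = vault_key(composite_key(passphrase, vault["challenge"], token), vault["kdf_salt"])
    mac = hmac.new(key, b"vault-header", hashlib.sha256).digest()
    return hmac.compare_digest(mac, vault["header_mac"])


if __name__ == "__main__":
    token = ToyHardwareKey(secret=os.urandom(20))  # constructed token secret
    vault = create_vault("correct horse battery", token)
    # Threat model from the comment: attacker has the file and the passphrase.
    print("file + passphrase, no token:", can_unlock(vault, "correct horse battery", None))
    print("file + passphrase + token  :", can_unlock(vault, "correct horse battery", token))
```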
I operate in some sort of hellscape of Apple keychain and Chrome password managers, they often aren’t in sync and there’s a bazillion that may have been compromised so it reminds me. I really should switch to a unified manager but I guess I’m just too lazy
I recently deployed Delinea Secret Server across our org. This was mostly driven by the LastPass breach last year.
For personal use I use BitWarden. It's not very fancy and the interface is lackluster, but it's fine for general/personal passphrase management.
Been using https://getvau.lt/ for a while. It requires a bit of manual work compared to the various password managers but I like not being dependent on a specific service.
Aren't you relying on the service of getvau.lt? Sure, it's open source, but you'd still have a bad time if you need to login somewhere now and the site is down.
If I understand correctly, the passwords are generated by javascript. How do you know the code that was served to you is the same code that is published on GitHub? You would have to read and understand all the code or run it through a secure hash function every time you visit the website.
I selfhost a copy on my own server. It is really just a small Javascript, so I am not really afraid to lose it as such. I should probably have mentioned that.
OK, in that case, I can't see anything wrong with it.
For personal use I go with Bitwarden, and I regularly export my vault and import it into a KeePass vault as a functional backup.
For work we use LastPass and I absolutely put nothing in there. I use a KeePass vault for my own needs.
My wife and I have been using Enpass for years and are pretty happy with it.
I'm lucky enough to get Keeper free through my work and it manages TOTP for me (which I really like). Though the user experience requires a lot of work. The primary use case is in-browser, so just as an extension, though there is a desktop application. That said, I have quite a few problems with it, some of which, in no particular order are:
I previously used KeePass, but keeping my database synched between devices and having a different app for TOTP was a bit too much of a hassle for me, so in that regard Keeper has been a step up. And credit where it's due, their iOS app is pretty nice.
KeePass doesn't have TOTP? I'm pretty sure KeePassXC has one though, never needed another security app to handle OTPs.
I use mostly KeePassXC and KeePassium on iOS.
I open my KeePass database from all my computers/mobiles from a network share only accessible through wireguard.
I use Enpass and have basically enforced it everywhere I can. The fact that you can store your encrypted vault on an online location (Google Drive, OneDrive, Dropbox, even your own cloud) of your choosing is perfect for me. I keep pretty much everything there. Their prices are reasonable, too, which helps.
Honorable mention for Passbolt, which I set up but couldn't manage. If you are better at managing Amazon ec2 instances than I am, then by all means. I think it's a great small business solution for passwords, for a company with someone that is good at managing servers.
Bruce Schneier originally made one that I've used forever. I like how you can keep the database on a google drive folder, and access it from your phone or whatever. I've become my family's password manager...
I use KeeWeb. It's pretty much the same as KeePass but I don't have to worry about synchronising my file as KeeWeb can directly download and upload to multiple different cloud services.
I use the same setup that you described, KeePassXC + syncthing. I also have a small, multipurpose personal VPS, which has syncthing configured as well. This ends up working really nicely since it's always running, so there's at least 1 device to sync to/from at all times. As a bonus, I also have the keepass database automatically backed up each day.
My only issue is that the mobile KeePassDX does not work very well on my phone - I have only 2gb of RAM, so the system regularly kills background apps, sometimes almost as soon as I leave them. I've had it close keepass after I put the login and password on a site, but before I grabbed the authentication code, forcing me to unlock the database twice. Oh yeah, and the system keeps killing syncthing too. I hope these problems go away after I upgrade to a more recent device...
Like a few others have mentioned, I use keepass. I have my personal laptop synced with my personal phone while my work laptop has a totally separate file for those work sites and things that I don't access from my personal laptop. I have my main database backed up in a number of locations in case my laptop gets corrupted or something.
I used to use Enpass. I liked that it let me pick where the encrypted vault is stored, and I got it back when it was a one-time purchase.
Unfortunately, the apps have gotten pretty glitchy, so I went looking for something new.
I just signed up with BitWarden.
I’d had my eye on them for a while now - I like the way the product is run. Here’s hoping it keeps working well ! 🤞
yall crazy I've been using the same password for the last 10 years. I just affix extra symbols based on a few factors like subject and some surface level stuff (e.g. first letter) and voilà, unique and not prone to password dumps.
You might like pwdhash.com as it sort of fits with this thought process.
I use KeepassXC on Linux (primary work OS) and Windows (wife’s computer), and Strongbox on iOS and macOS (my casual use OS). I sync the databases with Dropbox and manually sync the key files.
Strongbox supports iOS/macOS native auto-fill and I use the browser extension on Linux since that (work) database doesn’t have my passwords, but otherwise I’d be a bit hesitant to use any auto-fill extension.
I manage multiple databases to segregate the types of passwords that they contain.
I use eWallet because I've been using it since before even the iPhone was around.
Bitwarden (vaultwarden's implementation), selfhosted.
Backups of course, but as of now nothing has beat it.
I'm still using 1password, and I've been meaning to give (bit|vault)warden a spin to see if it can serve as a replacement. The reason I haven't put much effort into switching is because with 1password connect and 1password cli integrations, I have a lot of homegrown automation for my home lab, and other aspects of my digital life, both home and work. So it's not as simple as exporting from 1password to a replacement. I'll need time to investigate the integration options and see how much work it would be to swap it all out.
For instance, my configuration (environment variables) for my services on my docker swarm are unique entries in 1password. Deployment for those and even reimaging my devices (laptops/desktops) is 99% automated with 1password service as secrets and configuration storage. I can go from total failure (providing availability of parts) back to 98% productivity in 20 minutes for just about every device in my house.
KeePassXC on Mac & PC, KeePass2Android on Android - database on Google Drive. KeePassDX doesn't play well with syncing (and doesn't even support Cloud syncing).
Had a Lifetime License to 1Password before they went subscription model, dropped them after that. Agilebits as a company will also be a high-value target by baddies, and I don't want any of that action. My keys will be secure behind an account that nobody even knows has anything good in it.
Passkeys are cool and all, but until there is widespread adoption of the tech I'm happy and secure with the integration KeePassXC has with all of the platforms I use. And in the event that I'll need to use a better paid service/app I'll be able to easily port over the info to wherever it needs to go.
Tried most of the other popular paid/freemium (LastPass, Bitwarden, obscure self-hosting apps) options out there and I keep returning back to KeePassXC. 1Password would be the service I'd return to if I wanted a non-FOSS option though.
I'm curious about the issues you've had with KeePassDX and syncing? I haven't had it cause any trouble once, and I primarily find myself editing the database on my phone rather than my PC.
KeePass2Android allows you to access some cloud services directly for your DB while I've only seen DX work with local files. Merging different DB versions from multiple machines using builtin sync has been solid on KP2A. Maybe I should be doing something different with DX? KP2A looks ancient but the functionality can't be beat (i think).
After exploring DX one more time, I think I might be porting everything over to it. Figured out how to make it work with my setup, and I must admit it works and looks good.
I use KeePassDX synced to Google Drive. It works fine but nearly every time I open the app I have to navigate through the phone chooser to the Google Drive file as Android/Google Drive seems to block access after ten minutes or so, so the most-recent used list doesn't work.
Still happy with the setup.
I don't know why I saw only two replies mention Dashlane, but I've used it since it was in a closed beta and it's been wonderful overall. It has its moments of frustration now and then, but that's almost exclusively surrounding auto fill, which a lot of sites mess up with weird input fields and intercepting JavaScript callbacks.
It has its own 2fa authenticator it introduced recently that's very nice, it has passkey support on the web and Android with iOS coming soon, it can also store and auto fill payment information (this was the og feature and why it's called Dashlane), "secure notes" for storing random text (like backup codes) in an encrypted cloud storage location, and a great family plan.
Maybe someone will come and burst my bubble, but every year I look at whether I should switch before my family plan renews and I find no competitor is a compelling replacement. In some cases I find something basically just like dashlane so no point in spending effort to transfer my data for no added benefit. But in most cases, I find dashlane to simply be a superior product in terms of features and support.
ETA: On Android, you can actually let Dashlane auto fill login fields in many popular native mobile apps. Netflix, Gmail, DoorDash, Uber, and so many more. I find it's more common that I can have Dashlane fill in my credentials in a native mobile app than it is to need to fill it in manually.
Recently moved away from last pass.
Putting my tiny tin foil hat on: isn't declaring which tool you use adding to your attack surface, and bad opsec?
It is negligible at best. It's either a cloud provider that would be extremely difficult to attack just for one individual, or in my case a physical file that would require my devices to be specifically targeted and subsequently scraped to find the database, only to still require brute forcing to break. It's a bit of a reach to say it's bad opsec.
I use KeePassXC and KeePassium for mobile.
It’s my first password manager so I don’t know much aside from “Yeah a service that does it for me on the cloud is a bad idea”, especially with what happened to lastpass.
Not sure if uploading the database to iCloud is smart, though, even if it has a password on it.
While I have my reservations (and I am actually considering using a cloud service now), the fact is they are still relatively secure. What happened to LastPass was very high-profile, however, that data was still encrypted when it was stolen. This means that while the event was still a massive security failure on their part, any given user's master password would have to be brute-forced to gain access to their information. Yes, this data is now in a location where brute-forcing is possible without restrictions, however, it will take them a very long time to crack any given one, much less all of them.
From what I understand about 1Password, their 2SKD (two secret key derivation) means that breaching and stealing the encrypted databases from their cloud will achieve nothing, as they would then have to target every single user to be able to retrieve their "Secret Key," which is a 34-character 128-bit entropy string that you save onto a device or wherever you prefer to keep it. They cannot simply brute-force your master password and gain access. I find this extremely useful personally, which is why I have been weighing cloud options since this post.
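An added example (not 1Password's code) of the two-secret key derivation the comment describes: the unlock key is a password-derived key XORed with a key derived from the 128-bit Secret Key, so a stolen encrypted vault gives no way to check password guesses without the Secret Key. The HKDF info strings, the PBKDF2 stand-in parameters and the Secret Key display format (version tag plus 26 base32 characters, without 1Password's hyphenated grouping) are assumptions; the overall shape follows the publicly described design.

```python
import base64
import hashlib
import hmac
import re
import secrets

SECRET_KEY_VERSION = "A3"  # assumed version tag, as seen on real Secret Keys


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> str:
    """128 random bits shown as 26 base32 characters behind the version tag.
    This is the secret the user keeps on a device; the server never learns it."""
    raw = secrets.token_bytes(16)
    return SECRET_KEY_VERSION + "-" + base64.b32encode(raw).decode().rstrip("=")


def secret_key_bytes(secret_key: str) -> bytes:
    """Parse the display form back to its 16 random bytes (assumed format)."""
    m = re.fullmatch(r"([A-Z0-9]{2})-([A-Z2-7]{26})", secret_key)
    if not m:
        raise ValueError("malformed Secret Key")
    return base64.b32decode(m.group(2) + "======")


def derive_muk(password: str, secret_key: str, email: str,
               account_salt: bytes, iterations: int = 100_000) -> bytes:
    """Master Unlock Key = KDF(password) XOR KDF(Secret Key), 32 bytes."""
    ident = email.strip().lower().encode("utf-8")
    # Branch 1: the human-chosen password, salted per account and stretched.
    pw_salt = hkdf_sha256(account_salt, ident, b"PBES2g-HS256")
    k_pw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), pw_salt, iterations)
    # Branch 2: the Secret Key is already 128 bits of randomness, so HKDF only.
    k_sk = hkdf_sha256(secret_key_bytes(secret_key), ident, SECRET_KEY_VERSION.encode())
    # XOR: the server stores account_salt but never k_sk, so an attacker holding
    # the encrypted vault cannot verify a password guess without the Secret Key.
    return bytes(a ^ b for a, b in zip(k_pw, k_sk))


if __name__ == "__main__":
    sk = generate_secret_key()                 # constructed; normally shown once at signup
    salt = secrets.token_bytes(16)             # constructed per-account salt kept by the server
    muk = derive_muk("correct horse battery", sk, "alice@example.com", salt)
    print("Secret Key:", sk)
    print("MUK       :", muk.hex())
    # Correct password but a different Secret Key yields an unrelated key.
    other = derive_muk("correct horse battery", generate_secret_key(), "alice@example.com", salt)
    print("same password, other Secret Key matches:", other == muk)
```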
I self host Bitwarden.
I've only ever used KeePass synched over, uh, scp
I appear to be the only one using pwsafe. It's great: open source, syncs via iCloud, Dropbox, or whatever you want, with the whole vault encrypted securely and designed by Bruce Schneier (author of Applied Cryptography and inventor of Twofish) whose paranoia and attention to detail I trust to not screw it up.