34 votes

Help me ditch Chrome's password manager!

I've been trying to reduce my reliance on all things Google, and one of the big ones is password management. I've tried several times to make the jump, but every time I start researching options I'm overwhelmed by the selection. There are a lot of popular options out there, and I really don't have the time/energy to endure a misstep. So without a clear idea of which manager will check all of my boxes, I end up bailing on the process and keep using chrome's built in option.

So to start, here's what I like about Chrome:

  • Automatically offers to store passwords without extra clicks
  • Autofills automatically where it can, and gives me an easy choice when it can't
  • Works everywhere I need passwords. (basically everywhere I browse the internet since chrome works everywhere)
  • Minimal overhead. This is hard to beat since Chrome just includes it, so I'm fine with a little extra setup if necessary.

I used to use keepass portable on a thumb drive (I want to say circa ~2009ish), but it became really inconvenient as my usage shifted more to mobile devices.

I see this as a first step to also reducing my reliance on Chrome so I can start to consider other browsers. Right now I feel locked in to Google's ecosystem, but I know I can break it up if I don't get too bogged down by choice. Much appreciate any help. :)

48 comments

  1. [8]
    stu2b50
    Bitwarden is the usual suggestion. It does most of those, although it might be a bit clumsier than Chrome's on Chrome itself, since it's 3rd party, especially on mobile. But it does work in more contexts as well, for example you can store and retrieve passwords for apps on mobile, not just websites.

    The free plan does most of what you want, so you can try it out.

    66 votes
    1. vord
      Another thumbs-up for Bitwarden.

      Fun fact, you can add custom fields to a site's entry in Bitwarden if you want it to autocomplete other stuff as well. Immensely useful for sites that don't follow usual patterns for usernames. I also use it to save fake 3-word entries for 'security questions' so that it's not as easy to be compromised because someone took the three seconds to google what my mother's maiden name is.

      I even had one billpay site that made me enter my credit card details every month, but the usual autofill methods for that wouldn't work. So I added all the needed fields as custom fields in Bitwarden (name, zip, number, etc), then it would autofill the form every month.

      29 votes
    2. [2]
      Wafik
      I'll second Bitwarden. It is open-source which usually prevents it becoming shitty or getting sold. I switched from some other password manager when they changed up their pricing structure.

      It takes some initial tinkering to get set up but nothing beyond most people and works near flawlessly on PC browsers (can be a little glitchy on Android).

      13 votes
      1. Mendanbar
        I didn't mention open source in my original post because I was trying to cast a wide net, but it's a big plus.

        9 votes
    3. 0x29A
      Yet another vote for Bitwarden here. Switched from 1password for less cost and more open source and have been very happy, and in fact, I like Bitwarden more.

      11 votes
    4. tauon
      Another content Bitwarden user’s mention:
      The core password manager offer is free and will stay free, including cross-device syncing… but for $1 a month you can also get a non-Google non-Microsoft authenticator app that works really well (plus a bunch of other features I don’t really need nor use).

      I also quite like that in addition to bitwarden.com, they offer an alternative server (& location) with bitwarden.eu

      10 votes
    5. brod
      Also a recent Bitwarden convert. Agree to all that was said above but I was also pleasantly surprised at how easy they make it to import from a previous password manager. I came from last pass and it only took a couple minutes, and little to no friction.

      3 votes
    6. blueshiftlabs
      +1 to Bitwarden! You can easily self-host your own Bitwarden server using Vaultwarden, if you want to keep things even more under your control.

      1 vote
  2. [8]
    DeaconBlue
    (edited)

    I use 1password, which does everything you mention after installing the browser extension. It is not free, but it is not wildly expensive.

    My favorite feature is that my family has a setup where I have my passwords, my wife has her passwords, my grandparents have their passwords, and my family has our shared passwords (for anything kid related or for Nebula or utilities or whatever). When I search for passwords, I can see mine and our shared ones, but I cannot see my wife's. I can also see my grandparents' vault but it is not my default set to search from.

    One of the biggest reasons to believe that this system works well is that my grandparents use it. They are not technologically inclined. I just installed it for them and set it up and they press the "use password from 1password" button, or "save to 1password" when relevant.

    If you are a power user or only have your own passwords to manage, a free one might be more appropriate. If you are in charge of other people's information, I think 1password is very nice.

    24 votes
    1. [5]
      exces6
      I like 1Password a lot for many of the reasons you describe. The family feature (shared vault) is great for keeping my wife and I in sync and ensuring if something happens to one of us the other isn’t stranded.

      I haven’t brought myself to upgrade my mobile app from 7 to 8, and I understand there was some early clunkiness which I hope has been resolved by now.

      But I like that as a paid service there is incentive to continually improve while keeping things polished. I haven’t really used their support, but I feel like the app and its extensions are easy enough to use and pretty intuitive. I like that it suggests random passwords and I can adjust the complexity to meet various sites’ requirements, and then it just stores them easily for the future.

      Been using for a few years now and highly recommend. It has helped me greatly increase my password diversity and overall personal security.

      7 votes
      1. [4]
        Weldawadyathink
        I was never as upset about version 8 as some vocal people on Reddit were, but in my opinion, all the initial stumbling blocks are completely gone now. Version 8 is now far better than version 7 ever was. Yes, it’s different, but once you get used to the new interface, it’s just as good or better. I only remember 2 feature regressions in the original v8 mobile app (apple watch support and reordering items), and those have been fixed for a long time now.

        8 votes
        1. [3]
          exces6
          Sounds like it’s time to give it a shot; thanks!

          1. [2]
            jwong
            Be very careful in your migration. I tried last month to migrate and it ruined my vaults by mixing my old iCloud vault together with the cloud vaults. Every migration duplicated the bad entries resulting in 4x duplicates mixed in before I realised it.

            I tried working with support to fix it, but they were pretty much useless. I got tossed between reps every email reply and they all failed to read anything past the most recent email.

            I aborted the upgrade from 7->8 after that and decided to just deal with 7 until I can get a solid system in place to replace it.

            1. exces6
              Blerg! I’ve given some thought to BitWarden but never made the jump. I do wish the 7->8 transition hadn’t been botched; you’d think that would be easy enough to achieve especially for a paid service.

              1 vote
    2. kwyjibo
      I've been using 1Password as well, and couldn't recommend it enough. I've had some doubts about their "let's make everything cross platform using Electron" initiative, but I think they've managed it well. I did try Bitwarden during 1Password's cross platform initiative, just to see if the grass was greener on the other side, but the user experience of the latter was so far ahead, it wasn't even a competition.

      Just the other day, I helped my brother set up his recently purchased Macbook Air and he was using Bitwarden based on my recommendation (he's not accustomed to paying for software). I helped him install the app and the browser extension and I felt offended by how ugly they both were. I do think Bitwarden is a solid product underneath and I'd have no worries about its security as far as how secure a piece of software can be, but they really need to hire some designers.

      5 votes
    3. Reapy
      I use 1password as well, but it was my first and only password manager, so I can't give a basis of comparison. My wife uses it as well, but typically I have to set her up and occasionally troubleshoot. It's especially hard for her on mobile, but I can't even get her comfortable with fingerprint usage. But overall, both of us having the shared vault, so I can keep the important logins with good passwords and both of us are able to log in, is great. Having 2FA able to be autofilled means I turn 2FA on everywhere I can even if the account is not important.

      So really has been a great product to use through several phones and computers and has made my life much easier. I plan to get my kids using it too as they are hitting an age where they are going to start needing logins for things now.

      So while I can't compare to other free products I've been happy with the pay service for several years now.

      1 vote
  3. luks
    I am by no means highly knowledgeable on the topic, but I've been using Bitwarden for a number of years and it would tick all your boxes. I use Firefox, setup is limited to creating an account and then installing the Bitwarden extension. It also works on mobile, either with the extension or an app that lets you fill in passwords for all apps too.

    8 votes
  4. [9]
    adutchman
    I use Keepass intensively. Synchronising is quite easy actually, because you just have to synchronise the file. I use Nextcloud, but you can use any cloud provider or software like syncthing or rsync. Most mobile clients even have an option to synchronise from a cloud service. I don't synchronise the keyfile to make sure that even if my password and cloud are hacked, an attacker can't get in. It is probably overkill, but hey, why not. As for ease of use: I don't really use that sort of functionality much, but I'm pretty sure you can achieve some pretty smooth operation with browser plugins. That being said, Bitwarden is also an excellent option and it is what I normally recommend to others, since it is more user friendly.

    8 votes
    1. [3]
      first-must-burn
      +1 for keepass. I keep the password file in dropbox to sync it between computers and mobile. Occasionally I will get a conflicted copy, but Keepass' synchronize function can bring the changes in from the conflicted copies easily.

      I don't have anything for browser integration, but on Windows it has auto type. On android, I switch to Dropbox, choose the KeePass file, open it with the keepass client and unlock it, then choose the entry. A notification appears that can copy the username or password entry, so you can switch back to your app or website to put the info in.

      3 votes
      1. [2]
        crdpa
        KeepassDX has a special keyboard you can enable on Android. When you need to login to a website or app, switch to keepass keyboard and you can unlock and select the entry without the need to copy paste anything.

        2 votes
        1. first-must-burn
          Thanks for the tip. I have been using KeepassDroid since the late 00's, and it is fine, but I installed KeepassDX. Even at first glance, it looks easier to use, and the keyboard integration is huge.

          1 vote
    2. [2]
      serpus
      I like Keepass, a lot. It's way better than Chrome password manager. But I do caution others when making this suggestion because it does have upkeep. I personally had to migrate to Bitwarden because my non-technical wife was getting syncing issues with Keepass and didn't know what to do. This caused her to stop using it altogether, which defeats the entire. Just another factor to consider.

      2 votes
      1. centurion
        For multi-user usage, I can see syncing issues happening with KeePass but thankfully I haven't had any. I think the apps/programs I use for it can merge external changes for it and last saved entry wins. As a lone user, I don't get conflicts frequently (can't remember if I ever actually got one).

        Ultimately it's great to have options for everyone and not have to rely on a single application that may not cover everyone's particular use case.

        1 vote
    3. [3]
      Mendanbar
      The last time I went down this rabbit hole I was seriously close to getting a Nextcloud instance going. I liked the idea that I could add other services down the road and further take control of things. I think I may still go that route someday, but don't have much capacity ATM. Bitwarden seems like a clear winner so far based on all the other comments.

      1 vote
      1. mild_takes
        Use syncthing to sync it up. It's simple and free.

        No matter what, keepass does take more time and effort than other options, but I feel like it's worth it.

        1 vote
      2. adutchman
        I rent a Hetzner server. It's a fair price and good service. Only downside is that you can't easily add other services like Collabora Online.

  5. aphoenix
    I use 1Password for my family and Bitwarden for work. They are similar, but I generally find 1Password easier to use, especially for people who aren't particularly technical; like @DeaconBlue I find it much easier for my family to use than any other solution. It's simple enough that my wife, a professor, can use it (mainly a joke for anyone who has worked IT help at a university, but also... somewhat serious).

    Bitwarden is also a good option. It's nearly as good; the sharing is a bit clunkier, the interface is less polished, the prompts to remember passwords are a bit different. It mostly comes down to I like the feeling of 1Password just a bit more.

    Overall either solution is probably a good one for most use cases.

    8 votes
  6. [2]
    Pistos
    I use Firefox, and its built-in password manager ticks your boxes, I believe. I couldn't tell from your post if you were implying that you're not ready to change browsers yet. Maybe consider using Firefox only for the password-protected sites, and Chrome still for the rest of the Internet?

    6 votes
    1. llehsadam
      I’m also quite happy with Firefox, it also can autofill passwords for Safari/other-apps in iOS without having to install any extra apps or add-ins, which means you don’t need to store passwords with Apple either.

      3 votes
  7. [2]
    Finnalin
    Is Chrome's password manager safe to use?

    5 votes
    1. forked_bytes
      It is and it isn't. The data stored on Google's servers is likely as secure as your Google account.

      The problem is on your computer, the data is stored in your local account credential store without a secondary encryption password. Which means any malware running on your PC can trivially access the stored passwords.

      Arguably your PC in this case is already compromised, and other password managers are vulnerable to keyloggers and such, but there is a higher barrier to entry. In practice, malware that steals passwords from Chrome is extremely common whereas targeting standalone password managers is more rare.

      17 votes
  8. fxgn
    PrivacyGuides has an awesome page about password managers:

    https://www.privacyguides.org/en/passwords/

    Basically, if you want local, go with KeePass and compatible apps. If you want cloud sync, your options are Bitwarden, 1Password and Proton Pass.

    4 votes
  9. [2]
    artvandelay
    I've been using Bitwarden now for a few years and I highly recommend it, I've never had an issue with it. Works great on pretty much all major platforms like Linux, macOS, Windows, Android, iOS. It does unfortunately add an extra click or two when saving passwords or auto-filling but I quickly got used to it. I think overhead can be minimal too as you only really need the browser extension for your computer and the mobile app on your phone. On Mac (and probably Windows and Linux), you can connect the extension to the Bitwarden program and use your computer's fingerprint or face scanner to authenticate the auto-fill.

    Regarding the extra clicks for the auto-fill, the way I use it, you just right click on a text field, click the Bitwarden option, and then the "Autofil details" option and then, if there's only one saved password for a site, it'll fill things in. If there's multiple, you can then choose that from the menu I mentioned earlier. The extra clicks from saving are basically just a confirmation message. If you have the extension running in your browser, when you log into a website with new credentials, the extension will ask if you want to save the new credentials.

    3 votes
  10. centurion
    I use KeePassXC on my larger devices and Keepass2Android on the smaller ones. For ensuring they're always in sync, the kdbx file is stored on a cloud provider (pCloud in my case) which is accessible by all devices and can be cached if my internet connection is spotty.

    The kdbx file is protected with a key file in addition to the master password so that only explicitly onboarded devices can use it, even if my cloud storage is compromised.

    For actual usability, KeePassXC does have a browser extension to allow auto insert of username and passwords but I've had a mixed experience with it. I just resort to Alt+Tab to manually grab the password instead.

    On Android, my experience is much better, Keepass2Android prompts to link the relevant password to the app when you use it there, so that it will auto fill next time. QuickUnlock also lets you only put in the last 3 characters of your master password to save time, but will occasionally ask to enter the full master password.

    1. https://keepassxc.org/
    2. https://play.google.com/store/apps/details?id=keepass2android.keepass2android
    3 votes
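The "key file in addition to the master password" setup that adutchman and centurion describe rests on how KeePass 2.x builds its composite key: SHA-256 over the concatenation of the SHA-256 of each unlock component, so a copy of the .kdbx plus the master password still cannot reproduce the key without the key file. The script below is an added illustration, not code from KeePass or from anyone in the thread; it assumes a generic (non-XML, non-32-byte) key file, and replaces the real header check and AES-KDF/Argon2 stretching with a plain SHA-256 verifier.

```python
"""Added example: why an unsynced KeePass key file protects a synced .kdbx.

Composite key (KeePass 2.x, generic key file):
    K = SHA256( SHA256(password_utf8) || SHA256(key_file_bytes) )
Simplification (assumption): the real format then stretches K with AES-KDF
or Argon2 and verifies it against an HMAC in the file header. Here a bare
SHA-256 of K stands in for that verifier so the example runs offline.
"""
import hashlib
import hmac
import os
from typing import Optional


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine whichever components are present, in KeePass order."""
    parts = []
    if password:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        # Generic key file: hash its raw contents. KeePass special-cases
        # exactly-32-byte files, 64-hex-char files and XML key files;
        # those cases are deliberately not modelled here.
        parts.append(hashlib.sha256(key_file).digest())
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(b"".join(parts)).digest()


def make_vault(password: str, key_file: Optional[bytes]) -> dict:
    """Constructed stand-in for a .kdbx: holds only a verifier of the key."""
    key = composite_key(password, key_file)
    return {"verifier": hashlib.sha256(key).digest()}


def unlock(vault: dict, password: Optional[str], key_file: Optional[bytes]) -> bool:
    """True only if the supplied components rebuild the vault's composite key."""
    try:
        key = composite_key(password, key_file)
    except ValueError:
        return False
    candidate = hashlib.sha256(key).digest()
    # Constant-time compare, as a real verifier check would use.
    return hmac.compare_digest(candidate, vault["verifier"])


def new_key_file() -> bytes:
    """Random 64-byte key file (constructed); keep it out of the sync folder."""
    return os.urandom(64)


if __name__ == "__main__":
    kf = new_key_file()
    pw = "correct horse battery staple"
    vault = make_vault(pw, kf)

    # Onboarded device: has the key file locally, knows the master password.
    assert unlock(vault, pw, kf)
    # Attacker with the synced .kdbx and the master password, but no key file.
    assert not unlock(vault, pw, None)
    # Attacker with the master password and a wrong/guessed key file.
    assert not unlock(vault, pw, os.urandom(64))
    # Key file alone (stolen device backup) without the master password.
    assert not unlock(vault, None, kf)
    print("vault requires master password AND key file: OK")
```

Reusing the same key file for a second database does not weaken this model, but losing it locks you out too, so keep an offline copy somewhere that is not the cloud folder.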
  11. kingofsnake
    I know that some people here are not fussed on modular, but moving to Firefox as your browser comes with an excellent password manager.

    For the Firefox non-fans, what's your beef?

    2 votes
  12. carsonc
    I wanted to put a plug in for Enpass. I've now compelled several people around me to start using it. I really like it and, if you are in the market, you should give it a look.

    1 vote
  13. r_se_random
    I would second most commenters who've recommended Bitwarden. I've been a paid user of Bitwarden for about 4/5 years now and I'm incredibly satisfied with it.

    The other contender is Proton Pass. I'm a paying Proton member, so I've been exploring it for a bit to reduce the costs on my end, and it seems to do most of the things that Bitwarden does. On a day to day basis, I don't think I would miss it if I stopped using Bitwarden. Just being lazy about it as the cost of bitwarden is just $10, so inertia isn't that high.

    1 vote
  14. feanne
    I've switched to Protonpass and found it pretty much seamless. I was able to import my Chrome logins into Protonpass and it works well for me on both desktop and mobile. I also like how it can generate email aliases for me so I don't have to give out my real email address to every website asking for it.

    I like Proton's commitment to user privacy.

    I also have Protonmail but am still struggling to switch from Gmail.

    1 vote
  15. babypuncher
    I have a KeePass 2.0 database that I keep in my cloud storage provider of choice.

    On desktop, I use KeePassXC (it has versions for Windows, Mac, and Linux, which is a big part of why I like it).

    On my iPhone, I use KeePassium because it supports FaceID.

    1 vote
  16. ElectricFuturist
    I see a lot of the same mentioned several times throughout the replies. I want to offer two additional options. I use Dashlane in my personal life and Keeper at my company. I find them both very easy to use across several systems. I don’t store my MFA tokens in either of them and use a separate application for that.

    For Dashlane, I have the deadman drop function setup so my family can get access to my accounts if I am incapacitated or dead. I also have the family plan which has forced my wife to take a more serious approach to her data security.

    Overall, I like them both for what I use them for. I used to use LastPass at my company but then they had a massive breach and we switched to Keeper.

    1 vote
  17. DeFaced
    ProtonPass, it's free, integrates near seamlessly between mobile and web browsers (something I've constantly had problems with using Firefox's password manager) and you get the backing of a reputable security based company. I've tried numerous password managers from Google to keepass, I'm sticking with proton pass for the foreseeable future.

    1 vote
  18. [6]
    Pavouk106
    I turn off this password manager every time I reinstall a PC for someone. People can't remember their passwords and I try to force them to by doing that. Password manager (of other type) won't solve that.

    Personally I don't use a password manager. I remember my passwords. I use three to four passwords and sort them by criticality of their use. I use my standard password here. I use my higher level one on sites where money exchange takes place (where my credit card credentials are used) and I use my master password just for my email (I have one more password for internet banking). As I go higher on this ladder I use the password for fewer services - normal password almost everywhere -> email password just for email.

    This system is far from perfect but even in case of breach, I think I'm covered to some extent - if the normal password is breached, someone can make some comments written "by me". If the higher one gets breached, I may lose a bit of money. If the email one gets breached, I'm done (I'm counting on Google to not let someone sign in from the other side of the planet - also I use this password only there, it can leak only from there or by me inputting it on a keylogged PC or getting malware on my phone etc.).

    1. [5]
      skullkid2424
      > I turn off this password manager every time I reinstall a PC for someone. People can't remember their passwords and I try to force them to by doing that. Password manager (of other type) won't solve that.

      No offense, but that seems like a very naive take. Not using a password manager won't magically give you a better memory. That typically forces people to use easier-to-remember passwords with worse security, making them less secure.

      I did use a similar tiered password system for a while, but ultimately ended up switching to full time password managers.

      The big problem is that as leaks and dumps became available, it's very easy to build a profile of old passwords and try them on similar websites. So if any company at any password tier has a security problem, then that entire tier is insecure. I used a base password and would customize it based on the actual site - for example, hunter2+tildes for tildes and hunter2+reddit for reddit. But that obviously has similar flaws in that any human might be able to guess the system after seeing a leaked password - not to mention anyone attempting to brute-force passwords would potentially be able to use old passwords as a starting point.

      I came to the conclusion that realistically, I can't remember enough unique and secure passwords to provide every email, bank, credit card, etc with the security that I should. A password manager (rather, a good password manager) is the best solution IMO. I can focus on remembering a few key secure passwords, and generate very secure passwords that I don't have to remember. I'm much less vulnerable to random brute force attacks and smarter attacks made with previously leaked passwords.

      The other solution I considered was to randomly generate secure passwords, but to never write them down - always using the "I forgot my password" button whenever I need to login. That route very clearly has some usability issues - though I still might consider it valid for things you only need to log into very rarely.

      I also have basically stopped using security questions (as intended). Security questions are a huge vulnerability and the source of many hacks. At the very least, it's worth having a system where the answers don't match up with the questions. A hacker may be able to guess or figure out the make and model of my first car. But if I answer every car-related security question with the same unrelated answer (something completely out of left field, like "Frank Herbert's Dune") - then I'm in much less danger of someone doing some social engineering to gain access. Of course, using the same answer for every car-related question introduces the same vulnerability where if one instance of those is ever leaked, attackers have a starting point to attempt to guess for other sites. Which brings us back to the best solution for security questions being randomly generated passwords stored in a password manager. Perhaps a different password manager than the rest of your passwords.

      8 votes
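The "old passwords as a starting point" risk above, made concrete as an added Python example (mine, not skullkid2424's): from a few constructed leaked (site, password) pairs it infers the base password behind a base+site pattern and expands it into the guesses an attacker would try against another site, then contrasts that with a password nothing in the leak predicts. The same block generates CSPRNG answers for security questions, the approach the comment ends on. The leak data, site names, separator list and function names are all assumptions for illustration.

```python
import re
import secrets
import string
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample "leak": (site, plaintext password) pairs an attacker could
# collect from several breach dumps. Not real data.
LEAKED: List[Tuple[str, str]] = [
    ("reddit", "hunter2+reddit"),
    ("amazon", "hunter2amazon"),
    ("github", "Tr0ub4dor&3"),   # no site name embedded; yields no base
]

# Separators people commonly put between a base password and a site name
# (assumed list; a real cracking rule set is much larger).
SEPARATORS = ["+", "", "_", "-", ".", "@", "!"]
_SEP_RE = "[+_\\-.@!]?"


def infer_base(site: str, password: str) -> Optional[str]:
    """Return the site-independent part of a leaked password when the site
    name is embedded as a suffix or prefix, e.g. 'hunter2' from
    'hunter2+reddit'. Returns None when no such pattern is visible."""
    site_re = re.escape(site)
    suffix = re.match(rf"^(.+?){_SEP_RE}{site_re}$", password, re.IGNORECASE)
    if suffix:
        return suffix.group(1)
    prefix = re.match(rf"^{site_re}{_SEP_RE}(.+)$", password, re.IGNORECASE)
    return prefix.group(1) if prefix else None


def candidate_passwords(bases: Iterable[str], target_site: str) -> Set[str]:
    """Expand inferred bases into the guesses an attacker would try against
    target_site: base and site joined by each separator, in both orders,
    with the usual capitalisation variants of the site name."""
    out: Set[str] = set()
    names = {target_site, target_site.capitalize(), target_site.upper()}
    for base in bases:
        for sep in SEPARATORS:
            for name in names:
                out.add(f"{base}{sep}{name}")
                out.add(f"{name}{sep}{base}")
    return out


def stuffing_attack(leaked: Iterable[Tuple[str, str]], target_site: str,
                    target_password: str) -> Tuple[bool, int]:
    """Simulate an offline credential-stuffing run against one target account.
    Returns (was the real password among the guesses, number of guesses)."""
    bases: Set[str] = set()
    for site, pw in leaked:
        base = infer_base(site, pw)
        if base:
            bases.add(base)
    guesses = candidate_passwords(bases, target_site)
    return target_password in guesses, len(guesses)


def random_secret(length: int = 24) -> str:
    """Generate a security-question answer (or any password) from the OS
    CSPRNG. Store it in the password manager; never derive it from something
    guessable such as a car make or a shared base password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    hit, n = stuffing_attack(LEAKED, "tildes", "hunter2+tildes")
    print(f"base+site scheme: cracked={hit} after {n} guesses")
    generated = random_secret()
    hit, n = stuffing_attack(LEAKED, "tildes", generated)
    print(f"generated {generated!r}: cracked={hit} after {n} guesses")
    print("random answer to 'first car?':", random_secret(16))
```

Two leaked passwords are enough to pin down the base, and a few dozen guesses then cover the whole "tier"; the generated password is not in the candidate set at all, which is the property a password manager buys you.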
      1. sparksbet
        Link Parent
        Yeah, I've been trying to convince my family members to stop using a handful of remembered passwords in favor of a password manager for ages. Using only three or four passwords across tens to even...

        Yeah, I've been trying to convince my family members to stop using a handful of remembered passwords in favor of a password manager for ages. Using only three or four passwords across tens to even hundreds of websites is pretty much the worst thing you can do for password security even if the passwords themselves are sufficiently complex, and they more often than not aren't. It's kind of surprising to see someone on Tildes advocating for that, given how tech-savvy most of the userbase here is. Pretty much anyone who tries to teach even basic password security will caution you not to reuse passwords.

        Granted, Google Chrome's password manager is uniquely super insecure, so turning that specifically off is probably not the worst idea.

        3 votes
      2. Pavouk106
        Link Parent
        No offense taken. The thing is that once I need them to sign in to, say, email on a new browser or phone or after a reinstall, they know nothing. I keep resetting passwords all year long for many people....

        No offense taken. The thing is that once I need them to sign in to, say, email on a new browser or phone or after a reinstall, they know nothing. I keep resetting passwords all year long for many people. By not using managers I force them to know their passwords. And they are forced to make good passwords by their service providers, as those have requirements on length, variety of characters and so on. I've seen many simple passwords in 20 years; nowadays they can't use simple ones (at least not on major services). The thing is that once passwords get saved anywhere (be it Chrome or some third-party manager), they won't care anymore what the password is. And if they are kept logged in or get auto-input on forms, they will be unable to know even that one very important password to their manager. I keep seeing it all the time, people can't remember anything!

        I also considered password manager, but stick to my leveled privileges system for now. If my password gets leaked, I can change it. Depending on which one it is, I can even afford to not care that much. Yes it will be PITA, but what if someone hacked into my... I don't know... Reddit account? Who cares? If they hacked into some higher level account I can lose money (sizeable chunk, but not all). If they hacked the top stuff, I'm screwed. And I have only one service for that one password in the top stuff, mind you. I also use 2FA if available.

        I also thought briefly about generating some hash as a password for each site, but I really don't care that much about many sites, really - local e-shops and so on...
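The "some hash as a password for each site" idea mentioned above, worked through as an added Python example (my code, not Pavouk106's scheme): the memorised passphrase is stretched with PBKDF2, and each site password is an HMAC over the site name and a rotation counter, so leaked site passwords share nothing with each other and one site can be rotated without touching the rest. The block also shows the scheme's weak spot, which a manager-generated random password does not have: anyone holding one leaked site password and knowing the algorithm can attack the master passphrase offline with no lockout, so the stretching cost and passphrase strength carry the whole design. The username-as-salt choice, site names, iteration count and function names are assumptions.

```python
import base64
import hashlib
import hmac
import string
from typing import Iterable, Optional

# PBKDF2 is what the standard library offers; 600_000 iterations of
# PBKDF2-HMAC-SHA256 matches OWASP's current guidance. scrypt or Argon2 would
# be the stronger choice for a real tool. Value assumed for this example.
PBKDF2_ITERATIONS = 600_000
SYMBOLS = "!#$%&*?@"


def master_key(passphrase: str, username: str) -> bytes:
    """Stretch the memorised passphrase into a 32-byte key. The username is
    the salt (an assumption of this example), so two people with the same
    passphrase get different keys."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               username.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=32)


def site_password(key: bytes, site: str, counter: int = 1,
                  length: int = 20) -> str:
    """Derive a per-site password as HMAC-SHA256(key, site || counter).
    Incrementing the counter rotates one site's password without changing
    the master passphrase or any other site's password."""
    if length < 8:
        raise ValueError("length must be at least 8")
    msg = f"{site.lower()}\x00{counter}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    body = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    body = body[: length - 4]
    # Force one character from each class that typical site policies demand,
    # picked deterministically from the trailing digest bytes.
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, SYMBOLS)
    tail = "".join(cls[digest[-1 - i] % len(cls)]
                   for i, cls in enumerate(classes))
    return body + tail


def recover_master(guesses: Iterable[str], username: str, site: str,
                   leaked_password: str, counter: int = 1) -> Optional[str]:
    """The scheme's weak spot: an attacker who knows the algorithm, the
    username and one leaked site password can test passphrase guesses
    offline. Only the stretching cost and passphrase entropy slow this down.
    Returns the passphrase if a guess reproduces the leak, else None."""
    for guess in guesses:
        candidate = site_password(master_key(guess, username), site, counter)
        if hmac.compare_digest(candidate, leaked_password):
            return guess
    return None


if __name__ == "__main__":
    key = master_key("correct horse battery staple", "user@example.com")
    for site in ("tildes.net", "reddit.com", "bank.example"):
        print(f"{site:14} {site_password(key, site)}")
    print("rotated tildes:", site_password(key, "tildes.net", counter=2))
    leaked = site_password(key, "reddit.com")
    print("offline guess:", recover_master(
        ["password", "letmein", "correct horse battery staple"],
        "user@example.com", "reddit.com", leaked))
```

The derived passwords look unrelated, so the credential-stuffing tactic discussed earlier in the thread gets nothing from a single leak; but the last line shows that a weak master passphrase is recovered from that same leak in a handful of guesses, which is the trade a random-per-site manager avoids.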

      3. [2]
        Pistos
        Link Parent
        I think people that use this system understand this and are accepting the risk tradeoff. One benefit of memorizing a password is that you can use it from another device or interface where your...

        if any company at any password tier has a security problem, then that entire tier is insecure

        I think people that use this system understand this and are accepting the risk tradeoff. One benefit of memorizing a password is that you can use it from another device or interface where your password manager is not available.

        1. skullkid2424
          Link Parent
          Fair. Though most people will have their password manager as an app on their phone, so they'll have their passwords with them wherever they go.

          Fair. Though most people will have their password manager as an app on their phone, so they'll have their passwords with them wherever they go.

          1 vote