Which password manager do you use and recommend?
I currently use Lastpass, and while I'm overall happy with what I have right now, some issues (like slow firefox support, android functionality that only works arbitrarily) makes me want to look at other solutions.
I have heard about other popular managers like Keepass and Bitwarden, but haven't made the plunge yet. So I thought I could kickstart a discussion on this topic.
Which password manager do you use or have you used? Why do you recommend it (or not)?
I've been using normal Keepass for years, will my database work with KeepassXC? I'm assuming it will.
Yep, KeePassXC is my solution as well.
I also recommend KeePassXC over its alternatives — especially any online service, such as LastPass, which I most decidedly do not trust to keep my secrets.
I use Keepass on Windows and Keepass2Android on Android.
Keepass lists ports on the website too if you want to change software for different looks as Keepass is functional but may appear dated to some. I haven't used Lastpass but Keepass is used by my whole family synced through Dropbox (that's the only reason I have it) but there are other methods for syncing. Keepass2Android is more than adequate on the phone.
https://keepass.info/download.html
+1 to this. I've been using Keepass for years and it's very easy on Android, which is the biggest selling point for me.
The thing I have always seen as a bit of a hassle with solutions like Keepass is the syncing of the database (it's much more secure, of course).
Dropbox seems like a solution. Can you directly sync the Dropbox file with Keepass2Android or do you need to manually update the offline storage?
Keepass2Android has 2 versions, an offline or online, or you can use online syncing in both (from memory). You set up the online version to use the Dropbox from the outset, it saves to the file and then the desktop is synced also.
All you have in your Dropbox is an encrypted file. You can increase key iteration in the settings of Keepass which increases loading time but makes it more secure against dictionary attacks - https://keepass.info/help/base/security.html#secdictprotect
https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet - offline version
https://play.google.com/store/apps/details?id=keepass2android.keepass2android - online
Note: I set that up years ago and have never had to change anything. There may be better options around these days. It still works so I have never done any more research except increasing the length and complexity of passwords.
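The comment above mentions raising KeePass's key iteration count to slow dictionary attacks. The following is an added example, not code from the thread or from KeePass: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for KeePass's key transformation rounds (KeePass's own KDF settings differ, so the numbers are illustrative), derives a database key at two iteration counts, times the unlock, and shows how the per-guess cost multiplies out over a dictionary. The password, salt and dictionary size are constructed sample values.

```python
import hashlib
import time

# Constructed sample values for the demo (not from the thread).
SAMPLE_PASSWORD = "correcthorse"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_DICTIONARY_SIZE = 10_000_000  # assumed size of an attacker's wordlist


def derive_key(password: str, salt: bytes, iterations: int,
               hash_name: str = "sha256", dklen: int = 32) -> bytes:
    """Stretch a master password into a fixed-length key.

    PBKDF2-HMAC is used here as a stand-in for KeePass's key transformation
    rounds; the security idea is the same: every guess an attacker makes has
    to pay for all `iterations` rounds, just as the legitimate unlock does.
    """
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, dklen=dklen)


def time_unlock(password: str, salt: bytes, iterations: int,
                repeats: int = 3) -> float:
    """Return the average wall-clock seconds for one key derivation.

    This is the 'loading time' the comment refers to: what the user pays
    once per unlock, and what the attacker pays once per candidate password.
    """
    start = time.perf_counter()
    for _ in range(repeats):
        derive_key(password, salt, iterations)
    return (time.perf_counter() - start) / repeats


def dictionary_attack_seconds(seconds_per_guess: float,
                              dictionary_size: int) -> float:
    """Worst-case single-threaded time to try every word in a dictionary.

    A real attacker parallelises across cores or GPUs, so treat this as a
    lower bound on their total work, not a wall-clock prediction.
    """
    return seconds_per_guess * dictionary_size


def compare_iteration_settings(low: int, high: int,
                               dictionary_size: int = SAMPLE_DICTIONARY_SIZE) -> dict:
    """Measure both settings and return unlock time and attack cost for each."""
    result = {}
    for iterations in (low, high):
        per_unlock = time_unlock(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        result[iterations] = {
            "unlock_seconds": per_unlock,
            "dictionary_seconds": dictionary_attack_seconds(per_unlock,
                                                            dictionary_size),
        }
    return result


if __name__ == "__main__":
    # Low count resembles an old default; high count is what a user might
    # raise it to so that an unlock takes a noticeable fraction of a second.
    for iterations, stats in compare_iteration_settings(6_000, 600_000).items():
        print(f"{iterations:>8} rounds: unlock {stats['unlock_seconds']:.4f}s, "
              f"dictionary of {SAMPLE_DICTIONARY_SIZE:,} words: "
              f"{stats['dictionary_seconds'] / 3600:.1f} h single-threaded")
```

Raising the iteration count multiplies the attacker's per-guess cost by the same factor as the user's unlock time, which is why a delay of a second or so on your own machine is worth paying; the strength of the master password itself still sets the size of the space the attacker must search.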
I use Syncthing, which is open-source, decentralized, and secure. I primarily use it between Linux and Android. It can be a bit finicky when you’re setting stuff up, but aside from that, it’s pretty simple. I keep it running on my desktop, and when I want to sync, I just launch it on my phone, wait a few seconds, and it’s all synced.
The cloud is more convenient, but I prefer to keep my password database entirely offline.
I have used pass for quite some time and am happy with it. It's a command line GPG and Git based password manager, but I generally use it via two graphical frontends: my own Emacs frontend (there are better alternatives) and the open source Android app. I have not used it in a team situation though.
Seconding pass.
I have it hooked up to $mod+shift+d in i3 with passmenu. It's actually much more efficient than a traditional password manager for me personally, not to mention its inherent lack of vendor lock-in.
I'm using pass too. It's nice and free and does everything I need. There are shortcomings though. For one, it depends on a program named tree that looks like abandonware. Its bugs may cause problems in pass. I tried to contact the author of tree by email with a proposed patch, but there hasn't been any feedback. I use a dedicated private key for pass alone, and it would be very nice if there had been some way to set a separate passphrase time-out value for this key in gpg-agent configurations. I'm not sure if this is even possible for now.
I don't think the frontends other than the default one rely on tree. Shouldn't be that hard to write a replacement adequate for pass or just use ls -R instead (though I haven't ever looked at the code for pass).
You're right. It's used by the default, text-based interface. As a default dependency, it gets pulled in automatically by the package manager, and personally I feel a bit annoyed by that, because abandonware.
Maybe that should be reported to the pass developer so that they can remove the need for tree? I personally always disliked its output anyways.
I think the issue has been raised previously on the mailing list, but it's not a high-priority thing.
I have used KeePass for around 6 months and after that I switched to Bitwarden. KeePass was amazing but I had problems with syncing and keeping backups. (No permanent device)
Bitwarden is also open source and amazing, only feature that I miss is TOTP (available for KeePassXC). That is a paid feature for Bitwarden.
Bitwarden has Browser addons, desktop and mobile apps. Overall I love it!
Bitwarden seems to be a good middleground between the security of Keepass and the ease of setup of Lastpass, so I'm eyeing it too.
I've heard in the past that Bitwarden uses third-party resources like Google Analytics in critical areas (like the password vault), but a quick google search tells me they moved away from that.
https://github.com/bitwarden/browser/issues/27
Also the F-Droid build has none of them. You can also self host it.
I need to use LastPass at work, but as a heavy command line user I've migrated to pass for personal use. The main advantage is that I can just backup my passwords using git and syncing different devices is really effortless. Passwords are just GPG encrypted files organized using folder structure so it's really easy to manage. The documentation is a bit lacking, but after the initial setup managing passwords is a breeze. On my phone I use pass for iOS, Android clients are also available.
Just so you're aware, LastPass has a CLI.
I've used Lastpass for years on Firefox and I have some complaints:
- The Firefox addon has a lot of bugs, frequently.
- The iOS companion app required a paid pro account, unless they changed that recently, while the Android version doesn't.
- If you accidentally set it to auto-login on some sites it rapidly becomes more of a hassle than logging in manually.
Other than that it's perfectly serviceable, but I still dread the day they have a breach and refuse to store really essential passwords such as my bank account on it. For this reason I'm taking steps to move off of Lastpass and switch to KeePass.
I’m a happy user of 1Password. iOS integration and chrome extensions are solid. MFA support is great too.
KeePass by far is the best. I take issue with any password manager with cloud integration like LastPass as you're essentially putting yourself in the same position you were in, if someone accesses your LastPass accounts they have your logins and you're back to square one. With KeePass you use local databases and local files so if anyone wants your account info they have to remotely access your OS or physically be at your PC and know where that database and key file is stored.
I used to be a huge proponent of Enpass...then I ran into a bunch of issues (after like 2 years) with syncing to my own WebDav server and moved to Bitwarden.
I love Bitwarden. I pay for self-hosted (which gives me OTP support as well) and it's been an awesome product. It's kind of strange to run MS SQL and a .NET app in Docker on a Linux box and it requires a fair bit of resources on the server side (minimum of 3G of RAM), but the companion apps/extensions are super high quality and the project is OSS...which makes me feel less bad about throwing them some money to support a solid, modern password manager being developed in the open.
I know Enpass is working on (or may have already fixed) the bugs I had and are beta testing a major upgrade...and I loved Enpass when it worked well...but when it didn't it was frustrating. Their belief that you get to decide who (if anyone) you want to trust to sync your password DB to is awesome.
So, in short, if you're looking for always-online, Bitwarden.
If you're looking for offline which you can sync to a cloud storage provider, Enpass.
As others have suggested, I use KeePass. I have it setup to sync with Google Drive, so I'm able to stay up to date on either my laptop or Android phone. There are plugins that offer syncing to other services such as Dropbox, which I've tried before and it worked.
I use Apple's iCloud Keychain.
Firefox sync. Does all I need (I use a small extension to generate random passwords).