What password manager, if any, would you recommend?
After being skeptical of password managers for a long time, I've decided to take the plunge and get one installed. The burden of remembering dozens of passwords is simply getting a bit too much. So, I was wondering if anyone here has any recommendations of password managers? Maybe one you or a trusted friend use? Or maybe you think password managers are rubbish, and want to share your opinion?
Any suggestions are welcome, in the interest of fostering discussion/having the thread be useful to other people too. But in my specific use case, I want to be able to sync between devices. I'd prefer something open source, but it's not a requirement.
Bitwarden, it's open source and you can self host it or use their servers if you want to support them. If self hosted I recommend you use this alternative, simply because it's easier to deploy.
The reason I use Bitwarden is because I wanted something open source with a nice UX and support for Android, and Bitwarden fits the bill (I don't want to copy paste passwords all over). The way I have it set up is to fill fields only when I press the key combination (ctrl+shift+l), so that no form hijacking can happen, and to require vault unlock every time I restart the browser.
On Android it uses the accessibility API, which works on all browsers that I use (Chrome, FF, FF Preview) and also works on regular apps as well.
As a bonus it also does TOTP generation for you, although getting the private keys to generate the TOTP codes can be quite involved, especially for things like Steam. People will tell you it's a bad idea, but it's your decision to use it or not. If you're going to use Bitwarden to generate TOTP codes for you, you should also protect your Bitwarden login behind 2FA.
For anyone who uses a lot of subdomains/local addresses, I recently moved to Bitwarden from 1pass for this specific reason. 1pass only matches on domain.tld, where Bitwarden has many more options, including regex matching.
Besides ignoring the above issue for years, 1pass has been in the news recently for some serious mishandling of feature offerings, which was what spurred me to make the change.
KeePassXC or KeePass + your own cloud provider like NextCloud. You can go serverless sync with Syncthing. KeePass databases are widely supported by a lot of applications, and there are browser extensions, fully open source and very well made.
I use 1Password and I like it a lot. It works well and the integrations make the more tedious parts of password management easy.
Agreed. 1Password user here too. The company, AgileBits, published some good technical deep dives of their approach to encryption / security years ago. As far as I can tell they're doing everything right, and they've won me over.
Another happy camper here. 1pass has been great.
You should just search "password manager" on Tildes, this has been discussed in detail in many threads. I use Bitwarden btw, I wasn't sure about PMs at first, so a free one was the way to go for me.
I switched from LastPass to Bitwarden about a year ago. It's open-source and self-hostable, and the subscription is cheap.
It's worked really well for me overall. I can't even really think of much significant to say about it, and that's a good thing for a password manager—it does what I need and stays out of the way.
Have you tried 1Password and if so, are you able to compare the two?
Another couple of tildistas convinced me to try Bitwarden. I've not gotten the occasion yet as I've converted all my companies to 1Password, and I have a pretty high opinion of them (partly due to authority from Troy Hunt).
I haven't tried 1Password, but it's triple the subscription cost of Bitwarden. I'm sure it's good too, but there wasn't anything that attracted me to it in particular over the other options.
I'm looking at switching from LastPass myself, but am leaning towards KeePassXC; may I ask what it was about Bitwarden that led you to choose it?
If I remember right, there were a couple of features that KeePassXC didn't have. One was an easy way to share certain entries with my wife, since we share accounts for some sites. The other was proper Yubikey support. KeePassXC doesn't support them properly in a few ways, including not being able to associate multiple different keys with the same database: https://keepassxc.org/docs/#faq-yubikey-2fa
Woah, as someone who is trying to get their wife into using a password manager and would like to start using Yubikeys in the future, those are both very good reasons. Thanks!
It's not open source and I understand it's not really optimal, but I've been using LastPass since 2013 or 2014 with no complaints. Works on every device, auto syncs, and can usually seamlessly auto fill, which I consider a must have feature (or else I won't use it because I'm lazy).
I used LastPass for a long time, both before and after their acquisition. I relatively recently switched to Bitwarden and it has ticked all the same boxes LastPass ever did for me so far, with the significant plus of being open source. Switching over was dead easy.
I recently switched from LastPass to pass [with self-hosted git for sync] and it's amazing. Really lightweight and intuitive, yet very powerful. Their Firefox addon, while a little fiddly to get going, is MUCH better than the LastPass one.
All that said, it's probably not best for those less technically inclined or those without at least a little bit of familiarity with the concepts of PGP and the GPG tool.
Another pass user here. This is the first I've heard of a firefox addon. I'll have to check it out!
+1 on @NeoTheFox's recommendation. I wrote about how I set up KeePassXC here, and though it's a little out of date (I don't really use Dropbox anymore), it still might be helpful.
Off-topic meta: I originally wrote this as a reply to the aforementioned post, since their answer is basically the same as mine, but since it's a direct reply to the OP, I moved it into its own top-level comment. If there are any thoughts as to which way is better, I'd love to hear them.
Bitwarden just works. I've found varying degrees of friction with every other client. You can self-host, but I haven't done that yet. If you're trying a few out, I'd definitely start here.
I use 1Password on macOS, iOS, and Windows and like it a lot. Especially since 1P7 the Windows version got pretty good too.
If you don't want a subscription, EnPass is pretty nice for a one-off purchase, includes FaceID & TouchID integration for Macs & iOS devices, and you can choose your syncing provider of choice (for me, iCloud via CloudKit).
I used LastPass for 4 years and switched to Bitwarden for the last 2. LastPass used to be great, but I had some scare bugs with their system. The worst was the Android app wouldn't register my password; I swore off it since then. Bitwarden just works; it has a fine interface, but it is rock solid. I highly recommend Bitwarden.
I second @emdash's recommendation of EnPass as a user-friendly, non-subscription password manager.
For work, however, I like Codebook by Zetetic. One reason is that it has the option to sync directly between the desktop and mobile app over wifi, so syncing passwords doesn't require any 3rd party api or service, or even an internet connection.
It also has a cool feature they call "Secret Agent", which is a global keyboard shortcut to directly insert a given password anywhere as though it had been typed, instead of copying the password through the clipboard. You can also define actions with keypresses and wildcards, so you might define an action like <tab><tab>#[email]<tab>#[password]<enter> as the Secret Agent action to log in on a given website.
This is perhaps less convenient than a traditional password manager extension would be for logging into most websites, but it's handy for quickly inserting your password into a terminal session (#[password]<enter>), and especially convenient for auto-typing your username and password into a remote session with a dumb Windows VM which won't do clipboard sharing with your VNC client, for example (#[username]<tab>#[password]<enter>).
The Codebook interface itself is a little clunky, at least on Mac, but the flexibility of Secret Agent for all the byzantine systems I have to log in to during the day is fantastic. Perhaps others offer a similar feature, but I didn't see it when I surveyed the password manager landscape a few years ago.