Hi,
I am tired of remembering/generating passwords for each site. I have used pass. I don’t know why but I don’t like it that much. I had issues syncing the passwords via dropbox (I had merge issues before) or git (way too manual).
I would like to know how you solve/what do you use.
Bitwarden is my tool of choice for this. I haven’t been a fan of other more CLI-centric password managers as they usually don’t have browser integration. The usability of using an in-browser UI to generate a random password and the prompts to save it when I submit forms are very important IMO. Nothing has come close to that while also being open source.
One thing that irks me about Bitwarden is having to provide an email address and getting an installation id & key if I’d like to self host it for myself. Please correct me if I’m wrong but from what I understand, even for using it without the “premium” features one still needs to perform this step.
If so, I think I’ll stick with my pass + rofi-pass + Password Store for Android combo for now.
This is true, there are ways around it, if you work a little, since it is OSS. However, there are a few 3rd party tools, 2 of which are server implementations: bitwarden-go(https://github.com/VictorNine/bitwarden-go) and bitwarden-ruby(https://github.com/jcs/bitwarden-ruby).
There is also a CLI tool (https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/index.html)
Are you self-hosting it or using the hosted version? I’m somehow always sceptical of having hosted password storage, even if it’s encrypted and everything.
If it’s not encrypted, they see your secrets. If it is encrypted, they’re in control of your secrets. In self-hosted setup, you are in control of your secrets. If encrypted, you might loose them. If sync’d to third party (preferably multiple), you still might loose key. If on scattered paper copies, each in safe place, you probably won’t. For some failures, write-once (i.e. CD-R) or append-only storage can help where a clean copy can be reproduced from the pieces.
That’s pretty much my style of doing this. It’s not as easy as 1Password or something, though. There’s the real tradeoff.
It is encrypted, here is a link on how the crypto works in english: https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/crypto.html
I agree Bitwarden is not quite as user friendly(or as secure if using local vaults) as 1Password, but for an OSS app, it’s definitely at the top of the list on user friendliness of password managers.
I run a server locally on my LAN, and my phone/etc sync to it. I definitely don’t want my secrets out in the cloud somewhere, no matter how encrypted they might be.
Unix pass (https://www.passwordstore.org/)
I also use pass with keybase git.
[Comment removed by author]
I’m using 1Password with local sync over the built-in web server. 1Passwords also supports syncing via Dropbox, iCloud and, most recently, 1Passwords’s own servers. I want nothing of that but it means that I can’t use 1Password on Linux. What’s great about 1Password is that it is highly polished - using it adds very little friction. I understand that I could manage all passwords encrypted in Git but the integration would never be as good and there is a lot of risk that this would somehow not be as secure as it sounds.
I recently switched to Enpass, which is a conceptual clone of 1Password. Reason for switching was Linux support.
This is a closed-source app that has not yet received a lot of scrutiny. Using it for truly sensitive information requires quite a bit of trust. They claim to use sqlite with encryption – which I would trust but of course, there is a lot of code around it that would have to be trusted as well.
The first thing it tried to do when I ran it was reach out to Google Analytics. I said enough of that, and promptly uninstalled it.
1Password (at least the hosted version) has linux support via both 1password-x and 1password-cli. I quite enjoy the CLI and generally find that it has a better user experience than LastPass.
I started using KeePassX several years ago because I needed cross-platform compatibility. It requires more manual work than other options and I don’t have it sync’d with mobile. However, it is also reliable enough to discourage me from switching.
After a few years of using KeePassX I switched to KeePassXC and I’m glad I did. Nearly the same thing but better (eg. TOTP, UI/UX improvements).
It started as a community fork because development on KeePassX was too slow, take a trip to https://github.com/keepassxreboot/keepassxc/issues/43 for the details.
Same, still works fine and to my knowledge is still considered safe. So still stick with it for now.
gpg encrypted file somewhere. With a simple grep script if I need a password, and a vim plugin to edit gpg files if I need to add/update something.
I do something similar but I could not wrap my head around gpg yet: I have a 2GB pendrive that I always mount to /mnt/key and have /mnt/key/ssh /mnt/key/pop3… files encrypted with enchive. It have a
--agentflag to make it act as an ssh-agent.1Password as the source of truth for everything (sans browser extension) and Chrome autofill for day-to-day usage.
Edit: this thread is really great for telling people exactly how to spearfish you :0
pass. I don’t understand the syncing issues. If you write code and use git, then syncing passwords works exactly the same as syncing code. I even have it working on my phone.
how do you add or update passwords in your phone or ipad? i travel and i don’t always have access to a computer.
That isn’t actually in my normal usage pattern, but I just tried it and it works. The app lets me add entries to my
passdatabase, and then I can push to my git remote through the GUI. What happens if a merge conflict arises isn’t clear though. :-)I also use pass, but only have it locally on one machine. Until now I’ve been relying on Chrome’s password sync feature if I wanted a password on my phone too.
My setup isn’t ideal, so if you don’t mind elaborating on yours, please would you give more details?
Oh sure! I have an Android phone. All I did was install OpenKeychain and the unofficial Android Password Store app. I then imported my key into OpenKeychain and setup Password Store on my phone to use it. All Password Store needs is to pull from your git repo containing passwords. It only does this when you tell it to, so it keeps a local copy on your phone and you can sync whenever.
Fantastic info; thank you very much. :-)
KeePassX and syncing it one-way via SyncThing (i.e. I only ever edit the master and periodically sync downstream to laptops, phones etc). For generating new passwords on the non-main computer I do whatever method of remembering it and then manually enter it there. Good enough for me.
I wrote my own password manager that does cool things:
So, it’s actually kinda cool, and I do use it for new passwords and an SSH key. Old passwords are still in an 1Password vault, I’m using gonepass to read it on FreeBSD.
The problem with freepass is… I haven’t completed any UIs other than the rofi/dmenu/peco/fzf/… interactive “CLI” version.
I’ve started work on an iOS version and an Android version, figured out the hard part (calling into Rust from Kotlin and Swift), but did not complete the UIs. They only kinda open a vault and show entry names right now. I actually sold my Mac soon after starting the iOS version (now I’ve hack-installed Yosemite onto an ancient Mini, I wonder if that’s new enough for modern Xcode). And the Android… I actually can just continue development, but I’ve been lazy and busy with other stuff.
Took a quick glance at Github. The dialog for entering authentication is neat-looking. Reminds me of some ancient apps and games.
The password prompt is also an external program! That’s the version of askpass I had at the time.
I too had issues around syncing my own files using pass in the past and eventually settled on LastPass. In my opinion, it’s worth paying $24 a year for premium support which gives me 1GB of encrypted storage and more two-factor authentication options. Plus having the app seamlessly sync to my phone is great as I can just copy passwords to the clipboard for other apps on my phone. It’s been easy to use and I enjoy not having to worry about passwords anymore.
Edit: Sorry that this was seen as spam. I realized after the fact that it was a little zealous. I am by no means connected to or trying to endorse LastPass.
I have actually been really impressed with their android auto-fill as well, it actually works pretty well.
Does that work in Firefox as well? This is one pretty big pain point for 1password for me
Talking about Firefox on Android? I don’t think so, at least it doesn’t for me. I don’t think that’s LastPass vs 1Password though, I think each app has to implement it. Looks like Android P will bring it to browsers by default
I’ve been sticking with LastPass for a while as well. They have a good automatic sync and user experience on all platforms, and from what I understand, the data architecture is good - master password never touches their servers, always handled by Javascript in the browser or in the mobile app. I do try and remember to back up the password list periodically as well.
For websites: Firefox Sync :-) Everything that isn’t a website or is important enough to have more than 3 copies (laptop, workstation, phone) lives in a keepass file, hosted on a nextcloud instance.
Do note that Firefox Sync has a pretty nasty security flaw: your passwords are ultimately protected by your Firefox Account password — so you need to make sure that it’s a high entropy one (like
52ICsHuwrslpDl6fbjdvtv, not likecorrect horse battery staple). You also need to make sure that you never log into your Firefox Account online: Mozilla serve the login UI with JavaScript, which means that they can serve you malicious JavaScript which steals your password (this is worse than a malicious browser, because someone might actually notice a malicious browser executable, but the odds of detecting a single malicious serve of a JavaScript resource are pretty much nil).I use
pass, with git-remote-gcrypt to encrypt thepassrepo itself (unfortunately,passhas a security flaw in that it doesn’t encrypt filenames).I’m pretty sure the password isn’t used directly but derived into a crypto key using PBKDF2 on the client.
This does not protect you from physical access (if you ever let your computer unlocked). It took me 10 seconds to discover that firefox lets anyone see the plain password of every account.
https://i.imgur.com/lbxmMow.png
If you use a master password, you have to enter that to see the plain password in that dialog.
That makes more sense.
True! imho physical access should be countered with something else. Lockscreens, hard disk encryption etc.
Yes, of course if there is a physical access there is no much hope left: even with ssh, if ssh-agent is running or a terminal with a recent sudo and much damage can be done.
What did surprise me is how fast and easy it is to go straight to the password.
Yes, but that doesn’t add any entropy: if your password is ‘love123,’ it’s still low-entropy, even if it’s stretched.
Remember, too, that the client-side stretching is performed by JavaScript Mozilla delivers when you attempt to log in — as I noted, they could deliver malicious JavaScript at a whim (or under duress …).
LastPass, have used it since forever. Works well enough for being a free service. Use it with MFA and change my master every year, have had no security troubles ever. It’s easy to use and it integrates seamlessly with all browsers.
I use KeePass. I store my kdbx file on a remote box and have it available via mounted sshfs on my Linux boxes. For Windows machines I use the IOProtocolExt plugin to transfer the file via SSH. On Android I use Keepass2Android which has built-in SSH support.
Vim! With a little script that creates a mount namespace, mounts an encrypted directory with gocryptfs, and either spawns a shell or opens vim on a markdown file with passwords.
For syncing, I carry the laptop in a bag.
Is the bag cross platform?
That bag is very portable.
I use Password Gorilla on unix systems for managing passwords.
I don’t really trust the software or hardware I run so important passwords are on paper, which I tend to keep home (but sometimes take along if I’m travelling for days). If you find the right time and place to mug or rob me, you’ll get (part of) the keys. I’ll take that over “whoops, critical security vulnerability found in $popularSoftware, 10 million passwords leaked.”
Yours is most secure method. Next best is dedicated, embedded device. I had a hypothetical design that used hardware of an old electronic organizer. One could use it as a trusted path, secure initializer, password storage, TRNG, etc. Someone copied the idea visually for password management. Nothing else, though, esp like separation kernels or I/O mediation. Still might build it one day.
Local method varies over time. Im pretty sure Ive used this cloud service, though, to back them up. The provider has bern around decades. They and my passwords aren’t going anywhere soon. The cloud part is currently manual: doesn’t sync across devices yet but the devices sync to it opportunisticaly. They said they were working on real-time sync which Im pretty sure is for them sending copies to me for restores.
I’m surprised Revelation is not mentioned. It’s full featured, can import/export – the only drawback is that it’s not cloud-based and has no mobile/web interface. But for desktop use, it’s really good.
This is part of many Linux distributions - so easy to install.
Latest commit f574668 on 20 Sep 2013on the GitHub repository does not instil confidence that this is maintained.I use Apple iCloud and Safari.
I also do this.
apt-get install yapetI have to manually create an rc file so that it will always open the same locally stored encrypted credential storage file when I start it and provide a passphrase.
I have to carefully click+drag on my terminal window to get the right text selected (because passwords have word-boundary characters in them). Then, am in the habit of using the “copy” function from a menu, rather than rely on the xselection, because its moderate unreliability (I use shared clipboards between different OS’d hosts and guests a lot) gets magnified by hidden-value password fields.
Frequently, the ncurses interface doesn’t work properly if I try to use it over ssh (god forbid via some android terminal emulator).
It’s a PITA.
I mostly use Firefox Sync. That and Safari/iCloud. The Single Source of Truth is a paper booklet I bound myself. I used to use an encrypted org-file w/ Emacs, which was really nice, but it was not super convenient (and I did sync w/ Dropbox, just not my keys!).
As for generation, I start rolling 5 d6 and open diceware.txt . The OS X Password Assistant is pretty good, but my preference has shifted to diceware.
It’s fine to use Firefox Sync as long as you’re aware of the security issues & take appropriate countermeasures; see my other post. I’m worried that some people don’t realise how broken the Firefox Account model is, and rely on it more than it deserves.
Cool, thanks. How many bits of entropy are we talking about? The example you posted looked to be maybe 120? bits. Correct horse.. should be around 50 bits. Is 80 enough?
My main concern so far is the authenticity of the password prompt, it’s just totally unstyled and I can’t tell/remember if it’s really Firefox asking, especially when I haven’t really tried logging into anything (even though it syncs bookmarks too) so I often hit cancel.
I believe that keys should be 128 bits of entropy, so don’t consider 80 enough. It may be a bit overkill, but security is important — and recording or memorising a single super-password is easy enough anyway.
I use my own pw. Unixy and similar to pass (a wrapper over GPG), but with no information leaking and single-file DBs.
I use Keepass for both work (very sensitive for others) and private (very sensitive for me), where the kdbx file is stored in a Cryptomator vault that gets synced through a private NextCloud instance that is only exposed over my own p2p vpn. All of these components are open source (which is a requirement for me), cross platform (linux, bsd, windows) and are quite consistent (which I find important). Of course, Keepass is a bit more work to setup and less fancy GUI wise than say LastPass, but it suits me fine. It has autofill anyway, so I rarely have to copy paste the passwords myself.
The only thing I find a bit annoying is decrypting the vault every day, but I don’t feel syncing kdbx files over the internet is secure enough. How do others here feel about this? I always believe in layers of security (encrypted database + encrypted vault + tls + vpn + strong certificates and passphrases, everything under my own control) but there are also people that use Keepass only with Dropbox and only rely on the strenth of the kdbx file itself. Any thoughts? :)
For web stuff I use https://chrome.google.com/webstore/detail/bpasswd/dfehiejdcgoiofnfkdippnfadgdpnmlh?hl=en and find it works well (except for sites that in the infinite wisdom don’t allow me to paste in a password).
But… I’ve been thinking about switching to https://www.passwordstore.org/ (or the Go port of same).
For generating one off passwords I use https://github.com/ulif/diceware
I use vim and a text file but for some passwords, rather than store the password in clear, I have to run pwgen with -H and it regenerates the password.
I used Lastpass for years, it worked well but it’s gotten slow and their iOS app has always been a real annoyance as it seems to never keep my session active for more than a day so I was always typing my master password.
I recently switched to KeePass (KeePassXC on desktop and KeePass Touch on iOS) and it’s been great! Sync database with Dropbox, added protection with a key file (not on Dropbox), and the iOS app has worked flawlessly with touchid and has the added bonus of also using a pin. Being able to access my passwords offline has been a nice side effect too. And managing TOTP from KeePassXC means I reach for my phone less and is quite convenient.
Came here to see what software people use. I literally remember all of them. I’m not even joking. Is that stupid? Because it seems password managers only protect you against large sweeping attacks. But seem to have no benefit for targeted attacks.
I too am a Keepass/syncthing user. I use kpcli on desktops, KeePassDroid on Android, and I forget what my partner uses on Mac for our shared passwords. Perhaps not the lowest-friction setup but it’s completely under my control and I have high confidence in it.
On my Mac, I use MacPass (compatible with KeePass .kbd files) and I sync with Dropbox. On Android, I use KeePassDroid and Dropbox. I also use the password manager built-in in Chrome to sync passwords between my Mac and Android (to login in sites like Lobsters).
If you ever let your computer unlocked, it takes me 4 second to retrieve a passwords from chrome built-in password manager:
3-dot option button > settings > search for “pass” > click on the eye to see the password.
I did steal password this way, and anyone who can use a GUI can do it.
https://i.imgur.com/y7TkAy0.png
Yes, I’m aware of this threat.
Then I’m ok with it, carry on if you like.
Just to make it clear:
According to your screenshot, it looks like you are not using a Mac, but at least, it looks like the threat you mentioned doesn’t exist on Mac.
As you knew the vulnerability, you could block the threat.
I’ll recommend this way of doing for people storing passwords on chrome and Mac. It looks like they chose great defaults for this.
Thanks!
For stuff specific to me, I use iCloud Keychain (all my devices are macOS/iOS).
For company stuff (particularly when collaborating with others) I’ve tried KeePass/compatible stuff, and wasn’t super thrilled about it. I keep meaning to try
pass, though, which you’ve said you’re not keen about.I use Dashlane. I started using it way back when it was in beta, and when they released 1.0 I had an option to pay a one-time fee to get premium features for life. I like the browser integration, mobile app, and “security center. It tracks incidents and let you know if a password you have is potentially compromised. It also has an automatic password changer, although it only works on a limited set of websites.
I would not recommend to store any password “in the cloud” (dropbox, password managers), as it is heavily targeted to surveillance and attacks.
An advantage of git is that you can use it over SSH (again, I do not against GitHub for passwords).
Why not keeping the passwords on a usb flash drive at your keyring (the physical one)? You have then all your keys in a safe place with no leak ever possible while you are not at the moment where you want to log in. Then even if you loose your laptop, you do not loose any precious password.
Putting them on an encrypted file/drive partition might also be a more reasonable choice as long as you know where your computer is going.
i agree with what you wrote but how do you use thoses passwords in an iphone/android/ipad/tablet?
That is a big flaw, you can’t you are right.
KeePassXC on my personal laptops and desktop, KeePass DX on Android, and vanilla KeePass on my Windows workstation. I keep the database in sync with Syncthing. I have a separate LastPass account for work accounts.
Unimportant passwords I generate for each place and keep in a single unecrypted file without any extra frills. The few important ones I remember. I use uuidgen to generate passwords, mostly because it’s short to write and already available on a netbsd install.
My phone stays logged in to the few unimportant places that require a password, I don’t sync anything to it.
I don’t, security is overrated
I used to use pass, but I never liked gpg nor the leaking of the metadata. So I wrote a simple symmetric file encryption tool (based on monocypher, with argon2 password hashing) and I now store my passwords in a single file where even lines are sites, and odd lines the matching password. I keep this password file in my (public) dotfiles for more convenience too.
Nobody mentionned https://lesspass.com/, I was thinking of giving it a go to replace pass for non critical web password.
I mostly use iCloud, but I also use https://bitbucket.org/alfaromurillo/org-passwords.el for passwords that are not “consumed” through a browser.