My significant other wants to start using a password manager. I’ve been using pass for the last handful of years, but I’m afraid it requires too much technical savvy to be useful for them. I’ve therefore started looking at other solutions, but it seems like there are a vast number of solutions (lastpass, keepass, 1password, bitwarden, etc.), and I’m having a hard time figuring out what to trust and why.
So my question is: What password management solution do you use, and why? What are the benefits and drawbacks of your solution? How do you handle (and trust) synchronization, secret sharing and so on?
My vote goes to 1Password, for ease of use, built in security model (client side encryption), versatility in handling all kinds of data (notes, credit cards, etc) and reliability of the plugins to work with all websites and apps. Other password management apps that I’ve tried have frequently had problems with some websites. Sometimes 1Password still has edge cases where e.g. 2FA is not automatically filled in and you have to copy paste it manually. But I haven’t seen a better app yet.
Yeah, me too. I ended up at 1Password after trying a lot of both offline and online systems.
Have you had a chance to compare it with LastPass?
My work used LastPass and I couldn’t have created a worse UI if I’d tried. There was no easy way to generate a new password. It took three clicks in non-obvious places to get to it.
I used LastPass for several years before switching to 1Password a year ago. Wish I had switched earlier. LastPass’s UI design needs a lot of work and over time actually got worse with various annoying small bugs.
Hard no to LastPass. I used it years ago, audited it one evening on a lark, found a few vulns, reported them, a couple got fixed, a couple got me told to fuck off.
And also, LastPass: Security Issues
When I previously used LastPass, there were some weird differences between the browser version and the desktop version - there were some things that each of them couldn’t do.
One oddity worth noting - I don’t use the desktop app with 1Password. I’ve found their browser extension, 1PasswordX, to be more stable (it also has the benefit of working on Linux).
I believe with the addition of HaveIBeenPwned integration on the LastPass security dashboard, they’re pretty much similar feature wise (though maybe 1Password can store 2FA tokens). I’ve used 1Password because it felt way less clunky than LastPass and it doesn’t require me to install a random binary on my Linux machines in order to access my passwords.
I switched to 1Password from LastPass a couple years ago and haven’t looked back.
LastPass got unusably slow for me after I had more than a few hundred entries in it. I don’t know if they’ve fixed their performance problems by now, but I can’t think of anything I miss.
Long time 1Password user here. It’s by far the best tool I’ve ever used. And I believe it goes beyond the application itself, as the support team is also great. Given a matter as sensitive as all my credentials to log in to several different services, having good support is mandatory IMO.
1Password here too. Excuse the cliché, but it just works. The cost is minimal for me — $4/mo, I think.
I’ve been slowly moving some 2FA to it, but it seems dependent on 1Password itself detecting that the site supports it vs. something like Authy where I can add any website or app to it.
I just switched to 1Password after 5-10 years on Lastpass. There’s some quirks, it’s not perfect, I generally prefer it to Lastpass.
The only thing Lastpass truly does better is signup form detection. Specifically I like the model Lastpass uses of detecting the form submission, 1Password wants you to add the password prior to signing up, which gets messy if you fail signing up for some reason.
Oh yeah, this is a constant frustration of mine. Also, whenever I opt to save the password, I seem to have a solid 4-5 seconds of waiting before I can do this. This seems to be 1Password X, FWIW. Back in the good old days of 1Password 6 or so when vaults were just local files, the 1P browser extension seemed to save forms after submission.
I’ve been able to get my whole family onto a secure password manager by consolidating on 1Password. I don’t think I would have been successful with any of the other options I’ve found.
I self host Bitwarden. Before that we’ve been thru Enpass and 1Password but nothing felt as secure. Just be sure to back up data regularly in either case!
The reason for going down the self hosted route was primarily privacy. The only drawback is that we can’t sync without VPN (which we do not mind at all).
pass as my standard password manager, but I’m thinking about switching to bitwarden, largely so that I can access passwords on my phone. I’m actually currently running self-hosted bitwarden-rs myself, although my instance only has a single test password in it so far. The main thing I’m concerned about is having access to my passwords if my self-hosted webserver goes down for whatever reason. I haven’t figured out if bitwarden-rs provides a convenient way to do this.
I use bitwarden-rs. I have found that you generally have access to passwords on already-sync’d clients if the server is down. Sometimes, either due to elapsed time, or because the client has tried some operation that requires access to the server, the client will insist on a connection to the server before it will proceed. I haven’t yet cared enough to run this down; my existing clients give me access just fine for short server outages, and that’s the case I care about. (i.e. I never have to go fix a server in order to log in to something. I have had to go fix a server in order to set up a new browser, as you might expect.)
If you’d like to stick with pass, you might want to take a look at the apps. For me, using the Android app with Syncthing is working very well. I especially like it because I only sync a subset of my passwords which are in the “phone” directory; these are configured to be encrypted with my GPG key as well as another created specifically for my phone.
This adds the syncthing dependency, which I didn’t mind because I was using it already for other data, so it was very easy to configure. However, you can also synchronize using Git (at least on Android).
I use pass + git + GPG on my computers and Password Store (git built-in) + OpenKeychain on Android. The git repository is served from my server at home. No need for Syncthing, but in order to update any passwords I require being on my home network, however that is infrequent.
You can use Syncthing in combination with git, by replacing the .git directory with a .git file with contents gitdir: /path/to/.git. Then the git index will be excluded from Syncthing sync. You get the best of both worlds.
I use syncthing to sync my bare git repos, and push to them from other folders on my machine. Works pretty well.
I don’t have access to home network/VPN on my laptop for at least 8 hours a day and no issues so far. Just note that you can’t save new passwords without a connection.
I use VPN for editing. Access is OK with a cached version.
I use bitwarden with a bitwarden_rs backend running on a raspberry pi. Encrypted backups every 4 hours.
It’s really great!
Same, only VPS
I use KeePass compatible password managers. At the moment that’s KeePassXC on the desktop. I use it because there’s a choice of clients all using this same database format; said format is a single file I can sync between devices myself (I use Syncthing); and because it’s good enough! And of course a local database allows me to make sure my secrets never leave my devices.
I previously used 1Password but I reached a point where I couldn’t tolerate relying on and trusting a third party with my secrets. At the time their Linux and BSD support was essentially non-existent, although I believe that’s recently changed for the better.
The biggest problem I have with KeePass is its limited data model. For example, items can’t be associated with more than one URL and trying to store anything other than website username-password pairs feels unnatural. But that’s not a major issue.
+1 for the KeePass universe
It is not as polished as the alternatives, but has tons of customizability, is open source, and has a wide range of compatible alternative “frontends” for the database.
I use vanilla KeePass 2.x on windows, and KeePassDX on Android. Both do their job well enough for me. KeePassXC is more polished, probably OP should try that instead of vanilla KeePass.
How do you sync between your devices? I’m using MacPass on macOS and KeePassium on iOS but I’m always a bit worried about the sync, because it doesn’t operate record by record but on the whole file instead.
I use syncthing. KeePass has some basic conflict resolution support in case it is needed.
Syncthing has file versioning, which I also use
The whole point of 1Password is that you don’t have to trust them at all. Your secrets are encrypted with a combination of your master password (in your head) and a random secret key (only stored on your devices), both unknown to 1Password.
Bitwarden does something similar, albeit without the random secret key, which may or may not (I’m still not sure about that) make an offline attack easier if their server is hacked.
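As an added illustration (my example, not code from 1Password or Bitwarden), here is a toy model of the two-secret derivation the post above describes: the account key depends on both the stretched master password and a random secret key that never leaves the user's devices, so an attacker holding only what the server stores cannot check password guesses offline, while an attacker who also has the device-side key is back to a plain dictionary attack. The iteration count, the salt handling, the assumed 128-bit secret key size and the HKDF inputs are placeholders I chose, not the real client's parameters, and the "verifier" is a stand-in for whatever the service actually stores to check a login.

```python
import hashlib
import hmac
import secrets

# Illustration-only parameters; the real client's iteration count, salt
# handling and HKDF inputs are its own and are not reproduced here.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
SECRET_KEY_BYTES = 16  # assumed 128-bit device-side secret


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal RFC 5869 HKDF-SHA256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_account_key(password: str, secret_key: bytes, salt: bytes, account_id: str) -> bytes:
    """Two-secret derivation: stretched password XOR expanded secret key,
    so the result is unpredictable unless both inputs are known."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key, salt, account_id.encode("utf-8"))
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(account_key: bytes) -> bytes:
    """Stand-in for the value a server keeps to check a login (a keyed tag here)."""
    return hmac.new(account_key, b"login-verifier", hashlib.sha256).digest()


def offline_guess(stolen: dict, candidate_password: str, candidate_secret_key: bytes) -> bool:
    """Everything an attacker with a server dump can do: re-derive and compare."""
    key = derive_account_key(candidate_password, candidate_secret_key, stolen["salt"], stolen["account_id"])
    return hmac.compare_digest(make_verifier(key), stolen["verifier"])


def dictionary_attack(stolen: dict, wordlist, secret_key: bytes):
    """Return the first password in the list that verifies, or None."""
    for candidate in wordlist:
        if offline_guess(stolen, candidate, secret_key):
            return candidate
    return None


def demo():
    """Constructed scenario: a weak password that is in the attacker's wordlist."""
    account_id = "example-account"
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(SECRET_KEY_BYTES)  # lives only on the user's devices
    password = "correct horse"
    stolen = {  # what a server compromise yields
        "salt": salt,
        "account_id": account_id,
        "verifier": make_verifier(derive_account_key(password, secret_key, salt, account_id)),
    }
    wordlist = ["password", "letmein", "correct horse", "hunter2"]
    # Attacker who also took a device: ordinary dictionary attack succeeds.
    with_secret_key = dictionary_attack(stolen, wordlist, secret_key)
    # Attacker with the server dump only: every guess also needs the 128-bit key.
    server_only = dictionary_attack(stolen, wordlist, secrets.token_bytes(SECRET_KEY_BYTES))
    return with_secret_key, server_only
```

The XOR is what makes the scheme work: PBKDF2 output alone can be brute-forced from a server dump, but XORing it with a value derived from a uniformly random 128-bit secret leaves nothing for the attacker to compare against without that secret.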
You still need to trust that that’s what actually happens and that they have not and will not be coerced into changing that. Now, I probably do trust AgileBits - I used 1Password for a long time. But a while back I decided that I don’t want to have to trust others when it comes to my password manager. YMMV :)
Another +1 for keepass - I use xc on desktop with the Firefox plugin and keepass2android on phone, with Dropbox handling the sync. Works perfectly for me :)
I’m also in KeePass land. I’m attracted by the fact that it’s free and open source. I currently use KeeWeb with database files stored in Dropbox across my MacBook and iPhone. I especially like the ability to store arbitrary info along with my password and use it to remember what address/phone number I gave the account and the lies I’ve told as answers to my security questions.
For ease of use I remember less critical passwords (low impact if compromised or accounts with app-based 2FA) in the Apple keychain (iCloud) and keep the important ones only in KeeWeb.
I use the free version of Bitwarden for a year now and never had any issues. It syncs with all my devices and works on every platform. I’ve thought about upgrading to premium, just because I want to support the cause, but the free version works just fine. As a second factor I use my phone and a Yubikey.
+1 to BW. I don’t self-host since it is e2ee (it’s mission-critical to me and I don’t trust my humble homelab enough). At $10/yr it’s a steal, especially now that they released Emergency Access.
I used to use LastPass and in 3 years of using it, it felt too… work-in-progress. The Android auto-fill worked only about once in five tries.
BW is really polished, with just the features I need and no more.
pass. I trained my SO to use it, but I do have the advantage that she does data science for work and knows how to code. I also store my SSH keys in pass in such a way that lets me add keys to my agent with only my GPG key password. See for example: https://github.com/BurntSushi/dotfiles/blob/master/bin/ssh-add-pass-key (and the host of other
I use the Password Store app on Android to access my passwords on the go. It’s not terribly convenient, but it works well enough.
pass, for a couple of reasons:
If the maintainer of pass decided to quit maintaining it, I could probably handle maintaining pass for my own purposes.
If pass became defunct, I would still have all of my passwords.
Stated differently, I don’t see any reason why pass won’t continue to work indefinitely. I should never be forced to migrate away from it for extrinsic reasons. This is in contrast to many other systems like 1password which take ownership of storing your passwords for you. It is definitely more convenient than my system, but for my purposes and given my own technical knowledge, it’s not convenient enough to justify it from my perspective.
Companies like 1password are just one acquisition away from shutting down or doing a complete 180. It’s happened sooooo many times that it actually makes sense to plan for it at this point and take evasive action. It sucks. I’d love to use a company I trust with a nice convenient system, but that just isn’t the way the cookie crumbles.
Android Password Store won’t be going away anytime soon :)
Good to hear! Thank you for your work. I just signed up as a backer. :)
I saw, thanks for your support!
1Password Family, protects everyone in the house and we can share passwords between us as needed. Costs a handful of pounds a month for what I view as an essential service. (I also use 1Password at work.)
Works everywhere I need it to (including eldest’s Chromebook), synced between everything and easy to autofill webpages with.
My own tool based on GPG: pw.
It is basically pass, but with fast/smart git sync, easy multi-machine/recipient support and with many annoyances fixed. I don’t recommend it for your significant other though, but you might like it.
I use Bitwarden, it’s very cheap and never got any issue with it. I tried Dashlane but too expensive.
Another Bitwarden user here. I’ve used the paid version for a number of years and it’s been great. I used lastpass before that (started in like 2009? I’m getting old).
Bitwarden. I’ve started switching my parents (both 70+) over to using it. It doesn’t seem like it’s too technically complicated, but getting them to have good habits is the larger challenge. My mother thankfully doesn’t have many bad habits because she avoids computers.
I use KeePassXC. My password database is secured by: a password, a key file on an encrypted USB memstick, and my Yubikey. Must have all three to open the database.
What’s your plan for when the yubikey fails? (Reading my question, it sounds snarky and it really isn’t meant to be. I have refrained from using a yubikey in a very similar scenario specifically because I couldn’t satisfy myself that I could survive a failed yubikey. I would like to use it, and if your plan sounds like it could work for me, I’d be interested in trying it.)
I haven’t had a yubikey fail me in years. But, in case of failure of the USB memstick or the yubikey, I’d probably be hosed. I don’t have any Plan B. I’d be interested in suggestions.
For the USB stick, it seems straightforward to just make a backup and give it to a friend or keep it in a safe deposit box. The yubikey is trickier because they’re designed to make the key material impossible to back up. For remote services, it’s sufficient to register a second yubikey. You could keep that elsewhere similar to the second USB stick.
For the scheme I was contemplating locally (which I think is the same as the one that keepass uses) that wasn’t an option. I gave up and used a more traditional smart card (generating the key offline and importing it to 3 of them… I didn’t have anything that could do a true M-of-N scheme), but I don’t know if keepass can do that.
FWIW, I’ve never had a yubikey fail on me either. But I’ve lost one once, when the clip that held it to my (physical) keyring broke. If I hadn’t had a second one enrolled in all of my load bearing services, I’d have been very upset.
Do you find three-factor inconvenient at all?
Very occasionally. It’s a small price to pay.
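An added toy model, mine and not KeePassXC's code, of the three-factor setup discussed above (password, key file, YubiKey HMAC-SHA1 challenge-response). The exact byte layout KeePassXC feeds to its KDF lives in its source and is not reproduced; what the model shows is that every factor contributes to the key, so losing any one locks you out, and which factors can be duplicated for a recovery plan: a key file is a copyable file, and a YubiKey's challenge-response slot holds a 20-byte secret that you program yourself, so the same secret can be written to a spare key at setup time. The database "check value", the challenge and all sample inputs are my constructions.

```python
import hashlib
import hmac
import secrets


def password_component(password: str) -> bytes:
    # KeePass hashes the password before it enters the composite key.
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_component(keyfile_bytes: bytes) -> bytes:
    # Arbitrary-content key file: its hash is the component. (KeePass also
    # accepts 32-byte raw and XML key files; those forms are not modelled here.)
    return hashlib.sha256(keyfile_bytes).digest()


def yubikey_challenge_response(slot_secret: bytes, challenge: bytes) -> bytes:
    # What a YubiKey HMAC-SHA1 challenge-response slot computes: a 20-byte
    # HMAC-SHA1 over the challenge, keyed with the 20-byte secret in the slot.
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, keyfile_bytes: bytes, slot_secret: bytes, challenge: bytes) -> bytes:
    # Simplified composition: concatenate the three components and hash once.
    parts = (
        password_component(password)
        + keyfile_component(keyfile_bytes)
        + hashlib.sha256(yubikey_challenge_response(slot_secret, challenge)).digest()
    )
    return hashlib.sha256(parts).digest()


class ToyDatabase:
    """Holds only what anyone with the file could read: the challenge the
    hardware key is asked to answer (random here) and a key check value."""

    def __init__(self, password: str, keyfile_bytes: bytes, slot_secret: bytes):
        self.challenge = secrets.token_bytes(32)
        key = composite_key(password, keyfile_bytes, slot_secret, self.challenge)
        self.key_check = hashlib.sha256(b"toy-kdbx-check" + key).digest()

    def unlock(self, password: str, keyfile_bytes: bytes, slot_secret: bytes) -> bool:
        key = composite_key(password, keyfile_bytes, slot_secret, self.challenge)
        candidate = hashlib.sha256(b"toy-kdbx-check" + key).digest()
        return hmac.compare_digest(candidate, self.key_check)


def demo() -> dict:
    """Constructed scenario: open the database with each factor present,
    missing, or replaced by its backup."""
    password = "three factors"
    keyfile = secrets.token_bytes(64)          # constructed key file content
    primary_yubikey = secrets.token_bytes(20)  # slot secret programmed at setup
    spare_yubikey = bytes(primary_yubikey)     # same secret written to a second key
    db = ToyDatabase(password, keyfile, primary_yubikey)
    return {
        "all_three": db.unlock(password, keyfile, primary_yubikey),
        "spare_yubikey_works": db.unlock(password, keyfile, spare_yubikey),
        "keyfile_copy_works": db.unlock(password, bytes(keyfile), primary_yubikey),
        "wrong_password": db.unlock("three factor", keyfile, primary_yubikey),
        "lost_keyfile": db.unlock(password, b"", primary_yubikey),
        "lost_yubikey": db.unlock(password, keyfile, secrets.token_bytes(20)),
    }
```

The practical consequence for the backup question asked above: the key file and the password can be escrowed as copies, and the hardware factor can be escrowed only if the slot secret was written to a second key (or recorded) when the first one was programmed; a replacement key programmed later with a fresh secret will never open the existing database.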
I just use the built in Mac/iOS Keychain. Safari stores passwords (and credit cards) there, and iCloud syncs it across my devices with end-to-end encryption. Easy.
Yeah I use Chrome which is the non-Apple-ecosystem equivalent, though it can fill passwords on my ipad now.
KeePassX and KeePassDroid (and no access to these passwords on my iPad). Password database file shared via Dropbox. Lockfile shared out of band.
The lock file is a random secret key only stored locally, that you combine with your password, for increased security?
Another +1 to Bitwarden, been using it for years. Before that I used 1password until I moved off of mac, then LastPass which was just all around a bad experience.
Bitwarden is just a steal at $10/yr and the option to basically seamlessly self-host if need be is just great. I’ve been debating standing up bitwarden_rs, I had tried the Ruby bitwarden implementation and it was not so good.
pass (password-store) for all the important passwords, which are synchronized across devices via syncthing. The Android utility is quite good I think, and no manager has a better CLI interface than pass.
For general passwords, I use Firefox sync, which works fairly well across devices.
Lastpass but I’ve been itching to move to 1Password for a while. My hesitance is in the network effect: I have many passwords shared with other Lastpass users, so I’d end up having both Lastpass and whatever I’d be using installed. I wish there was a decentralized, host-agnostic password storage system that allowed sharing across major open source and proprietary password managers.
For something really low-fi, I recently discovered Password Card while searching for something more accessible and friendly to an elderly family member. We decided against implementing it, only because her attack surface is ~four passwords including Google and Facebook. It’s better for her to write it down on a sticky note and put it in her line of sight because her handwriting is sufficient encryption to thwart even the most sophisticated attackers except perhaps a nation-state with seasoned handwriting analysis experts. She even thwarts herself without her glasses on!
I’ve been using Buttercup, opening up KeepassXC when there’s an account I haven’t migrated over yet.
Buttercup seems super interesting with its change merging feature! Something I miss in the KeePass ecosystem.
my understanding was that vim’s blowfish encryption is an unauthenticated encryption in cfb mode, and really not recommended for things that you want to keep secure
Is it ensuring your passwords don’t stay in memory after blowfish decryption? Password managers go to great length to avoid this as much as possible.
I use LastPass (and pay for it).
It was the first password manager I heard about and I thought it sounded neat. It was easy to install the extension and the mobile app.
I’ve since heard rumblings that it’s not as secure as other solutions but frankly I don’t really care. Much like having a strong lock on a storage locker, the idea is that any normal bad actor will just move on to one with weaker locks.
Someone should write a graphical frontend to pass it seems.
I think that’s antithetical to the simplicity of pass, tho
I have been using KeePass for the last couple of years (since 2012, if not a bit earlier), with SyncThing keeping it synced across my devices.
It has been quite reliable. Sometimes I’ll get a sync conflict, but it’s rare enough that I fix it manually, and I like the fact that I don’t need Internet access - hotspot on airplane mode is enough - for it to work.
I wrote a small and simple password manager in Go. Cryptography is provided by x/crypto/nacl/secretbox, x/crypto/scrypt, and crypto/rand. It does what I want it to do. Synchronization is easy, just use rsync over ssh or sftp.
I highly recommend using a password manager – it increases security and convenience at the same time. And you can put all kinds of things in it, not just passwords/passphrases. For example I save DNSCurve keys, WireGuard keys, etc. You can put anything you want in there.
Also interested in hearing what non-technical people are known to like and use. Would love to get my wife to use a password manager but I don’t know what’s both secure and frictionless.
I also use my own custom password safe, kept in a plain text file and secured by ccrypt. Access is via a shell wrapper around vim on my desktop and imported via another script into keepass2android for my smartphone. The text file itself is in a completely unstructured format, containing not just passwords but all personal details that I need to track, for everything that I deem needs to be kept private. The script which wraps my access to the file also keeps a local RCS revision history of all changes to the file (also encrypted). The shell wrapper around vim disables features which might leak information out of vim, such as the search history (.viminfo) and the swap file. All my passwords (except a small handful) are unique, random strings generated from my own template. My template is currently:
The benefits of using a free-form (unstructured) text file are:
The drawbacks are:
“Secure and frictionless” pretty well describes 1Password. It’s well supported on most platforms now via 1Password X for Chrome, Firefox, Edge and Brave, and native apps for macOS, Windows, iOS and Android, with a command line app for Linux (and I believe they are working on a Rust based GUI app for Linux, but I might be misremembering their podcast about it). All data is encrypted client side, autofill works incredibly well, and it makes life easier than having to remember anything. I have no affiliation with them, I just think they make a fantastic product that is worth the money.
i use gpg encrypted files in a git repo.
I did use pass as well but found it a bit rough around the edges, especially for my SO. So I tried to improve the UX of pass. Failing at mastering bash I started from scratch and built a compatible password store implementation called gopass.
It’s come along nicely and working very well.
I’ve been using gopass for a while. It’s working great for me.
Related question: What’s your backup plan if you forget your master password, for example after an accident leaving you with a temporary memory loss?
1Password family means my partner and I can reset each other’s keys. (I haven’t read the whitepaper in a while, but iirc everyone in the family’s private keys get stored encrypted by everyone else in the family. 1P themselves still cannot access your data since they don’t have an unencrypted copy of anyone’s keys, and you can’t indiscriminately access others’ data because the 1P server won’t just give it to you.)
Keeping the number of accounts I need to keep track of in the first place low so that manual recovery is plausible!
It’s a good question though - I have had the experience of not having to type my master password for only a week or two, then coming back to it and not having a clue what it was. It was only muscle memory that saved me.
If I’m not mistaken and memory serves, 1Password generates a PDF form for your physical vault or safe deposit box that is an emergency backup plan with your master key.
Yeah, I have this. I also use a family plan, so my wife can get in; and, honestly, I wrote the password down and it’s in our secure storage with our passports and such.
Now I use Bitwarden. I started out self hosting their server on a VPS. That was very resource heavy and didn’t run all that well on a $10/mo Linode; I had to reboot the box every 6 weeks or so.
I stood up a bitwarden_rs instance in my basement and configured it to connect to a cloud VPS via wireguard. That cloud VPS has caddy configured as a reverse proxy. bitwarden_rs is light enough that it would most likely work just fine on a $5/mo Linode or DO VPS, but I like this better. I wrote up my reverse proxy setup and later described the steps I’ve landed on for exposing new VMs.
I am very happy with Bitwarden, and pay the premium personal subscription even though the bitwarden_rs server includes all of the premium features without paying. 1Password is a little bit nicer. If I were still spending all of my time on Mac/iOS/Android/Windows I might think about giving up my insistence on hosting my own data for synchronization and just use that. But Bitwarden is really, really good and I don’t have to give that up. The iphone and ipad apps are excellent, the electron thing for linux is pretty good, and their browser add-ons are good.
Also, much like I did with 1password all that time ago, I read the source to satisfy myself that their approach is broadly sane. But this time the source is open, so I didn’t have to pick it out of a web viewer.
I moved away from 1Password recently for most of the same reasons, although in my case I took the plunge into KeePass. I can’t justify it, but I also got the feeling (mainly from listening to AgileBit’s podcast) that internal company culture was changing and it made me uncomfortable.
Was that around the time they took VC money? I had stopped using it by then, but my instant reaction to that news was that I hoped it wouldn’t change the culture. Every time I interacted with them, you could really see Dave Teare’s fingerprints all over the experience, in a very good way. If taking VC made that change, it’d be sad.
I like KeePass. 95% of my preference for Bitwarden stems from a hope to get family members to use it too. The other 5% is vague and hopefully unfounded worry that my sync schemes were going to cause data loss if two clients wrote to the database at just the wrong time.
Yes, exactly around the VC investment unfortunately. Can’t prove causation but it’s hardly a leap to link it to (perceived) company changes.
As others have said: KeePass. The KeePass format guarantees that you won’t be locked in to a specific platform/software.
KeepassXC is pretty good, feature-wise: it works with hardware keys (e.g., Yubikey), supports OTP, and you may use it as an SSH agent for storing your SSH keys.
If your partner uses macOS or iOS, Strongbox has a better UI, and many features, too (it also supports Password Safe). It’s based on a freemium model, but it’s fully functional in its free version; the full version is reasonably priced, though, and helps support its indie developer. Source code is on GitHub.
Disclaimer: I have no relationship whatsoever with Strongbox, and I don’t know whether the code has been audited.
I use pass with git on my personal server and it works wonders and it’s like a godsend for me. I have used bitwarden in the past amongst many others though and would recommend bitwarden to anyone that isn’t technically savvy or just wants a ready to go password manager.
I’ve heard good things about 1password though, but never used it.
Very surprised there’s no love for vault. We use it.
Firefox + Firefox Sync + Mozilla Lockwise app for iOS. It’s a syncing, cross-platform password manager for free.
I use and endorse the use of 1Password, because it is the easiest for my non-technical wife to use. Any theoretical decrease in security due to the closed source nature of the client and service are entirely outweighed by the practical benefits of having my wife move onto strong passwords.
I’ve been using Bitwarden for the past year and have been very happy with it so far. I mainly use the iOS app and Chrome plugin:
I am posting my similar query here (because I am not able to make it a post): Is there any open source solution for sharing TOTP, HOTP (Multifactor Auth Systems) across a team for accounts?
KeePassXC can save TOTP secrets, not just passwords, in its database file. You could put that database file in a shared folder (e.g. OneDrive or Dropbox) to allow all team members to access or change it.
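An added example, mine rather than KeePassXC's code, of what "sharing the TOTP secret" amounts to: the secret is just the base32 seed from the otpauth:// URI (the same thing the enrolment QR code encodes), and anyone holding that seed can compute the identical RFC 6238 code, which is why a shared database works for a team and also why that database is now both factors at once. The derivation below is the standard RFC 4226/6238 algorithm; the URI, its label and the verification window are my constructions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(text: str) -> bytes:
    # Seeds are shown base32, often lower case, space-grouped and unpadded.
    cleaned = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    # RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    # then reduce modulo 10^digits and left-pad with zeros.
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time, period: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    # RFC 6238: HOTP with counter = floor(unix_time / period).
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time, period=30, digits=6, algorithm=hashlib.sha1, window=1) -> bool:
    # Accept neighbouring steps to tolerate clock drift; compare in constant time.
    counter = int(at_time) // period
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    # otpauth://totp/Issuer:account?secret=BASE32&issuer=...&digits=6&period=30&algorithm=SHA1
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": decode_base32_secret(query["secret"]),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": ALGORITHMS[query.get("algorithm", "SHA1").upper()],
    }


def current_code(uri: str, now=None) -> str:
    # Every team member holding this URI computes the same code at the same time.
    p = parse_otpauth(uri)
    at = time.time() if now is None else now
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


# Constructed shared entry; the seed is the RFC 6238 test seed "12345678901234567890" in base32.
SHARED_URI = "otpauth://totp/Example:ops-team?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

if __name__ == "__main__":
    print(parse_otpauth(SHARED_URI)["label"], current_code(SHARED_URI))
```

Two things worth checking before adopting the shared-database approach: the strength of the database's own master key and KDF settings now protects the second factor as well as the first, and removing a departed team member means rotating the seed at the service, since every copy of the database they ever synced still derives valid codes.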
I switched from LastPass to Bitwarden today and I’m really happy with my decision:
Exporting to CSV from LastPass and importing in Bitwarden was easy. I just had to delete one of the Secure Notes first because it was too big (it was my big text file of passwords from pre-LastPass).
I’m using the free version, but I’ll happily pay $10/year if I ever find myself needing one of the premium features.
Previously I used encrypted .org files. Now I have migrated to pass. I love that it’s a plain text format. I can put anything there however I want. And, it’s free software all around.
KeePassXC on the computer :) I rotate these about once every 2 years, unless a site gets their passwords exposed/hacked and I know about it.
I also store the passwords in the browser (Safari) for convenience.
The attack vector I am mostly trying to avoid with this combo (KeePassXC + Browser password manager) is the website leak, not so much my computer being invaded/stolen (I am planning on buying a YubiKey for a while now…)
I have no phone.
Work gives us a free 1password family account, so I have been switching over to that for ease of sharing and usability by family. (Think of those 5 people you would share Netflix with but still want to change the password from time to time).
Before 1password I was all in on Pass, working on multiple keys for certain shared directories and deploy tokens for each device. My chromebook stopped copying from/to the x clipboard, so I started having usability issues, but it still is my long term favorite and I expect to go back to it in the future.
For everything: https://www.passwordstore.org/
For Android: https://github.com/android-password-store/Android-Password-Store
For Mac: http://qtpass.org/
For Firefox: https://github.com/jvenant/passff#readme
I also use pass, and with the right UI setup it might be an option.
However, my wife uses firefox lockwise and loves it.
I use Enpass but am looking to switch because they moved away from their one-time payment model to a recurring subscription (even though I selfhost the data) and they’ve added an annoying red dot on a tab in the app that won’t go away unless you buy said extra subscription.
I’ll probably selfhost Bitwarden with the ruby server, but just need to get around to it.
Do you mean the bitwarden-compatible server written in rust, or is there a ruby one that I haven’t heard of yet?
If you mean the rust server, it’s been rock-solid for me.
I have been using Bitwarden for a couple of years and I am quite happy with it. I have also used KeepassXC in the past because the Bitwarden URL was blocked by the company firewall. The only feature that is truly missing is a way to check for and remove duplicate entries.
I use the simple pass utility on the command line.
yapet, which I found in the Debian package list. I don’t want a web app, I don’t want a phone app, I want something I can keep on my terminal server and access from anywhere with an SSH connection.
yapet is some weird little thing nobody’s ever heard of, but it has a nice TUI that lets me actually see and manipulate entries, which is where things like pass fall down for me. I should probably look at various Keepass TUIs again; last I did they were excessively flaky, but that was a few years ago.
I use Firefox + LastPass and a few (duplicated) YubiKeys for 2FA.
Works great for me, regardless of if I’m on Mac/Windows/Linux or iOS.
(I’m sure a self-hosted bitwarden-rs would be more secure.)