1. 41

I’d so like a password manager that is (1) free & open source, (2) available at least on Linux, BSD, and Android, and (3) can sync/backup securely over ssh, ideally to multiple hosts. Am I looking for unicorns?

  1. 37

    I’ve been very happy with pass, a command-line tool that stores passwords and notes in a git repository. Being a directory of text files, it’s easy to use standard command-line tools on or tinker with programmatically. There’s a thriving ecosystem of plugins, tools, and clients.

    I also use autopass for autofilling in X applications. As time goes in, I fill in more and more autotype fields to check ‘remember me’ boxes and other non-standard fields. It’s really convenient. (One annoyance is that if any password files are not valid YAML, autopass errors to stdout without opening a window, so I hit my hotkey and nothing happens.)

    1. 11

      One more vote for pass, i’ve been a happy user for years now. Was missing a proper browser extension for it so I built one: Browserpass. It’s no longer maintained by me due to lack of time, but the community is doing a far better job at maintaining it than I possibly could so that’s all good!

      1. 10

        Pass looks pretty neat, but the reason I stick with KeePass(XC) is that Pass leaks metadata in the filenames - so your encryption doesn’t protect you from anyone reading the name of every site you have an account with, which is an often overlooked drawback IMO.

        1. 5

          Your filenames don’t have to be meaningful though. It would be relativity trivial to extend pass to use randomly generated names, and then use an encrypted key->value file to easily access the file you want.

          On the other hand, if someone already has that access to your device, accessing ~/.mozilla/firefox/... or analogous other directories with far more information is just as trivial, and has probably more informational value.

          1. 3

            Then youre working around a pretty central part of pass’s design, which I don’t really like. It should be better by default.

            wrt your second point, if you give up when they can read the filesystem, why even encrypt at all? IMO the idea is you should be able to put your password storage on an untrusted medium, and know that your data are safe.

            1. 12

              if you give up when they can read the filesystem, why even encrypt at all?

              Because in my opinion, there’s a difference between a intruder knowing that I have a “mail” password, and them actually knowing this password.

        2. 5

          The QR code feature of pass is neat for when you need to login on a phone.

          1. 2

            Huh, you made me read the man page and learn about this - it’s really cool! What’s your usage like for this though? Just use any barcode reader and then copy paste in the password box?

            1. 1

              A barcode reader I trusted, but yeah - its a good hack because I usually have my laptop which has full disk encryption.

              1. 2

                Yeah, when you said that all I could think of was the barcode scanner that I used to use where it would store the result of each barcode scanned in a history file… Not ideal :)

          2. 2

            Seems like the android version’s maintainer is giving up. (Nice, 80k lines of code in just one dep…)

            The temptation to nih it is growing stronger but I don’t have enough time :(

          3. 21

            I personally use Bitwarden, which I would say that fulfills all 3 points that you want, but I never tinkered with the SSH sync (although its privacy section ensures that its part of how it syncs). If you want a simpler and lower level alternative, probably pushcx’s advice of checking out pass works best for you.

            1. 5

              Strong +1. Been using Bitwarden for 1.5 years now and it’s everything I hoped it would be.

              • It’s open source, which is a must-have for a password manager for me.
              • I used it on ~every platform (Linux, Mac, Windows, Android, iOS) and it’s more than functional–a pleasure to use on most. More than I can say for any other password manager.
              • It’s a tiny team (of ~1?) but it’s very active and has solid contributions from random people. Responses to issues are prompt and effective.
              • There are several independent backend implementations (in Rust, Go, Ruby that I’ve seen, probably more now).
              • I’ve read through big chunks of the code and it seems solid–something I could contribute back to. My only complaint was that the sync API was designed to do separate requests per entry, so some metadata about the number of entries does leak unnecessarily. I haven’t checked if that was fixed, but it’s fairly minor.

              Overall the experience has only improved. I’m sure it has a bright future.

              1. 3

                Thanks for introducing me to this, it’s about what I am looking for. Time to ditch manually synced (& merged, of inevitable forks) KeePass.

                1. 2

                  Can also recommend Bitwarden, I have not tried the desktop application, but the mobile version on Android and browser extensions have worked without any issues for me so far across different browsers and operating systems.

                  Edit: Apparently, I posted the same comment twice, my mistake.

                  1. 1

                    Is this one open source?

                    1. 4
                      1. 3

                        It is indeed, but there’s a caveat with self-hosting it that irks me. Though apparently there are ways to work around it, as mentioned.

                        1. 1

                          Well, that’s cool! Thanks! :)

                        2. 1

                          a few people incl. me have been able to code a client-compatible self-hosted version as well, gives you a lot of insight and trust in it

                          https://github.com/vvondra/bitwarden-serverless https://github.com/jcs/bitwarden-ruby

                          1. 1

                            Nice! :)

                      2. 10

                        I recently switched to a self-hosted Bitwarden setup, and have been pretty happy with it so far.

                        The server is running on an old Raspberry Pi at home (so that my passwords don’t end up somewhere on the internet). I use bitwarden-ruby (thanks @jcs!) because the Pi likes it much more than the heavy-weight official Docker image.

                        The client apps (iOS and Linux desktop) do what they’re supposed to do in a neat and clean way.

                        This could be the unicorn you’re looking for. :)

                        1. 8

                          KeePass has clients that work the 3 operation systems in question, and I’ve had good luck using Syncthing to share the password file between computers, but the encryption of the database means that any good sync utility can work with it.

                          1. 4

                            I KeePassX together with SyncThing on multiple Ubuntus and Androids for two years now. By now I have three duplicate conflict files which I keep around because I have no idea what the difference between the files is. Once I had to retrieve a password from such conflict file as it was missing in the main one.

                            Not perfect, but works.

                            Duclare, using ssh instead of SyncThing would certainly work since the database is just a file. I prefer SyncThing because of convenience.

                            1. 2

                              Duclare, using ssh instead of SyncThing would certainly work since the database is just a file.

                              Ideally it’d be automated and integrated into the password manager though. Keepass2android does support it, but it does not support passwordless login and don’t recall it ever showing me the server’s fingerprint and asking if that’s OK. So it’s automatically logging in with a password to a host run by who knows. Terribly insecure.

                              1. 1

                                I had the same situation. 3 conflict files and merging is a pain. I’ve switched to Pass instead now.

                              2. 2

                                I use Keepass for a few years now too. I tried other Password managers in the meantime but I never got quite satisfied, not even pass though that one was just straight up annoying.

                                I’ve had a few conflicts over the years but usually Nextcloud is rather good at avoiding conflicts here and KPXC handles it very well. I think Syncthing might casue more problems as someone else noted, since nodes might take a while to sync up.

                              3. 8

                                I’ve been happy-enough with LastPass - I can’t point to any reason beyond inertia, so really what I’m curious about in this thread: are there any significant differentiators that could sway a person to switch?

                                1. 7

                                  A big reason for me would be moving away from proprietary stuff to secure my passwords

                                  1. 5

                                    To my knowledge at least by staying mainstream there’s a team of individuals working on the product. Ive used LastPass for years, and while there have been issues in the past … There is a large userbase and community scrutinizing it.

                                    Going the self hosted route negates alot of the large community, and trail by fire already accrued by legacy solutions like LastPass.

                                    They also provide an export mechanism …

                                  2. 4

                                    I’ve stuck with LastPass for a while. AFAIK, no security issues that I’ve judged to be significant. I appreciate that, compared to the other solutions that I know of, it seems to be widely compatible and simple to use on all platforms.

                                    Only minor beef that I have is that the browser plugins, or at least the Chrome one, seems to have gotten slower and a little bit buggier over time instead of better and faster.

                                    1. 1

                                      I use LastPass, but am not happy with it, as in the past, it had some pretty serious security issues:

                                      1. https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/. They fixed it promptly, of course, but it worries me.
                                      2. https://news.ycombinator.com/item?id=8031720#8032186
                                      3. https://twitter.com/tqbf/status/836619941805764609
                                      4. https://twitter.com/taviso/status/843965519371812864

                                      I would switch to 1Password, but it does not have linux support (edit: it has a browser extension for linux, which is suboptimal, but probably better than Lastpass). I’ve almost talked myself into switching to Keepass, but I’ll have to find out how trustworthy the iOS version is.

                                    2. 7

                                      I’d also recommend pass. It’s just a bash script that manages files encrypted with GPG in a Git repository so should work anywhere bash, git, and gpg work. It uses git to sync so you can use SSH or any other transport git supports for syncing. There’s also a pretty decent quality open-source iOS app.

                                      1. 5

                                        I’ve been using Enpass for a couple of years now. I sync my phone/laptop/desktop via Google Drive (handily the Qt desktop version bakes in Drive support so I don’t need to run Google’s full Drive sync client on either my Macbook or desktop).

                                        I would prefer an open-source solution, but so far haven’t found any ringing alarm bells with Enpass. I like that it has a fingerprint auth option on Android, and that the Qt versions (after initial unlock with long master password) can be set to unlock with a PIN. I realise this isn’t the most secure setup, but it is convenient to use, and that has resulted in me using it for everything.

                                        1. 1

                                          I use this because it’s the only one that does Webdav syncing.

                                          I don’t trust Google or any of the other large cloud provider (1Password only does icloud sync) enough to let them have even an encrypted copy of my passwords. Still, Google won’t buzz off, Chrome continues to insist that it should be my password manager…

                                        2. 5

                                          Meta-point: it is frustrating that despite the importance of this issue (a bad password manager can make you less secure), your options for getting answers are:

                                          1. Teach yourself enough crypto and security engineering to look for vulnerabilities in the code.
                                          2. Follow a bunch of security experts on twitter/hacker news/elsewhere, and hope that they’ll say positive or negative things about various password managers.
                                          3. Ask on a forum, and pray that the right people will actually answer.

                                          Someone needs to consolidate this information and keep it up to date (I don’t think it should be me. I can probably handle point 1, but don’t know enough about the area to trust my ability to adequately synthesize the material and relay it).

                                          1. 1

                                            Someone needs to consolidate this information and keep it up to date

                                            I agree. I was saving threads I saw to help with that. Then my bookmarks started disappearing (overflowing?). Anyway, I’m keeping the idea in mind since I’ll probably use one or more people’s advice myself in near future.

                                            1. 1

                                              Reordered my steps. What I can do is 2, not 1.

                                            2. 5

                                              KeePassXC - Link

                                              1. 3

                                                Have a look at KeyPass as well. KeyPassX is a clone of KeyPass but the databases are fully compatible.

                                                1. 2

                                                  you should use KeePassXC, which is the current rewrite and actively developed
                                                  KeePassX is defacto dead
                                                  also they implement the new keepass DB format and have a package in ubuntu 18

                                                2. 3

                                                  KeePass XC with the password file stored in Google Drive / Dropbox / OneDrive. There is an open-source client for iOS too.

                                                  1. 3

                                                    Another vote for KeepassXC with KeepassDroid.

                                                    1. 2

                                                      I haven’t actually used this much, but I’ve been very curious about LessPass, which is meant to be “syncless”. I’m no security expert, so I’m not 100% confident in the exoticism here, but I’d suggest checking it out in any case as an alternative perspective at least.

                                                      1. 2

                                                        Another vote for KeepassXC with KeepassDroid.

                                                        1. 1

                                                          Pass is pretty awesome: https://www.passwordstore.org/

                                                          1. It is FOSS.
                                                          2. It’s available for all 3 systems.
                                                          3. It can sync and backup via git (so over ssh).
                                                          1. 2

                                                            the abandoned android port is depressing