HACKER Q&A
📣 torstenvl

What password managers can you recommend?


I used to be a happy 1Password user, but they seem insistent on making the experience as terrible as possible lately. I've tried BitWarden and Enpass, but their integration is worse and they suffer from some of the same problems as 1Password (subscription/server-based, not really in control of own data, etc.)

Are there any password managers that

- Integrate into browsers on all major platforms

- Have decent password generators

- No major security breaches in past ten years

- Local-first / sync via standard sync mechanisms (Dropbox, iCloud, Syncthing, etc.)

EDIT: Based on responses below, I'm going to try KeePass[.*] and see how it goes. First hiccup is that 1Password import doesn't seem to work, but I'll keep at it.


  👤 brycewray Accepted Answer ✓
If you can handle what I call[0][1] "the KeePass way": on desktop, KeePassXC (Windows/macOS/Linux); on mobile, KeePass2Android or Keepassium (iOS).

[0]: https://www.brycewray.com/posts/2021/06/two-paths-password-m...

[1]: https://www.brycewray.com/posts/2021/08/1password-hits-fan/


👤 jstx1
Bitwarden. The free version does everything I need from a password manager (which is to store, sync and generate passwords); decent browser extension, decent mobile app.

👤 drcongo
I hate what 1Password has become, and how user-hostile Agile Bits are. BUT after the last bait and switch they pulled I tested _every single password manager on the market_, and the bad news is that the others are all worse. The only two I found that I liked, but sadly lacked at least one feature that we need, were Secrets [0] and Elpass [1]. I think both might fail your requirements list too. I've begrudgingly had to stick with 1Password, but after the way they've treated the customers who have been giving them money for over a decade I'll be off the second someone makes a password manager that meets our requirements.

[0] https://outercorner.com/secrets-mac/

[1] https://elpass.app


👤 Sanzig
I use pass. It's a Unix-style password manager created by zx2c4 of Wireguard fame.

https://www.passwordstore.org/

Pass uses GPG under the hood for encrypting the password store. I use an OpenPGP smartcard (a Yubikey in my case) to decrypt the password files. I synchronize the store across devices using Git. There are good autofill implementations for Firefox and for Android. When I need a password, the autofill prompts me to insert my Yubikey and enter in the unlock PIN, which I find more convenient than a master password. Crypto functions are offloaded to the Yubikey with a (theoretically) very difficult to extract private key, so unless somebody swipes that they can't get into my passwords.

I mostly followed this guide for setting it up: https://dehnes.com/software/2020/04/03/password_management_y...


👤 taxcoder
I use KeePass. The password generator is good and I'm not aware of any breaches. I don't know how good the browser integration is. Mine is backed up to several locations that I also use it from; I suppose Dropbox would work.

👤 tmikaeld
Considering how important security is in a password manager, I don't trust any other than Bitwarden.

It's been audited [0] by external companies multiple times and both the client and the server are fully open source [1].

I know others may say that the encryption is too weak[2], but that's true for all other password managers too [3], since Argon2id is not mature enough to run as a WASM module in the browser yet (especially not on mobile).

[0] https://bitwarden.com/help/article/is-bitwarden-audited/

[1] https://github.com/bitwarden

[2] https://github.com/bitwarden/jslib/issues/52

[3] https://github.com/bitwarden/jslib/issues/52#issuecomment-78...


👤 bloopernova
Bitwarden can be self-hosted. $10/year subscription cost is well, well worth it.

If you don't self-host, note that everything is encrypted before being stored at bitwarden. They don't have access to your passwords.


👤 dxf
I was a happy 1Password user and warily switched to their subscription model. But it still does everything I want and now it even does more -- e.g. I can have shared vaults with my partner and other family members, which is more convenient than duplicating entries between machines or going to each other's computers to look something up.

👤 gspr
Pass! https://www.passwordstore.org/

With git or whatever you want for sync, and whatever GPG-compatible security device you want for encryption.

I swear, pass is the piece of software that has improved my digital life the most per line of code in the software.


👤 abfan1127
I use LastPass. I love that it has a mobile app for me to copy/paste on my phone and my wife's phone. It has a really good browser extension. I do pay the small fee for multiple devices.

👤 mmettler
1Password is consistently fantastic.

I hear you about problems with a server/subscription-based model, but a) it's the least of all evils, and b) I've come to enjoy financially supporting them (i.e. my subscription means they can keep making great software, which is definitely valuable to me).


👤 chenxiaolong
I use KeePass databases synced with SyncThing. One database for passwords and private keys, another for TOTP 2FA (which I only ever update/unlock on my phone).

As for the software I use to access the database:

* On Windows/Linux, I use KeePassXC with the corresponding browser extension. I also use the built-in SSH agent integration so I don't need to store my private keys in ~/.ssh nor manually type in their encryption passphrase.

On Windows, auto-type works great for the most part, except in ancient applications that only support scan-code-based input and not Unicode-based input (shakes fist at IPMI consoles of brand new servers that _still_ use ancient noVNC versions without support for Unicode input). I build KeePassXC from source to include a not-yet-merged patch for scan-code support.

* On Android, I use KeePassDX (open source). It integrates with Android's autofill API, but also has a keyboard for typing the username/password/TOTP code into apps that don't support autofill.

* Back when I still used iOS, I used Strongbox (open source, but does not accept contributions). It integrates with iOS' autofill API.

For syncing, I use SyncThingTray on Windows/Linux and SyncThingFork on Android. On iOS, I used to have Strongbox connect via sftp to my server running SyncThing because I could not find a decent SyncThing client. (I'm not even sure it's possible to implement on iOS without resorting to abusing location services for background execution, like iSH or most SSH clients.)


👤 dhritzkiv
What's the terrible experience you're finding lately with 1Password? I've found it to be more consistent and stable in the last little while (especially when paired with the more recent Safari releases)

👤 gmoore
Bitwarden - without question - pay the $10 a year. It's only 10 bucks and totally worth it...

👤 durakot
Was in the same boat. KeePassXC is what you want.

👤 madmonk
I've been working on a concept where, instead of storing passwords in a manager I use a generator that creates pseudorandom passwords based on a few, easy to remember things. It's essentially a hashing algo created in javascript. You provide a site name, a password length and a pin code and it will consistently generate the same pseudorandom string. Nothing is stored and the generator can be publicly hosted.

https://github.com/madmonk13/keymaster

This is the first time I've publicly shared it and I welcome your feedback.


👤 c7DJTLrn
I use KeePassXC. I don't feel that web password managers are safe given the monstrous attack surface of browsers.

👤 putlake
I've not understood why one wouldn't use Chrome or Edge's built-in password manager. Is there a compelling reason to use a separate password manager app?

👤 darksofa
Password Safe

https://www.pwsafe.org/

Designed by Bruce Schneier

https://www.schneier.com/academic/passsafe/

Mobile clients available and you can sync via Dropbox or iCloud.


👤 firepacket
I wrote my own with ridiculous Argon2 requirements (takes 18 secs to open) combined with a PBKDF hybrid hashing system (not chained) and a strong AES256 CBC implementation with proper random IVs for each field and correct padding. You can encrypt any kind of data and files; it's encoded as 32k UTF-16 + sig XML, losing only 1.3% over binary, but I like text files. Of course, some files come out smaller due to the Gzip compression.

It is Dropbox friendly, meaning any change or addition by another person using the same vault in the same directory is automatically updated in all open vaults. This was originally for collaboration. You can have your own private vault too with a unique password, as many as you like. They just end up as XML files. It runs fast as it uses databinding, can generate strong passwords, and makes copying/pasting easy. I am having trouble encrypting files over 1GB though.

I go to great lengths to protect the key. If the file is open too long, it minimizes and locks; when you open it, it decrypts everything again. As soon as decryption is done, the key is stashed away using the ProtectMemory function in the framework. I have done memory dumps to ensure the key is not visible when the app is idle.

Files work differently. Their metadata is encrypted, but you are able to checksum them and preview them in memory without the key ever being exposed, and the content never touches the disk and is zeroed afterward. You can currently play sound, view pictures, execute files (in memory!) and soon video.

I plan on browser integration by a cross-browser userscript and loopback routing (127.0.0.1) that recognizes when the cursor is in a field specified in the login's metadata. But I am running into trouble because sites like to randomize the name of the login fields, so I have to use some reliable heuristic approach.

Does anyone have any ideas on how to deal with that? If I can figure that out, and get video previews working I will open source it.

EDIT: Here's a preview of the app: https://imgur.com/a/rZGPCPZ



👤 peruvian
I don't get the drama about 1Password. What's wrong with it? I'm a little wary of 8 (Electron) but eh, I doubt it'll be bad. It costs me like $4-5/mo which is an amount I don't even bother keeping track of or budgeting.

👤 technick
I've used lastpass since 2016, it works for everything I need. Before that I struggled with Keepass and keeping it updated across all my various platforms, which I can only recommend if you use it from only a single location.

👤 w4rh4wk5
As stupid as it might sound, my recommendation is a simple paper notebook. Certainly, it is less convenient; but in terms of security, one pretty much needs physical access to obtain it.

Otherwise, I think KeePass will do you just fine. I'd advise against any form of browser integration. Stick with the auto-type feature instead. Connecting a full, decrypted password database directly to a _browser_ sounds scary.

Consider installing an add-on in your browser that changes the window title to include the page's URL. This way KeePass' window matching works a lot better.
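An added example of the add-on idea above, written as a small userscript (not any existing add-on): it appends the page's host to the window title so that a KeePass auto-type window association can match on the host with a wildcard pattern instead of on a title the site controls. The pure helper is separated so the behaviour can be checked outside a browser; the bracket format is an assumption.

```javascript
// Added example: keep the page host in the window title for auto-type matching.
// Not an existing add-on; the " [host]" suffix format is a constructed choice.

// Build a title that ends with the host, without doubling the suffix when the
// page (or an earlier run of this script) already added it.
function titleWithHost(title, host) {
  const suffix = ` [${host}]`;
  const base = (title || '').trim();
  return base.endsWith(suffix) ? base : base + suffix;
}

// Browser wiring only; skipped when run under Node. Single-page apps rewrite
// <title> as you navigate, so observe it and re-apply instead of setting once.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const apply = () => {
    const wanted = titleWithHost(document.title, location.hostname);
    if (document.title !== wanted) document.title = wanted;
  };
  apply();
  const titleEl = document.querySelector('title');
  if (titleEl) {
    new MutationObserver(apply)
      .observe(titleEl, { childList: true, characterData: true, subtree: true });
  }
}
```

Matching on the host this way narrows which window an entry's auto-type fires into; it does not verify the page the way an origin-checking extension does, so the entry's own window pattern should still be as specific as possible.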


👤 politelemon
I can recommend not using an online password manager. When it comes to a sensitive set of information, the first step in a terrible experience is giving another entity control of that set of information. Offline password managers have a reduced risk due to the not-always-on nature and your own control over its syncing.

So your choice of KeePass is pretty good. There is KeePass2 which is by the original author of the KDBX format. There is KeePassXC which is an alternative. KeePass2 has a lot of community plugins if that's what you're after.


👤 fsflover
I store my passwords in plain text in an offline virtual machine on Qubes OS. I copy them into browsers with a secure inter-VM copy mechanism (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/).

👤 angst_ridden
BitWarden is good. Codebook is the commercial version of the earlier Open Source "STRIP" and underrated.

👤 fitblipper
I use one of these password managers that folks have been sharing here but I'm curious why folks don't like using the ones built into firefox/chrome. Chrome at least allows you to provide a separate encryption password so they don't have any visibility into what the passwords are.

👤 jareklupinski
I was creating my own standalone hardware password manager: https://github.com/jareklupinski/zamek

Looking for inspiration and excited testers :)


👤 wepple
Can you elaborate on

> they seem insistent on making the experience as terrible as possible lately


👤 vocatan
Can anybody reveal WHERE to buy the standalone / non-subscription version of 1Password? It seems like it's vanished off their site (it used to be that if you hunted for long enough, you could find it)

👤 ryandvm
Am I the only one that thinks that password managers are a terrible idea?

Let's take all of a user's credentials (mixing the critical and the trivial) and put them into a single database and then use Javascript-based browser extensions to control access to the DB. What could go wrong?

The LastPass communications brouhaha from last week was just a whiff of the total shit show we're going to see when the client code from one of these password managers is modified with trojan code and we realize that some group has been slurping up credentials by the billions over the course of a few months.

Seems like the charitable take is that password managers are maybe the best approach to a horrible idea, and the real solution is that we ought to be racing to abolish passwords altogether as soon as possible.


👤 blikdak
MacOS with iCloud has shared Keychain 1st party. People should stop thinking this integration is an app, it's a function of your entire online environment including how your OS talks to it. FBG

👤 thebean11
Why are Dropbox and iCloud preferable to 1Password sync?

👤 systemvoltage
1Password is fantastic IMO but all these password managers make me nervous.

👤 aborsy
Stay away from online password managers, especially closed source ones.

👤 stunt
Firefox's built-in password manager. It works on mobile too.

👤 hmrtn
MYKI has been good to me, and I recommend it.

👤 hprotagonist
KeePass ticks all those boxes for you.

👤 Bowes-Lyon

👤 firepacket
I believe the most popular password managers have been cracked already, that is why I did a LOT of research and built my own.

It was not easy, but it was fun, and if anyone wants to decrypt my files they have a lot of difficult hurdles to jump through.

Of course, keylogging is easier, but then they still have to run my software or at least seriously read the source code.