HACKER Q&A
📣 ta_u

Which password manager is the most secure and why?


Additionally, is there a safer alternative to password managers?


  👤 gvb Accepted Answer ✓
KeePass with the database stored locally on your device(s).

I then use syncthing to synchronize the database between my devices (laptop, phone, in-house server, backup).

The data is all under my control and does not reside on any third party computer or data storage. The only exposure to third parties is when the database is synced between devices... but at that point it is encrypted and ephemeral.


👤 joshSzep
I have a memorized algorithm for my passwords which combines my user name, the website name, a counter, and a unique key. It includes uppercase, lowercase, numbers, and symbols. The passwords come out at 9-10 characters.

So I have no need for password managers, for writing down in a notebook, or anything else. Try it.
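
An added example of the same shape of scheme (master secret + username + site name + counter in, a mixed-class password out), not joshSzep's memorized algorithm, which is not published. This is example code, not from the original post; the mixing step here is scrypt rather than a hand-computable transform, the character classes, the KDF parameters and the test inputs are all assumptions chosen for illustration, and incrementing the counter rotates one site's password without touching any other.

```python
"""Deterministic per-site password derivation with a memory-hard KDF.

Added example, not joshSzep's memorized algorithm (which is not published).
It keeps the same shape -- master secret + username + site + counter in,
a mixed-class password out -- but the mixing is scrypt, so a captured
per-site password does not give away the master secret. All inputs are
constructed for illustration.
"""
import hashlib
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+?"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)  # 75 characters


class _ByteSampler:
    """Draw uniform integers in [0, n) from a byte stream by rejection sampling."""

    def __init__(self, stream: bytes) -> None:
        self._it = iter(stream)

    def below(self, n: int) -> int:
        limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
        for b in self._it:
            if b < limit:
                return b % n
        raise ValueError("derived byte stream exhausted; increase dklen")


def derive_password(master_secret: str, username: str, site: str,
                    counter: int = 1, length: int = 12) -> str:
    """Return a length-char password containing at least one char of each class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least 4")
    # Domain-separate the inputs so "ab"+"c" and "a"+"bc" cannot collide.
    salt = b"\x00".join([
        b"pwderive-v1", username.encode(), site.lower().encode(), str(counter).encode(),
    ])
    # n=2**14, r=8 -> 16 MiB per derivation: cheap for the user, expensive for
    # someone brute-forcing the master secret from one leaked site password.
    raw = hashlib.scrypt(master_secret.encode(), salt=salt,
                         n=2**14, r=8, p=1, dklen=16 * length)
    s = _ByteSampler(raw)
    # One guaranteed character per class, the rest from the full alphabet ...
    chars = [cls[s.below(len(cls))] for cls in CLASSES]
    chars += [ALPHABET[s.below(len(ALPHABET))] for _ in range(length - len(CLASSES))]
    # ... then a deterministic Fisher-Yates shuffle so the forced characters
    # do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = s.below(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True when the password contains lower, upper, digit and symbol characters."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed inputs; rotating the counter changes only this site's password.
    for counter in (1, 2):
        print(derive_password("correct horse battery staple", "alice", "example.com", counter))
```

The site name is lower-cased before hashing so `Example.com` and `example.com` derive the same password; the username is left as typed, since sites differ on whether it is case-sensitive.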


👤 philihp
Passwordstore is probably the most secure, being that it's a short (1500-line) shell script that offloads the actual encryption to GPG and network sync to git. There's just not a lot of surface area to attack there... and it also works for teams.

👤 psychphysic
Mooltipass [0]

It's hardware based: the device stores encrypted passwords and files (which can be dumped, still encrypted, to a PC). Sending keys requires interaction with the physical device, and a smartcard is needed to activate the device. Yet you can synchronize the database using any folder sync system.

But the key is stored on a smartcard with a PIN you set. The smartcard can be cloned so you have multiple copies, or read with an off-the-shelf card reader to export the key if you know the PIN.

Versus other password managers, your database is never decrypted on the PC, in memory or otherwise.

The smartcard will lock after incorrect attempts.

You control your data entirely.

It requires the Mooltipass (with your database), the smartcard and physical interaction with the device to send a password.

Open source too!

[0] https://www.themooltipass.com/


👤 julienpalard
I like the simplicity of passwordstore. But keepassx* are good too. I'll never trust an online solution, and probably almost never trust a browser extension.

👤 tejado
I think offline hardware password managers are the most secure. Including offline backup.

For this, I developed Authorizer to use your old Android phone as your password manager. It can type the password over USB on your target device. Supports OTP. Smartcard and WebAuthn support are on the roadmap. Also doing a lot of modernization in the coming weeks.

https://github.com/tejado/Authorizer
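
What "type the password over USB" means on the wire, as an added example that is not Authorizer's code and not part of the original post: the device enumerates as a USB HID keyboard and emits 8-byte boot-protocol reports, so the host only ever sees key-down and key-up events, never the vault. The key map below assumes a US host layout; that assumption is the standard caveat for every keystroke-injecting password manager, since the same usage IDs produce different characters under another layout, and characters with no key on the assumed layout cannot be typed at all.

```python
"""USB HID keyboard reports for a hardware password manager (added example).

Not Authorizer's code: a from-scratch illustration of how a device that
"types" a password over USB encodes it. Boot-protocol keyboard reports are
8 bytes: modifier bitmap, reserved, up to six concurrent usage IDs (HID
usage page 0x07). A US layout is assumed throughout.
"""

LSHIFT = 0x02   # modifier byte bit for left shift
RELEASE = bytes(8)  # all keys up

# (modifier, usage id) for printable ASCII on a US keyboard.
KEYMAP = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[c] = (0, 0x04 + i)
    KEYMAP[c.upper()] = (LSHIFT, 0x04 + i)
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[plain] = (0, 0x1E + i)
    KEYMAP[shifted] = (LSHIFT, 0x1E + i)
for plain, shifted, usage in [
    ("-", "_", 0x2D), ("=", "+", 0x2E), ("[", "{", 0x2F), ("]", "}", 0x30),
    ("\\", "|", 0x31), (";", ":", 0x33), ("'", '"', 0x34), ("`", "~", 0x35),
    (",", "<", 0x36), (".", ">", 0x37), ("/", "?", 0x38),
]:
    KEYMAP[plain] = (0, usage)
    KEYMAP[shifted] = (LSHIFT, usage)
KEYMAP[" "] = (0, 0x2C)
KEYMAP["\n"] = (0, 0x28)  # Enter, for managers that also submit the form

USAGE_TO_CHAR = {(mod, usage): ch for ch, (mod, usage) in KEYMAP.items()}


def make_report(modifier: int, usage: int) -> bytes:
    """Boot-protocol keyboard report: modifier, reserved, six key slots."""
    return bytes([modifier, 0, usage, 0, 0, 0, 0, 0])


def reports_for(text: str) -> list[bytes]:
    """Press-then-release report pair per character; rejects unmappable chars."""
    out = []
    for ch in text:
        try:
            modifier, usage = KEYMAP[ch]
        except KeyError:
            raise ValueError(f"{ch!r} has no key on the assumed US layout") from None
        out.append(make_report(modifier, usage))
        out.append(RELEASE)  # without this, "aa" would arrive as one held key
    return out


def decode_reports(reports: list[bytes]) -> str:
    """What the host's keyboard driver reconstructs (US layout assumed)."""
    chars = []
    for rep in reports:
        if rep == RELEASE:
            continue
        chars.append(USAGE_TO_CHAR[(rep[0], rep[2])])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed password; each character becomes a press report and a release.
    for rep in reports_for("Tr0ub4dor&3"):
        print(rep.hex())
```

Because the host reconstructs the password from keystrokes, anything that can read keyboard input on that host (a keylogger, an accessibility service) sees it too; the device protects the vault, not the session it types into.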


👤 CaptainJustin
Here's a wild idea!

- Bitwarden

- Self-host

- Don't listen on public Internet IPs or regular LAN IPs

- Listen on Tailscale IP.

- Put TLS in front of it the Tailscale way.

- Run Tailscale on all your devices and access Bitwarden from your private network.
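
A check for the "don't listen on public or LAN IPs, only on the Tailscale IP" steps above, as an added example that is not part of CaptainJustin's post and not Bitwarden or Tailscale code. It audits `ss -ltn` output on the host: every LISTEN socket must be bound to a Tailscale address (100.64.0.0/10, the CGNAT range Tailscale assigns) or to loopback, and anything bound to a wildcard, a LAN address or a public address is reported. The sample socket table is constructed so the script runs offline; the port numbers and addresses in it are assumptions, not Bitwarden's defaults.

```python
"""Audit listening sockets so a self-hosted vault only answers on Tailscale.

Added example, not part of the original post or of Bitwarden/Tailscale.
Reads `ss -ltn` output (Linux) and flags any LISTEN socket not bound to a
Tailscale address (100.64.0.0/10) or loopback. SAMPLE_SS is constructed;
on a real host feed it subprocess.run(["ss", "-ltn"], ...).stdout instead.
"""
import ipaddress

ALLOWED_NETS = [
    ipaddress.ip_network("100.64.0.0/10"),  # Tailscale
    ipaddress.ip_network("127.0.0.0/8"),    # loopback v4 (e.g. a local reverse proxy)
    ipaddress.ip_network("::1/128"),        # loopback v6
]
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed `ss -ltn` output: vault on the Tailscale IP (ok), a helper on
# loopback (ok), sshd on all v4 interfaces and a TLS listener on all v6
# interfaces (both exposed).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    100.101.102.103:8080 0.0.0.0:*
LISTEN  0       128     127.0.0.1:3012       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    [::]:443             [::]:*
"""


def split_local(field: str) -> tuple[str, str]:
    """'100.101.102.103:8080' -> ('100.101.102.103', '8080'); '[::1]:3012' -> ('::1', '3012')."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), port


def verdict(addr: str) -> str:
    """Classify one bind address."""
    if addr in WILDCARDS:
        return "exposed (wildcard bind)"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown address form"
    if any(ip in net for net in ALLOWED_NETS):
        return "ok"
    return "exposed (LAN/public address)"


def audit(ss_output: str) -> list[tuple[str, str]]:
    """Return [(local_address:port, verdict)] for every LISTEN row that is not ok."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _port = split_local(cols[3])
        v = verdict(addr)
        if v != "ok":
            findings.append((cols[3], v))
    return findings


if __name__ == "__main__":
    for local, v in audit(SAMPLE_SS):
        print(f"{local:24} {v}")
```

The check is about bind addresses only; it does not prove the Tailscale ACLs or the host firewall are right, and a reverse proxy on loopback still needs its own upstream bound the same way.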


👤 yeganathans
Try using Bitwarden, quite good and secure as well.

👤 world-set-free
Small notebook with a memorized cypher.

👤 aborsy
Probably Password store with GPG key on Yubikey.

👤 tkiolp4
1. Less is more. I keep around 10-15 passwords on paper and digitally (on my laptop and on a couple of external hard drives). These passwords correspond to my most important digital assets like main email account, banking, etc. It’s easy to keep track of this amount of passwords on paper. I don’t have them on the cloud/internet and I only need them on my main computer (I don’t really do anything serious on my phone/tablet).

2. The rest of my passwords: I don’t really care. I have a couple of dummy email accounts on protonmail and gmail and all my useless digital identities (reddit, youtube, hn, chatgpt, etc.) share more or less the same password format. I do keep a simple backup (in plain text) of these passwords on my harddrive, but I couldn’t care less if they get stolen or whatever.


👤 mikewarot
The safest way to store passwords is written down on a piece of paper. Maintain physical custody of it, never let it out of your possession.

If you need backups, use a non-networked copier, or an old style stand-alone point and shoot camera. Don't ever put the SD card in your computer. Keep all copies as secure as the original.

Banks have safety deposit boxes that can offer relative security. If you really want to be safe, manually encrypt your passwords.

[Edit] As others have pointed out, phishing is an issue. Be careful where you enter your passwords.