Ask HN: Password manager recommendation?

17 points by ryanmccullagh ↗ HN
New to this space...I have too many passwords to manage, and I'm no longer comfortable using the same password for multiple services.

I know in order to sync my set of passwords, they'll have to be stored centrally on another entity's server. Is this the usual case? Are these passwords going to be decrypted on the client only?

47 comments

[ 5.9 ms ] story [ 96.2 ms ] thread
I use Password Wallet (http://www.selznick.com/). It's not sexy, but has decent web browser integration, and it has never failed for me. (More specifically, it does a couple things well, not trying to do everything for everyone.)
1Password. I never used to like using password managers and 1password has changed that. Mobile app and web integration are both done well. With the ability to share vaults and keeps things separate and orderly.
Do you actually pay for the service?
I bought the mobile app and the license for my Mac. I don't use their cloud service and when I sync my mobile it is via the local wifi to my Mac and I don't use any cloud options like Dropbox or iCloud etc.
I have always been curious. What if the master password is compromised?
You have to change all your passwords.
Then everything is open to be viewed/compromised.

Since I personally don't use the cloud options that would mean the person must also have physical access to my device and have my pin for my phone or the password to my computer too.

Not that this isn't possible but for the added security of having different passwords for every login I'll take this balance of security.

Been using 1Password for a year now on OSX/Windows/iOS and haven't hit any issues yet. The Windows app has a lot of catching up to do in terms of UX (I know there is a beta, but isn't stable enough for everyday use)

What surprised me is that they still don't have a Linux version!

It can be made to work in Linux via 1pass lua script[1], but it's not super convenient. No plugin support and the UI is sparse, but workable.

Thanks agilebits for documenting your encryption methodology while still keeping it secure!

[1]: http://www.lucianofiandesio.com/1password-in-linux

I was able to get a Windows version running under Wine on the latest version of Mint. On their site (I believe in the FAQ) they link to a thread with instructions on how to do it. It works mostly fine, but there are some gotchas they list out.
I'm a fan of 1Password and use it on desktop (mac/win) and mobile (ios/Android), mandate it for some of our employees, and recommend it to family and friends. I am however not a fan of their push into to 1Password for clouds/teams/families/whatever. I demoed it and thought it was a vastly increased cost for marginal additional functionality compared to buying licenses. Worse is they appear to be devoting resources to the 'cloud' product while features of the stand alone software are put on the back burner. Could be a great business move from them. Who doesn't love MRR? (Well, besides customers). I still use and recommend it when the opportunity arises, but their new direction worries me.
I don't know how I "managed" without 1password. 1password saves me time every single day and greatly improves security as each login uses a unique and highly secure password. Finally use their iOS app for retrieving your passwords on the go.
I've been mostly using 1Password since my workplace provides an account that includes a personal vault, but I've also been looking at switching to Enpass for my personal passwords.

https://www.enpass.io

Some things I like about Enpass over 1Password:

- Has a Linux client.

- Offers free desktop clients, mobile clients require a 1 time purchase (not subscription based).

- Stores passwords locally. Sync is provided through a separate storage provider of your choosing (GDrive, iCloud, OneDrive, Dropbox, etc). I like this implementation much more than traditional cloud-based password managers because a hack of a single server (1Password's, for instance) won't compromise everybody's data and expose your (hopefully hashed) password database as collateral damage.

I'd love to hear from anyone who might have experience with both 1Password and Enpass on how it is to use Enpass on a daily basis compared to 1Password.

Just FYI, you can store locally as you described with 1Password. You don't have to use their cloud service. Or any cloud service for that matter since 1PW supports syncing over a local wireless network.
This actually looks good. Wondering why I haven't heard of this before.

Anyone has thoughts/knowledge on its security, on SQLCipher?

The nice thing about 1Password (is for the time being) the fact you don't have to use cloud services and can manage syncing locally or via Dropbox. They're making a big push to the web version which we use for work, but I have a personal account from forever ago that I still use the local WiFi sync with.

Great iOS integration, great OS X integration, awesome browser plugins, but the Windows UI is atrocious and Linux support is technically non-existent but there are ways.

LastPass, and I pay for it. Does the job, but the chrome plugin seems sluggish sometimes.

Happy customer.

There are mitigations and best practices for using any password manager, including Lastpass. I don't think any of them are immune from attack.
For clarity's sake, they were hacked once and in separate instances had vulnerabilities reported to them by security researchers, which were then fixed.

I don't know if it's more or less secure than other password managers, but it certainly isn't the last thing you should be using.

Another happy customer here.

Notable features that I like: automatic password changes, security challenge (warns me about weak/previously used passwords), primarily web-based (works equally well on Linux).

Me too, but looking for another solution.
KeePass for the important things - anything that involves money, directly or indirectly - email, banking, amazon, ebay, bitcoins.

1Password for everything else.

Why do you use two?
I don't trust anything integrated with the browser. I could probably use two separate databases of KeePass, but it's browser integration sucks.
The small team I am on uses 1Password for Teams and it works brilliantly.
I'm a huge fan of Pass. (https://www.passwordstore.org/). It's command line based but there are adaptations for various platforms. It works best in a UNIX-like environment, though.
I also use Pass. It integrates great with git, so you can store your password database anywhere, and sync on demand with `pass git pull`.

Also by using GPG as an encryption mechanism it allows you to use your gpg-agent so you only have to authenticate when you log in to your computer.

Basically it relies on existing tools to solve existing problems (sync, encryption) and concentrates on the added value: listing, storage and retrieval of passwords.

A greatly useful application of the unix philosophy.

I use KeePass (MacPass on OS X). It's open source and saves to a single encrypted file. I stick it in Dropbox and it's available everywhere I need.
On linux, I use KeePassX. It's basically the same thing IIUC. I sync mine via an svn repo.
I use a small constellation of context-specific KeePass files (Work versus Home, for example) as the overall huge number of password groups ("folders") started to get hard to manage, and I also wanted to start better managing the specific devices with access to some of the files.

I had been using various combos of Dropbox/OneDrive to sync several of my primary files, but recently moved to Resilio Sync (formerly known as Bittorrent Sync) Encrypted Share folders because I can have "dumb nodes" that can share the "torrent" of the encrypted share folder but not access the internals (individual files), such as an always available VPS in the cloud somewhere.

I have used Dashlane since the beta days, it works well. It is closed source, yet works well, the paid version ($40/year) syncs between devices while the free version is one device only. There are apps for Android, iOS, Mac, and PC. Features include autofill on websites and receipt logging when using credit cards. Their site says they decrypt and encrypt locally only, using an unrecoverable master password.
I love Dashlane!

I've been there since Beta, too, and it's in the highest price tier for password managers, but it's often lauded as having the best user experience on desktop & mobile, and one of the simplest managers for even non-technical people. The local decryption also makes it uniquely secure and less susceptible to attacks like the LastPass attack in 2015.

Great product and happy to support the Dashlane team! You can store passwords, secure notes, payment methods, and even IDs like passport or driver's license numbers, with great autofill support.

Before Dashlane, I used a KeePass database that I synced with Dropbox, so I could access it on macOS or iOS, but the clients varied in quality, and when I switched to Dashlane, the experience was fantastic with autofill available on both macOS and iOS.

Google password manager passwords.google.com works very well for me. I also use a veracrypt encrypted container with a plain text file containing my sensitive notes and passwords, stored on my Linux laptop and backed up onto an encrypted bucket on AWS S3 in case my laptop dies or is stolen or destroyed.

This works very well for me, and I'm in control of my passwords.

(comment deleted)
I'm using Vault (vaultapp.xyz). It's open-source, simple and free and meets all my needs. Disclaimer: I'm a developer for Vault.
I use Enpass and have been happy with it.
I use Zoho Vault free plan. Very much happy with it.
Is there one that does NOT use any off-device storage? Or one that provides options for how and where your data is stored?

What I mean by this is no cloud, no central server storage, no third party storage of your data at all.

In other words, if you have it installed on three devices there's file of some sort that you have to replicate between them yourself or some network-based (not internet, local network) approach to synchronization.

I know centralized storage is convenient but that's where you open yourself up for compromising your information in the even of a breach wherever your info is stored.

SplashID has that option. They promote a cloud-sync option, but you can opt for WiFi-Sync-Only instead, which will synchronize your phone to your desktop/laptop and never interact with the Cloud. There's also an option to never sync with any other device. I've been using it since the PalmOS days and have it working today across my Mac, Windows, iOS & Android devices.

https://www.splashid.com/

1Password has that option too. In fact if you happy with that option, you don't even have to pay them anything.

https://support.1password.com/sync-options/#sync-over-a-loca...

Btw, the closed source client is also a weak point in the whole architecture, but if you don't worry about that, then probably you shouldn't worry about letting them store your encrypted passwords.

KeePass (and family) store to encrypted files on your machine that never leave the device by default. It doesn't know or care about cloud or central server storage. (It simply provides a means to reconcile changes made in other files, such as synchronized conflict versions.)

Most people then choose the cloud storage of their own choice (Dropbox, OneDrive, Resilio Sync, etc...) to pass the files between devices as interested/necessary. KeePass doesn't know nor care that a sync provider is being used and its just like any other file to sync (which is why you can choose any file sync strategy under the sun).

1. 1Password IF your desktop machines are all macOS/iOS/Android.

Pros:

* Best UX

* Great keyboard support

* Non-cloud, local network sync option

* Sharing for families and teams via vaults which specify permissions of users (identified by their team specific email address)

* Login into multiple teams

* Intuitive web login form autocompletion and password generation for account creation

Cons:

* Closed source, so you still have to trust their binaries and their team

* No Linux version and only the Windows version is still beta, so the the whole team/family should be on Macs pretty much

2. Dashlane

Pros:

* Slightly cheaper than 1Password

* Reasonably nice UI

* Windows client

Cons:

* Annoying UX (auto-generated passwords are hard to find later, doesn't recognize a lot of login forms, etc etc)

* Almost no keyboard shortcuts

* Sharing is per-password with user emails (which might be the private emails, because they don't have proper team support)

* Closed source

3. Lastpass

Pros:

* Even cheaper than Dashlane and 1Password

* Enterprise plan has nice company-wide audit of password usage and hygiene

* Share passwords without revealing them (which is useless if you can hack their clients of course)

* Sharing is folder based

* Lastpass 4.0 got a modern look and feel finally, but it's still ugly compared to the others

Cons:

* Enterprise admin interface UI & UX is terrible

* Can't fill out a lot of login forms (even basic ones, like google, amazon IAM), especially if you have multiple accounts for them

* Closed source

4. KeePass - haven't used it for real, but I know about one, 30+ ppl company successfully using it on all 3 major platforms

Pros:

* Open source

* Cross platform

Cons:

* Haven't found a proper web login form filler integration for it

* Quite inconvenient compared to eg. 1Password

Not sure how sharing is supposed to work in it exactly. I think it's out of their scope.