Ask HN: Password manager recommendation?
New to this space...I have too many passwords to manage, and I'm no longer comfortable using the same password for multiple services.
I know in order to sync my set of passwords, they'll have to be stored centrally on another entity's server. Is this the usual case? Are these passwords going to be decrypted on the client only?
47 comments
[ 5.9 ms ] story [ 96.2 ms ] threadSince I personally don't use the cloud options that would mean the person must also have physical access to my device and have my pin for my phone or the password to my computer too.
Not that this isn't possible but for the added security of having different passwords for every login I'll take this balance of security.
What surprised me is that they still don't have a Linux version!
Thanks agilebits for documenting your encryption methodology while still keeping it secure!
[1]: http://www.lucianofiandesio.com/1password-in-linux
https://www.enpass.io
Some things I like about Enpass over 1Password:
- Has a Linux client.
- Offers free desktop clients, mobile clients require a 1 time purchase (not subscription based).
- Stores passwords locally. Sync is provided through a separate storage provider of your choosing (GDrive, iCloud, OneDrive, Dropbox, etc). I like this implementation much more than traditional cloud-based password managers because a hack of a single server (1Password's, for instance) won't compromise everybody's data and expose your (hopefully hashed) password database as collateral damage.
I'd love to hear from anyone who might have experience with both 1Password and Enpass on how it is to use Enpass on a daily basis compared to 1Password.
Anyone has thoughts/knowledge on its security, on SQLCipher?
Great iOS integration, great OS X integration, awesome browser plugins, but the Windows UI is atrocious and Linux support is technically non-existent but there are ways.
Happy customer.
http://lifehacker.com/lastpass-hacked-time-to-change-your-ma...
https://www.hackread.com/lastpass-hacked-this-time-for-good/
I don't know if it's more or less secure than other password managers, but it certainly isn't the last thing you should be using.
Notable features that I like: automatic password changes, security challenge (warns me about weak/previously used passwords), primarily web-based (works equally well on Linux).
1Password for everything else.
Also by using GPG as an encryption mechanism it allows you to use your gpg-agent so you only have to authenticate when you log in to your computer.
Basically it relies on existing tools to solve existing problems (sync, encryption) and concentrates on the added value: listing, storage and retrieval of passwords.
A greatly useful application of the unix philosophy.
I had been using various combos of Dropbox/OneDrive to sync several of my primary files, but recently moved to Resilio Sync (formerly known as Bittorrent Sync) Encrypted Share folders because I can have "dumb nodes" that can share the "torrent" of the encrypted share folder but not access the internals (individual files), such as an always available VPS in the cloud somewhere.
I've been there since Beta, too, and it's in the highest price tier for password managers, but it's often lauded as having the best user experience on desktop & mobile, and one of the simplest managers for even non-technical people. The local decryption also makes it uniquely secure and less susceptible to attacks like the LastPass attack in 2015.
Great product and happy to support the Dashlane team! You can store passwords, secure notes, payment methods, and even IDs like passport or driver's license numbers, with great autofill support.
Before Dashlane, I used a KeePass database that I synced with Dropbox, so I could access it on macOS or iOS, but the clients varied in quality, and when I switched to Dashlane, the experience was fantastic with autofill available on both macOS and iOS.
This works very well for me, and I'm in control of my passwords.
What I mean by this is no cloud, no central server storage, no third party storage of your data at all.
In other words, if you have it installed on three devices there's file of some sort that you have to replicate between them yourself or some network-based (not internet, local network) approach to synchronization.
I know centralized storage is convenient but that's where you open yourself up for compromising your information in the even of a breach wherever your info is stored.
https://www.splashid.com/
https://support.1password.com/sync-options/#sync-over-a-loca...
Btw, the closed source client is also a weak point in the whole architecture, but if you don't worry about that, then probably you shouldn't worry about letting them store your encrypted passwords.
Most people then choose the cloud storage of their own choice (Dropbox, OneDrive, Resilio Sync, etc...) to pass the files between devices as interested/necessary. KeePass doesn't know nor care that a sync provider is being used and its just like any other file to sync (which is why you can choose any file sync strategy under the sun).
Pros:
* Best UX
* Great keyboard support
* Non-cloud, local network sync option
* Sharing for families and teams via vaults which specify permissions of users (identified by their team specific email address)
* Login into multiple teams
* Intuitive web login form autocompletion and password generation for account creation
Cons:
* Closed source, so you still have to trust their binaries and their team
* No Linux version and only the Windows version is still beta, so the the whole team/family should be on Macs pretty much
2. Dashlane
Pros:
* Slightly cheaper than 1Password
* Reasonably nice UI
* Windows client
Cons:
* Annoying UX (auto-generated passwords are hard to find later, doesn't recognize a lot of login forms, etc etc)
* Almost no keyboard shortcuts
* Sharing is per-password with user emails (which might be the private emails, because they don't have proper team support)
* Closed source
3. Lastpass
Pros:
* Even cheaper than Dashlane and 1Password
* Enterprise plan has nice company-wide audit of password usage and hygiene
* Share passwords without revealing them (which is useless if you can hack their clients of course)
* Sharing is folder based
* Lastpass 4.0 got a modern look and feel finally, but it's still ugly compared to the others
Cons:
* Enterprise admin interface UI & UX is terrible
* Can't fill out a lot of login forms (even basic ones, like google, amazon IAM), especially if you have multiple accounts for them
* Closed source
4. KeePass - haven't used it for real, but I know about one, 30+ ppl company successfully using it on all 3 major platforms
Pros:
* Open source
* Cross platform
Cons:
* Haven't found a proper web login form filler integration for it
* Quite inconvenient compared to eg. 1Password
Not sure how sharing is supposed to work in it exactly. I think it's out of their scope.