Ask HN: Does anyone use an alternative to a password manager?

113 points by BinaryIdiot ↗ HN
As time goes on I find myself, both in my professional and my personal life, adding more and more usernames and passwords I need to remember. I have over a 100 accounts I need to keep track of and access typically access at a whim.

Since it's insecure to both use the same password over and over or to modify a single password per service (e.g. appending "fb" or "tw" etc to a password when using a different service) I have found that a password manager is literally the only thing working for me.

However, as break-ins become more and more frequent, I am concerned that my single point of failure, my password manager, could become compromised. I mean it seems almost inevitable, right? An attacker wouldn't even need to compromise the service or app you're using but your phone instead to gather the same data.

So I'm curious to those of you who use something other than a typically password manager: what do you use and has it been successful or a pain?

249 comments

[ 3.6 ms ] story [ 286 ms ] thread
Use KeePass. It's FOSS, has a great extension for FF, and stores your passwords in a local, encrypted file. No cloud necessary.
Similar setup, MacPass (a new implementation of keepass for the mac), ChromePass for autologins, and KeePass2Android on my phone. Works well, not perfect but enough for what I want.
This is what I use, but also use Syncthing to sync it between my laptop, phone, and raspberry pi and fileserver (for backup).

It works very well from my experience.

I also use Keepass, with a complex master password that I've memorized. I keep the file in my Nextcloud instance so that it's synced between my two Android devices and four Linux machines.
I thought this was a great idea to the point where I put together a Chrome extension to try it out a few years ago.

In theory it's solid but in practice, websites with arbitrary (and foolish) password requirements means your generated pass is likely to not be accepted. You can add fields for tuning the presence of non-alpha and capitalised characters but then that needs syncing and at that point - the benefits aren't really there.

I also use pass and sync it with my android phone using OpenKeychain to manage GPG keys and PasswordStore as the actual password browser. Copy/pasting randomised passwords on both desktop and mobile is easy once these are set up.
I decided to try pass a few months back. Absolutely love it. It is so simple, and builds off existing & proven tech of gpg & git. Can't recommend enough!
I have a file on the local drive of my office computer and a sheet of paper near my home computer (used by me and my wife). When the sheet of paper is full of handwriting, I bring it to office to synchronize both list.. When my house has been robbed last year they have not found the sheet, but if they had, I could have changed all passwords very quickly. In case of fire, the backup is safe in a remote location. It is easy to carry, duplicate or destroy. The security at office is ensure by the IT service. This may be imperfect, but I think my list of password would not be the main target of an attack. At home, my wife is often present and would quickly notice if a burglar steal the list. When I go on holidays, I take the home list with me. I think it is quite successful.
The actual attack to be worried about is that an adversary copies the sheet of paper without your knowledge. There's no need for an attacker to remove the physical list or to be a burglar. It could be someone you know.
Yes. I carefully lock my screen when I leave my office and the sheet of paper is not in plain sight.
> I think my list of password would not be the main target of an attack.

I used to have a little notebook with everything, tucked 'securely' out of the way. I mean, even in a robbery somebody isn't going to rifle through some junk on a shelf right? I came to think though, that in that situation of course a list of passwords is not the target but if the robber has a small amount of technical knowledge (getting more likely, these days) then the risk is that they recognize the value of something like a book of passwords and just take it along. All of a sudden, their technology aware friend has access to my bank account!

So, I use Keepass now with a long passphrase, and syncthing keeps copies of the database distributed across several devices in several locations for me and I have access from all the various operating systems that I use. I am thinking about giving the passphrase to a friend also, as I have known him for 30+ years but I do not work with him or live near him and see him only yearly or less.

Keepass-plus-syncthing is my weapon of choice also. Using your phone as one of the devices gets around the whole "bring your sheet of paper to work day".

It would be great if someone added this feature into Keepass so that you didn't have to use an additional tool. Each instance of a database would have its own key and set of linked databases. When you open the database it would sync with every one of its linked databases that is also open. This would (hopefully?) get around the problem of adding new passwords to different databases before syncing. I expect one issue might be that people tend to only log into one instance of their database at a time.

pen and paper
rofl. I have around 1300 passwords in Keepass, most of them are 20 characters including symbols. Good luck writing those passwords every time you need to login...
I used pen and paper for a decade now. I have a folder and preprinted forms where I note passwords with pens. The folder had like 20 sheets. This worked pretty well and is without doubt the most secure variant -- I always have my folder with me. Note that this only stores the important passwords. I use weak and dumb passwords for non-important services (similar to disposable email boxes).

Anyway I want to change to a paperless variant due to the increasing amount of "important" services.

I have a friend who does the same, but a folder with password is not encrypted. If it's stolen, or you just leave it somewhere by mistake, or if you leave it on a table while you piss, byebye security... A hacker only needs your old yahoo password to hack everything else. Please use at least Keepass, it has a master password, it is encrypted all the time if you want, it can have browser integration, it can upload the encrypted DB to the cloud..
That's true. However, in general I trust my environment so much more than "the whole Internet" which potentially can gain access to my systems. In fact, I don't think encrypting password managers (even in their simplicity such as https://www.passwordstore.org/) prevent typical use cases: If your home account is compromised, it is easy manipulate the workflow and subsequently decrypt your virtual password storage.
If your PC is compromised it's pretty much game over, using a password manager does not really worsen the damage in that scenario At that level of compromise they can probably add a root cert, MITM your connections, and grab your passwords anyway.

If you're concerned, you could use separate files for different levels of security, which would give you the theoretical ability to compartmentalize the loss. But again, if you're compromised to that extent it's game over, there is nothing you can do that will allow you to operate securely on untrusted hardware/OS, you simply can't let that happen.

It's not like that's an unreasonable goal, the combination of Ublock Origin, Windows Defender, and common sense have kept my systems clean for 10 years now.

The problem is if your computer is compromised - they might get a few sites that you visit after the compromise (and before you realise/format etc).

But with a password manager - they get 100% of usernames + passwords to every site you've ever used, even if you dont visit it after the compromise...

If you are more confident of your physical security, one option would be to use a book. If you search on Amazon for “password book” you can find the equivalent of an address book for the 21st century.

I recently got one for my parents (as they use and keep loosing post-it’s) and it has fields for username, password, secret question and notes.

I've used supergenpass[1] with some success, but the fact that some websites have special requirements for passwords means that I still have to memorize more than one password.

1: https://chriszarate.github.io/supergenpass/

I use a simple 'cipher' that makes new passwords easy to remember and remains relatively secure without the need of a book/service.

I have a file of the first word that comes to mind for every letter in the alphabet. Then my password is created based on some features of the site.

I.e. eBay has 4 letters so I could choose: 'Elephant_4_Yankee'

The delimiter is up to you and you could just as easily choose every second letter or whatever.

Yes, it does mean my Netflix password is a bitch to put in but I know it off by heart.

Second this. Domain should generate chiper for a password. You get unique password for every website and you dont have to remember it
If I’m understanding your suggestion correctly, it contains an attack vector where Provider B can obtain your password for Provider A by getting you to sign up for a new account and presenting the same “cipher” as Provider A.
Only problem is this would allow some pretty simple dictionary attacks if you use the method described.
I used a small script to generate my passwords : I choose a simple password, I append the domain and I hash the string. I take the first 15 characters of the hash as a password. I find it quite convenient and easy to remember !

sha256("password"+domain)

This seems like one of the simpler solutions on here, what's your process of dealing with sites that require special characters etc?
I add a special character at the end when it's needed
This works, but doesn't scale.

The problem is, the login form doesn't remind that a) a special character was required and b) what characters that particular site thinks are "special".

FWIW, it's really rare for a mixed-case alphanumeric password to be rejected. Typically it's only banks and corporate logins. Those are sufficiently special-case to make an exception.
Downvoted! :) Amusing for actual lived experience to be denied!

(Data: I have 72 logins currently cached in Firefox. Every single one of those sites accepts 10-character mixed case alphanumeric passwords with no extra special character requirements. About once a year I come across a site that needs one.)

I've checked my password manager and I think your stats roughly match what I see - about 1 in 100 sites seem to have smartass requirements to passwords, others (correctly) don't care.

Still, I'd say it's inconvenient to have "special cases" to remember about. Even if they're something important, like banking.

---

Someone had mistaken downvote with "I disagree" rather than "unhelpful". Upvoted you, as I think your comment was helpful and contributed to the discussion.

But this is going off-topic (and discussing votes is something we should refrain from)

So... your passwords are 15 characters of the combination 0-9, a-f?
Yes. But I do add a special characeter and/or a maj at a certain place when it is needed
Smart of you to use a throwaway account :)
Why not use base64 instead? 64 random characters are much better than 16.

    $ perl -e 'use Digest::SHA "sha256_base64"; print sha256_base64("master_password mail.google.com"), "\n";'
    g/sOxZfr2DFE12r8Gs/D0bhwat5kku41L+kFmuCCQOo
That's what I ended up for MemPa (described above). The idea is that I can't read binary sha256 output, and everything I know that can translate in hex can also translate in base64 leading to shorter secrets.

For the special chars, I chose the Safari way of encoding, i.e. I only extract alpha-numberics from base64, and add a "-" every 3 chars. This also improves readability. I assume that if Apple chose this way of doing, either they studied it and/or sites will conform to that.

I am at the moment also trying out password managers and searching for the best one. Lastpass so far has the best features, great password generation. But on Android it lacks a good and decent integration in finding and selecting the correct password for an app. Seriously bad. 1Password is better in this regard, but you can not swipe the 1password "click here to fill out with 1password" away. So also definetly a dealbreaker. But 1password is great at only showing the correct password for your app, after selecting it once.

Regarding the user interface don't get me started on keepass. It was recently forked into keepassxc but the chromeipass/ foxipass integration does not work all the time. Also love it if a website just shows your username already and you have to fill out the password and can't use hotkeys. (I am looking at you google) Lastpass can do it successfully, but keepass...

The Android interface was last tested a few years ago by me and it only had a notification area you had to always show. I don't know if it is much better at the moment.

Regarding your password security: Lastpass itself encrypts your passwords and hashes them thousand times. You can also manually adjust the hashrate to even more. So even if lastpass would get cracked. You would have to try out every possible hashing number with every possible password combination. So thats a plus. Well compromising your pc and installing root would be your least concern. It would be easier to steal your phone, get your fingerprint and unlock your database this way.

You can never be 100% secure. But have to choose your best way of doing it.

Also i am open to suggestion regarding a great password manager for android. Will have to try out keepass and dashlane again.

I would suggest Bitward[0]. I used Lastpass (premium) for 3 years but when I switched from Chrome to Firefox Nightly a few months ago I learnt that Lastpass didn't have a web-extension for Firefox (it was the old extension which wasn't compatible anymore). I waited a few months hoping they would release it quickly since there's very little difference between a Chrome and Firefox extension but nope. So I canceled my plan, exported my data to Bitwarden and went with it instead. I haven't been disappointed.

[0] https://bitwarden.com/

There is a lastpass extension, including the binary version, for firefox:

LastPass Firefox Toolbar Version: 4.2.3 Built: Mon Dec 04 2017 13:51:36 GMT-0500 (EST)

Binary Component: true (Native Messaging version 4.1.44, built Nov 16 2017 23:33:27)

Is it broken upstream in the nightly build, but not in the stable build?

Chromipass/Foxipass is pretty bad, but Kee for Firefox is amazing.
> a website just shows your username already and you have to fill out the password and can't use hotkeys. (I am looking at you google)

I don't know about mobile (especially Android), but at least on Google's authentication page, even though it only visually presents the username field, the password field is already there and is filled out by 1Password.

Yep - a text file, encrypted with ccrypt. Happily, Emacs knows how to open and save ccrypt-ed files.
Why would you use an encrypted file when you have free, open source password managers like Keepass? Every time you login somewhere, you open the file, search for the site, copy the password and paste it in the browser? What do you do when you need a password on your phone? What do you do to clean your memory after the paste operation to reduce the likelyhood of memory trojans reading it?
> What do you do when you need a password on your phone?

dl the file from dropbox and decrypt it via termux /s

Actually I SSH into my home server :)

At work, and with shared family accounts, I use 1Password; it works nicely and has a Web interface so I can use it from FreeBSD.

My personal workflow though is heavily Emacs-centric; I use Emacs for editing, programming, IRC, email, file management, PIM (orgmode), and (soon) Slack.

How much do you get paid / hour? Cause that takes times. 5 minutes here, 5 minutes there and I guarantee you that if you do the math, you're wasting a lot of time doing stuff that password managers (online/offline/closed or open sourced) can do automatically.
Always going to be a security/convenience tradeoff to some extent. If you expect to be targeted by The Baddies (tm), you want to tradeoff convenience for security. Spend some time every day memorizing long random strings and hope you never get hacked using the Wrench method[0].

If you're not expecting to be specifically targeted, then "modify a single password per service" can be surprisingly secure. Don't just add "tw" "fb", but memorize a more complicated algorithm that's not obvious from inspecting two or three leaked passwords. e.g. Basic Caesar Cipher on the odd characters of the passwords using some part of the service name (fb, tw) as a key. Memorize a single algorithm that you can do mentally. Use something completely different for primary accounts (probably bank + main email that allows you to reset other accounts' passwords).

Some people will disagree and say "just use a secure password manager", but there is a valid argument that managers are not necessarily the best solution, depending on your use case.

[0] https://xkcd.com/538/

> there is a valid argument that managers are not necessarily the best solution

What is that argument?

"Depending on your usecase" - e.g. you use many devices, need your passwords on all of them, and don't trust any of the current password managers to do their job (which is valid due to the many breaches and vulns).
Is the reality that your home-grown solution is genuinely going to be more secure than one of those current password managers? I doubt it.

However, I agree that for some people existing password managers seem either too complicated (KeePass) or expensive (1Password). In that case, I recommend:

1. Generate a password randomly using a 'diceware' type methodology

2. Use a standard prefix in front of all your passwords.

3. Write the password without the prefix in a notebook that you carry everywhere.

It's still not as good as 1Password because the passwords are not encrypted. But it's better than using a predictable algorithm that you have to remember. And of course, it's better than the system this often replaces - using the same 8 character password everywhere.

But I still strongly recommend paying for 1Password. How much do you pay for a padlock for your bike, or a burglar alarm for your house?

I never claimed it was more secure than a password manager. Just 'surprisingly' secure. You get something easy to remember with a lot of entropy that's difficult even for someone targeting you to exploit and which mitigates against the more common attack of cracking passwords en-masse from a leak and retrying them.

Yes, it has its own attack vectors, but they don't include things like ads stealing your info from your password manager [0] and apps stealing your passwords from your clipboard [1], both of which are legitimate reasons why you might want an alternative to a password manager.

"home-grown solution" has very negative connotations in infosec and rightfully so. I don't like seeing it in these kind of contexts as it blurs an important distinction between "Don't write your own random number generator if you're creating an app like Signal" (don't do it) vs "Find a solution to deal something as shitty as passwords in a way that works for you" (do it).

Your recommended method might also suit some people better (e.g. people who already carry a notebook around everywhere and guard it carefully).

There are no silver bullets out there. Work out what your needs are and then find a reasonable solution. It might be a password manager. It might not be.

[0] https://www.theverge.com/2017/12/30/16829804/browser-passwor...

[1] https://arstechnica.com/information-technology/2014/11/using...

We really need passchange.js: an open source collection of headless JS scripts that can programmatically change your password on a given website. Then you would continuously rotate _all_ your managed passwords as well as your master.

Not a panacea, but significantly minimizes the length of a theoretical breach.

Dashlane can change your password on a lot of sites. Unfortunately they do it server-side.
This would be a great feature for 1Password to adopt.

I’m not sure what you mean by “as well as your master”, though. If your master password is programmatically changed, how would you be able to access any of your stored passwords?

I have been working on-and-(mostly-)off on something like this for a while: https://github.com/scoates/celobox

Wish I had more time to spend on it.

This is a fantastic idea, just a simple config file which describes how to change a password for a site, which different programs can then interpret differently.
Thanks. Yeah; that's the idea for bootstrapping. At some point, I'd love it if sites themselves published APIs or at least manifests (similar to /robots.txt or favicon or a URL in a HTTP header, etc.) of how to programmatically change passwords.

A real problem I ran into is that a full browser is required for many operations, now. Instagram.com, for example, is completely opaque to non-DOM+JS browsers. Right down to the shamefully empty `<noscript>` block.

I don't think this is a good idea.

Please don't get me wrong, it would be great to have a service to centralize all your passwords including rotation, but this already exists. It's Google/Facebook if you choose to use oauth to sign in into other sites.

If this kind of api/js would exist and work, an attacker could exploit it to automatically change user's password.

Note that changing password is often used also as a simple mechanism to log out all the sessions (simple = easy to understand for the end user).

In summary, I really hope all website would do all they can do to protect their change password endpoints from automatic tools.

For me, passwords need to exist and need to be remembered, because if this is not the case, then many other security assumptions fail. With this I don't want to say that the current state of affairs is good, I definitely think that we need to invest in more mechanisms to help users remember their passwords, or reuse them in secure ways.

I have a folder in which each text file contains the username and password(s) for a particular domain/service. The hard drive is encrypted and its backups (on geographically spread external drives) are also encrypted.

I let Keychain (MacOS) remember the passwords, so I never really think about them.

I have a couple scripts, 'add' and 'get', which respectively add or get an entry associated with some keys to a text file.

An example line in the text file looks like this:

    facebook password: [base64:U2FsdGVkX1/T8CoWmfDOoaapE5lGj/fqHE3s8NohnriGajnPrCzWikCneU/u7]
Anyone thinking of trying to crack that, well good luck. I removed and twiddled a few characters from it, as if it wasn't hard enough already. Oh but here's how to decrypt if you really want to try:

    echo "$data" | openssl enc -d -aes-256-cbc -a -salt -pass env:MY_PASS
That's not a script, it's just an excerpt. You'll have to guess the password. You should probably do something else with your time.

Since the text file is encrypted, I store it on Dropbox. Then I can access this from any computer where I log into Dropbox, provided I know my main password for decryption.

Later I can type 'get facebook pass' on the command line and the get script will retrieve the best matching entry, decrypt the value, and put it in my copy paste buffer ready to paste.

The biggest problem with this system is sometimes when two or more entries are a close match to whatever keywords I input, it may pick the wrong match. I need to improve it to show a list to pick from in those cases, or work on better ways to remember the right keywords for each item. Also my matching heuristics could be improved.

I use this in conjunction with a command line script for generating strong passwords. Most accounts have different passwords at this point and they are all strong. One problem with the script is I sometimes have to tweak the resulting password by hand to match whatever (generally dumb) rules are in place at a new site... when I say dumb, I mean for example, '!' not allowed, etc.

For sharing web passwords with my phone, I just allow Safari to remember them and then trust iCloud, for better or worse.

Overall this is not a pain, and pretty successful. But if someone got terminal access in my account on my computer, it would be game over... so I try not to allow that.

Why generate symbols that are not permitted anyway? You'd lose nothing by emitting the base16 encoding of the symbol.
The problem is that there is no character-type pattern - most especially not your base16 suggestion - that will satisfy every site. Many sites require special characters. Others forbid them. It's literally impossible to satisfy both with a single non-parameterized generator, and as soon as you start adding parameters those effectively become hidden parts of the domain name. Worse, many sites don't even tell you what the requirements are on normal entry (only on change). If you can't remember what particular tweaks were necessary then it's back to the good old "forgot my password" dance - making your email password your effective password for all such sites. It's easy for app developers to be careless or "clever" about their password rules, but it's a pain for users and it's bad for security.
Have you even used the internet much? Some sites do require symbols. And some sites have ridiculous rules that your suggestion would also not help with. Also, restricting yourself to the 16 characters in hex encoding makes your passwords that much easier to guess.
> Also, restricting yourself to the 16 characters in hex encoding makes your passwords that much easier to guess.

No. Entropy does not change by adding redundant bits.

The bits are not redundant. When you have a larger alphabet, you get more possibilities for the same length of password. Sure you could also have a password that consists only of 1 and 0, but then you would have an unreasonably long password. Just as you would also have for a hex password, to a lesser degree. To carry it to an extreme you could have your password consist of just one character repeated a secret number of times, and yeah, sure, in your little theory world the amount of entropy could still be the same, but practically speaking it's a stupid idea, just like using hex characters.

You really are confused about this stuff.

You also seem completely unaware that many sites have password rules that require special characters that don't exist in your scheme... lol!

I do something similar: passwords created by a script, stored in an encrypted file that's only unwrapped when I'm fetching or storing something. It's important that the entire file is protected, requiring a password every single time. Like you, my biggest gripe is sites with special snowflake "make it hard to remember but keep it low entropy" password policies that preclude the original generated password. IMO we as a community need to start shunning such sites the same way we do for rogue SSL/TLS cert providers. As long as they exist, it's harder for even security-aware sites to move forward.
I let Google Chrome generate my passwords (You can enable password generator from chrome://flags/ ) and save them to the browser.

If I need to see the password for some reason you can find it from browser settings.

You're talking about mitigating the risk of break-in by using an alternative to a password manager.

I'd rather propse to use a self-hosted password manager on a VPS or in a cloud service.

As long as that password manager is hosted securely, VPS for example, and uses your login password to help decrypt the stored passwords.

Perhaps some HMAC required too.

Anyone know if this exists in the open source world?

KeePass is FOSS, and you can keep your database local or host it wherever you want (your server, Dropbox, Spideroak, etc.)
bitwarden.com allows you to self-host a docker image
Some years ago my solution was a notebook in a physical safe. Not recommending this, but I already had the safe and I reasoned that for the assets I was protecting, it was unlikely that a thief or anyone who might gain physical access would be interested.
To mitigate the single-point-of-failure steganography (hidden containers) would help. That would offer compartmentization and deniability. One tool that implements this: https://github.com/bwesterb/pol
I use a script that generates passwords based on a master password and a "site tag" (originally used for web based logins, but the site tag can be any word really, eg "somepieceofsoftwareyouuse").

You can find a web version here: https://milliways.cryptomilk.org/passhash.html You can save the page locally (it's only a piece of javascript), or extract the functionality to build your own command line tool with nodejs from it, like I did.

(not my code, and I shamelessly grabbed the pieces from the js code for my own fork of it)

This way I have a new password for every use case but only need to remember one master password, which should be pretty hard to reverse engineer. I hope.

I wrote a simple python program a while ago where it takes my master pw, domain of the site, and an answer to a personal question to create my password for a given site using a custom cypher.

Has actually worked really well for me, though the annoying part comes when you need to login to something on your phone and the cypher program is on your desktop PC.

Though this likely wouldn't be an issue if I had an android phone and could easily make a small application for it.

I use a formula that I can figure out in my head and I just remeber that. I don’t know any of my passwords, but I can figure out my password when I need it.

It has problems on sites that have shitty password rules. But for those sites, i just mash the keyboard then rely on the forgotten password link.

I use a small truecrypt file containing text files with passwords generated randomly which is available online on some of my servers. Not perfectly secure nor the best ease of use but good enough for me and not using a third party.

Note: as TC has been discontinued, using VeraCrypt would be a good idea.

(comment deleted)