215 comments

[ 850 ms ] story [ 976 ms ] thread
> Yubikey support in browser (Personal) BitWarden: no

huh? I use my yubikey in the Bitwarden browser extension.

Otherwise, a very extensive collection of comparison data. Not surprised to see Bitwarden come out on top.

I'm also currently using it with a Yubikey and on personal account.
"Yubikey support" is a meaningless phrase, anyway.

Bitwarden supports 2FA with Yubico OTP - although there's a bug so it works only for QWERTY layouts. Or you can use Yubikey's static password feature for your master password, I guess.

There's also OpenPGP Card and PIV, which, to my knowledge, is not used/supported by any password manager software except for `pass` and some compatible implementations.

No u2f support? :(
U2f support is badly hampered by half-assed browser support. Only chrome enables it by default, Firefox disables it by default, and no love from safari. Even LastPass in the browser uses yubico’s proprietary otp algorithm rather than u2f.
It seems that Apple is working to add support for hardware tokens. It is all a bit vague, but the latest Safari Preview notes state [1]:

Added support for CTAP HID authenticators on macOS

It also gives me "Web Authentication" under "Experimental features" in the Develop menu.

https://developer.apple.com/safari/technology-preview/releas...

Isn't that WebAuthn suppport? That is different from U2F.
Yes and no. U2F is basically the MVP of WebAuthn. If you're doing this today you should ignore U2F and just implement WebAuthn.

Firefox has WebAuthn out of the box, and there's a hack behind a pref to half-arse U2F if you still need that.

It doesn't, though. I've been trying to implement WebAuthn and, as far as I know, CTAP 2 doesn't work on any browser yet.
U2F support in Firefox should work out of the box if the developers use the WebAuthn API and not the old JS library: https://hacks.mozilla.org/2018/01/using-hardware-token-based...
That was not my experience on google and github.
Google and Github both built their U2F support for Firefox before WebAuthn was released, and as you've pointed out, the U2F support in Firefox is gated out by default. Presumably Google, Github, and other companies that coded to U2F will migrate to WebAuthn eventually.
Yes, my initial evaluation was flawed because I was looking at the free version of Bitwarden, but supports neither U2F nor attachments, but the evaluation grid said that it didn't support U2F but did support attachments. I've updated the grid to fix this. It now says that YubiKey is supported for Bitwarden and has a separate pricing line for personal use without attachments or YubiKey vs. with them.
we decided that Bitwarden is the best choice for our company, and we’ve begun the process of migrating from LastPass to Bitwarden.

  whois lastpass.com
  LogMeIn, Inc.
  whois bitwarden.com
  WhoisGuard, Inc.
What is your point?
WHOIS Privacy on the website wasn't a consideration on the table the company used. Maybe it's not important in 2018, or is enabled by default, or an oversight, or they're using the spam filtering. But:

It’s at the bottom of the page.

So why the discrepancy?

It’s at the bottom of the page. 8bit solutions LLC and they’re in Florida.
Using WhoisGuard for their domain is so not a problem. Namecheap gives you that for free and by default, and it cuts down on spam mail from other registrars.

Bitwarden is open source and self-hosted. This is a better trust model than any of the other offerings by a mile.

I have no criticism of the service or WhoisGuard, just the idea of that kind of site using it.
No keepass? Disappointed.
Given their particular usage case, which includes not just shared, synchronized access to secrets but managed, tiered levels of access, it seems to be a bit beyond what I've seen of Keepass.
Absolutely. I'm using keepass on Windows, Linux and Android in parallel with Google drive sync. Just fantastic!
The one issue I had with Keepass is that on iOS (and this is Apple's fault!) it is not possible to choose different cloud storage providers to keep the password database file on.

This silly thing alone would preclude me ever buying an iOS device! (My wife ran into it when I tried to get her up and running with Keepass, she gave up...)

I love keepass's simplicity, no browser plugins with pop up dialog boxes or UIs that conflict with the browser's own password management, just, a list of accounts and passwords.

It’s not Apple’s fault as it’s possible to change the cloud storage to store your password with 1Password for iOS.
Plenty of iOS apps offer multiple cloud storage solutions.

In fact, iOS's own Files app can be used to access different cloud providers (I have iCloud, Dropbox and Google drive set up).

Do you have any good references pointing to Apple limiting Keepass in that regard?

I'm using Chrome's built-in password manager. What are the drawbacks besides it being Google?
You're forever locked into Google Chrome!

I realize this is becoming an increasingly minor problem in the modern world, but it still bothers me. I don't know what future situations I'll find myself in, and I don't want to be locked out of all my accounts.

• What if a new browser comes out that's actually better than Chrome? (I don't want to admit to myself how unlikely this actually is.)

• What happens if I'm using a Windows 10 S device, or a locked-down library computer, or a Wii U, or some other weird gadget with a non-Chrome browser?

> What if a new browser comes out that's actually better than Chrome? (I don't want to admit to myself how unlikely this actually is.)

Firefox has a nifty feature where it doesn't send ALL your data to Google, you could try that.

I should mention, I'm currently using Firefox on Windows and Safari on macOS; Chrome is gone from my life. I really like Firefox following their Quantum update; it feels super speedy!

But, I was kinda putting myself in the mindset of the GP. They're currently using Chrome's password manager, so they clearly prefer Chrome, and while Safari and Firefox have advantages, there's no overwhelming need for anyone to switch right now. For the sake of a democratized web, I hope that changes some day in the future.

I recently starting using Firefox again, and getting my passwords out of Chrome was by far the most difficult part of the process for me. A few things I learned:

Chrome has a feature to export passwords to a CSV file, but I had to enable it via a chrome:flag, so who knows if/when support for this will disappear. This created a bit of a sense of urgency for me, as Google aggressively removes features that they don't want to support.

My employer MITMs all web traffic, so I would never log into my Google account from work. They also have an ridiculously strict password change policy (every 3 months). But having a password manager on my phone lets me store passwords for my various work-related accounts somewhere, which makes each password change fairly easy, and also lets me log into certain work-related apps/sites (e.g. Slack) from home.

If you have multiple accounts on a single website, it's a bit easier to do in a password manager (at least Keepass or Bitwarden).

Chrome is a web browser, so it only remembers passwords to websites. If you have passwords that don't map to a website - e.g. hard drive encryption password, a pgp/ssh key, a wifi password), it's a bit easier to do in a password manager.

Some password managers have OTP generators built-in, which can be convenient.

Does firefox not import passwords from chrome as part of the profile import? It's... certainly supposed to.

EDIT: Oh, you probably didn't mean getting them out and into firefox, you probably wanted to use something different to avoid the same issue (but with firefox) if you switch browsers again in the future.

Actually, at the time, I would've been perfectly happy to have just imported the passwords into Firefox!

But I don't think it is able to import them, at least not on my machine. I'm using the latest Chromium/Firefox on the latest Ubuntu, and I just had another look. When I select the option to import data from another browser, I get a dialog that says:

Import Preferences, Bookmarks, History, Passwords and other data from: Chromium

When I select Chromium, I see a list of things I can import:

Select which items to import: [x] Cookies [x] Browsing History

For some reason, "Passwords" does not appear in the list, and when I browse to a site in Firefox, it doesn't use the password that Chromium had stored.

Maybe this is an OS-dependent thing?

No integration with iOS.
Well, you can use Google Chrome on iOS, although you'll get worse performance since Apple doesn't allow third party browsers to take advantage of Javascript optimizations.

So, I'd say the point stands! You'd potentially be using a worse web browser in exchange for access to your passwords!

It's not cross-platform. Works great if everyone in your org only uses Chrome and Android, but fails for iOS users, or non-Chrome browsers.
(1) Attack surface. (2) Security abstraction. (3) Trust.

(1)This is the same-old argument as "there are more copies of Windows installed then Mac" [semantics aside, there is some truth to it]

(2)Don't shit where you eat. You don't use the same tool to protect that you use. [e.g. Windows Defender vs external gateway/firewall]

(3)Between compliance with the government [in contrast to Apple fighting the government with encryption on iphones], and YOU being the product not Chrome; I don't trust Google to keep my secrets 'secret'.

A big one would be lack of secure notes.
> Mac OS, Windows, Linux, Android, and iOS ... full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows. In other words, lack of full Linux support is a show-stopper for us. This ruled out 1Password...

...Huh? 1Password supports all of those platforms (including Linux) https://1password.com/downloads/linux/

That page says, "Requires Google Chrome or Firefox," and the download link takes you to the Chrome web store. I'm not sure the poster considers that full support.
How many Linux users don't have chrome or firefox installed?

I think the article would be a bit more accurate to say there's not native client support for Linux.

There are applications besides web browsers that require passwords. For example, password-protected documents, or encrypted archives. A password managers that requires, or only supports, web browsers is incomplete.
A password manager that is only usable in a web browser may be annoying to use for non-web-related tasks, but presumably you can just switch to your web browser, open up the password manager, and then search for what you need within it. It's not like the password manager is restricted to only giving you access to the passwords for the current site.
None of my headless servers have Chrome or Firefox installed.
They offer a CLI for this case.
Regardless, 1password X does not provide the full functionality of the native apps, so it's fair to say a Mac or Windows app is required for full functionality anyway.
That's somewhat fair, although the 1Password X page (which is what AgileBits calls their in-browser version) describes it as being comparable to the native versions, which to me goes against OP's statement that

> full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows.

The existence of 1Password X means that full functionality is not _dependent_ on a MacOS/Windows app. The argument that there should be a graphical (because there _is_ a multi-platform CLI), native app for Linux, which does not depend on any browser, is a perfectly valid one -- but it is also an argument that I don't believe they've made.

1Password X is definitely not comparable to the native versions, and the statement was "full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows."

> The argument that there should be a graphical (because there _is_ a multi-platform CLI), native app for Linux, which does not depend on any browser, is a perfectly valid one -- but it is also an argument that I don't believe they've made.

I think they're making that argument.

I have no experience with the mac app but 1Password X is certainly better than the native windows app.
There is substantial functionality which is only available in the native app, not in 1Password X, and therefore completely unavailable on Linux.

If the 1Password X claims that its functionality is comparable to the native version, then it is lying.

How is this different than just trusting the browser to handle saved passwords in an encrypted manner?
It really doesn't. I'm a full time linux user and I can tell you the support from both lastpass and 1password is abysmal. I have to copy and paste my passwords from both of those platforms using their half-baked browser plugins that rarely work with linux clipboards.
It's interesting to me that you've had trouble using the 1password browser plugin on linux; it isn't quite as handy as having a native app as you do on OSX, but I've never had any trouble at all with it.
I also find 1password browser plugin fairly crap. Sometimes it doesn't play nice with chrome, sometimes it doesn't show the correct logins so I have to open the plugin, navigate to it, and then do two copy pastes.
Interesting. Browser plugins, by nature, include source code. I wonder if there's an easy fix. Can you describe the issue in a little more detail?
I took a shot at building a browser plugin for 1pass [1] a little while back.

Turns out, the hardest thing is not the crypto or the browser to app communication, but parsing the HTML to accurately find the login forms. If I remember correctly, the browser plugin on Mac actually sends the entire HTML to the app for parsing. The parser is probably quite complicated and they avoid reimplementing it in extensions that way.

[1] https://medium.com/@paulsc/making-a-1password-client-15dd39a...

Of course that also protects the IP :)

Also, great post. I love reading reverse engineering stories.

Interesting. Lastpass works perfectly for me on Debian based Linux, and I have friends that use it on arch. I can't speak to use on other distros though.
Same, Lastpass works just just fine for me on Solus in both Firefox and Vivaldi.
I think that parent is referring to standalone apps, not in browser extensions.
I use 1Password via the CLI (https://support.1password.com/command-line/) on Linux (well -- FreeBSD) Desktop all the time. I wrote a wrapper for the CLI (https://github.com/dcreemer/1pass) to make it a bit more ergonomic to use with things like FZF.

I used to use "pass" like others here, but did not like the Android experience.

*edited to add: and we use the 1Password team account at my day job -- and are satisfied customers. I'm sure other products work well too -- just my one data point.

afaict, the 1password cli app is just a client for their API and has no offline mode, so if I can't reach 1password's servers, I can't access any of my secrets.

I believe the browser addons do not share this shortcoming, though.

You are correct - that's the main reason I wrote the 1pass wrapper mentioned above. It mirrors the data locally (in a gpg-encrypeted cache).
Both Lastpass and 1password browser plugins worked totally fine for me on Linux. My only complaint re: 1pass is the lack of native Linux app — you can't do mildly complicated things in the browser extension like edit credentials. On the other hand, LastPass doesn't have a native app.
LastPass doesn't have a native app because it doesn't need one -- when the browser plugin and web vault are working properly, they provide all available functionality on every platform. The problem is that the plugin does not always work properly; see my other comment about copy/paste problems on Linux, a bug which LastPass has known about for many months and not fixed.
You're correct that the Linux support for 1Password is severely lacking, which is why I called that out in my evaluation.

LastPass, on the other hand, is in a different category. It _claims_ to have full Linux support, and for a long time they did, but more recently -- as you point out -- copy/paste in their browser plugins stopped working properly when the binary component of the plugin is enabled on Linux. Since the binary plugin component is required to work with attachments, Linux users have been forced to choose between working copy/paste and the ability to manipulate attachments. They've known about this bug for many months and have not fixed it. In fact, this is one of the unfixed bugs which drove us to finally evaluate alternatives to LastPass.

(comment deleted)
Unfortunately, 1Password may find its engineers compromised by their government, by virtue of being Australian.
I thought they were based out of Toronto, Canada.
They have literally one support person in Australia.
As they note on the table, support is poor, but it exists
A comparison matrix would help.
It's in the article. Click on "Result".
Does the one further down on the page hosted on JSFiddle count?
Here's a plug for DPG (zero storage password manager). I wrote it years ago and it meets my needs well.

https://github.com/w8rbt/dpg

(comment deleted)
I rarely see it mentioned, but when 1Password changed to a subscription model I switched to Enpass (https://www.enpass.io) and I've been very happy with it.
they don't make it very obvious, but note that 1password doesn't require a subscription. i use it with vaults shared and kept in sync via dropbox for example.
Same. I recently purchased an upgrade and consider it well worth the price, although I'm considering switching to the subscription model / family plan to make it easier to support my parents and in-laws. However my main concern is that you can't disable browser access when using ay of the subscription plans:

https://discussions.agilebits.com/discussion/80105/cant-disa...

yup, i don't use 1password.com because of those security concerns.

not sure if it would work for your situation, but it's possible to set up different vaults for different groups of people and share them via separate dropbox folders (or even just different share settings on the vault files). i have 5 vaults set up that way.

I'm confused as to what the security issue is here.

> Limiting the access of unencrypted passwords to only properly setup 1PW applications would seem to eliminate the possible (probable?) web based attack vector to a 1password.com account.

This doesn't make sense. What's a "properly setup 1PW application"? Presumably that's an instance of 1Password that has been given both the master password and account key for the account. But when you use the web-based portal, you have to give it, yep, the master password and account key.

Anyone who is able to access the passwords using the web portal can already set up a local instance of the 1PW application that syncs with the same account.

Ultimately, asking to "disable browser access" is basically the same thing as asking to "disable the syncing API", which would obviously defeat the entire point of having the family account.

Right - I don't want 1Password to handle syncing and I don't want Dropbox handling / offering decryption of the encrypted store.

I trust the local 1Password apps enough to supply them my master password to unlock vaults locally.

I trust Dropbox enough to not sync the encrypted store somewhere I don't want it ending up.

It's a separation of concerns argument. I likely won't hold up to any targeted attack on my personal property given how careless I am with local devices but I should be somewhat protected against a your typical dragnet / mass attack against either service remotely.

I switched from Enpass to Bitwarden because Enpass isn't open source. Enpass is easier to setup with dropbox though, only thing I miss about that.
Has anyone gone through the process of switching? I use Keeper for personal stuff, and I suppose there's always the chance to switch if one turns out to be technically or politically much superior, but there are dozens and dozens of passwords in there to transfer...
I switched from LastPass to 1Password. It was a quick and simple export -> import process.
As a current LastPass user, what prompted you to switch?
Not the person you asked, but I also switched from LastPass to 1Password. The reasons were (1) 1Password's more integrated/more convenient 2FA support, and (2) AgileBits seems to care more about design.
...just checked and there is literally no export option for Dashlane on linux.

I will start switching to a replacement shortly. I wish I'd known sooner.

I switched from LastPass to Bitwarden, I do not miss a single thing and quite a few irritating things have been fixed.
Agree - switching to Bitwarden was super easy.
I tried last week to switch from 1Password (local) to LastPass, because I wanted Chromebook support. The import process was awful, and I gave up and went with 1password.com (cloud). It's working well.
I tried migrating to bitwarden from lastpass about 1m ago, but it's missing a bunch of QoL & maturity that 1password has, so I'm sticking with 1p for now.

Also it has no automated tests, which makes me somewhat wary.

I like the functionality comparison but I'm really curious how they stack up to each other security wise.
Bitwarden recently completed a 3rd party Audit[1] and Bitwarden is the only one to be completely open source[2] (server and client).

[1] https://blog.bitwarden.com/bitwarden-completes-third-party-s... [2] https://github.com/bitwarden/

It also has pretty much zero automated (unit, integration, etc) tests as of a few weeks ago.
But you only know that because you can see the source.
They may have non-public tests to discourage forking. IIRC, Sqlite similarly has some proprietary tests only available to paying customers.
I've been using masterpassword [1] which is stateless and requires no sync. I wonder what the HN crowd thinks of its features. Another option with the same paradigm is lesspass [2].

1. https://masterpassword.app/ 2. https://lesspass.com/#/

There's a few issues with the master password derived password system, including:

What if you need to change your password for a site to a different one?

What if the site changes its URL?

There's a counter on Master Password, so if the password expires or you need to change it, you just +1 and it's new.

They also have settings depending on password requirements (no special characters, etc.).

I'm unsure what the URL really has to do with it, you could just generate a new password for the new URL and change it.

Sometimes different URLs share credentials (LDAP). Changing isn't necessarily an option?
I guess in a situation like that you'd just choose the base URL you'd remember best.
In my system, you have a number of additional pieces of information that are used to generate the password, including a counter and a salt. If you need to change your password, you would typically just increment the counter. You can also do this if the password policies don't allow your password for some reason.

This does mean that you need to remember what the version is. Fortunately this information doesn't need to be kept secret. I also have a system that generates emojis based on your settings, so as long as you remember the emoji that goes with the site, you can just increment it until you get the right one, so it's down to you whether you store the version number somewhere or remember the emoji.

I use URLs by default, but you can enter anything you want into the 'purpose' field. It's still pretty raw, but it's at https://github.com/kybernetikos/sinkless

Most of the complaints people have about deterministic systems don't really hold up in practice for me. Protecting them by 2fa would be better of course, which deterministic can't do and lots of the good password managers do, but I really dislike having to worry about syncing state beyond just emailing it to myself.

One thing that would be awesome would be if someone came up with a standard machine readable way of describing the limitations on passwords for sites (allowable characters, number of characters, any restrictions on previous values / sequences etc), and all good sites could embed that information, and poor sites could be looked up in a third-party service.

A good critique of these systems is here: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-passw..., discussed on HN here: https://news.ycombinator.com/item?id=13016132

The general consensus of security experts seems to be that they're a bad idea.

I think my setup using `password-store` works great, and arguably is more secure since I rotate my passwords regularly as well.

The main reason I argue my system is more secure is that it has a physical gpg yubikey token to decrypt my password database.

In the 'deterministic password managers', there's no easy way to require that you have physical access to my yubikey in order to decrypt the passwords. You could keylog the master phrase in the case of deterministic ones and have a persistent pwn... heck, just typing the master password into a public slack by accident pwns most deterministic password managers (as pointed out in the above article)

On the other hand, even if someone keylogs my yubikey's user pin, well, they still need to either have the yubikey or to trick me into unlocking the yubikey again for their malicious attacking software. If I accidentally type my user pin into slack, I really don't have to worry all that much.

Is there a technical restriction that makes yubikeys incompatible with stateless password generators or is it just that no one has implemented it yet?
My yubikey is state. A stateless password manager cannot rely on it to secure the actual passwords or else it is no longer stateless.

If the yubikey is only used to secure the master passphrase that derives the other deterministic passwords, then relatively little has been gained because the actual derivation of the passwords happens separately and the original concerns are still largely present.

Even if the master password is secured with a yubikey, many of the other flaws are still present, and if you need a yubikey to access your passwords anyway, you might as well encrypt the passwords directly rather than going through this awkward extra step that reduces security.

I've been using lesspass for a while, I would highly recommend it. It is extremely simple yet very effective.
One feature I didn't see mentioned—LastPass has a Bookmarklet that can be used in leu of a proper extension. This means that if I ever decide to start using a random niche web browser, I won't have to start copying and pasting from a web vault in order to log in to sites.

The freedom to do this is important to me regardless of whether I ever actually use it.

I'm surprised there was no mention of recent security audits.

BitWarden just famously had one.

Many of these have had audits, not just this Bitwarden audit. There are some disquieting things in that audit, for what it's worth.

I don't understand how this information is actionable. It would be worth knowing whether something has _ever_ been audited (again: most of the major password managers have been), but just knowing an audit has been done isn't sufficient to know whether it's secure.

Sure, but if it has been audited, it's more likely that security issues were found and resolved than if it hasn't gone through one.

Our company went through an audit and did quite well, and we fixed most of the findings. However, I know for a fact that there are things we can do to improve that weren't covered.

Not all audits are created equal, no audit will catch everything, and there's no guarantee that findings were patched sufficiently. However, I feel much better knowing that an audit was done, which means the author cares at least somewhat about security.

I think Scott knows that most of these other password managers have been audited, and I know he knows audits are of varying quality and are virtually never conclusive, so I'm not sure what he's trying to say by pointing Bitwarden's audit out.
I thought the checklist was aiming to be comprehensive and that the omission of the audits was an oversight.

The one for bitwarden being, as you said, disquieting, makes its omission a little suspicious.

We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."

We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.

We didn't include security audits in our evaluation because, we are skeptical of their value and do not consider them a significant differentiator.

For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.

1Password cites several on their support page:

https://support.1password.com/security-assessments/

Did you click on the "full report" links, those are just simple page attestations.

The latest appears to be a private bug bounty program, where 9 high priority issues were discovered. Who knows what they where, or whether any of the low priority issues should have been classified differently.

Without transparency, we just trust an empty attestation.

In the end I've just been using the Unix pass password manager [1].

It's just cobbling together of GPG and git with shell scripts but it works like a normal git repository so you get all your synchronization, from that, your security from GPG which are all things I know and trust without introducing other components that I don't know / understand.

[1] https://www.passwordstore.org/

For developers/tech-savvy people it is more or less perfect. I love the fact that it is based on git giving you a history and great control over synchronization. I use it to store all kinds of things such as passwords and files containing environment variables that can be sourced directly from the output of pass (source <(pass dotenv/project)). It even exists a great open-source iOS client: https://github.com/mssun/passforios
I love the iOS app, but things like this concern me (not quite a dealbreaker though): https://github.com/mssun/passforios/issues/223
It's insane that people working on a password manager thought it was a good idea to put passwords in UserDefaults. Apple expressly states in its documentation that sensitive information should be stored in Keychain; how does someone setting out to make a password manager miss that?
What's crazy is Apple makes it super easy to use Keychain. APIs are great and there are good examples of how to use them.
I love this as well. It supports OTP and there is an awesome Android app for it called Password Store, and a browser extension called Browserpass.
OTP as in Open Telephony Platform?

Edit: it turns out OTP is one time password, that's neat!

I'm only familiar with that through Erlang and consider it an architectural pattern for supervision trees, would you be willing to expound a teeny bit more on what you mean?

Search for TOTP or HOTP, basically one time passwords, usually shown to end users as QR codes stored in an authenticator on a mobile phone.
And because it's using GPG one can easily have secrets unlocked with a Yubikey and only when the blinking button is touched. On a PC and Android both using the same Yubikey token.

For me the combination of features in pass is just perfect! But it's from the same person that created Wireguard so it's no surprise...

My one concern with pass is that it doesn't encrypt filenames; it's a real pity, as that's an information leak itself.
Have you tried to use pass-tomb?
I'm not the parent poster but the added friction and configuring for pass-tomb made me choose to just use keepassxc instead. IMO, this kind of feature should be the default.
I mitigated this by storing username in the gpg file itself using the 'user:' tag, while having the file named jdoe or something similar instead of a login name.
When I switched to pass one thing I felt the lack of was a keyboard shortcut triggered HUD style search interface on os x. I've been working on a project to do this in case anyone else is in the same boat - https://github.com/mnussbaum/PassHUD
And since it's just gpg+git you can share some passwords using a git repo. We use this with my team at work
For me an important selling point of 1Password was that their software looks like native Windows software and native iOS software while Bitwarden is just Chrome wrapper or something like that for desktop and C# for mobile and I don't want to support that kind of cross-platform software.
1Password felt like Mac/iOS software ported to other platforms.
Their windows app definitely needs some love. Actually kinda wish it was a direct port, UI and all.
Are you just concerning the "look" or some technical disadvantage of such cross platform apps.
What did you find changed in lastpass after the logmein acquisition? We've been using lastpass since before the acquisition, and i can't say i've noticed any substantial changes (either positive or negative)
Not sure if its related to the acquisition, but if you're a firefox user the app has gotten very slow in past few years. I think the issue is related to the move to chrome extensions but really that shouldn't be an excuse. Lots of add-on have done this move and haven't had a problem.
In the last few days it's had a good improvement. Copy username/password directly from the window is back (had to previously edit and view password, then copy) and speed is just as good as I see on chrome.

I'm using Windows an Linux and these improvements have come in the past week or so for me. Perhaps they recently updated, I haven't checked.

Worth taking another look if you can.

More bugs and the support was horrible. I moved my entire company from LP to 1Password. I'm impressed with the quality of 1Password. They get huge props from me for telling me, in the upgrade dialog, what the changes are, before I agree to upgrade.
>More bugs and the support was horrible.

^^^Yes, this.

In 2018, we reported nine different substantive security holes to LastPass. At least two of them were security issues. All of them took far too long to fix; some of them still aren't fixed.

There's a tenth bug which impacts many of our users on a regular basis which we haven't bothered to report to them because by the time we started running into it, our users were like, "Meh, whatever, that's just LastPass being LastPass." It's not good when you stop reporting bugs to a vendor because you've become convinced that they just don't care.

They've had 12 outages of varying severities and lengths in the past six months.

Pretty much every time I reported a bug to them -- and believe me, most of my bug reports were extremely detailed and often included videos or screenshots demonstrating them -- their first response was, "Try uninstalling and reinstalling your plugin." I hate that. HATE, HATE, HATE it.

I don't have access to my account anymore, but once I scrolled through my tickets, that I had created over the years. There were like 50 of them. Hardly any of those I felt good about after they were closed.

I've had maybe 2-3 with 1Password, and all but one was resolved quickly and satisfactorily. The one that wasn't: them telling my Basic Authentication dialogs would not be supported any longer. (The same response from LP, just before I quit them.) I can't really hate on either for this, since BA seems to be quite insecurely done and changes all the freaking time in Chrome (it broke regularly when LP supported it, due to Chrome changes).

Glad to see Bitwarden up on top. They tick all the boxes for me - open source, transparent security (including recently published audit), feature-rich, optional self-hosted, and easy to use.
Used to be a keepass user until I found bitwarden. It does everything better, more simply. Sync is handled so much better and the browser extensions are super intelligent at picking up login fields.
Is Bitwarden a native app?
There is one, yes, as well as browser extensions and a web vault.
It probably has the most comprehensive set of apps out of any of the password managers.
Except there isn't much info on who 8 bit solutions is. It seems like a 1 man effort and apparently he doesn't want to reveal much.

A few requests aren't exactly answered.

https://github.com/bitwarden/website/issues/12

https://community.bitwarden.com/t/who-is-hosting-bitwarden/1...

This is informative: https://opensource.com/article/18/3/behind-scenes-bitwarden

My impression is that Kyle cares more about spending time writing software than about hyping his company. ;-)

It's an unfortunate flaw in a founder, but not a fatal one if he hires people to do the communication that he doesn't want to be doing. It feels to me like he's moving in that direction.

It's not about hyping.

Just a general "About" page of where it's located, who's behind and a photo of CEO with added bonus if there's a photo of their office.

It's a very security oriented product. Not showing who they're can be taken as hiding.

In this day in age it is common for a two-year-old SaaS startup not to have an office. I mean, I suppose it's possible that they have one, but my assumption is that the entire company is remote.

I don't see why their location is particularly important, but if you care, you can look on Kyle's LinkedIn profile, which I was able to browse my way to in about 45 seconds from a standing start from their web site.

The article I just linked to makes it perfectly clear "who's behind" Bitwarden, and you can find it out easily with a few seconds of Googling like what I just did. They're not trying to hide anything from anyone who cares to spend 30 seconds trying to find out.

I care a lot more about the fact that hundreds of vulnerabilities have been submitted to LastPass's bug bounty program and they haven't chosen to disclose any of them, whereas a much smaller number have been submitted to Bitwarden's program and they've disclosed several. P.S. I, personally have reported three different security issues to LastPass, none of which have been fixed (https://medium.com/@QuantopianCyber/hi-george-a16d88a37355).

It's clear to me that LogMeIn, which owns LastPass and has a big-deal, flashy "About" page, is much less security-focused than Bitwarden. What you're asking for feels more like security theater than anything that's actually relevant to security.

I wonder, why not a single word has been spoken about Keepass/X, which is available on all platforms (not sure about iOS, though), can work with UbiKeys, afaik, has huge im- and export support and is free from any corporate interests.
If you want the Qt one, make sure to use KeyPassXC, the active fork of KeePassX.

https://keepassxc.org/

I use keepassxc on MacOS, Windows, Linux, along with MiniKeePass on iOS. It's synced through my free Dropbox account. I just make sure to set the preferences so that every change to the key database results in a file save.
I daily use the exact same setup for all three, but with the Android equivalent.

...so it's not like this app is unheard of, per this thread's parent comment. Super odd that they didn't include it haha

> synced through my free Dropbox account

I was always a bit paranoid about this, even though I did it myself.

The decentralised alternative is to use something like SyncThing[0]. It's what I use and is only slightly more involved.

[0] https://syncthing.net

I use syncthing for some backups, no idea why I've never considered it for keepass. Probably cause I don't want to mix the two and clients don't offer it already integrated. Or are there any? It for sure wouldn't make building the project more easy, and the password manager is the one thing i still want to build form source to at least imagine I have full control over it.
What about Resilio Sync? They have a discount for one-time license. And it was formerly BitTorrent Sync. I'll have to check out Sync Thing.
Well, SyncThing is open source as well as being free.
I use keepassx and yeah it could use some tlc, but overall I consider stability a feature in security software. How does one tell if xc isn't just a bunch of wannabes making keepassx with blackjack and hookers until they break it? At least keepassx has taviso's off-handed Twitter comment that it "looks sane".
What I like about keypass is that it's not networked and not running in the browser, making the attack surface a lot smaller.

Keypassxc having such features(and apparently the old network protocol was vulnerable lol) is for me a strike against it.

When I migrated from Ubuntu to mac os, I started using macpass, for convenience, and in order to avoid decrypting my passwords when switching to another password manager. Macpass is free, fully compatible with keepass and has on top of it, a much nicer UI than keepass on Linux or Windows.

https://macpassapp.org

Couldn't find any mention of a 3rd party security assessment? Open source doesn't necessarily guarantee security though I'm really glad to see this is open source.

Given macOS's security track record - especially with High Sierra - and how particularly verbose Mach-O binaries tend to be, I'd be kinda worried about something relying so heavily on proprietary APIs (and potentially the system keystore?) Though I'm sure using Keepass with Mono (that the Macpass site lightly implies is the only Keepass macOS alternative) isn't exactly an impenetrable fortress either haha

Got that Hopper license around here somewhere...

MiniKeePass for iOS works with Keypass/X and Keypass/XC files
A number of features we looked at are only relevant in an enterprise (i.e., business) environment. For example, for just personal use, you probably won’t care about linked personal accounts, fine-grained access control, or what abilities company administrators have, but all of these questions were important to us.

They were not evaluating pw managers from point of personal user but as a company. You don't want to share one file with all passwords with all company.

In iOS I’ve been using Strongbox, which has been excellent for my needs so far (cloud sync and iOS integration). Also supports TouchID.
Just idle curiosity, but I'd be curious to see BitWarden's commit on GitHub:

> ...at one point during our evaluation we submitted a bug report about Bitwarden through its Github project; one of the product’s maintainers committed a bug fix seventeen minutes later, and just a few days after that the fix was released to the public.

Nice. That's some response time.
That tells me that their testing is either extremely excellent , or extremely nonexistent. Rumors seem to point towards the latter, which is concerning for security software.
I don't know about the rumours, but "a few days" is a long time to test a bug fix.

It should ideally take from a few seconds to a few minutes. That's not extremely excellent, it's just good practice.

More than that and it hints towards heavy reliance on manual testing, and that's something I'd be worried about.

EDIT: Despite the parent comment's misguided logic, it seems his/her fears are actually in the right place.

An issue was opened about 6 weeks ago asking where the tests are and it received zero responses from the maintainers: https://github.com/bitwarden/core/issues/399

It was a cosmetic, not a security-critical bug, so there's really no reason why it needed to be released right away.

Also "a few days" was just a guess. I noticed that it was a problem, then I noticed a few days later that the fix had been release. I don't actually know exactly how long it took to release the fix after it was committed.

For enterprise software, a couple days is indeed strange. For OSS, it's standard in good communities I'd say. When I filed bug fixes against Tomcat, I often had fix within that day (though it was released only during the typical release schedule of Tomcat)
Is Bitwarden a native app on mac? Or it's an electron app? Can we use it with dropbox sync instead of their web sync?
no use of your own (dropbox) sync...
If someone is still looking for a good one, I use Keepass and can very much recommend it.
anyone use passbolt[0]?

interested to know your experience good/bad/etc...I am considering installing on a vm at home to use for family.

[0] https://www.passbolt.com/

i was using dashlane for a while. The features were great, but one thing really bothered me:

On macOS everytime I opened safari it launched a dashlane.com page reminding me to install the plugin. I did not want the plugin, and after much googling never was able to prevent this behavior. I had to uninstall it.

Switched to KeepassXC, its good.

i find it hilarious, hilarious i tell you, that he felt the need to put a quasi-legal disclaimer at the bottom of his medium post. i suppose it is demanded by the field he is in (investment banking) but it just strikes me as nonsense.

too bad the article is quite thin.

Question about bitwarden: I found this issue saying there are no tests. https://github.com/bitwarden/core/issues/399

Also in the comments here someone said there are no tests. Does anyone have any info about that? I am interested in the software but no tests would be worrying. (Had no time to browse the code yet.)