Ask HN: Password manager with best experience on Linux?
I've been really happy with 1Password, but it seems 1Password does not have a Linux client. They have what seems to be a browser extension (1PasswordX), but so far I've hated the 1Password browser extension on OSX, so I can't imagine using that full time on Linux.
With that said, I'm super happy with 1Password's UX on OSX. It sits in the tray, can be activated with a toggle, allows me to search a password name, and then keeps that site/etc active while you toggle back and forth between the app and 1Password Mini. Copying in this manner is quick and easy. This, plus excellent support for Windows/OSX/Mobile makes 1Password a joy.
What are you using on Linux and do you enjoy it? Any problems with it?
79 comments
[ 3.1 ms ] story [ 151 ms ] threadFree for teams of 2 (perfect for my wife & me) and has a linux app. Runs great on my thinkpad running pop_os!
And how is the experience?
For 16-18 I used Lubuntu. This required a bunch of little customizations and 3rd party apps to get it close to OSX (the standard for me).
Pop_os didnt require me writing scripts to get the touchbar or brighness keys to work. Plus, since it was bundled with nvidia drivers, it was by far the most seamless install experience. The defaults fit my workflow better than Lubuntu at a minimal cost. It's very slick without taking away functionality.
It’s core is opensource and you can run your own server if you want.
For my less critical accounts even the 2FA token is stored in it.
Then gnome keyring with PAM auth upon user login.(again, lazy)
If your password gets leaked I can just: recognise that it's base64, decode it, see your salt and then all of your other passwords are essentially open to me?
Edit: Oh, is the salt different for each site? I don't get why you'd ever do this instead of generating an entirely new password though, you aren't solving the storage problem.
This doesn't solve all the other problems with this system, like what if there are multiple logins on the same domain? what if the site has esoteric password requirements? what if the requirements change? if your salt leaks you don't have a list of sites to know to go change your password. etc etc. Not my favorite solution for practical reasons, but it's cryptographically reasonable at least.
At some point guessing the original input becomes tedious, when you’re trying to remember if your github password has name “github.com2” or “github.com-3”
Edit:
Completely forgot about another huge usability issue. Some sites enforce weird rules for what symbols are allowed, or what length your password should be. Every time your function generates something that doesn’t pass validation, you’re forced to pretty much revert to your pre-password-management behavior. Obviously you won’t remember that a year later when you suddenly realize that generated password doesn’t work.
Secondly, different sites have different requirements, so your generated passwords might not work everywhere.
Finally, a password manager lets you store more than just a password for each site, and it can let you store passwords and secrets for things other than websites.
Well I know Lesspass[0] has a 'counter' so that if you need to change a pass you simply increment it by one and you get a new hash
https://lesspass.com/#/
* Are you sure your algorithm can't be reversed?
* What do you do if your normal username is taken?
* What do you do when the site's name changes?
* How do you handle forbidden and mandatory characters?
* How do you handle forced rotation?
* What about extraneous crap like security questions, phone PINs, emails, related sites, &c.?
* How do you access it on other devices?
* How can you track down old accounts to close them down?
If you go on listing the issues, you wind up writing the requirements document for a password manager.
One difference, though, is that most of the issues can be addressed by some sort of persistent data store that does not need high security. Once you've taken the passwords themselves out of what your password manager stores, I think this is the only thing on your list that requires storing highly sensitive data:
> What about extraneous crap like security questions, phone PINs, emails, related sites, &c.?
For the rest, such as some sort of per site version serial number to handle password rotation, or a map from current site name to original site name for sites whose names have changed, it is also sensitive data, but it is on a level of sensitivity like a contact list or browser bookmarks for which your ordinary OS security mechanisms for file protection should be sufficient.
I originally used LastPass for a long time, but it went downhill fast with its sale to LogMeIn and the retirement of the old Firefox extension.
Switching to BitWarden was a delightful experience and I haven't been disappointed with it yet.
If I need to get my password for eg. GitHub outside of Firefox, I just type `$ pass -c dev/github`, decrypt, and it's in my clipboard for 45 seconds.
[0]: https://www.passwordstore.org/
[1]: https://addons.mozilla.org/en-US/firefox/addon/passff/
[2]: https://github.com/zeapo/Android-Password-Store
You make it sound custom, so I wonder if you know that pass's source repository and at least Archlinux's package includes passmenu which lets you access your passwords with dmenu.
https://www.gopass.pw
I use it for the same reason to encrypt different folders with different keys (work vs. private).
I've been wanting to switch to a Yubikey with USB-C, since both my laptop and phone have that port and I don't have to rely on NFC, but this has been working fine so I can't really justify the cost.
Thank you.
Someone has an opinion/solution for the problem of exposing the list of everything you are using a password for? The fact that pass doesn't encrypt that makes me somewhat uncomfortable about hosting the remote git repo on an Internet accessible machine / service. Keeping the data "offline" (if such a thing exists) makes the sync across devices more challenging...
I cannot wait to finally get off of 1password completely, though. Their latest mini update is an absolute joke. They break app functionality or they shove a detour in my workflow several times a year. Usually connectivity between the miniapp and full app break and when you're someone who enters passwords all day long you really start to notice how much slower you are when your workflow changes. I've had to reinstall the app multiple times this year because some $bug broke connectivity between the browser and the full app.
1pass's android app STILL does not have a password generator built inso you'll never want to create accounts using it but the rest of its functionality is pretty good. This is a huge annoyance of mine. I shouldn't have to go grab my laptop to make an account just to make sure I'm not using one of my in-memory passwords. Whatever password manager I pick would need full android integration.
https://blog.1password.com/why-i-switched-to-1password-x/
Unless I'm just missing a part of the UX, which is totally possible.
I now use Linux about 60% of the time, and was worried about needing to switch password managers. But I was happy to learn that I can mostly rely on 1PasswordX in firefox on Linux. It is really good.
Most importantly, I can share select passwords with my wife who uses Windows/IOS.
[1] https://www.passwordstore.org/
* It's browser plugin (https://addons.mozilla.org/firefox/addon/keepassxc-browser/)
* Syncthing (https://syncthing.net/) to synchronize across devices and mobile
* Keepass2Android Offline for Mobile access (https://play.google.com/store/apps/details?id=keepass2androi...)
Then the experience is close to Lastpass but only using opensource components.
The one downside is that the iOS client is unmaintained. I know nothing about crypto so I'm unfortunately not in a good position to contribute.
[0]https://github.com/keepassxreboot/keepassxc/releases/downloa...
or passit looks kind of cool, but I haven't used it. https://gitlab.com/passit
https://github.com/keeweb/keeweb/
I tried 1Password and switched halfway to Bitwarden; I think there's a quant firm that reviewed password managers and recommended Bitwarden, which I trusted more than those consumer-grade sites.
I also like the command-line app that I can integrate into dmenu and the fact that it allows self-hosting.
I use bitwarden_rs[0] server written in Rust which is much lighter implementation you can run on cheapest 512mb instance. Official bitwarden[1] server is using docker and mssql which requires a lot of RAM.
You can run it on Linux through Firefox extension as well as on any operating system, including iOS and Android (native app). iOS and Android apps have system Password Manager integration which allows you to skip running app manually in most cases.
[0]: https://github.com/dani-garcia/bitwarden_rs
[1]: https://github.com/bitwarden/server
I’m usually concerned about these forks getting way behind or getting abandoned after sometime. At least mainline Bitwarden has paid subscription tiers to support ongoing development and maintenance, which may provide some predictable income for that.
Security-wise, I used nginx over my custom domain to enforce HTTPS and put bitwarden app itself behind a firewall.
As a bonus, bitwarden_rs also enables all premium features for you ("You are a premium member!" label is by default in every client).
It's cross-platform with decent user experience. The only thing that bothered me was using a lot of NPM packages from random vendors. It is a minor thing. I assume they do NPM audit and everything. worth to take a look.
I use this. Check it out to see if it meets your requirements.