Ask HN: What password managers can you recommend?

45 points by torstenvl ↗ HN
I used to be a happy 1Password user, but they seem insistent on making the experience as terrible as possible lately. I've tried BitWarden and Enpass, but their integration is worse and they suffer from some of the same problems as 1Password (subscription/server-based, not really in control of own data, etc.)

Are there any password managers that

- Integrate into browsers on all major platforms

- Have decent password generators

- No major security breaches in past ten years

- Local-first / sync via standard sync mechanisms (Dropbox, iCloud, sync thing, etc.)

EDIT: Based on responses below, I'm going to try KeePass[.*] and see how it goes. First hiccup is that 1Password import doesn't seem to work, but I'll keep at it.

135 comments

[ 3.1 ms ] story [ 196 ms ] thread
Bitwarden. The free version does everything I need from a password manager (which is to store, sync and generate passwords); decent browser extension, decent mobile app.
You can also self-host it (either the original or a more lightweight fork called Vaultwarden. although i don't know how trustworthy it is)
+1 Bitwarden. I wish they dog fooded more so they can see how bad their browser extension is though.
On firefox, their browser extension is excellent for me; what issues do you have?
Not him, but:

* Android app logs itself out every time I use it.

* Lacked versioning of passwords (last time I checked).

* The workflow to add new passwords / reset passwords on websites is clunky. This hasnt improved for years.

Agreed on the third point. But the first two have been fixed for quite some time now.
1) Never experienced that

2) The older versions are available online if you click on the number to the right of "Password History"

3) Agree, that can use some polish

I use FF too.

Common problems are:

1a/ If I am trying to transfer money between two banks, a Plaid iframe pops up requesting the credentials of another bank's website. Since the bank's credentials are typically configured on another domain, you need to search for it, copy the username, paste the username, then re-search, copy the password, paste the password. I wish the drop down had more 'memory'.

1b/ Similar problem of needing to re-search to get the password if I am trying to copy and paste username and password for a desktop app where it doesn't auto-detect a domain.

2/ When registering on a new website, its 3 clicks to generate a new password for the form. Why can't there just be an auto-fill with a fresh unique password like iOS offers? If the website rejects the password (for being too long or invalid characters), its 4 clicks to create a new one.

1a: I don't use plaid, but I suspect that adding the plaid domain to valid domains for your bank's passwords might work. I consider any time I need to copy/paste to be a big issue because it significantly increases the chances of successful phishing.

1b: yes desktop app seems like an afterthought

2: This is annoying and should be fixed. I didn't think of it because I so rarely register for new websites.

I use Bitwarden, but the lack of auto type on Desktop as well as the limited selection of symbols of the password generator annoys me a lot
What symbols do you want? Kanji and Russian Cyrillic also?

The limited subset is that they're easily typeable on a normal English keyboard without having to resort to on-screen keyboards or alt sequences.

from KeePass at least:

- Upper-case

- Lower-case

- Digits

- Minus

- Underline

- Special

- Brackets

In the Bitwarden password generator you can use uppercase, lowercase letters, digits and !@#$%^&*. Is the lack of brackets or a minus really an issue for you?
Does seem weird to ignore []{}-_,()'`"
there are more special characters, e.g. the following three: =/:
Re: lack of autofill (at least for the browser extension), Ctrl-Shfit-L will fill in forms with the top candidate. Not quite autofill, but I find it faster than clicking.
I am speaking for the desktop application which can't auto fill/ auto type in different applications such as Element
This would be really helpful, it's always annoying having to deal with logging into different game clients when they randomly seem to log out
I'm happy with the free version, but I'm paying the 10$ to reward the devs
Same here. My self, wife and kids all use it. I have my father and mother using it.

I default to it for anyone looking for this solution.

I use Kee-pass. The password generator is good and I'm not aware of any breaches. I don't know how good the browser integration is. Mine is backed up to several locations that I also use it from, I suppose Dropbox would work.
Browser integration for KeePass is non-existent. What I found a few years ago when I tried, is that you install a plugin to KeePass that basically exposes your database to queries from other approved applications. The browser plugin will be one of those applications.
Was in the same boat. KeePassXC is what you want.
1Password is fantastic IMO but all these password managers make me nervous.
What's the terrible experience you're finding lately with 1Password? I've found it to be more consistent and stable in the last little while (especially when paired with the more recent Safari releases)
I've not understood why one wouldn't use Chrome or Edge's built-in password manager. Is there a compelling reason to use a separate password manager app?
I thought they were stored on-disk in a non-encrypted SQLite database. So anyone with physical access to your computer has all your passwords.
I believe they are encrypted with you Windows credentials.
Yes, with DPAPI. In addition, you can choose a master password on Firefox.
Do Chrome and Edge support autofill on other browsers? iOS apps? The answer might be yes just not sure. They are also missing features like secure notes, documents etc.
Yes:

* Sometimes you need to fill passwords on app login screens on your phone, for example. At least 1Password for your phone can do this.

* I sometimes need to fill passwords in non-browser apps. I can use a global shortcut to easily open my password list and copy what I need without touching the mouse.

* I want to store things that aren't passwords securely.

Etc

(comment deleted)
I don't use it because I need passwords on multiple mobile and desktop machines.
The reason I don't is that those are not the only browsers I use. And I want my passwords available to me everywhere.
What if you use multiple browsers?
Why are Dropbox and iCloud preferable to 1Password sync?
I’m curious about this too. 1Password used to sync to a file that could be backed up to iCloud/Dropbox/drive and I wished they’d kept it that way, but it at least partially suggests they may have stuck with full client-side encryption (I have not verified)
Yeah they still claim to have full client side encryption for the cloud service. Maybe it's the subscription pricing model that's the issue for people?
Because they work at a standard level of abstraction (the file system) and can be replaced if necessary. I can replace Dropbox with Box or Syncthing or OwnCloud or rsync or sftp coupled with crontab or an FSEventsD monitor or whatever I want, at any time I want.

1Password's proprietary sync isn't open source and isn't open standards. It is designed to lock me into reliance on a company that has inarguably demonstrated that it hates its users.

My password manager works just like this! It just monitors shared folders and keeps everything in a compressed/32k encoded XML file that you can open with a text editor.

It's 1 file per vault, but multiple people can use the same vault and all are update simultaneously.

I use LastPass. I love that it has a mobile app for me to copy/paste on my phone and my wife's phone. It has a really good browser extension. I do pay the small fee for multiple devices.
A few HN posts from the last week regarding LastPass:

Ask HN: How did my LastPass master password get leaked?: https://news.ycombinator.com/item?id=29716715

LastPass users warned their master passwords are compromised: https://news.ycombinator.com/item?id=29716715

Note that master passwords were not compromised, the the warnings were triggered in error[1]. That's not to say that other concerns around security aren't valid.

[1] https://www.theverge.com/2021/12/28/22857485/lastpass-compro...

The warnings might have been triggered in error, but the evidence is certainly there for masters to have been compromised. Until recently their publicly available support forum running phpBB was using the master password for customer logins.[1]

[1] https://news.ycombinator.com/item?id=29706579

I'm trying to differentiate between "there has been evidence of a breach" and "there are less-desirable security practices". As I understand it, the phpBB / master password practices—which are indeed, not good, but also not fully understood exactly how they did it—are also not evidence that the masters have been compromised.

Again, that it could be an attack vector is interesting and relevant, but different from "has been breached" per OP.

Another vote for LastPass, though I haven't cross-shopped in a while. It generally "works", including on iOS. (You can enable auto-fill directly in Mobile Safari in Setting > Passwords > AutoFill, so I rarely have to open the app anymore.) Chrome extension experience on desktop is similarly "fine".

The LastPass app itself is just "ok" from a UI perspective, but again, I use that part rarely.

Bitwarden - without question - pay the $10 a year. It's only 10 bucks and totalliy worth it...
I wrote my own with ridiculous Argon2 requirements (Takes 18 secs to open) combined with PKDF hybrid hashing system. (not chained) and strong AES256 CBC implementation with proper random IVs for each field and correct padding. You can encrypt any kind of data and files, it's encoded as 32k UTF-16 + sig XML losing only 1.3% over binary, but I like text files. Of course, some files come out smaller due to the Gzip compression.

It is Dropbox friendly meaning any change or addition in another person using the same vault in the same directory is automatically updated in all open vaults. This was originally for collaboration. You can have your own private vault too with a unique password, as many as you like. They just end up as XML files. It runs fast as uses databinding, can generate strong passwords, and makes copying/pasting easy. I am having trouble encrypting files over 1GB though.

I take great lengths to protect the key. If the file is open too long, it minimizes and locks, when you open it, it decrypts everything again. As soon as decryption is done, the key is stashed away using ProtectMemory function in the framework. I have done memory dumps to ensure the key is not visible when the app is idle.

Files works differently, Their meta data is encrypted but you are able to checksum then and preview them in memory without the key ever being exposed and the content never touches the disk and is zeroed afterward. You can currently play sound, view pictures, execute files (in memory!) and soon video.

I plan on browser integration by a cross-browser userscript and loopback routing (127.0.0.1) that recognizes when the cursor is in a field specified in the login's metadata. But I am am running into trouble because sites like to randomize the name of the login fields, so I a have to use some reliable heuristic approach.

Does anyone have any ideas on how to deal with that? If I can figure that out, and get video previews working I will open source it.

EDIT: Here's a preview of the app: https://imgur.com/a/rZGPCPZ

Bitwarden can be self-hosted. $10/year subscription cost is well, well worth it.

If you don't self-host, note that everything is encrypted before being stored at bitwarden. They don't have access to your passwords.

Same. 10/yr is not worth self hosting IMO, unless for security/paranoia reasons.

Having a reliable, stable PW manager with a good app and TOTP capabilities feels like a steal at that price.

Normally I'd agree, but a single docker command makes is so easy to run. I still recommend the $10/year jsut to help support them.
Bitwarden is just as user-hostile. They go out of their way to make it harder to own your data, when it should just be local-first vaults.

Import/export is irrelevant. I want to own my data, not just be able to check out a copy whenever I want.

Curious what makes you say this. I recently started using it and it has prominent import and export functionality.
(comment deleted)
How so? It's easy to run vault warden if you want local, and their android app supports connecting to your local vault warden. You can also export your data.

How could they be less user-hostile?

(comment deleted)
(comment deleted)
(comment deleted)
(comment deleted)
BitWarden is server-based and not local-first. Stop trolling for software that does not meet the parameters of the OP just because you disagree with those parameters.
Er, not sure how I'm disagreeing or trolling. You claim I'm trolling without mentioning specifically why. Which parameter of the OP isn't being met?

You can install the android bitwarden, which maintains a local DB. You can use it offline, and you can sync as you need with a server as needed or never at all. Which fits my definition of "local first". To double check I just put my phone in airplane mode, opened my local vault, and saw my password DB, which I could edit.

You can sync by telling it to, and there's plugins for all major browsers. You can use a bitwarden provided server, run your own, or not have one. You can export and sync via dropbox, icloud, syncthing, etc. Not sure why you would do that instead of clicking sync and letting the client upload to your own server or a bitwarden server.

Not sure how this could be consider user hostile. The rust server in particular is open source, single command to install, runs happily in provided docker container, etc. Exports are available in .json, or .csv. You can export from a web vault, browser extension, desktop client, mobile, or even command line.

I'm not trolling, I use bitwarden on android, and vaultwarden (rust server compatible with warden) on the server and it works great. I'm quite fond of it's security, track record, security assessments, open source, SOC certifications etc. I also like having the local DB on a device I control and doesn't depend on any cloud, remote server, etc so I can have my password db accessible without any internet access.

not that calling that "trolling" is exactly appropriate, but OP is clearly asking for sync over standard file sync methods, without having to run any extra server software, and "but you can export/import every time" is not exactly a good way of doing that...
A bit hard to guess without knowing the use case and reasoning. Keeping 10 devices synced on a DB that changes often = poor. Protection against some cloud service going down and leaving you stranded seems reasonable. Every server/cloud could explode, decide to charge me $1m a year, or be confiscated by the government and I could still use my phone and then export it to use a 2nd standalone device if I needed to. Even transfer it over USB if needed.

But even with 10 devices and a fast changing DB, using rsync or similar sounds pretty painful. Not sure where the ground is that good for rsync, but bad for import/export. I've friends that are particularly security conscious and only sync sometimes, and only over a VPN... but use bitwarden.... just like they would if they used rsync.... which you could use.

BitWarden's architecture requires a server when there is no technical reason to require one. That enforces a dark pattern whereby users must either (a) acquiesce to BitWarden owning their password database or (b) go through the pain of running their own dedicated server.

You say you are "Not sure why [I] would do that instead of..." This is exactly my point. You fundamentally disagree with my requirements.

I'm genuinely, sincerely glad that BitWarden works well for you. It doesn't work well for me because it is not local-first and requires a server. As a result, all these BitWarden posts are off-topic for the OP.

If you have a recommendation that meets the criteria in the OP, I'd be very grateful to hear it. However, please don't come here just to get all fighty and argue that my requirements are wrong.

Er, I don't understand. You install bitwarden on your phone, you use it, never use a server. Not even required to have internet. The app isn't some crippled client, it can create a vault, encrypt the vault, edit the vault, etc. No cloud or server is required, only if it's useful for you to sync with other devices.

Seems weird to call it a dark pattern because they optionally provide a way to sync through a server to keep N clients in sync that's easier to use than trying to rsync between N clients. Having used rsync to keep a work computer, home computer, laptop, and 2 phones synced with a password DB (Keepass) for years, I greatly prefer the sync through server solution, but that's not forced on you.

I hate what 1Password has become, and how user-hostile Agile Bits are. BUT after the last bait and switch they pulled I tested _every single password manager on the market_, and the bad news is that the others are all worse. The only two I found that I liked, but sadly lacked at least one feature that we need, were Secrets [0] and Elpass [1]. I think both might fail your requirements list too. I've begrudgingly had to stick with 1Password, but after the way they've treated the customers who have been giving them money for over a decade I'll be off the second someone makes a password manager that meets our requirements.

[0]https://outercorner.com/secrets-mac/

[1] https://elpass.app

I've been a happy 1PW user on Windows 10 for a few years, but admit I haven't paid a lot of attention. I haven't noticed any big changes. What are you guys referring to?
They've made a laundry list of user-hostile changes in the last few years, enough to turn me from a very vocal advocate recommending 1P to everyone I know, into someone with a visceral dislike of the company and everything they do. They've repeatedly removed features that people relied on (self-managed sync), done all sorts of dark patterns to trick people into subscribing and the app just keeps getting worse. My biggest bugbear on that last point is that it's no longer possible to tab to the generate password button - something that was possible in every version up until the latest one. And to top it all off, the next version is going to be yet another stinking Electron turd eating up your system resources.
They made generating passwords more difficult. You can no longer tell it how many, e.g., special symbols to use, only to use them or not. This means regenerating new passwords over and over until one fits site requirements, and/or manual tweaking that might unintentionally reduce entropy.

They stopped supporting the mobile extension. I can no longer invoke 1Password from Safari on iOS. If I'm lucky, then Safari's own AutoFill will recognize what I'm trying to do, and connect to 1Password that way. Otherwise I have to manually copy login credentials from the 1Password app to Safari. Either way, that is not an acceptable solution.

They make it increasingly difficult to find and use the non-subscription version of their software.

The new desktop software is a giant Electron mess.

And the developers respond to any and all criticism with the polite corporate-speak version of a giant middle finger.

> They stopped supporting the mobile extension. I can no longer invoke 1Password from Safari on iOS.

They did provide an alternative, to be fair -- they're shipping a Safari web extension that you can turn on, which gives you about the same behavior as in a desktop browser.

Honestly, I find that the built in iOS autofill stuff works fine for my purposes. I recognize that's probably very specific to the exact sites I'm using, though...

> they're shipping a Safari web extension that you can turn on, which gives you about the same behavior as in a desktop browser

I'm sorry, but this is not accurate. The extension they're shipping is intentionally crippled unless you pay the monthly ransom and give Agile Bits sole control over your passwords.

https://ibb.co/XC0PkD9

Huh, I didn't realize the extension didn't support standalone vaults. That's pretty shitty of them, then.
1) Pressure to move from standalone purchase to subscription pricing

2) For some reason, using the above as justification to also try pressuring folks from moving from stand-alone vaults to cloud native vaults, which people worry is less secure

3) Switching to electron app rather than fully native app

4) When users voice above criticism, responding with BS, rather than engage in a fair, honest and transparent way

Bottom line, they raised a ton of cash, and it seems clear they are focused on decreasing costs and increasing profitability, at the expense of what made their loyal long time users love them

People are mad because it used to be self-hosted and free, but now it's mostly something you pay for. I just pay for it and yeah, it's great.
This can't go uncorrected - it was never free and nobody has ever complained that it isn't. I've been giving them money for over a decade.
What features were missing?
Can you elaborate on

> they seem insistent on making the experience as terrible as possible lately

I was a happy 1Password user and warily switched to their subscription model. But It still does everything I want and now it even does more -- e.g. I can have shared vaults with my partner and other family members, which is more convenient than duplicating entries between machines or going to each others' computers to look something up.
BitWarden is good. Codebook is the commercial version of the earlier Open Source "STRIP" and underrated.
Pass! https://www.passwordstore.org/

With git or whatever you want for sync, and whatever GPG-compatible security device you want for encryption.

I swear, pass is the piece of software that has improved my digital life the most per line of code in the software.

1Password is consistently fantastic.

I hear you about problems with a server/subscription-based model, but a) it's the least of all evils, and b) I've come to enjoy financially supporting them (i.e. my subscription means they can keep making great software, which is definitely valuable to me).

I use pass. It's a Unix-style password manager created by zx2c4 of Wireguard fame.

https://www.passwordstore.org/

Pass uses GPG under the hood for encrypting the password store. I use an OpenPGP smartcard (a Yubikey in my case) to decrypt the password files. I synchronize the store across devices using Git. There are good autofill implementations for Firefox and for Android. When I need a password, the autofill prompts me to insert my Yubikey and enter in the unlock PIN, which I find more convenient than a master password. Crypto functions are offloaded to the Yubikey with a (theoretically) very difficult to extract private key, so unless somebody swipes that they can't get into my passwords.

I mostly followed this guide for setting it up: https://dehnes.com/software/2020/04/03/password_management_y...

There is Browserpass extension for Chromium as well.
Pass is not very user friendly. Adding a new device to your tree is a painful experience. Losing your Yubikey or your main gpg key is a painful experience. That being said, there are variants to pass that make multi key trees easier to manage and that's what I'm using.
>Adding a new device to your tree

Are you talking about `git clone`?

No, I'm talking about having different GPG keys for different devices. I want my passwords on my phone, and on each of my computers. I would prefer to have separate keys for each of them.
If you can handle what I call[0][1] "the KeePass way": on desktop, KeePassXC (Windows/macOS/Linux) on desktop; on mobile, KeePass2Android or Keepassium (iOS).

[0]: https://www.brycewray.com/posts/2021/06/two-paths-password-m...

[1]: https://www.brycewray.com/posts/2021/08/1password-hits-fan/

In my experience Keepass2Android has very bad usability on Android compared to Bitwarden
Am not an Android user, so in that app's case I was relying on the many favorable comments I've seen about the app here and on appropriate places on Reddit.
I use KeePassXC. I don't feel that web password managers are safe given the monstrous attack surface of browsers.
I don't get he drama about 1Password. What's wrong with it? I'm a little wary of 8 (Electron) but eh, I doubt it'll be bad. It costs me like $4-5/mo which is an mount I don't even bother keeping track of or budgeting.
Am I the only one that thinks that password managers are a terrible idea?

Lets take all of a user's credentials (mixing the critical and the trivial) and put them into a single database and then use Javascript-based browser extensions to control access to the DB. What could go wrong?

The LastPass communications brouhaha from last week was just a whiff of the total shit show we're going to see when the client code from one of these password managers is modified with trojan code and we realize that some group has been slurping up credentials by the billions over the course of a few months.

Seems like the charitable take is that password managers are maybe the best approach to a horrible idea, and the real solution is that we ought to be racing to abolish passwords altogether as soon as possible.

Yes, you're pretty much the only one that thinks password managers are a terrible idea. The alternative is using the same password on every site, which is proven not to work. Even ignoring breaches, you're sending the administrators of your favorite forum or whatever your email password. That rarely ends well.

If you generate random 16 character passwords and commit them to memory for every site (likely thousands you'll encounter over your lifetime), then fine, you don't need a password manager. For most other humans, it's a net win.

Having said that, passwords are a fundamentally flawed idea. Everyone should be using WebAuthn. Password managers turn "something you know" into "something you have". Webauthn skips the guessable backdoor and just goes right to "something you have". Much safer, and much easier to use!

I think you're mixing a few aspects of a password management solution. Not all password managers are online (LastPass). Not all password managers require an extension.

If you use an offline password manager you don't need to use a browser extension. If your password manager requires a browser extension, it's increasing the risk profile.

Password managers are not a terrible idea. Certain implementations of password managers are a terrible idea.

This is a huge problem.

How do we reliably be sure we are entering credentials in the right place?

I am thinking we need to look at a bunch of different factors, but what?

I agree, that's why I've never used anything except KeePass.

Biometrics will take over, I definitely love FaceID on my iPhone. It just works and the fail rate is near zero on my 12 mini. FaceID that works similarly to Microsoft Authenticator for approvals should be all I need but we're not quite there yet. Effectively, given that I need FaceID to open MS Authenticator, we are already there.

Biometrics are not passwords though, biometrics are usernames. They can be forged from something as simple as a regular photograph and you cannot change them.
Biometrics are usenames and passwords in one. You may fool a poor biometric implementation, but I'd challenge anyone to try to break into my iPhone via FaceID.
I can recommend not using an online password manager. When it comes to a sensitive set of information, the first step in a terrible experience is giving another entity control of that set of information. Offline password managers have a reduced risk due to the not-always-on nature and your own control over its syncing.

So your choice of KeePass is pretty good. There is KeePass2 which is by the original author of the KDBX format. There is KeePassXC which is an alternative. KeePass2 has a lot of community plugins if that's what you're after.