Ask HN: What password managers can you recommend?
I used to be a happy 1Password user, but they seem insistent on making the experience as terrible as possible lately. I've tried BitWarden and Enpass, but their integration is worse and they suffer from some of the same problems as 1Password (subscription/server-based, not really in control of own data, etc.)
Are there any password managers that
- Integrate into browsers on all major platforms
- Have decent password generators
- No major security breaches in past ten years
- Local-first / sync via standard sync mechanisms (Dropbox, iCloud, sync thing, etc.)
EDIT: Based on responses below, I'm going to try KeePass[.*] and see how it goes. First hiccup is that 1Password import doesn't seem to work, but I'll keep at it.
135 comments
[ 3.1 ms ] story [ 196 ms ] thread* Android app logs itself out every time I use it.
* Lacked versioning of passwords (last time I checked).
* The workflow to add new passwords / reset passwords on websites is clunky. This hasnt improved for years.
2) The older versions are available online if you click on the number to the right of "Password History"
3) Agree, that can use some polish
Common problems are:
1a/ If I am trying to transfer money between two banks, a Plaid iframe pops up requesting the credentials of another bank's website. Since the bank's credentials are typically configured on another domain, you need to search for it, copy the username, paste the username, then re-search, copy the password, paste the password. I wish the drop down had more 'memory'.
1b/ Similar problem of needing to re-search to get the password if I am trying to copy and paste username and password for a desktop app where it doesn't auto-detect a domain.
2/ When registering on a new website, its 3 clicks to generate a new password for the form. Why can't there just be an auto-fill with a fresh unique password like iOS offers? If the website rejects the password (for being too long or invalid characters), its 4 clicks to create a new one.
1b: yes desktop app seems like an afterthought
2: This is annoying and should be fixed. I didn't think of it because I so rarely register for new websites.
The limited subset is that they're easily typeable on a normal English keyboard without having to resort to on-screen keyboards or alt sequences.
- Upper-case
- Lower-case
- Digits
- Minus
- Underline
- Special
- Brackets
There is the option to enable auto-fill on page load though https://bitwarden.com/help/article/auto-fill-browser/
I default to it for anyone looking for this solution.
1: https://keepassxc.org/
2: https://syncthing.net/
* Sometimes you need to fill passwords on app login screens on your phone, for example. At least 1Password for your phone can do this.
* I sometimes need to fill passwords in non-browser apps. I can use a global shortcut to easily open my password list and copy what I need without touching the mouse.
* I want to store things that aren't passwords securely.
Etc
1Password's proprietary sync isn't open source and isn't open standards. It is designed to lock me into reliance on a company that has inarguably demonstrated that it hates its users.
It's 1 file per vault, but multiple people can use the same vault and all are update simultaneously.
Ask HN: How did my LastPass master password get leaked?: https://news.ycombinator.com/item?id=29716715
LastPass users warned their master passwords are compromised: https://news.ycombinator.com/item?id=29716715
[1] https://www.theverge.com/2021/12/28/22857485/lastpass-compro...
[1] https://news.ycombinator.com/item?id=29706579
Again, that it could be an attack vector is interesting and relevant, but different from "has been breached" per OP.
The LastPass app itself is just "ok" from a UI perspective, but again, I use that part rarely.
It is Dropbox friendly meaning any change or addition in another person using the same vault in the same directory is automatically updated in all open vaults. This was originally for collaboration. You can have your own private vault too with a unique password, as many as you like. They just end up as XML files. It runs fast as uses databinding, can generate strong passwords, and makes copying/pasting easy. I am having trouble encrypting files over 1GB though.
I take great lengths to protect the key. If the file is open too long, it minimizes and locks, when you open it, it decrypts everything again. As soon as decryption is done, the key is stashed away using ProtectMemory function in the framework. I have done memory dumps to ensure the key is not visible when the app is idle.
Files works differently, Their meta data is encrypted but you are able to checksum then and preview them in memory without the key ever being exposed and the content never touches the disk and is zeroed afterward. You can currently play sound, view pictures, execute files (in memory!) and soon video.
I plan on browser integration by a cross-browser userscript and loopback routing (127.0.0.1) that recognizes when the cursor is in a field specified in the login's metadata. But I am am running into trouble because sites like to randomize the name of the login fields, so I a have to use some reliable heuristic approach.
Does anyone have any ideas on how to deal with that? If I can figure that out, and get video previews working I will open source it.
EDIT: Here's a preview of the app: https://imgur.com/a/rZGPCPZ
If you don't self-host, note that everything is encrypted before being stored at bitwarden. They don't have access to your passwords.
Having a reliable, stable PW manager with a good app and TOTP capabilities feels like a steal at that price.
Import/export is irrelevant. I want to own my data, not just be able to check out a copy whenever I want.
How could they be less user-hostile?
You can install the android bitwarden, which maintains a local DB. You can use it offline, and you can sync as you need with a server as needed or never at all. Which fits my definition of "local first". To double check I just put my phone in airplane mode, opened my local vault, and saw my password DB, which I could edit.
You can sync by telling it to, and there's plugins for all major browsers. You can use a bitwarden provided server, run your own, or not have one. You can export and sync via dropbox, icloud, syncthing, etc. Not sure why you would do that instead of clicking sync and letting the client upload to your own server or a bitwarden server.
Not sure how this could be consider user hostile. The rust server in particular is open source, single command to install, runs happily in provided docker container, etc. Exports are available in .json, or .csv. You can export from a web vault, browser extension, desktop client, mobile, or even command line.
I'm not trolling, I use bitwarden on android, and vaultwarden (rust server compatible with warden) on the server and it works great. I'm quite fond of it's security, track record, security assessments, open source, SOC certifications etc. I also like having the local DB on a device I control and doesn't depend on any cloud, remote server, etc so I can have my password db accessible without any internet access.
But even with 10 devices and a fast changing DB, using rsync or similar sounds pretty painful. Not sure where the ground is that good for rsync, but bad for import/export. I've friends that are particularly security conscious and only sync sometimes, and only over a VPN... but use bitwarden.... just like they would if they used rsync.... which you could use.
You say you are "Not sure why [I] would do that instead of..." This is exactly my point. You fundamentally disagree with my requirements.
I'm genuinely, sincerely glad that BitWarden works well for you. It doesn't work well for me because it is not local-first and requires a server. As a result, all these BitWarden posts are off-topic for the OP.
If you have a recommendation that meets the criteria in the OP, I'd be very grateful to hear it. However, please don't come here just to get all fighty and argue that my requirements are wrong.
Seems weird to call it a dark pattern because they optionally provide a way to sync through a server to keep N clients in sync that's easier to use than trying to rsync between N clients. Having used rsync to keep a work computer, home computer, laptop, and 2 phones synced with a password DB (Keepass) for years, I greatly prefer the sync through server solution, but that's not forced on you.
[0]https://outercorner.com/secrets-mac/
[1] https://elpass.app
They stopped supporting the mobile extension. I can no longer invoke 1Password from Safari on iOS. If I'm lucky, then Safari's own AutoFill will recognize what I'm trying to do, and connect to 1Password that way. Otherwise I have to manually copy login credentials from the 1Password app to Safari. Either way, that is not an acceptable solution.
They make it increasingly difficult to find and use the non-subscription version of their software.
The new desktop software is a giant Electron mess.
And the developers respond to any and all criticism with the polite corporate-speak version of a giant middle finger.
They did provide an alternative, to be fair -- they're shipping a Safari web extension that you can turn on, which gives you about the same behavior as in a desktop browser.
Honestly, I find that the built in iOS autofill stuff works fine for my purposes. I recognize that's probably very specific to the exact sites I'm using, though...
I'm sorry, but this is not accurate. The extension they're shipping is intentionally crippled unless you pay the monthly ransom and give Agile Bits sole control over your passwords.
https://ibb.co/XC0PkD9
2) For some reason, using the above as justification to also try pressuring folks from moving from stand-alone vaults to cloud native vaults, which people worry is less secure
3) Switching to electron app rather than fully native app
4) When users voice above criticism, responding with BS, rather than engage in a fair, honest and transparent way
Bottom line, they raised a ton of cash, and it seems clear they are focused on decreasing costs and increasing profitability, at the expense of what made their loyal long time users love them
> they seem insistent on making the experience as terrible as possible lately
With git or whatever you want for sync, and whatever GPG-compatible security device you want for encryption.
I swear, pass is the piece of software that has improved my digital life the most per line of code in the software.
I hear you about problems with a server/subscription-based model, but a) it's the least of all evils, and b) I've come to enjoy financially supporting them (i.e. my subscription means they can keep making great software, which is definitely valuable to me).
https://www.passwordstore.org/
Pass uses GPG under the hood for encrypting the password store. I use an OpenPGP smartcard (a Yubikey in my case) to decrypt the password files. I synchronize the store across devices using Git. There are good autofill implementations for Firefox and for Android. When I need a password, the autofill prompts me to insert my Yubikey and enter in the unlock PIN, which I find more convenient than a master password. Crypto functions are offloaded to the Yubikey with a (theoretically) very difficult to extract private key, so unless somebody swipes that they can't get into my passwords.
I mostly followed this guide for setting it up: https://dehnes.com/software/2020/04/03/password_management_y...
Are you talking about `git clone`?
[0]: https://www.brycewray.com/posts/2021/06/two-paths-password-m...
[1]: https://www.brycewray.com/posts/2021/08/1password-hits-fan/
Lets take all of a user's credentials (mixing the critical and the trivial) and put them into a single database and then use Javascript-based browser extensions to control access to the DB. What could go wrong?
The LastPass communications brouhaha from last week was just a whiff of the total shit show we're going to see when the client code from one of these password managers is modified with trojan code and we realize that some group has been slurping up credentials by the billions over the course of a few months.
Seems like the charitable take is that password managers are maybe the best approach to a horrible idea, and the real solution is that we ought to be racing to abolish passwords altogether as soon as possible.
If you generate random 16 character passwords and commit them to memory for every site (likely thousands you'll encounter over your lifetime), then fine, you don't need a password manager. For most other humans, it's a net win.
Having said that, passwords are a fundamentally flawed idea. Everyone should be using WebAuthn. Password managers turn "something you know" into "something you have". Webauthn skips the guessable backdoor and just goes right to "something you have". Much safer, and much easier to use!
If you use an offline password manager you don't need to use a browser extension. If your password manager requires a browser extension, it's increasing the risk profile.
Password managers are not a terrible idea. Certain implementations of password managers are a terrible idea.
How do we reliably be sure we are entering credentials in the right place?
I am thinking we need to look at a bunch of different factors, but what?
Biometrics will take over, I definitely love FaceID on my iPhone. It just works and the fail rate is near zero on my 12 mini. FaceID that works similarly to Microsoft Authenticator for approvals should be all I need but we're not quite there yet. Effectively, given that I need FaceID to open MS Authenticator, we are already there.
So your choice of KeePass is pretty good. There is KeePass2 which is by the original author of the KDBX format. There is KeePassXC which is an alternative. KeePass2 has a lot of community plugins if that's what you're after.