Ask HN: Alternatives to 1Password

123 points by vasachi ↗ HN
1Password was silently removed from Russian App Store and Play Market.

Are there any good alternatives? Or do I have to use Kaspersy's password store?

176 comments

[ 2.9 ms ] story [ 213 ms ] thread
Bitwarden if you want a third-party managing your credentials, keepass if you're ok handling the syncing of your password database.
Bitwarden also works with self-hosted servers.
I would say that I found Bitwarden much better than keepass for selfhosted too.
I think it strongly depends on the ecosystem one is in and the usecase. Android support for keepass is pretty solid with keepass2android.
Are you using the official server or vaultwarden? Do you mind getting more into the experience of it?
This is true, I am using Vaultwarden now rather than actual Bitwarden.

In Docker it took seconds to get running. Hardening it took a little longer, but fail2ban was still only 6 lines of config.

I have to try that, the official server wants to spin up a few containers, a MSSQL and needs 2-4GB RAM and 25GB disk space. lol...
This uses sqlite and I see it using about 30Mb.

MSSQL is never the correct answer.

Mssql is good if you need a 1TB+ db and replication and are too lazy to set up postgres replication. And if you can’t afford oracle. ;)
KeePass' UI is quite clunky, but last time I checked you couldn't even do proper keyboard navigation with Bitwarden, or auto-type outside the browser...
I'm not sure I quite understand your comment.

> Keyboard navigation

I use the `bw` command, and haven't had issues with the keyboard.

> auto-type outside the browser.

Is this mobile or desktop that we are talking about here? Mobile worked correctly for me. Integration for all of these password managers on desktop isn't great, and using the fingerprint to unlock, similar to 1Password, would be nice.

I mean the desktop UI, I haven't tried the mobile.

By keyboard navigation I mean basic stuff like using arrow keys, shortcut keys for menus, etc... It all felt very much mouse-centric.

And Auto-type is KeepassXC' global shortcut key to invoke auto-type in any application, even terminal windows. AFAIK most password managers don't even think of supporting this.

Bitwarden has a cli app. With this you can automate everything.

Regarding keyboard navigation in the ui. If your are into that just use the cli and create some helpful scripts for rofi, alfred, ueli or whatever you are using if you want to have a ui.

Bitwarden is so insanely good that this minor downside shouldn't keep you from using it.

My mum is really bad with PCs. Yet bitwarden has solved all her password problems. Especially on mobile. With KeepassXC she was just frustrated.

I thought other way around: Bitwarden UI is simplistic.
You can use a lot of different clients for KeePass. I use KeePassXC and Strongbox (highly recommend for iOS or macOS)
There is also the reimplementation of Bitwarden's server, vaultwarden. https://github.com/dani-garcia/vaultwarden. It's worth a look if you're self hosting.
+1 for bit/vaultwarden. Nice mobile apps, nice browser plugins, nice web interface. Regular updates, easy to install. Using it for a year + (two years?) no issues. Super grateful.
Another +1 for Bitwarden.

I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company. That they are engaging in this racist action against Russians helps assure me that I made the right decision.

Bitwarden has been a drop-in replacement for all intents and purposes.

What racist action are you referring to?
For my money it's hollow virtue signaling, not racism, but he's referring to OPs original post, that Agile Bits removed 1Password from the Russian play store.
> I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company.

I don’t know about this incident of them being racist, but if I leave that aside, your words sound exactly like what I would say about the company! This isn’t something new with Agile Bits ridiculing customers or potential customers on its forums. There have been instances of this several years ago too when people questioned the licensing model and asked about the changes. They essentially behave as if users are stupid and that they (Agile Bits) are the only ones who know what’s best in every case. It’s quite condescending.

The incident you’re referring to is exactly the incident that made me move on :)
My leading contender is KeePassXC. https://keepassxc.org
Short addition: Keepass just stores everything in one encrypted .kdbx file. You can then sync that file to your other devices (phone, other computer etc) using your cloud, nextcloud or if you don't trust any of that using a local filesync solution like Syncthing.

I have explored syncing of these Keepass files with Nextcloud and Syncthing and both just works fine and I can recommend it.

+1 KeePass + dropbox/gdrive/ "getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem."
You also can add a local secret file just for extra safety. I also love that I can store Git and SSH authentication and do auto-type outside the browser as well
> Keepass just stores everything in one encrypted .kdbx file

I've always wondered if this might be a potential vulnerability. If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it. Using online password storage in theory could limit amount of login trials. Also, changing password in kdbx file has no effect as attacker still have physical access to previous file with previous password.

If they access you device your side may be compromised (and a keylogger or cache inspector may defeat most password managers, offline or not).

And even if they get it because your online backup of it is leaky, it is encrypted using AES256 with a passphrase of whatever length you want to use, correct horse battery staple let you to generate complex enough and long, but memorable, passphrases. If your passwords are important enough to try to dedicate a lot of computer resources to break it, you can put a passphrase that can stand brute force attacks for centuries.

> If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it.

Yes, good point. However, in the database security settings, you can set a decryption time between 100ms and 5s. I've set mine at 5s; I don't mind waiting 5 seconds for it to open, yet it will greatly hinder an opponent's efficiency.

There's also an optional key file. It can be anything as long as it doesn't change. The attacker has to get it, too, or he's in for a serious ride.

Thanks for tips, I didn't know about it. I need to try it out
The nice thing with password managers is you only have to remember the one password. That means it's easy to make that password very strong. And then it just comes down to your key derivation.

https://keepass.info/help/base/security.html#secdictprotect

The documentation here is pretty unclear. I'm not a keypass user and I don't see what the default settings are. The recommendation though is "1 second" with Argon2 though, which seems like a good default.

I did a quick search, https://research.redhat.com/blog/article/how-expensive-is-it...

> cracking an eight-character passphrase [..] encrypted with Argon2 created on a modern laptop would require up to 75,121 powerful machines running for ten years and cost over 4 billion dollars.

So 8 characters with settings leading to ~2 seconds on a laptop (twice the recommendation from keepass) will cost 4 billion. So we can say 2 billion for 1 second (obviously we're hand waving a lot).

And that would still take 10 years.

So basically, if you have a government adversary who really fucking hates you and has a lot of time and money to kill just bruteforcing your volume, go ahead and add a few more characters and consider bumping up the setting to 5 seconds instead of 1. I think every character you add should (hand waving, data dependent) increase the search space by 10x.

> The nice thing with password managers is you only have to remember the one password. That means it's easy to make that password very strong.

And the BAD thing about password managers is that you need to type that password every time you want to access your database. Of course you can set some strong, complicated password, but you need to remember it and you need to type it sh*tload of times :) But I see your point

Not true. You can have forgone a password. You can have a keyfile and put it on a USB stick. Use a hardware token (I use a Yubikey) or a combination, say keyfile + a short PIN.
You seem to be ignoring the possibility that the server behind the online storage is hacked and some files downloaded for offline cracking.

When it comes down to it, everything is in a file somewhere.

Use https://www.lesspass.com/#/ - I've found the approach very fresh. Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.

The real problem though is that it does not support hardware security tokens at the moment.

Ah nice, I had this idea and was thinking of implementing it. This is probably a very scary idea for a lot of people, but the reality is that it's no different with regards to security than other approaches, but it's vastly simpler (which should be a win).

I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.

This has been implemented many times over the last 20 years. Another implementation is PasswordMaker.
> Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.

I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).

The vault is almost always protected by the master password. That single password is what's used both to retrieve the vault and to decrypt it.

The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.

> That single password is what's used both to retrieve the vault and to decrypt it.

Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?

Sorry, I had assumed you were referring to systems where the vault is distributed.
I've looked into this approach in the past. For me it really breaks down if any of your sites require you to ever change or rotate your password. Then you have to memorize or record the differences.
Apple’s password management is getting better and now includes 2FA. I wouldn’t be surprised to see it spun out as a separate app sometime soon.
I'm currently moving to it, but may be I miss something, but it's absolutely primitive.

Is it possible to store anything but website/username/password there? I can shoehorn my ssh password like "ssh 1.2.3.4"/"username"/"password" into that scheme, but it's ugly.

Is it possible to store bank card PIN code? I'm storing it as fake website right now which is far from ideal.

I need to access all the necessary information from iPhone.

It also doesn't keep history. I consider that an important feature; it has saved me some grief now and then when a password change at $JOB mysteriously didn't propagate to some infrequently-used system.
On Mac you can open the Keychain Access app and add whatever secrets or encrypted notes you want, in the local keychain or the iCloud Keychain.
Shameless plug, and I don't sell them anymore (but you can build your own): https://finalkey.net/ is a hardware dongle that stores passwords on-device, rather than on some server online.
I'm wondering what HN thoughts are for SafeInCloud? I don't sync passwords ever, but I'm curious as to the feedback from the HN community in general.
I’ve been using CodeBook for several years and have been pretty happy with it. One time cost (per OS) and can sync over WiFi or to Dropbox/google drive. No browser plugins, instead it provides a global hot key activation which authenticates you (Touch ID or password), lets you search for the account then auto-types the password. On iPhone it integrates well for providing passwords to sites and they just recently added a feature which will also auto-copy 2FA TOTP into clipboard if one exists.

https://www.zetetic.net/codebook/

There's pass, a CLI password manager that's version controlled and encrypted with your PGP key: https://www.passwordstore.org/

There are also (unofficial) iOS and Android clients that sync to a git repo.

Can back this up, the android client is a little finicky but otherwise love this setup. Made by the same person behind wireguard.
"Password Store" Android app by Harsh Shandilya is actually quite good.
that's the one i have, and for whatever reason, my set up does not allow me to create passwords on the android app. I have struggled with SSH multiple times (i always need to create a new ssh key rather than importing a stronger one), etc.

That said, haven't checked for fixes in a while - the actual functionality of the app itself (when in working condition) is very good.

I had issues creating passwords and syncing them too, until I changed my git repo url to be `ssh://git@github.com/…` and set up an SSH key. Worth a shot.
I wouldn't recommend it to anyone using Windows though as the one available Windows client is rather poor. I've been thinking of switching to something else after I got a Windows-based gaming PC.
gopass.pw should work on Windows, too. It's a drop-in replacement for pass.
Pass is the best! As an alternative to the git sync you can also sync via nextcloud or syncthing :-)
It's great, but how can one trust the unofficial clients? They aren't from a well-known developer, and AFAIK, you can't check that the build is from the same code as the GitHub repo.
> same code as the GitHub repo

If you have access to the code then (on Android at least) you could build and install the APK yourself.

I've tried pass 2 different times on 2 different versions of MacOS and both times it ends up eating tons of CPU and battery. I was never able to figure out what was happening so I just uninstalled the whole thing.
pass is just a shell script. it does not consume any resources. maybe you are referring to something else ?
Can you use your browser's native password manager? Chrome supports syncing of passwords. Just dump a bunch of gibberish into the password field when you register and let the browser do the rest.
IDK if this is still the case, but I remember a few years ago it was shown that Chrome was just storing your passwords in plain text on your machine.
Firefox has a way to set a primary password, however IIRC there are some major issues with it. However, it is worth considering what you are trying to protect against and for most single user systems I'm not convinced it is worth using something other than the built in browser password manager (unless you have a number of other applications that require passwords and don't have an easy way to store them). Encrypting paritions with sensitive data is a better way to protect data when the system is off. Unless you clear cookies all the time there is quite a bit that can be done just with cookies, although protecting passwords should at least prevent loosing access to accounts. In some cases a password manager can help with the possibilty of a computer being stolen while on. Uploading unencrypted files right away is easier if someone gains remote access but, while depending some on the specific OS and password manager, it is usually not too difficult to start reading passwords as they are used and intercepting the primary password of the password manager the next time it is used might not be all that hard either.
There's nothing wrong with storing passwords in plaintext on the machine.
One vulnerability in your browser allowing file system access and now all your passwords are known to the hacker.

You run the wrong executable and there go all your passwords again, being uploaded to who knows where. But you 100% trust the authors of all the software you run and you know they would never be vulnerable to a sole chain attack a la SolarWind.

Don't keep passwords you can't afford to be public in plain text in a predictable location on the file system.

In every single case you've described the attacker can:

a) Already ready your passwords from memory/ webpages/ any other of the million ways

b) Access your cookies and session tokens

If the attacker is in a position to read the plaintext file off of the disk it really won't matter if it's encrypted. You're welcome to do so, I'm sure there are extremely niche scenarios where it may help, but it's not really worth mentioning imo.

Not all of your passwords will be in memory. I don't know how you read a password from "webpages".

Session tokens do not exist for websites you are not currently accessing. The password file will contain all the saved passwords, whether you are logged in or not.

> I don't know how you read a password from "webpages"

When you enter your password to login.

> Not all of your passwords will be in memory.

They almost certainly will be, but the key will be if they aren't.

> I don't know how you read a password from "webpages".

Like a billion ways. Inject JS, log keys, install malicious extension, blah blah blah

> Session tokens do not exist for websites you are not currently accessing.

I'm just enumerating the billion ways that encryption is made pointless.

> he password file will contain all the saved passwords, whether you are logged in or not.

And the attacker can just access it lol

Maybe in a world where full disk encryption wasn't ubiquitous you could talk about an offline attack, and you could tell me you share your computer with someone who's not tech savvy but is an asshole. But it's all gonna be pretty niche.

I’ve been looking at alternatives for a while, here are my notes: https://taoofmac.com/space/apps/1password

(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)

This was a great write-up and very helpful. Been looking to make the switch over to something like this myself.
I'm afraid there is nothing public we can trust in today's world. We see how big companies are just throwing away their users and data. So, watch to pass (CLI password manager) or KeePassXC as they sync nothing but store local, which means they can't beat you.
I use gopass and Gopass Bridge for password filling in firefox. It works great, and for the keys I'm using yubikeys gpg mode, so my passwords are actually locked with a hardware key.
I've been using pass with passff to do the same for a few years. Works well. Any idea how gopass and gopass bridge compare?

I am tempted to try gopass, but if pass is good enough for Jason Donenfeld it's good enough for me!

Not sure, I went straight to gopass. IIRC the CLI for gopass is slightly easier to integrate with other applications than pass, but that's just based on what I heard.
Pass and Keepassxc. I don’t trust online websites.
KeePassXC is the way to go. Install F-Droid on your Android smartphone, get KeePassDX. This way, you have a desktop and Android client.

I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.

If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].

[1]: https://www.eff.org/dice

Do you have any recommendations on syncing the database file between devices?
I just keep my KeePass database synced in $generic_cloud_storage. Since the database is encrypted and decrypted on the client side using a password and a key file, and I'm not keeping the key file synced (I copy it manually to my devices), I haven't found it to be an issue to keep the database in cloud storage even though I obviously wouldn't trust the provider with my cleartext passwords.
^^ Just to emphasize:

USE A KEY FILE in addition to a password.

Your paranoid self can sleep well at night (as long as your key file is not being synced).

Basically any file sync client. Just keep the keepass database in the folder that gets autosync'd and sync the folder to each device you need keepass on
Keepasswandroid can integrate with any cloud storage and will perform merge when needed
I've been happily using syncthing for 2 years now. Syncs my password files between 3 computers and 2 phones.
There's manual syncing, and automatic syncing.

Manual: All clients I've seen have the capability to merge databases. So you have one copy of the database in whatever online file storage service, plus each device will have its own local copy. Pull down the online db, do a bidirectional sync between the two databases, push back online.

Automatic: some clients natively support webdav, dropbox, etc as the master copy of the db file and will transparently do the change syncing for you.

Syncthing! Has Windows/Linux/Android/iOS clients. Works perfectly.
I had so many issues with this, it feels like you have to keep track of whret you do changes and when it has synced it. Otherwise it won't merge and you will have to do it manually.

Bitwarden is so much easier sadly.

Honestly, I think I had syncing conflicts maybe once or twice, and even then the merge feature worked without any hiccup.

Maybe it does help the fact that I have my NAS always online, and I treat my mobile devices mostly as "read-only" - i.e, if I have to create a new password it will almost surely be on my desktop / laptop.

Keepass2Android and KeePass2 official syncs reasonably well. Or the XC implementation if you prefer
I use rsync on termux and zerotier for remote access. Mounting sshfs on android is also great if you don't need any passwords when offline.
I keep my password database in a Google Drive directory. Clients exist on Windows, Mac, Android, IOS.
Keepass2Android can sync and merge from a variety of file sync services.
Self-hosted Nextcloud supports WebDAV. It's been working great for me.
We have the family password database in Google Drive. It works suprisingly well, and it haves file versioning.
I'm currently using KeePassDroid on my smartphone, in case you also tried it could you tell me why you prefer KeePassDX? I've never heard of it before
I used KeePass/KeePassXC/KeePassium with iCloud Drive. This setup works, but it's cumbersome to sync. I'm migrating to iCloud Passwords right now.
I've been using BitWarden. It is perfect.
I wouldn't use any of the Kaspersky's software, as their owner, Eugene Kaspersky, is literally an ex-KGB officer (if there's such a thing as ex-KGB).

https://en.wikipedia.org/wiki/Eugene_Kaspersky

Well, it was mostly a joke. But at least the possibility of Kaspersky removing their apps from Russian app stores is quite low.
Just use Google's password manager. Especially if you use Android and Chrome.

So convenient and Google is trustworthy to that extent.

I’ve been using an app called Secrets for iOS and macOS for close to a year. A one time purchase, easy syncing, and other items like secure notes and software licenses can be stored. They also have import from 1Password. Excellent experience so far, almost a complete 1:1 analog of 1Password. Command + \ to auto-populate fields works, maybe not as smoothly. For the money Secrets charges I’m satisfied knowing that after a year, I’m saving.
Personally I'm not sure that low price is a decision factor for secrets management. :)

I'm willing to pay good money for a good product in this area. (I've said elsewhere I'd probably even be happy to pay 1P subscription if they didn't also do everything they could to prevent me using anything but their cloud.)

Forefox Sync works for me.
I love my setup, (It's not Free).

KeePass with the database file hosted on Dropbox

on my Macbook I use Strongbox on my iPhone also use Strongbox

Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers

For enterprise setups I use vaultwarden (a rust based open source bitwarden). Can do password sharing and so on

For personal use keepassxc and syncthing. Keepassdx on android.

Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting

+1 to Bitwarden, and in particular the Vaultwarden implementation.

I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.

I looked at self hosting Bitwarden/Vaultwarden, do they require me to have a mail server?
Not a self hosted mailserver. SMTP is sufficient.
Correction: can also be used without any email support.
I use Vaultwarden this way. When I login to the web interface (basically never) I get the following notice because I never verified my account's e-mail address:

> Verify your account's email address to unlock access to all features.

Also I am unable to change my account's e-mail address. That's the only "locked feature" I'm aware of. I also don't know of any other issues from not setting up SMTP.

edit: Oops, I thought you were ohCh6zos asking a clarifying question

This answers my followup question, so thank you!
Moved from LastPass (premium) to Bitwarden. Could have stayed on the free tier but decided to pay to support them, it’s a fraction of LastPass!
Ditto. I figure I’ll move to vaultwarden if the official implementation ever makes a decision I strongly disagree with.
I would advise to switch the support is so much better and nicer. Plus lighter on the server
I guess VaultWarden may start monetizing at some point if it gets too popular?
I tried this move but I really missed the way LastPass asks you to save a new password created on a new service. On Bitwarden I felt like I had to save the account first before progressing to actually creating the account. LastPass "just knew" and would prompt me after going to the next screen. Has this changed it all since I last tried it a year or so ago?
For me it varies. On some sites Bitwarden prompts to add the new password, but not every site. Still I would say it prompts most of the time, but YMMV.