Ask HN: Alternatives to 1Password
1Password was silently removed from Russian App Store and Play Market.
Are there any good alternatives? Or do I have to use Kaspersy's password store?
Are there any good alternatives? Or do I have to use Kaspersy's password store?
176 comments
[ 2.9 ms ] story [ 213 ms ] threadIn Docker it took seconds to get running. Hardening it took a little longer, but fail2ban was still only 6 lines of config.
MSSQL is never the correct answer.
> Keyboard navigation
I use the `bw` command, and haven't had issues with the keyboard.
> auto-type outside the browser.
Is this mobile or desktop that we are talking about here? Mobile worked correctly for me. Integration for all of these password managers on desktop isn't great, and using the fingerprint to unlock, similar to 1Password, would be nice.
By keyboard navigation I mean basic stuff like using arrow keys, shortcut keys for menus, etc... It all felt very much mouse-centric.
And Auto-type is KeepassXC' global shortcut key to invoke auto-type in any application, even terminal windows. AFAIK most password managers don't even think of supporting this.
Regarding keyboard navigation in the ui. If your are into that just use the cli and create some helpful scripts for rofi, alfred, ueli or whatever you are using if you want to have a ui.
Bitwarden is so insanely good that this minor downside shouldn't keep you from using it.
My mum is really bad with PCs. Yet bitwarden has solved all her password problems. Especially on mobile. With KeepassXC she was just frustrated.
https://keepass.info/help/base/autourl.html
Windows: https://github.com/anonymous1184/bitwarden-autotype
Linux: https://github.com/mattydebie/bitwarden-rofi
OSX: https://github.com/blacs30/bitwarden-alfred-workflow
I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short sighted company. That they are engaging in this racist action against Russians helps assure me that I made the right decision.
Bitwarden has been a drop-in replacement for all intents and purposes.
I don’t know about this incident of them being racist, but if I leave that aside, your words sound exactly like what I would say about the company! This isn’t something new with Agile Bits ridiculing customers or potential customers on its forums. There have been instances of this several years ago too when people questioned the licensing model and asked about the changes. They essentially behave as if users are stupid and that they (Agile Bits) are the only ones who know what’s best in every case. It’s quite condescending.
I have explored syncing of these Keepass files with Nextcloud and Syncthing and both just works fine and I can recommend it.
I've always wondered if this might be a potential vulnerability. If a file leaks some day and attacker gains an access to the file, he has infinite time to try to break a password and you cannot do anything about it. Using online password storage in theory could limit amount of login trials. Also, changing password in kdbx file has no effect as attacker still have physical access to previous file with previous password.
And even if they get it because your online backup of it is leaky, it is encrypted using AES256 with a passphrase of whatever length you want to use, correct horse battery staple let you to generate complex enough and long, but memorable, passphrases. If your passwords are important enough to try to dedicate a lot of computer resources to break it, you can put a passphrase that can stand brute force attacks for centuries.
Yes, good point. However, in the database security settings, you can set a decryption time between 100ms and 5s. I've set mine at 5s; I don't mind waiting 5 seconds for it to open, yet it will greatly hinder an opponent's efficiency.
There's also an optional key file. It can be anything as long as it doesn't change. The attacker has to get it, too, or he's in for a serious ride.
https://keepass.info/help/base/security.html#secdictprotect
The documentation here is pretty unclear. I'm not a keypass user and I don't see what the default settings are. The recommendation though is "1 second" with Argon2 though, which seems like a good default.
I did a quick search, https://research.redhat.com/blog/article/how-expensive-is-it...
> cracking an eight-character passphrase [..] encrypted with Argon2 created on a modern laptop would require up to 75,121 powerful machines running for ten years and cost over 4 billion dollars.
So 8 characters with settings leading to ~2 seconds on a laptop (twice the recommendation from keepass) will cost 4 billion. So we can say 2 billion for 1 second (obviously we're hand waving a lot).
And that would still take 10 years.
So basically, if you have a government adversary who really fucking hates you and has a lot of time and money to kill just bruteforcing your volume, go ahead and add a few more characters and consider bumping up the setting to 5 seconds instead of 1. I think every character you add should (hand waving, data dependent) increase the search space by 10x.
And the BAD thing about password managers is that you need to type that password every time you want to access your database. Of course you can set some strong, complicated password, but you need to remember it and you need to type it sh*tload of times :) But I see your point
When it comes down to it, everything is in a file somewhere.
The real problem though is that it does not support hardware security tokens at the moment.
I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.
I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).
The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.
Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?
Is it possible to store anything but website/username/password there? I can shoehorn my ssh password like "ssh 1.2.3.4"/"username"/"password" into that scheme, but it's ugly.
Is it possible to store bank card PIN code? I'm storing it as fake website right now which is far from ideal.
I need to access all the necessary information from iPhone.
https://www.zetetic.net/codebook/
There are also (unofficial) iOS and Android clients that sync to a git repo.
That said, haven't checked for fixes in a while - the actual functionality of the app itself (when in working condition) is very good.
I believe i'm falling foul of this issue with actually encrypting things: https://github.com/android-password-store/Android-Password-S...
If you have access to the code then (on Android at least) you could build and install the APK yourself.
You run the wrong executable and there go all your passwords again, being uploaded to who knows where. But you 100% trust the authors of all the software you run and you know they would never be vulnerable to a sole chain attack a la SolarWind.
Don't keep passwords you can't afford to be public in plain text in a predictable location on the file system.
a) Already ready your passwords from memory/ webpages/ any other of the million ways
b) Access your cookies and session tokens
If the attacker is in a position to read the plaintext file off of the disk it really won't matter if it's encrypted. You're welcome to do so, I'm sure there are extremely niche scenarios where it may help, but it's not really worth mentioning imo.
Session tokens do not exist for websites you are not currently accessing. The password file will contain all the saved passwords, whether you are logged in or not.
When you enter your password to login.
They almost certainly will be, but the key will be if they aren't.
> I don't know how you read a password from "webpages".
Like a billion ways. Inject JS, log keys, install malicious extension, blah blah blah
> Session tokens do not exist for websites you are not currently accessing.
I'm just enumerating the billion ways that encryption is made pointless.
> he password file will contain all the saved passwords, whether you are logged in or not.
And the attacker can just access it lol
Maybe in a world where full disk encryption wasn't ubiquitous you could talk about an offline attack, and you could tell me you share your computer with someone who's not tech savvy but is an asshole. But it's all gonna be pretty niche.
(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)
I am tempted to try gopass, but if pass is good enough for Jason Donenfeld it's good enough for me!
https://www.passbolt.com/
It's gully open source, with a AGPL license.
https://github.com/passbolt/
I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.
If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].
[1]: https://www.eff.org/dice
[1]: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_databas...
[2]: https://syncthing.net/
USE A KEY FILE in addition to a password.
Your paranoid self can sleep well at night (as long as your key file is not being synced).
Manual: All clients I've seen have the capability to merge databases. So you have one copy of the database in whatever online file storage service, plus each device will have its own local copy. Pull down the online db, do a bidirectional sync between the two databases, push back online.
Automatic: some clients natively support webdav, dropbox, etc as the master copy of the db file and will transparently do the change syncing for you.
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html
https://syncthing.net/
Bitwarden is so much easier sadly.
Maybe it does help the fact that I have my NAS always online, and I treat my mobile devices mostly as "read-only" - i.e, if I have to create a new password it will almost surely be on my desktop / laptop.
https://en.wikipedia.org/wiki/Eugene_Kaspersky
So convenient and Google is trustworthy to that extent.
I'm willing to pay good money for a good product in this area. (I've said elsewhere I'd probably even be happy to pay 1P subscription if they didn't also do everything they could to prevent me using anything but their cloud.)
KeePass with the database file hosted on Dropbox
on my Macbook I use Strongbox on my iPhone also use Strongbox
Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers
For personal use keepassxc and syncthing. Keepassdx on android.
Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting
I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.
> Verify your account's email address to unlock access to all features.
Also I am unable to change my account's e-mail address. That's the only "locked feature" I'm aware of. I also don't know of any other issues from not setting up SMTP.
edit: Oops, I thought you were ohCh6zos asking a clarifying question