KeePass with the database stored locally on your device(s).
I then use syncthing to synchronize the database between my devices (laptop, phone, in-house server, backup).
The data is all under my control and does not reside on any third party computer or data storage. The only exposure to third parties is when the database is synced between devices... but at that point it is encrypted and ephemeral.
In my opinion, there is a big difference between a closed source solution from a company that stores the passwords on their own systems, and open source software that stores the passwords in a local file.
For this kind of thing, I specifically want something that stores the data locally, that is not part of the browser, and that is open source. Those things together make me more confident that the software is probably ok and can be trusted.
I do the same: the format used for the KeePass database is supported by software on Windows, Mac, Linux, iOS and Android. I have the database in a git repo and mostly used it from my laptop. From time to time, I put a copy on google drive to make it easy to access from a phone. This has been working well for me for years already.
The safest way to store passwords is written down on a piece of paper. Maintain physical custody of it, never let it out of your possession.
If you need backups, use a non-networked copier, or an old style stand-alone point and shoot camera. Don't ever put the SD card in your computer. Keep all copies as secure as the original.
Banks have safety deposit boxes that can offer relative security. If you really want to be safe, manually encrypt your passwords.
[Edit] As others have pointed out, phishing is an issue. Be careful where you enter your passwords.
I prefer to avoid the word "safest" in this context without a specific threat model. Yours is likely different than mine, as I'd generally regard that method as less safe than a password manager. YMMV
1. Less is more. I keep around 10-15 passwords in paper and digitally (on my laptop and on a couple of external hard drives). These passwords correspond to my most important digital assets like main email account, banking, etc. It’s easy to keep track of this amount of passwords on paper. I don’t have them on the cloud/internet and I only need them on my main computer (I don’t really do anything serious on my phone/tablet)
2. The rest of my passwords: I don’t really care. I have a couple of dummy email accounts on protonmail and gmail and all my useless digital identities (reddit, youtube, hn, chatgpt, etc.) share more or less the same password format. I do keep a simple backup (in plain text) of these passwords on my harddrive, but I couldn’t care less if they get stolen or whatever.
Passwordstore is probably the most secure, being that it's a short (1500-line) shell script offloads the actual encryption to GPG and network sync to git. There's just not a lot of surface area to attack there... and it also works for teams.
I like the simplicity of passwordstore. But keepassx* are good too. I'll never trust an online solution, and probably almost never trust a browser extention.
These are important notes, but I think the key part is that if you’re self-hosted, you presumably have access to the machine without Tailscale aswell, though it may be less convenient. So these aren’t as big of a deal as if, for example, you lost your Google account and you couldn’t access your LastPass login.
How do you keep Tailscale from destroying your battery on iOS? I am trying to do this but it always kills my battery and it’s a pain to only enable and manually sync Bitwarden.
This is my experience with Tailscale wrt battery as well. It also sometimes doesn't disconnect either via the app or Settings and I'm forced to restart the phone hoping it doesn't reconnect on boot.
It's hardware based using the device stores encrypted passwords and files (which can be dumped still encrypted to a PC). Sending keys requires interaction with the physical device and a smartcard is needed to activate the device. Yet you can synchronize the database using any folder sync system.
But the key is stored on a smartcard with a PIN you set. The smartcard can be cloned so you have multiple copies or read with off the shelf card reader to export the key if you know the PIN.
Version other password managers, your database is never decrypted on the PC in memory or otherwise.
The smartcard will lock after incorrect attempts.
You control your data entirely.
It requires the moolipass (with your database), the smartcard and physical interaction with the device to send a password.
I think offline hardware password managers are the most secure.
Including offline backup.
For this, I developed Authorizer to use your old Android phone as your password manager. It can type the password over USB on your target device.
Supports OTP.
Smartcard and WebAuthn support are on the roadmap.
Doing also a lot of modernization on the next weeks.
I have a memorized algorithm for my passwords which combines my user name, the website name, a counter, and a unique key. It includes uppercase, lowercase, numbers, and symbols. The passwords come out at 9-10 characters.
So I have no need for password managers, for writing down in a notebook, or anything else. Try it.
I don't believe they would determine or even expect it is following an algorithm.
For example on HN my password could be 1YCju7i8!
It isn't, but let's pretend it is.
That is a counter at the front, YC is from the website address, j from my user name, and u7i8! It's the unique key. I use the same key everywhere so it's easy to remember.
and to an extend how do you keep track of which unique part is active in which site if e.g a website gets hacked and resets your current password, because in case of a password manager i just create a new one and be done, on top of my mind i would have the question for you: would you recreate all websites with a new unique part or just create a system for outliers?
not to offend, just had several of these incidents in my years and for me a password manager is much more piece of mind
38 comments
[ 5.3 ms ] story [ 88.2 ms ] threadI then use syncthing to synchronize the database between my devices (laptop, phone, in-house server, backup).
The data is all under my control and does not reside on any third party computer or data storage. The only exposure to third parties is when the database is synced between devices... but at that point it is encrypted and ephemeral.
https://apps.apple.com/us/app/keepass-touch/id966759076
A version (port/adaption) of syncthing for ios is out there too.
https://forum.syncthing.net/t/syncthing-for-ios/16045
I don't use iDevices so I don't know how well the above apps work.
https://authpass.app/
Works great.
So it’ll work, but not conveniently.
I don't think there is a perfect solution, today lastpass, tomorrow another. I guess you trade control for convenience.
For this kind of thing, I specifically want something that stores the data locally, that is not part of the browser, and that is open source. Those things together make me more confident that the software is probably ok and can be trusted.
If you need backups, use a non-networked copier, or an old style stand-alone point and shoot camera. Don't ever put the SD card in your computer. Keep all copies as secure as the original.
Banks have safety deposit boxes that can offer relative security. If you really want to be safe, manually encrypt your passwords.
[Edit] As others have pointed out, phishing is an issue. Be careful where you enter your passwords.
Use a password manager with autofill on the correct URL.
2. The rest of my passwords: I don’t really care. I have a couple of dummy email accounts on protonmail and gmail and all my useless digital identities (reddit, youtube, hn, chatgpt, etc.) share more or less the same password format. I do keep a simple backup (in plain text) of these passwords on my harddrive, but I couldn’t care less if they get stolen or whatever.
how do you deal with actually entering (hopefully) somewhat long and complex passwords? Copy and paste from passwordstore every time?
- Bitwarden
- Self-host
- Don't listen on public Internet IPs or regular LAN IPs
- Listen on Tailscale IP.
- Put TLS in front of it the Tailscale way.
- Run Tailscale on all your devices and access Bitwarden from your private network.
Tailscale is a 3rd party platform that can also disappear, locking you out of your password manager.
Maybe use nebula instead. This reduces your 3rd party dependencies.
99% of my usage is still local, but being able to get to this on the outside does occasionally come in handy
It's hardware based using the device stores encrypted passwords and files (which can be dumped still encrypted to a PC). Sending keys requires interaction with the physical device and a smartcard is needed to activate the device. Yet you can synchronize the database using any folder sync system.
But the key is stored on a smartcard with a PIN you set. The smartcard can be cloned so you have multiple copies or read with off the shelf card reader to export the key if you know the PIN.
Version other password managers, your database is never decrypted on the PC in memory or otherwise.
The smartcard will lock after incorrect attempts.
You control your data entirely.
It requires the moolipass (with your database), the smartcard and physical interaction with the device to send a password.
Open source too!
[0] https://www.themooltipass.com/
For this, I developed Authorizer to use your old Android phone as your password manager. It can type the password over USB on your target device. Supports OTP. Smartcard and WebAuthn support are on the roadmap. Doing also a lot of modernization on the next weeks.
https://github.com/tejado/Authorizer
So I have no need for password managers, for writing down in a notebook, or anything else. Try it.
For example on HN my password could be 1YCju7i8!
It isn't, but let's pretend it is.
That is a counter at the front, YC is from the website address, j from my user name, and u7i8! It's the unique key. I use the same key everywhere so it's easy to remember.
I don't think a hacker would figure it out.
I think you have a valid point in multi site leaks if the attacker was focused on my account. I will think about it