Ask HN: How do you manage your passwords in 2023?

89 points by pentab ↗ HN
I have yet to find a password management solution which is:

- secure

- easy to use

- accessible on multiple devices (home PC, work PC, and ideally phone)

I currently use a mixture of KeePassX (synced manually using SSH) and stored passwords (e.g., in my browser). But I keep thinking that there MUST be a better solution.

178 comments

[ 3.2 ms ] story [ 97.5 ms ] thread
I still use KeePassXC and sync with cron jobs to Chroot SFTP-Only servers wrapped in a further encrypted file, then conversely use cron to pull the file to devices. I do not personally foresee ever using any of the commercial solutions. I also use this to sync bookmarks.

If KeePassXC one day becomes unmaintained I will make my own custom tool, probably using sqlite+openssl+bash. I only log into one semi-sensitive thing on my phone so I don't bother syncing to that device.

ditto.. KeePassXC + contemporary cloud store
I recommend syncthing
How do you avoid merge conflicts? Do you only ever edit your KeePassXC files on one machine?
Do you only ever edit your KeePassXC files on one machine?

Most of the time, yes. I can edit the copy and push it back to the SFTP server but that push is manual. I have done that from time to time. I do not share the file with anyone else so I always have confidence which version is up to date. I also have rsnapshot copies of the files.

Some versions of KeePass support a synchronisation which gets around collisions
I find KeePassX plus Owncloud to be perfect for my needs. I have all my passwords with me and even if there are some synchronisation issues every once in a while, it works out sufficiently well and is very low-maintenance.
Give KeePassXC and the browser extension a try.
1password or Bitwarden. I personally like 1password UI better but it’s a personal choice.
I roll my own. I use emacs on an encrypted password file stored on my local PC.
How do you keep the password file encrypted on file write and file open? Do you decrypt to the file system to a temp file first?

Thank you

Not GP, but using a similar setup (.org.gpg files for textual private data, on top of encrypted partitions as well), and Emacs comes with an EasyPG interface; doesn't need an intermediate temporary plaintext file. It can also handle an encrypted .authinfo, .authinfo.gpg, and encrypted bits of configuration (.el.gpg).

That's one of the nice things about common/basic/widespread standards and tools: good compatibility and support.

Handling non-GPG encryption in a similar way should be possible too, but won't work out of the box.

Emacs has lisp for that, it prompts for a password on open. On save it encrypts it if it was changed.
I use 1Password. It isn't perfect, but it's quite good.

My big goal now is to come up with a better solution for 2FA that works for me and my wife's shared accounts.

Aren’t you using 1Password for generating one time passwords? Or do you deliberately want to keep them out of it?
I haven't been, but I should look into it.

But the shared accounts that are my pain point only offer SMS OTP.

I had this same issue. Use a shared vault with OTP. Anyone with access to the vault can see the same 2FA code.

As for shared SMS, look into Google Voice. They automatically forward SMS texts to email as an option. I created a "shared" email account and gave my family access to that.

A lot of sites won't allow you to use a Google Voice number for your 2FA. There are services now that will validate if a number is VOIP, and then the site you're on can choose to filter those at the application level.

I did find a way around this, in that I had a real number, added all my 2FA accounts to it, and then ported the number to Google Voice, but this isn't a long term solution. Idk how long Google Voice will stick around, but I have found a couple backup options that are low cost if I need to keep the number long term.

1Password with shared vaults and OTP fields works well for this.

I understand the idea of putting both factors in one place is odd, but I feel it strikes the right balance between the convenience and security.

> the idea of putting both factors in one place is odd

This is AKA "one factor", right?

If your password is compromised they still don't have access to your OTP, so 2 factor. If your password manager is compromised then they have both, 1 factor.

I'm no math wiz but pretty sure that makes it a 1.5 factor

Right, presumably with a password manager you’re using a totally random string as your password too, coupled with different passwords for each site. so there are a combination of factors that make it still much more secure than just “both factors in one place” since neither factors can easily be guessed.

The main threat vector would be, as you mentioned, compromise of the actual password manager.

As far as I can tell, 1Password’s end to end encrypted architecture makes this less probable.

That would reduce the main risks to our actual devices.

Sort of.

TOTP MFA is crap anyway because it has no passcode and it is so trivial to sync and it’s common for people to do so. So in scenarios where people close to you are a risk, or you’re dealing with other peoples data, it’s pretty weak control. It’s great for preventing spray attacks and mitigating some compromise scenarios.

It’s likely members of your household, friends, coworkers have access to shared devices or shared vaults in 1Password. That makes that type of MFA more like 1.5 factor vs 2 factor.

1Pasword is itself a two factor app. The password is something you know and the secret key is something you have. Definitely counter-intuitive, but like how your operating system can contain both your password and your 2FA app, or your desk can contain your computer and your hardware key.

Whether you want to be one bad front-end UI deployment away from both factors being exposed, fair question...

i'm staying on 1password 7 to avoid their subscription fees, and using sync'ed, shared vaults to have access on my devices too (and share vaults with others as necessary). there's some duplication in apple keychain and firefox for convenience.

i use 1password's built-in 2FA (TOTP), but only for a couple accounts as i find it unwieldy generally. i'm also keeping an eye on how passkeys develop over time.

I use 1password OTP for everything that I don't care about that people can't do real damage (YNAB, LinkedIn, etc). But anything important like my email account or bank accounts I keep on my phone using Raivo.
I hope their desktop app is better now, last time i took a look, the whole vault is decrypted in memory and even when it timed out and request user for password, I was still able to inspect memory and retrieve the plaintext passwords
I use - and pay for - BitWarden.

It does all the things you ask for. With the paid version I can share passwords with my spouse for relatively unimportant things (like Netflix) in a reasonably secure manner.

I could self host and run it myself. But I'm not a multi-person team with decades of security engineering experience. So I gladly let someone else take on that burden.

You don't need to be a multi-person team or have a lot of security experience to host Bitwarden.

I'm very positive Bitwarden won't get hungry for money looking at their revenue models, but there's always Vaultwarden you can self host. It's pretty popular and secure. I'll be deploying soon for myself.

I'm sure that's true. But when it comes to the think with my bank's passwords - I'd rather trust a team of professionals.

This morning I loaded up the dishwasher, switched it on, and completely forgot to add a cleaning tablet. I don't want the responsibility of forgetting to update a critical patch or misconfiguring an obscure YAML file.

Without a security background, it’s hard to evaluate whether what you are doing is secure or not. You don’t know what you don’t know; unknown unknowns etc
This is a valid point. I feel savvy with a lot of things but this is not an area where I'm willing to take risks.
Given that the cloud password managers are much bigger targets, self-hosting may actually lower your risk.
I'm in the same boat. Another great reason to use Bitwarden is the ability for my wife to recover my passwords if something happens to me. We share most things but there are certain semi-important things that only I have the password to. If something happens to me my wife can get access to those semi-important things fairly easily.
If you have a Mac use keychain. I never understood why Mac users use external tools.. I mean really? Why? Perhaps if you manage a team at work ok.. but single user subscriptions?

For Linux and windows i would use keepassx.

I would use Keychain with it’s iCloud sync if I didn’t occasionally use non-Apple devices.
There are several issues with the macOS/iOS Keychain:

- it does not understand that some accounts are used on multiple domains, does not allow you to modify domains, or have more than one. For example something like microsoft.com, live.com, microsoftpassword.com. I believe maybe microsoft cleaned it up and use now only one domain, but websites like that still exist.

- multiple accounts for the same website, just need to have a title to name them. Say you have 2 AWS account and each has a user root. How would you identify them?

- password sharing is a big issue as well, within the family.

I briefly moved to Keychain from 1Password when they went Electron, but the experience of actually managing credentials is so bad in comparison that the experiment lasted less than three months.

At minimum, Apple needs to make Keychain a standalone app instead of a half-baked settings dialog for it to even be considered an option imo.

It’s a legacy OSX component that exists by the grace of benign neglect. Apple will suddenly “fix” it someday.
Bitwarden does all my password and OTP management. Works on any browser and operating system, it's open source and audited. All the services I use have 2FA enabled, and I try to avoid SMS second factor as much as possible.

My email and Bitwarden itself are secured by two Yubikeys, one is always on my person on my keychain, the other is physically stored away from my house. I have an AirTag on my keychain because losing your keys is a pain in the butt.

This is a cheap yet very secure system for most people that care about security but are not persecuted by police or government agencies.

I used LastPass for 13 years. Now I use Roboform.

It just works.

1password everywhere. Employer pays for it, and I have a separate vault for personal and work credentials, meaning I don't have any work credentials on personal devices and work has no claim over my personal credentials. Works on my iPad, MacBook, windows workstation and android phone seamlessly.

My only complaint is that it doesn't let me use a yubikey as a primary method of authentication on windows - all my other devices have biometric authentication.

Default macOS/iOS password manager. Chrome doesn't use it, but everything else does.
Yes I’ve moved to this from Dashlane, it’s much better and integrates flawlessly with all my devices. Why do I need another piece of software when the MacOS default is so good?
Does it support notes, attachments, etc.? Last time I checked it didn’t seem to, which makes it unviable if you use those features in your password manager.
It does support secure notes but you have to use macs keychain access app.
Sorry, I meant notes associated with each site/password. Sometimes you want to record not only a site’s username and password, but also some extra data, so having a notes field comes in handy.
Yes it does, I keep my recovery codes there.
This is what I do. As well as SSH keys.
I use KeepassXC distributed via NextCloud.
Would recommend Syncthing (with e.g. simple file backups) instead to not have to rely on a central server. Even allows fully encrypted nodes.
1Password on Windows/Mac/Linux/Mobile

Used keepass and pass for years but got fed up with them. Switched to 1Password this year and never looked back.

One of my major goals for 2023 is to migrate as much as feasible from passwords to tokens or at least passkeys. NitroKeys or YubiKeys for that. Process has already begun, but I definitely hope to see that accelerate big time (at long, long last) this year. Feels like there is serious industry momentum from the big players this time, and that cost, UX, support in frameworks to make it easy for non-sec webdevs, may all finally start to reach the tipping point. US Government is onboard now too, having dumped lots of obsolete terrible advice for a refreshingly great set of modern guidelines and updating government service sites in general for good uniform login with hardware token support. Ideally I'd like to see that become more universal for various web GUIs/access for services too (OPNsense in particular, which I now use for firewall/gateway services and is probably one of the more security critical bits of my infra).

Passwords though will have a very long tail even in the most optimistic scenarios, so yes password managers aren't going anywhere for a while yet. What I use right now is 1Password 7 with a slow migration towards Bitwarden clients and a self-hosted Vaultwarden server. I still have a standalone license and still have shared vaults in Dropbox, I will not be moving to the electron based 1P8. So end of the line on that decade+ journey I'm afraid, I'm disappointed with what happened with them but so it goes. Bitwarden/Vaultwarden seem solid to me so far though, and have client support across a range of devices. Nebula or Wireguard make keeping a bunch of selfhosted services accessible in a reasonably secure way pretty easy, and almost more importantly once setup have been rock solid reliable for me. Wrapping my head around them and making sure I had it all figured out certainly took a bit of time early on, but once setup it's Just Worked™ without being touched a single time ever again. No specific 3rd party dependencies is attractive.

If you have family/friends/coworkers to deal with though obviously the needs of the group are going to have to factor in on some level, and you may find you need to either run a few different things or compromise somewhat/pay more.

I have over 1,000 logins in Bitwarden. I got a new Yubikey last year and found maybe a dozen sites which support it.

I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.

>I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.

Oh for sure, like I said passwords will undoubtedly have a long tail. Even more so for internal apps/hardware, I routinely deal with old stuff that I have to keep old browsers around to access since newer ones no longer will work, or reenable old SSH negotiation or whatever. I'm just hoping 2023 is when we start to see a critical mass, and further that it ends up being a non-linear adoption curve that goes better then we might expect. If it becomes a standard check box item for insurance or security assessments or interacting with other companies/government and gets integrated as default into widely used frameworks it might go quicker. I also expect adoption not to be randomly distributed, with important tech services more likely to pick it up or use it already. If financial and medical does as well then that'd hit a lot of the most vital ones even if it's not a plurality.

Realistically it'll probably take another few years after hitting the tipping point to truly ramp, since there are clearly remaining hardware and software rough edges to sand down/refine. But if 2023 proves the start of an S-curve I'll be happy.

Ah this is what I wanted to hear about Yubikeys. The dozen site that support it. It feels like a huge PITA to have two system to login. I'll pass till it becomes more mainstream
Strongbox on desktop and mobile. It uses keepass file format to store databases but I prefer the ui.
1Password, it “just works” most of the time, the desktop and mobile UI is nice and polished and it works pretty well on iOS. I’m happy to pay for that. Previously was using LastPass and 1Password is definitely nicer and more polished.
I'm all in on Bitwarden at this point. It's the place where I keep all my credit cards, secure notes and about a 500 logins. A vast majority of these logins have passwords generated by Bitwarden itself.

I'm confident even if BW goes down I can still recover my data since the vault works offline too. While the browser extension could use some UX work the mobile apps have been top-notch and sharing passwords with my spouse has been a bliss.

I bought myself a dedicated server earlier in December and will be migrating to Vaultwarden pretty pretty soon.

Please document your migration (and backup strategy!)
Sure. When I do the migration, I will come back to this and keep you posted!
How good is for iOS/OSX? I use enpass and if I don't open it all the time (and retype the master pwd!) then it not catch most logins and now I have a lot of that into the Apple system instead.

I wonder which one is truly transparent (I work mostly on Mac/iOS but still need other platforms)

I’ve been using Bitwarden for 2 years now, and I feel like completion has continuously improved. It uses the built-in auto fill feature on iOS and it works pretty well. Whenever I see a login form, I see the auto fill toolbar appear. I click on it, unlock Bitwarden with FaceID and it auto fills fine.

I had quite a few apps in the beginning where I needed to manually open BW to copy paste my username/password, but it doesn’t seem like it occurs to me anymore.

I use BitWarden on iOS and it is pretty much same as the default iOS auto fill (which is iCloud?). It uses the system auto fill service and the detecting of password fields to show the auto fill option and filling the password is done by that service, not BitWarden. You can actually use two active auto fill services (say BitWarden and iCloud, I did when I was testing the waters), you will get a prompt to choose which one you want to use.
Note that file attachments are not stored in the json file that contains the vault, so if you care about those you still have to back them up some other way.
I'm aware of this but thanks for reminding! You can also do a full search for such specific entries like this btw:

>attachments:*

Sounds like you're very happy with Bitwarden, and confident that if they go down you wouldn't lose access to your secrets.

Can I ask why the desire to switch to Vaultwarden? I assume if a significant slice of the userbase did this, the project would suffer—so I'm asking this question genuinely as an avid Bitwarden supporter myself.

I hope they don't have to rely solely on VC funding, seems that VCs motives would be precisely orthogonal to my own in terms of privacy and feature roadmap.

I trust bitwarden enough as of now and I don't see any privacy issues with them..... yet!

The main reason I'm switching is for the fun in it and having my data under my complete control. And, to save some money, for me and some friends, for whatever it is worth.

I run Vaultwarden and still buy a license. I wish they’d offer an optional self-hosted license specifically for those who want to support the project while hosting their own server.
Are you buying a license just to support BW? Or is there any other benefit?
Not them, but vaultwarden doesn't accept the license file, so it's surely just to support. I'm planning on doing the same thing at some point.
Speaking of the browser extension UX, for those who don't know, the keyboard shortcut for filling in your login details is ctrl-shift-L.
KeepassXC for password management and Syncthing for syncing across devices. Everything I'd available offline and syncs on network availability. Working well for years now.
My setup too. However, this year I would like to give a go to self hosted Bitwarden in a RaspberryPi. Just for the satisfaction of it.
Set up yesterday vaultwarden in docker on a rockpro64, it's interesting, but I think it will not do it, as I don't see myself having the ability to keep it on consistently without issues, but I decided to give it a go since I am away from home until the 27th of January without ability to start the sbc if it goes offline, so will be a good way to test reliability
I use keepass with gdrive, works even fine on linux via rclone and is very easy to setup
Syncthing and keepass are a perfect combination, if you also combine them with some kind of offsite automatic backups.
Firefox. It's not perfect especially on Android (I have to manually copy the password instead of it auto-filling) but it's good enough.
have you tried firefox sync? recently gave it a try and on android it works seamlessly. Cross browser integration is an extra step though.
Yes, that's what I meant. I use two PCs and two Android phones and Firefox Sync keeps my passwords across all devices.
Same. It is not perfect but works.
Fwiw it's the app's fault when that doesn't work, not Firefox's or Android's. (I too encounter it frequently and it's annoying. I still have and use the Lockwise precursor app, because it's easier to copy from than Firefox when this happens.)
I've been using and paying for Bitwarden for almost two years now. However recently I purchased a Raspberry Pi, so now I've completely shifted to self-hosting Bitwarden (using Vaultwarden[0]) on it. On top of it, I've attached a custom subdomain to the server through Cloudflare Tunnel, so even behind non-static IP address it works well (with SSL).

No privacy or security issues now since I own all my data, no subscription fees, and no complaints till now with the self-hosted setup. Definitely would recommend!

[0] https://github.com/dani-garcia/vaultwarden

I switched from LastPass to Bitwarden. I'm still not even 1/3 the way through from changing all my passwords and OTP tokens (Obviously I changed bank passwords, etc, right away.)
Have fun changing those passwords. It took me at least three days. Absolutely miserable experience to conclude my 7 year relationship with LastPass.
What?! You can’t import/export between them?

That’s what I did when I left LastPass for 1Password, was fairly straight forward from what I remember.

I had to reset them regardless because of the breach so didn’t even bother looking into exporting/importing.
You can import/export, and it worked well. But you still have to change every one, and reset your OTP token generators if you stored them in LastPass as well
I was a 1Password customer before, but work pays for a family plan now, so it makes too much sense.
Huge fan of 1Password.

Used it personally for nearly a decade and introduced it at work. Happy 1Password Business users and that gives all our employees free personal accounts (that we can’t see or touch) as an added benefit.