Ask HN: How do you manage your passwords in 2023?
I have yet to find a password management solution which is:
- secure
- easy to use
- accessible on multiple devices (home PC, work PC, and ideally phone)
I currently use a mixture of KeePassX (synced manually using SSH) and stored passwords (e.g., in my browser). But I keep thinking that there MUST be a better solution.
178 comments
[ 3.2 ms ] story [ 97.5 ms ] threadIf KeePassXC one day becomes unmaintained I will make my own custom tool, probably using sqlite+openssl+bash. I only log into one semi-sensitive thing on my phone so I don't bother syncing to that device.
Most of the time, yes. I can edit the copy and push it back to the SFTP server but that push is manual. I have done that from time to time. I do not share the file with anyone else so I always have confidence which version is up to date. I also have rsnapshot copies of the files.
Thank you
That's one of the nice things about common/basic/widespread standards and tools: good compatibility and support.
Handling non-GPG encryption in a similar way should be possible too, but won't work out of the box.
My big goal now is to come up with a better solution for 2FA that works for me and my wife's shared accounts.
But the shared accounts that are my pain point only offer SMS OTP.
As for shared SMS, look into Google Voice. They automatically forward SMS texts to email as an option. I created a "shared" email account and gave my family access to that.
I did find a way around this, in that I had a real number, added all my 2FA accounts to it, and then ported the number to Google Voice, but this isn't a long term solution. Idk how long Google Voice will stick around, but I have found a couple backup options that are low cost if I need to keep the number long term.
I understand the idea of putting both factors in one place is odd, but I feel it strikes the right balance between the convenience and security.
This is AKA "one factor", right?
I'm no math wiz but pretty sure that makes it a 1.5 factor
The main threat vector would be, as you mentioned, compromise of the actual password manager.
As far as I can tell, 1Password’s end to end encrypted architecture makes this less probable.
That would reduce the main risks to our actual devices.
TOTP MFA is crap anyway because it has no passcode and it is so trivial to sync and it’s common for people to do so. So in scenarios where people close to you are a risk, or you’re dealing with other peoples data, it’s pretty weak control. It’s great for preventing spray attacks and mitigating some compromise scenarios.
It’s likely members of your household, friends, coworkers have access to shared devices or shared vaults in 1Password. That makes that type of MFA more like 1.5 factor vs 2 factor.
Whether you want to be one bad front-end UI deployment away from both factors being exposed, fair question...
i use 1password's built-in 2FA (TOTP), but only for a couple accounts as i find it unwieldy generally. i'm also keeping an eye on how passkeys develop over time.
It does all the things you ask for. With the paid version I can share passwords with my spouse for relatively unimportant things (like Netflix) in a reasonably secure manner.
I could self host and run it myself. But I'm not a multi-person team with decades of security engineering experience. So I gladly let someone else take on that burden.
I'm very positive Bitwarden won't get hungry for money looking at their revenue models, but there's always Vaultwarden you can self host. It's pretty popular and secure. I'll be deploying soon for myself.
This morning I loaded up the dishwasher, switched it on, and completely forgot to add a cleaning tablet. I don't want the responsibility of forgetting to update a critical patch or misconfiguring an obscure YAML file.
For Linux and windows i would use keepassx.
- it does not understand that some accounts are used on multiple domains, does not allow you to modify domains, or have more than one. For example something like microsoft.com, live.com, microsoftpassword.com. I believe maybe microsoft cleaned it up and use now only one domain, but websites like that still exist.
- multiple accounts for the same website, just need to have a title to name them. Say you have 2 AWS account and each has a user root. How would you identify them?
- password sharing is a big issue as well, within the family.
At minimum, Apple needs to make Keychain a standalone app instead of a half-baked settings dialog for it to even be considered an option imo.
My email and Bitwarden itself are secured by two Yubikeys, one is always on my person on my keychain, the other is physically stored away from my house. I have an AirTag on my keychain because losing your keys is a pain in the butt.
This is a cheap yet very secure system for most people that care about security but are not persecuted by police or government agencies.
It just works.
My only complaint is that it doesn't let me use a yubikey as a primary method of authentication on windows - all my other devices have biometric authentication.
https://chrome.google.com/webstore/detail/icloud-passwords/p...
Used keepass and pass for years but got fed up with them. Switched to 1Password this year and never looked back.
Passwords though will have a very long tail even in the most optimistic scenarios, so yes password managers aren't going anywhere for a while yet. What I use right now is 1Password 7 with a slow migration towards Bitwarden clients and a self-hosted Vaultwarden server. I still have a standalone license and still have shared vaults in Dropbox, I will not be moving to the electron based 1P8. So end of the line on that decade+ journey I'm afraid, I'm disappointed with what happened with them but so it goes. Bitwarden/Vaultwarden seem solid to me so far though, and have client support across a range of devices. Nebula or Wireguard make keeping a bunch of selfhosted services accessible in a reasonably secure way pretty easy, and almost more importantly once setup have been rock solid reliable for me. Wrapping my head around them and making sure I had it all figured out certainly took a bit of time early on, but once setup it's Just Worked™ without being touched a single time ever again. No specific 3rd party dependencies is attractive.
If you have family/friends/coworkers to deal with though obviously the needs of the group are going to have to factor in on some level, and you may find you need to either run a few different things or compromise somewhat/pay more.
I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.
Oh for sure, like I said passwords will undoubtedly have a long tail. Even more so for internal apps/hardware, I routinely deal with old stuff that I have to keep old browsers around to access since newer ones no longer will work, or reenable old SSH negotiation or whatever. I'm just hoping 2023 is when we start to see a critical mass, and further that it ends up being a non-linear adoption curve that goes better then we might expect. If it becomes a standard check box item for insurance or security assessments or interacting with other companies/government and gets integrated as default into widely used frameworks it might go quicker. I also expect adoption not to be randomly distributed, with important tech services more likely to pick it up or use it already. If financial and medical does as well then that'd hit a lot of the most vital ones even if it's not a plurality.
Realistically it'll probably take another few years after hitting the tipping point to truly ramp, since there are clearly remaining hardware and software rough edges to sand down/refine. But if 2023 proves the start of an S-curve I'll be happy.
I'm confident even if BW goes down I can still recover my data since the vault works offline too. While the browser extension could use some UX work the mobile apps have been top-notch and sharing passwords with my spouse has been a bliss.
I bought myself a dedicated server earlier in December and will be migrating to Vaultwarden pretty pretty soon.
I wonder which one is truly transparent (I work mostly on Mac/iOS but still need other platforms)
I had quite a few apps in the beginning where I needed to manually open BW to copy paste my username/password, but it doesn’t seem like it occurs to me anymore.
>attachments:*
Can I ask why the desire to switch to Vaultwarden? I assume if a significant slice of the userbase did this, the project would suffer—so I'm asking this question genuinely as an avid Bitwarden supporter myself.
I hope they don't have to rely solely on VC funding, seems that VCs motives would be precisely orthogonal to my own in terms of privacy and feature roadmap.
The main reason I'm switching is for the fun in it and having my data under my complete control. And, to save some money, for me and some friends, for whatever it is worth.
Definitely worth the slight effort, for all the gains.
No privacy or security issues now since I own all my data, no subscription fees, and no complaints till now with the self-hosted setup. Definitely would recommend!
[0] https://github.com/dani-garcia/vaultwarden
That’s what I did when I left LastPass for 1Password, was fairly straight forward from what I remember.
Used it personally for nearly a decade and introduced it at work. Happy 1Password Business users and that gives all our employees free personal accounts (that we can’t see or touch) as an added benefit.