Ask HN: Best Password Manager without cloud login?
Without exhaustively testing all the vendors, my personal judgement is that 1Password is about the best across many axes. However when they forced the subscription model (with VC-rationalized justifications) I abandoned them and went to BitWarden. BW is very much not as good but it's more than just good enough.
One defect that has bothered me about BW is that to unlock the vault, locally, you have to be able to contact the BW server. (I'm using the BW free cloud, not self hosted.) Right now, for the past 30 minutes, I've been unable to unlock my local vault due to being unable to login to the BW server. BW status page says all green. It could very well be a local/regional connectivity issue and not their systems actually being down. Doesn't really matter, this situation is unacceptable.
I do want to sync between a few devices, without hoops, so I do need their cloud service for that (don't I?). I cannot run an available enough self hosted service. I'm perfectly ok with BW and the way sync is done, it's just the vault unlock dependency which I can no longer tolerate.
Does the community here either know how to configure BW to retain sync but not have this cloud dependency on local unlock (sorry for basic tech support question!), OR do people have recommendations for a different provider that is either free or perpetually licensed? Obviously one can't run a cloud service for free, but I'm thinking iCloud or wifi or other kind of sync.
I am confident that KeePass can do this but I am also confident the UX and the DIY-ish nature of it is not for me.
I'm ok with a ios+mac-only solution, I can do something different/disjoint for the rare other usage I might have.
26 comments
[ 2.9 ms ] story [ 75.5 ms ] threadhttps://samarama.net/samuraisafe/app.html
https://keepassxc.org/
Especially because KeePass ecosystem is maintained by some kind of fly-by-night, pseudonymous Eurohackers, who knows what undesirable foreign influence is operative here. I already have very uneasy suspicions about the integrity of their supply chains and password generation capabilities.
I'm very happy to fall into the arms of Big Tech whom we already trust for everything else (and if you personally refuse to maintain accounts with Google or Microsoft, remember that every single corporation and government does so anyway, with all your data at stake.)
Because we are forced to give them our data does not mean at all that we trust them. They should never have been allowed to get that big in the first place.
> The convenience and tight integration is so important.
Freedom and competition are important, too.
https://strongboxsafe.com
"One defect that has bothered me about BW is that to unlock the vault, locally, you have to be able to contact the BW server."
If my device is offline I can still unlock the vault and access my passwords.
I don't remember 100% but I thought a long time ago I had a local-only kind of BW setup. At some point I had to (or was dark pattern encouraged to) create a BW account on their cloud. Ever since then, my local vault has my email address associated with it.
Right now, if I open the app fresh, I get the "login page". There don't seem to be any other pages/dialogs that one can open at this point. "Log in or create a new account".
The field to login is an email address. The choices are to log in on bitwarden.com, bitwarden.eu, or self-hosted. There is no option to unlock local vault without contacting one of the 3 server options. I use bitwarden.com. If the server can't be reached, the vault does not unlock.
There's another option to "Create account". That requires an email and password setup. There's no server selection on that pane.
There's no option to not use an "account" and just unlock the local vault. There's no option to create a vault, apart from creating an "account".
Create a system or pattern based on url or brand and mentally hash it into a password.
Doesn't sound very secure. Also when you realize that you anyway have to trust cryptography, I believe it starts making a lot of sense to have an actual cryptographic key and encrypt it with one good random password you learn by heart.
I use pass https://www.passwordstore.org/, which encrypts my passwords with my GPG key, which comes from my Yubikey, which I unlock with a password. That means that I only need to remember one password, and it feels a lot more secure than your pattern based on url or brand.
If anyone's found something that is slicker than 1Password at this (and which can handle typical developer problems like needing half a dozen or more different logins to the same site) I'd love to know about it.