top | item 29797022

Ask HN: What password managers can you recommend?

45 points| torstenvl | 4 years ago | reply

I used to be a happy 1Password user, but they seem insistent on making the experience as terrible as possible lately. I've tried Bitwarden and Enpass, but their integration is worse and they suffer from some of the same problems as 1Password (subscription/server-based, not really in control of own data, etc.)

Are there any password managers that

- Integrate into browsers on all major platforms

- Have decent password generators

- No major security breaches in past ten years

- Local-first / sync via standard sync mechanisms (Dropbox, iCloud, Syncthing, etc.)

EDIT: Based on responses below, I'm going to try KeePass[.*] and see how it goes. First hiccup is that 1Password import doesn't seem to work, but I'll keep at it.

127 comments

[+] jstx1|4 years ago|reply
Bitwarden. The free version does everything I need from a password manager (which is to store, sync and generate passwords); decent browser extension, decent mobile app.
[+] schleck8|4 years ago|reply
You can also self-host it (either the original or a more lightweight fork called Vaultwarden, although I don't know how trustworthy it is)
[+] itake|4 years ago|reply
+1 Bitwarden. I wish they dogfooded more so they can see how bad their browser extension is though.
[+] dabber21|4 years ago|reply
I'm happy with the free version, but I'm paying the $10 to reward the devs
[+] tcfhgj|4 years ago|reply
I use Bitwarden, but the lack of auto type on Desktop as well as the limited selection of symbols of the password generator annoys me a lot
[+] senectus1|4 years ago|reply
Same here. Myself, my wife and kids all use it. I have my father and mother using it.

I default to it for anyone looking for this solution.

[+] drcongo|4 years ago|reply
I hate what 1Password has become, and how user-hostile Agile Bits are. BUT after the last bait and switch they pulled I tested _every single password manager on the market_, and the bad news is that the others are all worse. The only two I found that I liked, but sadly lacked at least one feature that we need, were Secrets [0] and Elpass [1]. I think both might fail your requirements list too. I've begrudgingly had to stick with 1Password, but after the way they've treated the customers who have been giving them money for over a decade I'll be off the second someone makes a password manager that meets our requirements.

[0]https://outercorner.com/secrets-mac/

[1] https://elpass.app

[+] santoshalper|4 years ago|reply
I've been a happy 1PW user on Windows 10 for a few years, but admit I haven't paid a lot of attention. I haven't noticed any big changes. What are you guys referring to?
[+] beckler|4 years ago|reply
What features were missing?
[+] Sanzig|4 years ago|reply
I use pass. It's a Unix-style password manager created by zx2c4 of Wireguard fame.

https://www.passwordstore.org/

Pass uses GPG under the hood for encrypting the password store. I use an OpenPGP smartcard (a Yubikey in my case) to decrypt the password files. I synchronize the store across devices using Git. There are good autofill implementations for Firefox and for Android. When I need a password, the autofill prompts me to insert my Yubikey and enter in the unlock PIN, which I find more convenient than a master password. Crypto functions are offloaded to the Yubikey with a (theoretically) very difficult to extract private key, so unless somebody swipes that they can't get into my passwords.

I mostly followed this guide for setting it up: https://dehnes.com/software/2020/04/03/password_management_y...

[+] sam_lowry_|4 years ago|reply
There is Browserpass extension for Chromium as well.
[+] mariusor|4 years ago|reply
Pass is not very user friendly. Adding a new device to your tree is a painful experience. Losing your Yubikey or your main gpg key is a painful experience. That being said, there are variants to pass that make multi key trees easier to manage and that's what I'm using.
[+] taxcoder|4 years ago|reply
I use KeePass. The password generator is good and I'm not aware of any breaches. I don't know how good the browser integration is. Mine is backed up to several locations that I also use it from, I suppose Dropbox would work.
[+] jdmichal|4 years ago|reply
Browser integration for KeePass is non-existent. What I found a few years ago when I tried, is that you install a plugin to KeePass that basically exposes your database to queries from other approved applications. The browser plugin will be one of those applications.
[+] tmikaeld|4 years ago|reply
Considering how important security is in a password manager, I don't trust any other than Bitwarden.

It's been audited [0] by external companies multiple times and both the client and the server are fully open source [1].

I know others may say that the encryption is too weak[2], but that's true for all other password managers too [3], since Argon2id is not mature enough to run as a WASM module in the browser yet (especially not on mobile).

[0] https://bitwarden.com/help/article/is-bitwarden-audited/

[1] https://github.com/bitwarden

[2] https://github.com/bitwarden/jslib/issues/52

[3] https://github.com/bitwarden/jslib/issues/52#issuecomment-78...
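The point behind "everything is encrypted before it reaches the server" and the "encryption is too weak" complaint is the client-side key derivation: the password goes through a slow KDF on the device, the vault key is stretched from that, and only a separately derived authentication hash is ever sent. The block below is an added example modeled on the PBKDF2 + HKDF-Expand layout that Bitwarden's public documentation describes; it is not Bitwarden's code, and the HKDF info strings, the iteration count and the function names are assumptions. The last function measures what the PBKDF2 iteration count buys: the cost of one offline guess against a stolen vault, which is exactly what Argon2id would raise further.

```python
"""Client-side key derivation for a zero-knowledge vault: the server only ever
receives a hash derived from the master key, never the password or the key
that encrypts the vault. Added example modeled on the PBKDF2 + HKDF-Expand
design Bitwarden documents; info strings, iteration count and names here are
assumptions, not their code."""
import hashlib
import hmac
import time

ITERATIONS = 100_000   # assumed for the example; real clients use higher counts


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256. The extract step is skipped
    because the PBKDF2 output is already a uniformly random key."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password: str, email: str, iterations: int = ITERATIONS) -> dict:
    """Everything here runs on the client. Only auth_hash leaves the device."""
    salt = email.strip().lower().encode()        # email doubles as the per-user salt
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "master_key": master_key,
        # separate keys for AES and HMAC so vault items can be encrypt-then-MAC
        "enc_key": hkdf_expand_sha256(master_key, b"enc", 32),
        "mac_key": hkdf_expand_sha256(master_key, b"mac", 32),
        # one more PBKDF2 round keyed on the master key: the server stores this
        # (re-hashed again server side) and cannot invert it to recover master_key
        "auth_hash": hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1),
    }


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Cost of a single offline guess against a stolen vault at this iteration
    count; this is the number the 'too weak' complaint is really about."""
    start = time.perf_counter()
    for i in range(samples):
        derive_keys(f"guess{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    keys = derive_keys("correct horse battery staple", "alice@example.com")
    print("auth hash sent to server:", keys["auth_hash"].hex())
    print("vault key never leaves  :", keys["enc_key"].hex())
    for iters in (5_000, 100_000):
        print(f"{iters:>7} iterations: {seconds_per_guess('alice@example.com', iters):.4f} s/guess")
```

Run it twice with different iteration counts and the per-guess time scales linearly; that linear, cheap-on-GPU scaling is the argument for a memory-hard KDF, and the reason an attacker who steals the server-side auth hash still has to attack the client-side derivation rather than the vault directly.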

[+] bloopernova|4 years ago|reply
Bitwarden can be self-hosted. $10/year subscription cost is well, well worth it.

If you don't self-host, note that everything is encrypted before being stored at bitwarden. They don't have access to your passwords.

[+] silisili|4 years ago|reply
Same. 10/yr is not worth self hosting IMO, unless for security/paranoia reasons.

Having a reliable, stable PW manager with a good app and TOTP capabilities feels like a steal at that price.

[+] torstenvl|4 years ago|reply
Bitwarden is just as user-hostile. They go out of their way to make it harder to own your data, when it should just be local-first vaults.

Import/export is irrelevant. I want to own my data, not just be able to check out a copy whenever I want.

[+] dxf|4 years ago|reply
I was a happy 1Password user and warily switched to their subscription model. But it still does everything I want and now it even does more -- e.g. I can have shared vaults with my partner and other family members, which is more convenient than duplicating entries between machines or going to each others' computers to look something up.
[+] gspr|4 years ago|reply
Pass! https://www.passwordstore.org/

With git or whatever you want for sync, and whatever GPG-compatible security device you want for encryption.

I swear, pass is the piece of software that has improved my digital life the most per line of code in the software.

[+] abfan1127|4 years ago|reply
I use LastPass. I love that it has a mobile app for me to copy/paste on my phone and my wife's phone. It has a really good browser extension. I do pay the small fee for multiple devices.
[+] basseq|4 years ago|reply
Another vote for LastPass, though I haven't cross-shopped in a while. It generally "works", including on iOS. (You can enable auto-fill directly in Mobile Safari in Settings > Passwords > AutoFill, so I rarely have to open the app anymore.) Chrome extension experience on desktop is similarly "fine".

The LastPass app itself is just "ok" from a UI perspective, but again, I use that part rarely.

[+] mmettler|4 years ago|reply
1Password is consistently fantastic.

I hear you about problems with a server/subscription-based model, but a) it's the least of all evils, and b) I've come to enjoy financially supporting them (i.e. my subscription means they can keep making great software, which is definitely valuable to me).

[+] chenxiaolong|4 years ago|reply
I use KeePass databases synced with SyncThing. One database for passwords and private keys, another for TOTP 2FA (which I only ever update/unlock on my phone).

As for the software I use to access the database:

* On Windows/Linux, I use KeePassXC with the corresponding browser extension. I also use the built-in SSH agent integration so I don't need to store my private keys in ~/.ssh nor manually type in their encryption passphrase.

On Windows, auto-type works great for the most part, except in ancient applications that only support scan-code-based input and not Unicode-based input (shakes fist at IPMI consoles of brand new servers that _still_ use ancient noVNC versions without support for Unicode input). I build KeePassXC from source to include a not-yet-merged patch for scan-code support.

* On Android, I use KeePassDX (open source). It integrates with Android's autofill API, but also has a keyboard for typing the username/password/TOTP code into apps that don't support autofill.

* Back when I still used iOS, I used Strongbox (open source, but does not accept contributions). It integrates with iOS' autofill API.

For syncing, I use SyncThingTray on Windows/Linux and SyncThingFork on Android. On iOS, I used to have Strongbox connect via sftp to my server running SyncThing because I could not find a decent SyncThing client. (I'm not even sure it's possible to implement on iOS without resorting to abusing location services for background execution, like iSH or most SSH clients.)

[+] torstenvl|4 years ago|reply
I'm leaning toward Strongbox on iOS as well. I'm struggling a little with finding a good Mac experience. Strongbox doesn't support KeePassHTTP or any other browser integration beyond macOS/Safari AutoFill, and KeePassXC seems a little rough around the edges. I might try MacPass.
[+] dhritzkiv|4 years ago|reply
What's the terrible experience you're finding lately with 1Password? I've found it to be more consistent and stable in the last little while (especially when paired with the more recent Safari releases)
[+] gmoore|4 years ago|reply
Bitwarden - without question - pay the $10 a year. It's only 10 bucks and totally worth it...
[+] durakot|4 years ago|reply
Was in the same boat. KeePassXC is what you want.
[+] madmonk|4 years ago|reply
I've been working on a concept where, instead of storing passwords in a manager I use a generator that creates pseudorandom passwords based on a few, easy to remember things. It's essentially a hashing algo created in javascript. You provide a site name, a password length and a pin code and it will consistently generate the same pseudorandom string. Nothing is stored and the generator can be publicly hosted.

https://github.com/madmonk13/keymaster

This is the first time I've publicly shared it and I welcome your feedback.

[+] wepple|4 years ago|reply
This is great, I used to do a similar thing but all in my head (so obviously not as complex permutations)

In practical use, how do you typically remember whether or not a site allows special characters or has a length requirement? Also do you ever have trouble remembering what you named a particular thing? Might be easy for something with an FQDN, but for an encrypted vault or ssh key may be harder

Edit: on second thought, the use of only a numeric pin (with suggested length of 4) seems not good from a security perspective. For an offline attack against, say, a TrueCrypt partition I could offline attack a fairly large pin space with a number of different names fairly trivially. Even in an online attack, if I assume you're sticking with a 4-digit pin and using the site name "Facebook" then I have a 1/10000 chance, which drops to 1/2500 if Facebook lets me have 4 attempts. The PIN should be a pass phrase IMO

Edit2: please take these criticisms as genuine feedback, as I think this is an excellent idea and I’d like to use it myself. I’m curious why no true cryptographic hash algorithms were used? I only skimmed the code, but I’m concerned that under a model where 1 or especially 2+ passwords are leaked (inevitable in this day), there would be non-zero leakage of intermediate stages if not the original pin. The other challenge I see is the integrity of the JS - would folks self-host this? Otherwise you could possibly use Subresource integrity to load the JS from an untrusted source, and the user would manually verify the SRI key or something
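The two objections above (a 4-digit numeric PIN, and a home-grown hash instead of a real one) can be shown concretely. The following is an added example, not the keymaster code linked in the thread: it derives a site password with PBKDF2-HMAC-SHA256 salted by the site name, maps the output onto an allowed alphabet without modulo bias, and then runs the offline attack a single leaked password enables when the secret is a 4-digit PIN. The alphabet, the salt prefix, the iteration counts and all function names are assumptions for the example; the SRI helper at the end computes the `integrity=` value the comment suggests for pinning a hosted copy of the script.

```python
"""Stateless site-password generator built on a real KDF, plus the offline
attack that a 4-digit PIN invites. Added example, not the thread's keymaster
code; derivation details, alphabet and iteration counts are assumptions."""
import base64
import hashlib
import hmac
import itertools
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols, assumed


def derive_password(secret: str, site: str, length: int = 16,
                    alphabet: str = ALPHABET, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 over the secret, salted with a versioned site name,
    then mapped onto the alphabet with rejection sampling so every character
    is uniform (plain byte % len(alphabet) would be biased). Alphabet must
    have at most 256 symbols."""
    site = site.strip().lower()                      # "Facebook.com " == "facebook.com"
    prk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                              b"sitepw-v1:" + site.encode(), iterations)
    limit = 256 - (256 % len(alphabet))              # largest multiple of |alphabet| <= 256
    out, counter = [], 0
    while len(out) < length:
        # expand the derived key into as many bytes as the sampling needs
        block = hmac.new(prk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
    return "".join(out)


def recover_pin(site: str, leaked: str, length: int, digits: int = 4,
                iterations: int = 200_000):
    """Offline attack from one leaked site password: try every numeric PIN.
    The cost is 10**digits derivations no matter how slow each one is, which
    is why the secret has to be a passphrase, not a PIN."""
    for pin in itertools.product("0123456789", repeat=digits):
        cand = "".join(pin)
        if derive_password(cand, site, length, iterations=iterations) == leaked:
            return cand
    return None


def sri_integrity(script: bytes) -> str:
    """Subresource Integrity value for a pinned copy of the generator's JS:
    <script src=... integrity="sha384-..." crossorigin="anonymous">."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script).digest()).decode()


if __name__ == "__main__":
    DEMO_ITERS = 2_000   # kept low so the demo finishes in seconds; not a production value
    leaked = derive_password("0137", "facebook.com", 16, iterations=DEMO_ITERS)
    print("leaked site password :", leaked)
    print("PIN recovered offline:", recover_pin("facebook.com", leaked, 16, iterations=DEMO_ITERS))
    print("passphrase-derived   :", derive_password("correct horse battery staple", "facebook.com"))
    print(sri_integrity(b"// constructed stand-in for the generator script\n"))
```

With a 4-digit PIN the whole keyspace is 10,000 derivations, so even a deliberately slow KDF only delays the attacker by minutes; with a passphrase the same code is as strong as the passphrase. The versioned salt prefix matters too: changing the derivation later would otherwise silently change every password.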

[+] torstenvl|4 years ago|reply
Before I started using 1Password I used to do the same thing.
[+] c7DJTLrn|4 years ago|reply
I use KeePassXC. I don't feel that web password managers are safe given the monstrous attack surface of browsers.
[+] putlake|4 years ago|reply
I've not understood why one wouldn't use Chrome or Edge's built-in password manager. Is there a compelling reason to use a separate password manager app?
[+] SamuelAdams|4 years ago|reply
I thought they were stored on-disk in a non-encrypted SQLite database. So anyone with physical access to your computer has all your passwords.
[+] kristiandupont|4 years ago|reply
The reason I don't is that those are not the only browsers I use. And I want my passwords available to me everywhere.
[+] sushisource|4 years ago|reply
Yes:

* Sometimes you need to fill passwords on app login screens on your phone, for example. At least 1Password for your phone can do this.

* I sometimes need to fill passwords in non-browser apps. I can use a global shortcut to easily open my password list and copy what I need without touching the mouse.

* I want to store things that aren't passwords securely.

Etc

[+] abfan1127|4 years ago|reply
I don't use it because I need passwords on multiple mobile and desktop machines.
[+] thebean11|4 years ago|reply
Do Chrome and Edge support autofill on other browsers? iOS apps? The answer might be yes just not sure. They are also missing features like secure notes, documents etc.
[+] Ottolay|4 years ago|reply
What if you use multiple browsers?
[+] firepacket|4 years ago|reply
I wrote my own with ridiculous Argon2 requirements (takes 18 secs to open) combined with a PKDF hybrid hashing system (not chained) and a strong AES256 CBC implementation with proper random IVs for each field and correct padding. You can encrypt any kind of data and files; it's encoded as 32k UTF-16 + sig XML, losing only 1.3% over binary, but I like text files. Of course, some files come out smaller due to the Gzip compression.

It is Dropbox friendly, meaning any change or addition by another person using the same vault in the same directory is automatically updated in all open vaults. This was originally for collaboration. You can have your own private vault too with a unique password, as many as you like. They just end up as XML files. It runs fast as it uses databinding, can generate strong passwords, and makes copying/pasting easy. I am having trouble encrypting files over 1GB though.

I go to great lengths to protect the key. If the file is open too long, it minimizes and locks; when you open it, it decrypts everything again. As soon as decryption is done, the key is stashed away using the ProtectMemory function in the framework. I have done memory dumps to ensure the key is not visible when the app is idle.

Files work differently. Their metadata is encrypted, but you are able to checksum them and preview them in memory without the key ever being exposed, and the content never touches the disk and is zeroed afterward. You can currently play sound, view pictures, execute files (in memory!) and soon video.

I plan on browser integration by a cross-browser userscript and loopback routing (127.0.0.1) that recognizes when the cursor is in a field specified in the login's metadata. But I am running into trouble because sites like to randomize the name of the login fields, so I have to use some reliable heuristic approach.

Does anyone have any ideas on how to deal with that? If I can figure that out, and get video previews working I will open source it.

EDIT: Here's a preview of the app: https://imgur.com/a/rZGPCPZ