Ask HN: Alternatives to 1Password

+1 to Bitwarden, and in particular the Vaultwarden implementation.

I've been self hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.

KeePassXC is the way to go. Install F-Droid on your Android smartphone, get KeePassDX. This way, you have a desktop and Android client.

I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.

If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].

[1]: https://www.eff.org/dice

There's pass, a CLI password manager that's version controlled and encrypted with your PGP key: https://www.passwordstore.org/

There are also (unofficial) iOS and Android clients that sync to a git repo.

Bitwarden if you want a third-party managing your credentials, keepass if you're ok handling the syncing of your password database.

I wouldn't use any of the Kaspersky's software, as their owner, Eugene Kaspersky, is literally an ex-KGB officer (if there's such a thing as ex-KGB).

https://en.wikipedia.org/wiki/Eugene_Kaspersky

I’ve been looking at alternatives for a while, here are my notes: https://taoofmac.com/space/apps/1password

(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)

People say a lot of nice things abotu Bitwarden, and it's got both self-hosting and hosted options.

TIL 1Password are also looking into a self-hosted option; maybe it'll happen if more people sign on to their survey: https://survey.1password.com/self-host/.

There's a new kid in town: https://www.ctrlc.hu/~stef/blog/posts/sphinx.html

pro: it has much stronger security guarantees than the rest, it's self-hosted, but you can use other peoples servers!

cons: there is no UI frontend for macs, and UI integration in browser could also be improved.

(i'm the author, ama)

Can you use your browser's native password manager? Chrome supports syncing of passwords. Just dump a bunch of gibberish into the password field when you register and let the browser do the rest.

Last year, CtrlBlog reviewed these password savers and found KeePassXC to be usable for a self-hosted password saver server and widest-platform client usages.

- Windows

- KeePassXC Offline for Android

- iOS

- Linux

   I don’t need to use KeePass, though. There are over a dozen different forks of the KeePass project to choose from. I decided on KeePassXC for my Mac, Linux, and Windows computers; and KeePass2Android Offline for my Android phone. I decided on these two because they feel more modern and I’ve confirmed that they won’t easily suffer from synchronization conflicts.

https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html

Moved to Bitwarden + Vaultwarden. It's pretty good! Firefox plugin doesn't work in private browsing. Browser plugins don't auto-sync. Other than that, I was pretty happy to ditch 1password as Agile Bits circles the drain.

As there are many (and good) answers here, I may have missed one point - which I will raise: Check the fallback / fail scenario(s).

Here is my example: I've been using 1password since 2008ish. I've purchased every upgrade since then and even had more than one license. All was fine: Data was local, there was some backup method and some plain text export.

Some time ago, 1Password decided to go cloud and change to a subscription for using the software for new users. The client I have on my mac still works fine, but the only option was to "rent" the password management that stored my data on their servers.

The owners sugarcoated this in every way (pet peeve: Talking in their mails about something completly different like recipes, then "by the way, subscription only in 3,2,1 ...").

I will not buy into being fully dependent on someone else when it comes to access to all of my online and offline systems. And you should not, too. Same goes for any company.

So any of the suggested tools here should do two things: Work independent on an online/sync-connection (and be able to access/modify data untill online connection has been reestablished). And be able to export data in a format that can be transformed/read by most of the others.

I switched to my own local instance of Bitwarden (Vaultwarden) and use the client for any device I own. Switch took about half a day and I never looked back.

For enterprise setups I use vaultwarden (a rust based open source bitwarden). Can do password sharing and so on

For personal use keepassxc and syncthing. Keepassdx on android.

Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting

I made my own.

After trying for a test period the usual famous ones, and not being happy with anything (cloud crap, no memory encrypt, no clipboard cleaning - to just name a few) I decided to take a look at a few that were open source, learned their overall intricacies and started to code my own. At beginning nothing fancy, just a SQLite DB and simply focus on name field, system-wide shortcut for my manager to pop-up and then selecting the entry. Manager would type in the username, TAB to password field, then type the password there as well and press ENTER. That was the most rudimentary one and whenever some new web/app was not working I would see why and increase from there its code/logic.

After like 3 months I was happy with all I had the need for and very rarely, something like every 6 months, I would touch its code for maximum 2 days to make it work. It's being over 5 years at this point and use it daily on my several dozens web sites / desktop apps I need. During this time I never did a full refactoring or change its underlying business logic.

So my advice for you @vasachi, if you can, do the same. The satisfaction will be huge.

Apple’s password management is getting better and now includes 2FA. I wouldn’t be surprised to see it spun out as a separate app sometime soon.

Use https://www.lesspass.com/#/ - I've found the approach very fresh. Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.

The real problem though is that it does not support hardware security tokens at the moment.

Passbolt is open source and can be self hosted if you don't want (or can) run their cloud version.

https://www.passbolt.com/

It's gully open source, with a AGPL license.

https://github.com/passbolt/

I’ve been using CodeBook for several years and have been pretty happy with it. One time cost (per OS) and can sync over WiFi or to Dropbox/google drive. No browser plugins, instead it provides a global hot key activation which authenticates you (Touch ID or password), lets you search for the account then auto-types the password. On iPhone it integrates well for providing passwords to sites and they just recently added a feature which will also auto-copy 2FA TOTP into clipboard if one exists.

https://www.zetetic.net/codebook/

I use gopass and Gopass Bridge for password filling in firefox. It works great, and for the keys I'm using yubikeys gpg mode, so my passwords are actually locked with a hardware key.

I’ve been using an app called Secrets for iOS and macOS for close to a year. A one time purchase, easy syncing, and other items like secure notes and software licenses can be stored. They also have import from 1Password. Excellent experience so far, almost a complete 1:1 analog of 1Password. Command + \ to auto-populate fields works, maybe not as smoothly. For the money Secrets charges I’m satisfied knowing that after a year, I’m saving.