Ask HN: Which password manager is the most secure and why?

29 points| ta_u | 3 years ago

Additionally, is there a safer alternative to password managers?

35 comments

gvb|3 years ago|reply
KeePass with the database stored locally on your device(s).

I then use syncthing to synchronize the database between my devices (laptop, phone, in-house server, backup).

The data is all under my control and does not reside on any third party computer or data storage. The only exposure to third parties is when the database is synced between devices... but at that point it is encrypted and ephemeral.

rvdginste|3 years ago|reply
I do the same: the format used for the KeePass database is supported by software on Windows, Mac, Linux, iOS and Android. I have the database in a git repo and mostly use it from my laptop. From time to time, I put a copy on Google Drive to make it easy to access from a phone. This has been working well for me for years already.
mouzogu|3 years ago|reply
Can't the myriad keepass app(s) themselves get compromised?

I don't think there is a perfect solution, today lastpass, tomorrow another. I guess you trade control for convenience.

elteto|3 years ago|reply
Does this work in iOS?
joshSzep|3 years ago|reply
I have a memorized algorithm for my passwords which combines my user name, the website name, a counter, and a unique key. It includes uppercase, lowercase, numbers, and symbols. The passwords come out at 9-10 characters.

So I have no need for password managers, for writing down in a notebook, or anything else. Try it.

woopwoop24|3 years ago|reply
What are you doing when a password from a weak site gets compromised, exposing your algo? How do you memorize your "unique" key?
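As an added example (not from joshSzep or woopwoop24), here the same four inputs (user name, site, counter, memorized key) go through PBKDF2 and HMAC instead of a hand-made rule, so one leaked password reveals neither the rule nor the key nor any other site's password. The 64-character alphabet, the iteration count and the retry loop that enforces all four character classes are my own choices. It does not remove the residual risk woopwoop24 raises: a short memorized key can still be guessed offline once the scheme is known.

```python
import hashlib
import hmac
import string

# 64 symbols, so "byte mod 64" is uniform (no modulo bias); only two
# punctuation marks, which is an assumed trade-off for that property.
ALPHABET = string.ascii_letters + string.digits + "!@"
LENGTH = 10            # the scheme in the thread yields 9-10 characters
ITERATIONS = 100_000   # assumed PBKDF2 cost; raise it for real use


def _has_all_classes(pw):
    """True if pw contains lowercase, uppercase, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in "!@" for c in pw))


def derive_password(username, site, counter, secret_key, length=LENGTH):
    """Deterministic password from (username, site, counter, memorized key).

    The memorized key is stretched with PBKDF2 (salted by user@site) before
    HMAC produces the per-counter output, so a leaked password cannot be
    worked backwards cheaply. length must be <= 32 (one SHA-256 digest).
    """
    salt = f"{username}@{site}".encode()
    key = hashlib.pbkdf2_hmac("sha256", secret_key.encode(), salt, ITERATIONS)
    attempt = 0
    while True:
        # The attempt number is part of the message, so retries stay
        # deterministic: same inputs always give the same password.
        msg = f"{counter}:{attempt}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        pw = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        if _has_all_classes(pw):
            return pw
        attempt += 1


if __name__ == "__main__":
    # Constructed sample inputs; the key is a placeholder, not a real one.
    print(derive_password("alice", "example.com", 1, "placeholder key"))
```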
philihp|3 years ago|reply
Passwordstore is probably the most secure, being that it's a short (1500-line) shell script that offloads the actual encryption to GPG and network sync to git. There's just not a lot of surface area to attack there... and it also works for teams.
psychphysic|3 years ago|reply
Mooltipass [0]

It's hardware based: the device stores encrypted passwords and files (which can be dumped, still encrypted, to a PC). Sending keys requires interaction with the physical device and a smartcard is needed to activate the device. Yet you can synchronize the database using any folder sync system.

But the key is stored on a smartcard with a PIN you set. The smartcard can be cloned so you have multiple copies, or read with an off-the-shelf card reader to export the key if you know the PIN.

Versus other password managers, your database is never decrypted on the PC, in memory or otherwise.

The smartcard will lock after incorrect attempts.

You control your data entirely.

It requires the Mooltipass (with your database), the smartcard and physical interaction with the device to send a password.

Open source too!

[0] https://www.themooltipass.com/

julienpalard|3 years ago|reply
I like the simplicity of passwordstore. But keepassx* are good too. I'll never trust an online solution, and probably almost never trust a browser extension.
davesmylie|3 years ago|reply
> and probably almost never trust a browser extension.

How do you deal with actually entering (hopefully) somewhat long and complex passwords? Copy and paste from passwordstore every time?

tejado|3 years ago|reply
I think offline hardware password managers are the most secure. Including offline backup.

For this, I developed Authorizer to use your old Android phone as your password manager. It can type the password over USB on your target device. Supports OTP. Smartcard and WebAuthn support are on the roadmap. Also doing a lot of modernization in the next weeks.

https://github.com/tejado/Authorizer

CaptainJustin|3 years ago|reply
Here's a wild idea!

- Bitwarden

- Self-host

- Don't listen on public Internet IPs or regular LAN IPs

- Listen on Tailscale IP.

- Put TLS in front of it the Tailscale way.

- Run Tailscale on all your devices and access Bitwarden from your private network.
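A check for the "listen on the Tailscale IP, not on public or LAN IPs" step above, added here and not part of CaptainJustin's post: it parses `ss -tlnp` output (a constructed sample is embedded) and reports every listening socket of the named process bound to an address outside Tailscale's CGNAT range, i.e. reachable from the LAN or the Internet. The process name `bitwarden` and the addresses in the sample are assumed.

```python
import ipaddress
import re

# Tailscale assigns every node an address from 100.64.0.0/10 (IPv4) or
# fd7a:115c:a1e0::/48 (IPv6); anything else is loopback, LAN or public.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILSCALE_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

# Constructed sample of `ss -tlnp` output (not captured from a real host):
# one socket on the node's Tailscale address, one on all interfaces (0.0.0.0),
# one on a LAN address, one on all IPv6 interfaces ([::]).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    100.101.102.103:443  0.0.0.0:*          users:(("bitwarden",pid=1234,fd=7))
LISTEN  0       4096    0.0.0.0:8080         0.0.0.0:*          users:(("bitwarden",pid=1234,fd=8))
LISTEN  0       128     192.168.1.20:22      0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       4096    [::]:3012            [::]:*             users:(("bitwarden",pid=1234,fd=9))
"""


def parse_listeners(ss_output):
    """Yield (process, ip, port) for every LISTEN row of `ss -tlnp` output."""
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        host = host.strip("[]")                        # IPv6 prints as [addr]:port
        if host == "*":                                # older ss spelling of "any"
            host = "0.0.0.0"
        m = re.search(r'\(\("([^"]+)"', line)          # first process name, if any
        yield (m.group(1) if m else "?", ipaddress.ip_address(host), int(port))


def classify(ip):
    """'tailscale' (tailnet only), 'loopback', or 'exposed' (LAN/public/any)."""
    if ip in TAILSCALE_V4 or ip in TAILSCALE_V6:
        return "tailscale"
    if ip.is_loopback:
        return "loopback"
    return "exposed"   # 0.0.0.0 / ::, RFC 1918 LAN ranges, or public addresses


def exposed_listeners(ss_output, process):
    """Sorted [(ip, port)] of `process` sockets reachable from off the tailnet."""
    return sorted((str(ip), port) for name, ip, port in parse_listeners(ss_output)
                  if name == process and classify(ip) == "exposed")


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_SS, "bitwarden"):
        print(f"bitwarden listens off-tailnet on {ip}:{port}")
```

On a live host, feed it the real output with `exposed_listeners(subprocess.check_output(["ss", "-tlnp"], text=True), "bitwarden")`; an empty list means every socket is on the tailnet address or loopback.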

locutous|3 years ago|reply
Tailscale requires a 3rd party network login. If Google freezes your account you get locked out of your private network also.

Tailscale is a 3rd party platform that can also disappear, locking you out of your password manager.

Maybe use Nebula instead. This reduces your 3rd party dependencies.

edsimpson|3 years ago|reply
How do you keep Tailscale from destroying your battery on iOS? I am trying to do this but it always kills my battery and it’s a pain to only enable and manually sync Bitwarden.
stanislavb|3 years ago|reply
I'm quite happy with Bitwarden, too. I used to use 1Password in the past. The UX is similar, with 1Password being a bit better (at least in the past).
yeganathans|3 years ago|reply
Try using Bitwarden, quite good and secure as well.
aborsy|3 years ago|reply
Probably Password store with GPG key on Yubikey.
tkiolp4|3 years ago|reply
1. Less is more. I keep around 10-15 passwords on paper and digitally (on my laptop and on a couple of external hard drives). These passwords correspond to my most important digital assets like main email account, banking, etc. It’s easy to keep track of this amount of passwords on paper. I don’t have them on the cloud/internet and I only need them on my main computer (I don’t really do anything serious on my phone/tablet).

2. The rest of my passwords: I don’t really care. I have a couple of dummy email accounts on protonmail and gmail and all my useless digital identities (reddit, youtube, hn, chatgpt, etc.) share more or less the same password format. I do keep a simple backup (in plain text) of these passwords on my harddrive, but I couldn’t care less if they get stolen or whatever.

mikewarot|3 years ago|reply
The safest way to store passwords is written down on a piece of paper. Maintain physical custody of it, never let it out of your possession.

If you need backups, use a non-networked copier, or an old style stand-alone point and shoot camera. Don't ever put the SD card in your computer. Keep all copies as secure as the original.

Banks have safety deposit boxes that can offer relative security. If you really want to be safe, manually encrypt your passwords.

[Edit] As others have pointed out, phishing is an issue. Be careful where you enter your passwords.

rhaps0dy|3 years ago|reply
This makes you vulnerable to phishing, and unwittingly entering the password on fake websites that mimic the real one.

Use a password manager with autofill on the correct URL.

joshka|3 years ago|reply
I prefer to avoid the word "safest" in this context without a specific threat model. Yours is likely different than mine, as I'd generally regard that method as less safe than a password manager. YMMV