KeePassXC can be synchronized to/from any public or private cloud platform using your existing sync tools specific to each platform. [1] The benefit being cloud-agnostic and avoiding vendor lock-in.
I just use Firefox sync. It integrated with iOS and Android. You just install the app and use the system settings to set Firefox as the default password store for the system. It works in all apps, as far as I can tell. I wish it integrated with Linux& gnome a bit better, but I just work around that by bookmarking the browser link to the password page in Firefox.
I trust Mozilla more than any random app that advertises on random podcasts. I like that it warns me when sites I use have been compromised, and that it is generally easy to use. That said, I am not a security expert, so I am interested to see if anybody has any concerns about this setup.
I mostly use Firefox Sync as well. The main downside is that it is super basic. It can only store basically URL, username, password. There is no option it store TOTP secrets, backup codes, binary data or arbitrary information. If it text you can cheat and make "fake" entries, but it isn't good UX.
Absolutely BitWarden unless you want to do KeePass+SyncThing and can do your own research and keep track of the app specific issues in how they handle sync conflicts.
I've been so satisfied with it that I showed it to my manager, he started using it as a private customer, and we adopted it as the company wide password manager some months later.
Throughout the years I've tried most of the more popular ones on the market, some times forced via work and other times because I was curious.
- KeePassXC: tried this when I was looking for a self-hosted, open-source alternative to LastPass years ago. Was surprised at how well it worked, but syncing was too much of a hassle so I gave up fairly quickly.
- 1Password: my favorite of the bunch so far, great UI and UX, works seamlessly across all my devices with all the stuff I want and need: credit card info, logins, 2FA, automatic hidden email generation via Fastmail, easy sharing and family accounts work really well, CLI for use in scripts and now builtin SSH-key management. Not a huge fan of the subscription model, but probably the service I am most happy to pay for.
- LastPass: was forced to use this at my previous job, absolutely hated it. The UI and UX feels ten years behind 1Pass and Bitwarden, it's slow and not nearly as featureful as the alternatives. I switched from them when they were bought out by LogMeIn, but it doesn't look like the product has meaningfully changed since then.
- BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.
Personally, I would recommend 1Pass for a "it just works" and Bitwarden hosted yourself if you want the same but on your own premises via https://github.com/dani-garcia/vaultwarden.
> 1Password: my favorite of the bunch so far, great UI and UX
Weird, I can't stand the 1Password UI/UX. I've used it at work for two years now, so I can get around ok at this point, but for a long time I struggled to find even basic functionality. Also the keyboard navigability is garbage.
> BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.
The SaaS Bitwarden offering is less expensive than 1Password at all tiers, plus there's a (functional) free tier.
I will say, 1Password does seem to be the most secure of the SaaS options. But this is just my vague impression -- I haven't looked into it closely, nor am I qualified to.
I really like 1password but the the only thing that keeps me away right now, and I would love to hear that it's changed, is that the only way to use 1Password outside of macOS/iOS requires the subscription service.
> - BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.
This alone makes me doubt the reliability of your assessment.
A quick google:
1password free: nope.
1password personal: 36 usd yearly
1password family: 60 usd yearly
Bitwarden free: almost every important feature available.
1Password for me - not overly happy that they moved over to a subscription based pricing, but I’ve been using it for years now and it works well across all of my devices.
Is 1Password any less vulnerable, architecturally, to a massive hack akin to what happened recently to LastPass? I'm in the same boat as the OP and wary of putting all my stuff somewhere else that will result in a similar breach a few months from now.
As someone historically adjacent to the security industry, and having worked with some of the best, all I can say for sure is that questions like these really bring out some of the worst, most bespoke, and operationally insecure password management strategies that fail miserably to understand the problem.
I use 1pass. I don’t know if they’re actually better. I wouldn’t recommend rolling your own here, however, even if you can’t think of why your solution would have flaws.
It takes a special kind of mind to accept the limitations of your perspective, and this is a field ripe with that exact kind of bias.
KeepassXC is a thick client password manager. Password store might be even more secure.
If you want “seamless sync of your secrets” by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of lastpass (though they also encrypt URLs, and might have better KDF, and operational security).
In particular, you should assume that 3-letter agencies snapshot data in cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.
Isn’t the solution obvious? Just don’t store the entire password in the manager. Add a memorized manual prefix or suffix to the randomly generated/filled in password when you log in. Trust nobody. It’s not too much extra work and protects against anything like this in the future.
I use and generally recommend 1password. I've used it on every major mobile and desktop OS browser. (I've had some issues on Android, but it was not a standard Android OS.) The UX is generally nice.
First, they encrypt with the secret key AND the master password. This is the most important thing, and I was shocked to learn Lastpass doesn't do it.
Second, the master password runs through PBKDF2 with 100000 rounds, but a precursory Google search suggests the very earliest versions used around 10000. Lastpass's problem was a low 5000 rounds, and did not update the number of rounds. I don't know if 1password updates the number of rounds.
Third, they use a zero-knowledge proof protocol called "secure remote password". When I was sharp in cryptography, this is what made me choose 1password over the others. I don't understand all the details anymore, and I don't know if it is "post-quantum secure."
Fourth, the UX is nice and I can recommend it to anybody who is literate. (This is not a cynical take-- I don't know how good the UX is for someone who is not fluent in a language 1password uses.) (Also, 1password recently released "1password 8", a new UI. I have not tried it and cannot speak to it.)
Fifth, 1password's biggest (only?) controversy was moving to a subscription model. I actually prefer this. (I want devs to be paid in perpetuity to keep this secure! I assume 1password has security holes somewhere, and I want 1password to pay their folks to find them first.)
Unfortunately, the monthly price "billed annually" is $3/month, but it seems the true monthly price is hidden behind a signup wall. I feel comfortable assuming the price is less than $10 per month.
Sixth, and most importantly: If your payment lapses, you can still access all your passwords, but you no longer get sync. (But I have not tried this in practice.)
The UX is simple enough so every person in my family from wife to kids can use it. Because ensuring your family's cybersec is important as well. Teach your kids good cyber hygiene from day one.
1Password deals with the infra and software stack which is a time saver for me.
I just switched to Bitwarden after seeing it recommended on HN a bunch of times. Bought a subscription right away.
I previously stored everything in Firefox, transfered it easily to Bitwarden. Linux app seems to work fine, tested in Firefox, Chrome, Android phone, smooth transition.
The only thing that I've noticed is that you have to change existing passwords manually by editing records in the vault, the Firefox extension does not prompt you to update password once it detects a succesful login with another one.
I had no trouble with the built-in csv exporter, but had to do some manual fixes in the text editor before it could be satisfactory imported into bitwarden
For a while I used an encrypted excel spreadsheet (AES-256 but no idea about other tuning) and stored in OneDrive. Could open just about anywhere since Office is everywhere and OneDrive pretty ubiquitous (I’m guessing no Linux though except Wine?). I have moved to BitWarden now because so many passwords a spreadsheet is cumbersome and prone to fat fingers.
Doesn’t this mean that you can never change your password for a given site? E.g. if some retailer leaks a bunch of data and is storing passwords in plain text or something, I want to be able to rotate my password for that website.
[+] [-] LinuxBender|3 years ago|reply
[1] - https://keepassxc.org/docs/#faq-cloudsync
[+] [-] hk1337|3 years ago|reply
[+] [-] hcal|3 years ago|reply
I trust Mozilla more than any random app that advertises on random podcasts. I like that it warns me when sites I use have been compromised, and that it is generally easy to use. That said, I am not a security expert, so I am interested to see if anybody has any concerns about this setup.
[+] [-] kevincox|3 years ago|reply
In practice I use https://www.passwordstore.org/ to fill the gaps.
[+] [-] nullify88|3 years ago|reply
[+] [-] manuel2258|3 years ago|reply
[+] [-] eternityforest|3 years ago|reply
I just use BitWarden and it's close to perfect.
[+] [-] BirAdam|3 years ago|reply
I did a write up on it for anyone interested.
https://www.abortretry.fail/p/vaultwarden-on-an-rpi
[+] [-] humanlion87|3 years ago|reply
[+] [-] thefz|3 years ago|reply
[+] [-] elteto|3 years ago|reply
[+] [-] karaterobot|3 years ago|reply
[+] [-] sondr3|3 years ago|reply
- KeePassXC: tried this when I was looking for a self-hosted, open-source alternative to LastPass years ago. Was surprised at how well it worked, but syncing was too much of a hassle so I gave up fairly quickly.
- 1Password: my favorite of the bunch so far, great UI and UX, works seamlessly across all my devices with all the stuff I want and need: credit card info, logins, 2FA, automatic hidden email generation via Fastmail, easy sharing and family accounts work really well, CLI for use in scripts and now builtin SSH-key management. Not a huge fan of the subscription model, but probably the service I am most happy to pay for.
- LastPass: was forced to use this at my previous job, absolutely hated it. The UI and UX feels ten years behind 1Pass and Bitwarden, it's slow and not nearly as featureful as the alternatives. I switched from them when they were bought out by LogMeIn, but it doesn't look like the product has meaningfully changed since then.
- BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.
Personally, I would recommend 1Pass for a "it just works" and Bitwarden hosted yourself if you want the same but on your own premises via https://github.com/dani-garcia/vaultwarden.
[+] [-] NoThisIsMe|3 years ago|reply
Weird, I can't stand the 1Password UI/UX. I've used it at work for two years now, so I can get around ok at this point, but for a long time I struggled to find even basic functionality. Also the keyboard navigability is garbage.
> BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.
The SaaS Bitwarden offering is less expensive than 1Password at all tiers, plus there's a (functional) free tier.
I will say, 1Password does seem to be the most secure of the SaaS options. But this is just my vague impression -- I haven't looked into it closely, nor am I qualified to.
[+] [-] nowherebeen|3 years ago|reply
Why can't you use Dropbox or Google Drive to sync? Seems fairly easy.
[+] [-] tim333|3 years ago|reply
[+] [-] hk1337|3 years ago|reply
[+] [-] cosmotic|3 years ago|reply
[+] [-] arepublicadoceu|3 years ago|reply
This alone makes me doubt the reliability of your assessment.
A quick google:
1password free: nope.
1password personal: 36 usd yearly
1password family: 60 usd yearly
Bitwarden free: almost every important feature available.
Bitwarden personal: 10 usd yearly
Bitwarden family: 40 usd yearly
Yeah, not even close
[+] [-] 3guk|3 years ago|reply
[+] [-] joegahona|3 years ago|reply
[+] [-] SpeedilyDamage|3 years ago|reply
I use 1pass. I don’t know if they’re actually better. I wouldn’t recommend rolling your own here, however, even if you can’t think of why your solution would have flaws.
It takes a special kind of mind to accept the limitations of your perspective, and this is a field ripe with that exact kind of bias.
[+] [-] aborsy|3 years ago|reply
If you want “seamless sync of your secrets” by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of lastpass (though they also encrypt URLs, and might have better KDF, and operational security).
In particular, you should assume that 3-letter agencies snapshot data in cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.
[+] [-] marcrosoft|3 years ago|reply
[+] [-] vhodges|3 years ago|reply
[+] [-] tmd83|3 years ago|reply
[+] [-] obblekk|3 years ago|reply
Easy, end to end encrypted, always up to date, free.
https://open.substack.com/pub/magoop/p/how-to-manage-500-pas...
[+] [-] davidcollantes|3 years ago|reply
[+] [-] lynndotpy|3 years ago|reply
First, they encrypt with the secret key AND the master password. This is the most important thing, and I was shocked to learn Lastpass doesn't do it.
Second, the master password runs through PBKDF2 with 100000 rounds, but a precursory Google search suggests the very earliest versions used around 10000. Lastpass's problem was a low 5000 rounds, and did not update the number of rounds. I don't know if 1password updates the number of rounds.
Third, they use a zero-knowledge proof protocol called "secure remote password". When I was sharp in cryptography, this is what made me choose 1password over the others. I don't understand all the details anymore, and I don't know if it is "post-quantum secure."
Fourth, the UX is nice and I can recommend it to anybody who is literate. (This is not a cynical take-- I don't know how good the UX is for someone who is not fluent in a language 1password uses.) (Also, 1password recently released "1password 8", a new UI. I have not tried it and cannot speak to it.)
Fifth, 1password's biggest (only?) controversy was moving to a subscription model. I actually prefer this. (I want devs to be paid in perpetuity to keep this secure! I assume 1password has security holes somewhere, and I want 1password to pay their folks to find them first.)
Unfortunately, the monthly price "billed annually" is $3/month, but it seems the true monthly price is hidden behind a signup wall. I feel comfortable assuming the price is less than $10 per month.
Sixth, and most importantly: If your payment lapses, you can still access all your passwords, but you no longer get sync. (But I have not tried this in practice.)
---
1password security whitepaper: https://1passwordstatic.com/files/security/1password-white-p...
1password security overview: https://support.1password.com/1password-security/
Secure Remote Password (SRP) overview: https://blog.1password.com/developers-how-we-use-srp-and-you...
[+] [-] drabadur|3 years ago|reply
[+] [-] andrewinardeer|3 years ago|reply
The UX is simple enough so every person in my family from wife to kids can use it. Because ensuring your family's cybersec is important as well. Teach your kids good cyber hygiene from day one.
1Password deals with the infra and software stack which is a time saver for me.
[+] [-] atomashevic|3 years ago|reply
I previously stored everything in Firefox, transfered it easily to Bitwarden. Linux app seems to work fine, tested in Firefox, Chrome, Android phone, smooth transition.
The only thing that I've noticed is that you have to change existing passwords manually by editing records in the vault, the Firefox extension does not prompt you to update password once it detects a succesful login with another one.
[+] [-] rolenthedeep|3 years ago|reply
[+] [-] RcouF1uZ4gsC|3 years ago|reply
The LastPass exporter IME is very unreliable.
[+] [-] ctenb|3 years ago|reply
[+] [-] millyleaves|3 years ago|reply
[+] [-] nytesky|3 years ago|reply
[+] [-] supergenpassfan|3 years ago|reply
https://chriszarate.github.io/supergenpass/mobile/
It combines an easily recalled password with domain to generate a longer password. I feel quite safe using this as no data is stored anywhere.
[+] [-] cweagans|3 years ago|reply
[+] [-] spencera|3 years ago|reply
[+] [-] akoshodi|3 years ago|reply