Ask HN: How do you manage your passwords in 2023?

I'm all in on Bitwarden at this point. It's the place where I keep all my credit cards, secure notes and about a 500 logins. A vast majority of these logins have passwords generated by Bitwarden itself.

I'm confident even if BW goes down I can still recover my data since the vault works offline too. While the browser extension could use some UX work the mobile apps have been top-notch and sharing passwords with my spouse has been a bliss.

I bought myself a dedicated server earlier in December and will be migrating to Vaultwarden pretty pretty soon.

I use 1Password. It isn't perfect, but it's quite good.

My big goal now is to come up with a better solution for 2FA that works for me and my wife's shared accounts.

I still use KeePassXC and sync with cron jobs to Chroot SFTP-Only servers wrapped in a further encrypted file, then conversely use cron to pull the file to devices. I do not personally foresee ever using any of the commercial solutions. I also use this to sync bookmarks.

If KeePassXC one day becomes unmaintained I will make my own custom tool, probably using sqlite+openssl+bash. I only log into one semi-sensitive thing on my phone so I don't bother syncing to that device.

I use - and pay for - BitWarden.

It does all the things you ask for. With the paid version I can share passwords with my spouse for relatively unimportant things (like Netflix) in a reasonably secure manner.

I could self host and run it myself. But I'm not a multi-person team with decades of security engineering experience. So I gladly let someone else take on that burden.

1Password, it “just works” most of the time, the desktop and mobile UI is nice and polished and it works pretty well on iOS. I’m happy to pay for that. Previously was using LastPass and 1Password is definitely nicer and more polished.

KeepassXC for password management and Syncthing for syncing across devices. Everything I'd available offline and syncs on network availability. Working well for years now.

1Pass, a family account, primarily for the sharing features, and the good integrations into iOS.

The biggest challenge with passwords was finding a tool for the whole family, which is more important than the most secure. If not, then it won't be used and we'll be back at the days of sharing "the family password" on everything. Yes, that password is on HIBP.

As a couple we have a shared vault that most things go into. We have equal access, she's a full admin.

As a family we have a shared vault for lower-tier things that the kids also need access to.

They all know to create passwords in 1Pass and save them into their vaults. It's not always perfect, but it's a great start. Generally we'll do 2FA within 1Pass, which is another weakness, but again, some 2FA is better than no 2FA, and OTP is vastly better than SMS.

Also saves a lot of problems with the kids (in this case ages 10+) not knowing their iCloud, Roblox, etc passwords. They're all saved, either of us can look them up.

The kids have had their accounts hacked and socially engineered, and also seen friends share their passwords which turn out to be their passwords to everything, and so get their more important stuff hacked (eg. as a teen their Snapchat seems pretty vital).

Overall 1Pass has a great security track record, their support has been friendly and useful, and I've had friends of friends I respect work their who are pretty trustworthy.

It's not the best app (but having used some others it's also pretty good).

Personally I have Yubikeys for 2FA for critical services that support them.

I also don't want to have to support this myself. Password access is pretty critical, and has a low SLA, must work. I've done on-call tech-support for over a decade, I don't do it at home. So, no home-hosted stuff.

1password everywhere. Employer pays for it, and I have a separate vault for personal and work credentials, meaning I don't have any work credentials on personal devices and work has no claim over my personal credentials. Works on my iPad, MacBook, windows workstation and android phone seamlessly.

My only complaint is that it doesn't let me use a yubikey as a primary method of authentication on windows - all my other devices have biometric authentication.

I find KeePassX plus Owncloud to be perfect for my needs. I have all my passwords with me and even if there are some synchronisation issues every once in a while, it works out sufficiently well and is very low-maintenance.

Huge fan of 1Password.

Used it personally for nearly a decade and introduced it at work. Happy 1Password Business users and that gives all our employees free personal accounts (that we can’t see or touch) as an added benefit.

I exclusively self host vault warden behind a VPN and firewall with a custom domain. Changes are automatically managed and deployed through GitHub CI/CD.

I have wireguard VPN on all my devices tunneled into my server. I also self-host the VPN since vaultwarden runs on a local Docker intranet.

If people are interested, I was going to write a step by step blog.

Less technical, but I also get yubikey and duo 2factor push auth out of the box with Vaultwarden! (Open source rust implementation of Bitwarden)

Firefox is enough for me.

On mobile you can enable the option to auto fill passwords for apps, and let you use the fingerprint sensor to access the list quickly > select the account > auto fill :)

I've been using and paying for Bitwarden for almost two years now. However recently I purchased a Raspberry Pi, so now I've completely shifted to self-hosting Bitwarden (using Vaultwarden[0]) on it. On top of it, I've attached a custom subdomain to the server through Cloudflare Tunnel, so even behind non-static IP address it works well (with SSL).

No privacy or security issues now since I own all my data, no subscription fees, and no complaints till now with the self-hosted setup. Definitely would recommend!

[0] https://github.com/dani-garcia/vaultwarden

For a long while I've trusted and used various KeePass ports/forks on my phone and laptops and stored the password file in cloud storage.

With the recent LastPass exposure, the supply-chain attack on PyTorch, needing to be vigilent and avoid granting apps access to my cloud drive, I've actually just been reviewing my setup and workflow.

Here's what I'm planning to change...

Phone: Switching from MiniKeePass to KeePassium. I've found it's not too difficult to build KeePassium from source and install without needing an Apple Developer subscription. This means I can properly audit the code and control/verify all updates.

Laptops: Start building KeePassXC from source. In the short term, I'll be more diligent in obtaining updated versions from trusted sources and using PGP to verify the package.

File sync: Start storing the password file on a self-hosted file server. Having recently setup Tailscale on all my devices, it's now convenient to manage Samba and remove cloud storage from the system. In case the SMB share is inaccessible, I'll fallback to the backups kept by KeePassium and use cron+rsync to maintain an secondary copy on my laptop.

Backups: I'm planning to periodically backup to a hardware keypad encrypted USB drive. In comparison to a regular USB / external drive, the hardware encryption makes it harder for somebody to quickly make a copy of the password file and take it away to be brute-forced.

Would welcome any pointers on things I may not be considering or suggestions for improvement!

1Password on Windows/Mac/Linux/Mobile

Used keepass and pass for years but got fed up with them. Switched to 1Password this year and never looked back.

Firefox. It's not perfect especially on Android (I have to manually copy the password instead of it auto-filling) but it's good enough.

Default macOS/iOS password manager. Chrome doesn't use it, but everything else does.

I’m still in LastPass!

How at risk am I?

If I move to something else, are those services not just at risk too at some point?

I’d hope LP would be doing more at this point.

IDK! Help!

I moved to iCloud keychain from LastPass, then changed my most important passwords (financial, social media, major tech accounts, any place with recent credit card info)

If you’re using Apple stuff almost exclusively (safari, iOS, osx) it seems to offer best integration. I have light password sharing needs. It can airdrop passwords to people In my contacts, but they won’t get password changes.

I made sure to make my device and Apple ID passwords very strong. I’m not sure which it encrypts with. But with FaceID, it’s not a big deal to make a iPhone passcode and actual long pass phrase and not a PIN number.

My main concern is I don’t feel I have a lot of transparency in how it works. And using passwords outside the Apple ecosystem will be difficult.

If you have a Mac use keychain. I never understood why Mac users use external tools.. I mean really? Why? Perhaps if you manage a team at work ok.. but single user subscriptions?

For Linux and windows i would use keepassx.

Any thoughts on Bruce Schneier's Password Safe?

https://www.schneier.com/academic/passsafe/

Stored encrypted using gpg, in a git repo which is synced using syncthing: https://www.passwordstore.org/

Since I'm using all Apple devices after a short foray with 1Password I've switched to an app called Strongbox on macOS and iOS. It's the only app I know of that uses Apple's AutoFill API on macOS and thus works without any extension in Safari and feels like the native Keychain.

On top of that, it supports syncing the database via iCloud, WebDAV, SFTP, Dropbox and a few other services. And it uses a bog standard KeePass2 database for storage, so you can use it with KeePassXC on Windows or any other KP2-compatible app. This also means that there's always a way to get to your data should Strongbox disappear.

Before I used password managers I would just keep a monolithic text file with all the relevant information for sites and password and also keep notes. I was using vim encryption at the time. This was a bad idea because the vim encryption doesn't really follow cryptography best practices for example the encryption isn't authenticated.

The first password manager I started with is LastPass in 2014 when it was recommended to me by a password security expert in academia. I used a memorable human generated passphrase with enough twists to get about 80 bits of entropy, so if my old encrypted data is in the wild (doubtful), I'm not really concerned about the recent breach.

I've since been all in on 1Password since 2017 after LastPass was getting progressively worse and I sought out a new password manager. I've examined the security design whitepaper and most of the choices when it comes to cryptographic protocol design is pretty good, no real homebrew and should stand the test of time, but there's still better choices that can be made about protocols such as PAKE that'd be better in 2023. Anyways, 1Password UI is pretty good.

I also make backups of 1Password using the command line interface incase they decide to kick me off their systems or something happens where I can't make payments for years. The backups are then encrypted using the scrypt tool.

If I was to get off password managers completely, I wouldn't bother with these password management tools like Keepass etc. as they constrain you to their UIs and don't do an adequate job of doing things like browser autofills. I'd rather just go back to a plaintext file and encrypt/decrypt with scrypt or age.

    openssl rand -base64 25 | cut -c1-25

Then https://www.passwordstore.org/

This GUI for it under Windows https://github.com/geluk/pass-winmenu

And this iOS app on phone https://github.com/mssun/passforios

Just 1Password with a long, randomly generated password. The more complicated you make your password management system the more likely you are to have an issue.

I have started using pass (https://www.passwordstore.org) since last year and I'm quite happy with it. The main advantage of using pass is the feeling that I've control overy passwords and I also understand the process. If you decided to give it a try, make sure to have a look on available extensions.

KeePass Password Safe on desktop and Keepass2Android Password Safe on my Android. Database is sync on my own server.

I store my credentials in plain text files on an encrypted disk image, and I back them up onto an ironkey. Secure and easy to use? Seems so! But it's not especially easy to access on multiple devices, and that's by design. As a rule I don't want my personal data living on hardware which belongs to my employer, and phones are too easily lost or stolen. For everything else, there's scp or thumb drives.

Online password managers never made much sense to me; one by one, they eventually all get hacked. And why not? A centralized service storing thousands of people's credentials makes a great big juicy target. Their security is undoubtedly better than mine, but my personal laptop is not likely to be worth anyone's time.

For the same reason, I don't let browsers store passwords either.

Strongbox on desktop and mobile. It uses keepass file format to store databases but I prefer the ui.

I was a 1Password customer before, but work pays for a family plan now, so it makes too much sense.

One of my major goals for 2023 is to migrate as much as feasible from passwords to tokens or at least passkeys. NitroKeys or YubiKeys for that. Process has already begun, but I definitely hope to see that accelerate big time (at long, long last) this year. Feels like there is serious industry momentum from the big players this time, and that cost, UX, support in frameworks to make it easy for non-sec webdevs, may all finally start to reach the tipping point. US Government is onboard now too, having dumped lots of obsolete terrible advice for a refreshingly great set of modern guidelines and updating government service sites in general for good uniform login with hardware token support. Ideally I'd like to see that become more universal for various web GUIs/access for services too (OPNsense in particular, which I now use for firewall/gateway services and is probably one of the more security critical bits of my infra).

Passwords though will have a very long tail even in the most optimistic scenarios, so yes password managers aren't going anywhere for a while yet. What I use right now is 1Password 7 with a slow migration towards Bitwarden clients and a self-hosted Vaultwarden server. I still have a standalone license and still have shared vaults in Dropbox, I will not be moving to the electron based 1P8. So end of the line on that decade+ journey I'm afraid, I'm disappointed with what happened with them but so it goes. Bitwarden/Vaultwarden seem solid to me so far though, and have client support across a range of devices. Nebula or Wireguard make keeping a bunch of selfhosted services accessible in a reasonably secure way pretty easy, and almost more importantly once setup have been rock solid reliable for me. Wrapping my head around them and making sure I had it all figured out certainly took a bit of time early on, but once setup it's Just Worked™ without being touched a single time ever again. No specific 3rd party dependencies is attractive.

If you have family/friends/coworkers to deal with though obviously the needs of the group are going to have to factor in on some level, and you may find you need to either run a few different things or compromise somewhat/pay more.

Hash of a salt stored in my brain unlocks the password vault.

This doesn’t work well on mobile though since hashed aren’t typable.

One of my New Years todos today is to set up a mnemonic for my phone.

That, paired with disappearing messages and making individual apps require a touchID will make it very difficult for folks to be… nebby.

Biometrics are easy to spoof or steal, whereas a fourteen digit mnemonic of the Shakespeare lines you used to quote will be easy to type, easy to remember, and take years and/or a Targeted effort to crack.

(Also I hope it goes without saying that nothing from Bill ever unlocked my box - examples are fictionalized.)

I just use iCloud. I’m fully in on iCloud now that they support custom domains, even moved my gsuite over this holiday season.

The password manager is enough for me and just works (tm) with all my devices. It even supports 2fa. I used LastPass until the most recent hack. I prefer iClouds keychain so far.

The only problem is using Chrome. There are no extensions for keychain so I have to copy paste the password into Chromes manager if I want to use it. But Safari works for most of my purposes anyways.

I’ve only been on this setup for about a week but so far I love it. It’s so simple and works, I doubt I’ll ever move.

Bitwarden does all my password and OTP management. Works on any browser and operating system, it's open source and audited. All the services I use have 2FA enabled, and I try to avoid SMS second factor as much as possible.

My email and Bitwarden itself are secured by two Yubikeys, one is always on my person on my keychain, the other is physically stored away from my house. I have an AirTag on my keychain because losing your keys is a pain in the butt.

This is a cheap yet very secure system for most people that care about security but are not persecuted by police or government agencies.

I use KeepassXC distributed via NextCloud.

I developed Authorizer to have a cross-platform solution without any server/cloud-service. It is an offline hardware password manager based on PasswdSafe for Android. The concept is to use an old Android phone as your password manager. It can type the password over USB and Bluetooth on your target device. Supports OTP.

Smartcard and WebAuthn support are on the roadmap. Doing also a lot of modernization on the next weeks. https://github.com/tejado/Authorizer

So all these people are posting with likely their normal accounts and announcing their security posture to the world… feels insecure ironically.

I miss having a solution that was locally synced across multi platform.

I use keepassxc to store my password. The Android app syncs with a file stored on my home server via SSH. No need to sync it manually, the Android app automatically checks for remote changes and copies the file over when you make changes on the app.

The password file on my server resides in a folder that's synced across all my computers using syncthing. My home server also runs an OpenVPN server so all my devices can talk to each other.

Everything is self hosted and runs on open source software. I'm pretty happy with my setup.

KeepassXC sync'd with onedrive. I use a certificate key that I only move with USB, and a Yubikey to limit the attack area if someone were to gain access.

Keepass2android works very well. For the longest time I avoided the browser extension since it's a weak spot, and instead relied on auto-type. I finally caved in since most websites nowadays use a UI that asks for the user name first and then the password because reasons. The browser extension is very finicky and doesn't complete half of the time.

I memorize all my passwords; they’re different but they all follow a similar format, so it’s not difficult to keep them all straight. There’s a couple variants of the format that I can cycle through when I need to change a password. The format involves the name of the service and a “salt” string, as well as some special character and uppercase/lowercase patterns. It’s quite nice to be able to keep everything in my head without needing to worry about a password manager!

bitwarden for the everyday, lower value stuff, keepassxc on private storage for the more sensitive things like bank accounts, etc.

Once passbolt adds offline storage of a copy of the vault to their extensions I may switch to that as I am a big fan of their system, it is just annoying for a home gamer to find their internet is down and then going to log in to their router to fix it finding the password manager doesn't work.

Jumped to KeePassXC (for Linux) + KeePassDX (for Android) after the latest LP fiasco, syncing the databse with Syncthing everywhere it's needed.

It's... fine, actually! And it all being open-source and using an open/documented/versioned database format decreases risks, also the browser extension is perfectly serviceable (certainly not worse than LP's abortion).

In short, I have absolutely no idea why I haven't made the jump long ago.

All in on Minimalist Password. One of the few macOS-native apps left with enough of the right features (OTP, custom fields, iOS apps) without bloat, and no subscription (syncs via iCloud). The only drawback is no Chrome/Brave/Firefox extension yet (Safari only) but it's on the roadmap for this year I believe.

Edit: I see you didn't specifically mention Mac or Windows, but this one is Apple ecosystem only, currently.

Buttercup[1] is a highly usable password manager that supports multiple storage backbends.

It has clients for desktop on Linux, Mac, and Windows, and it's got Apple and Android mobile clients. There's also a browser plugin. I've had a great experience so far.

I also use KeepassX, though it's a lot less usable / portable.

References: 1: https://buttercup.pw

Bitwarden for me - I’ve paid for the past 2-3 years after Lastpass put their prices up too high for me to justify. And I’m glad I deleted my lastpass account when I moved over!

Bitwarden is secured with my yubikey, with a 2FA code in another Authenticator app. Then, all my other OTP codes are within Bitwarden. For $10 a year, I am very happy with the service.

Keepassx

I have copy of keepass dbs on phone, private notebook and employer notebook. Once a month I doing backups, and I am updating these databases. Fresh passwords, for current month I'm holding unencrypted in email draft/todo list/google keep till full backup procedure.

I needed something cross platform, as i use mix of android, windows, macos, and iOS devices. Also i want ease of use, vault unlocking woth fingerprint methods.

Bitwarden clients really provide ease of use and I use it in combination with a Selfhosted bitwarden server called vaultwarden.

1Password. Has all the features I want, really like the UI, and available everywhere I need it.

1password or Bitwarden. I personally like 1password UI better but it’s a personal choice.

I wrote a small blog post on my journey and shared it not too long ago: https://news.ycombinator.com/item?id=34181689

Strongbox protected with Yubikey NFC as 2FA on iPhone and Mac - sync via iCloud..

I switched from LastPass to Bitwarden. I'm still not even 1/3 the way through from changing all my passwords and OTP tokens (Obviously I changed bank passwords, etc, right away.)

It seems like there are basically two camps: Trusting/convenience-oriented people use BitWarden, while more careful people prefer KeePass-based solutions.

Personally, I think Enpass is the best of both worlds. The ecosystem isn't open source by default, but there are open source tools that get technical assistance from Enpass folks. And the experience is quite good, usually slightly less polished than BitWarden or 1Password, but sometimes slightly more polished (TOTP is a lot easier on Enpass than with 1Password). Lastly, it's local-first and offers a lifetime purchase for about $90.

I’m using Bitwarden. I was a KeePassX user but I was missing: multiple devices support, sharing selected passwords with family members. Bitwarden solves those.

KeepassXC, Syncthing to sync. KeePass2Android on phone.

If I can piggyback on this question, what do people do about those infernal security questions? Browsers don't help much with them.

Does anyone use any password manager and do regular backups? I use 1password but it's scary that all passwords depend on it.

Bitwarden

I have a 1Password subscription but I find it too much of a hassle to use. Using the password manager is more cumbersome than resetting the password most of the time. And that obviously makes the password stored in the password manager out of date, making it even less useful.

For many logins I just use some re-used password with a prefix/suffix based on the service/site name, so I can usually get the password right without opening the manager or resetting the password.

I've been using Bitwarden for a few years, and am very happy with it. I'm glad to pay their reasonable price.

I use Bitwarden and pay for it. I've previously used 1password but stopped when they went to a subscription model.

Password Store and KeepassXC are great. Don’t use “cloud” for password management. They will always be juicy targets.

Anyone here use GNU Pass? Can you describe your setup? Would it be an upgrade coming from KeepassXC?

I roll my own. I use emacs on an encrypted password file stored on my local PC.

I use KeePass (+ KeePassX on Android) with a password database file on Dropbox.

I've been using Roboform for many years and I'm very happy with it.

Macpass for my Mac, and sync the .kdbx file with Keepass2Android for my cell.

For me mobile and multidevice is a thing. No anything better than Bitwarden.

I use keepass and the file is stored in gdrive to sync across devices.

Does anyone use Keeper? Or have thoughts in general on that?

LastPass, which can’t be spelled without a-l-a-s.

I just do it the old-fashioned way: memorisation.

Bitwarden will have my money this year too.

I used LastPass for 13 years. Now I use Roboform.

It just works.

BitWarden meets all those criteria!

Bitwarden