What password manager do you recommend?

Okay so yesterday, I changed my password as a precaution because of the hack, and just now I decided to clean my browser tabs and re login and almost forgot my password. I’m done dealing with passwords.

What password manager do you recommend?

Features I’m looking for

-Open Source

-Can be synced to cloud (I don’t want self host)

-Can be accessed via a browser

-Cross platform, the more platforms, the better

-End to End Encrypted, and Encrypted at rest on my device, also need some way to authenticate before releasing the password, like a pin or biometrics

-Autofill for browser and apps

-Free (can be a freemium model, but I need the base tier to be free, too broke to spend money on this lol)

-Can export the passwords to a file

I never used a password manager before so sorry if I seem like a noob.

I know I could google it, but I want the lastest info, not some outdated reddit post.

Edit: Woah, those replies are fast. I think I’ll use Bitwarden. Thanks for recommendations! Now I don’t need to worry about forgetting passwords anymore. 😄

Edit 2: It seems I’ve forgotten my email password as well as a few other accounts I haven’t logged into for a while. Damn, should’ve used a password manager earlier.

Ab_intra,
@Ab_intra@lemmy.world avatar

I’ve been using keepass for 10+ years now. I store it on a USB that is only connected to the internet when I plug it in.

ancientweasel,

I tried bitwarden and others and finally just settled on the firefox password manager. It does everything I need.

Kajika,

firefox

For me the firefox password manager is totally fine : I know where the encrypted file is and I can manually back it up and copy to an other computer ($HOME/.mozilla/firefox/[profile folder]/key4.db + logins.json). You can decrypt yourself the file easily too.

ancientweasel,

Oh neat. Just gpg -d HOME/.mozilla/firefox/[profile folder]/key4.db + logins.json?

bearfootbees,

I use Firefox as well. My uneducated concern. I once installed Chrome on my PC for something specific. During the install, it asked if I would like to import my saved logins from Firefox. I thought: “let’s see”. In fact, it unencrypted the file, and loaded all my passwords. So, my thought is, of someone was to gain access to that file, how hard would it really be to unencrypted it? If chrome can do it as part of their wizard.

Again, feel free to educate me, but that’s my concern

Corngood,

I assume it would only be (properly) encrypted if you set a master password in firefox?

If chrome could bypass the master password, that would be concerning.

anguo,

My only gripe is having to insert my password every 15min (afaik it’s either that or having all your accessible by anyone using your computer). That and the fact that they discontinued the password manager they had on Android. This is what made me move to bitwarden.

ancientweasel,

they discontinued the password manager they had on Android

I use it on Android Firefox every day, it syncs my passwords to all my linked firefox instances.

anguo,

Ah, I was using Firefox Lockwise, which was discontinued, but I see that Firefox itself can act as a password manager now?

anguo,

By which I mean an auto-fill service

ancientweasel,

Yes, andiyou can sync between you installs.

It not perfect but it’s enough for me at least.

pewgar_seemsimandroid,

bitwarden, proton pass,1password

Trapping5341,

Another vote for Bitwarden just in case anyone needed one more comment to get them to use it.

flashgnash,

I use bitwarden but it can be quite annoying to use sometimes. Feel like I have to type my master password every 5 minutes and it won’t even prompt me to enter it for a site I have a login on, have to dig into the menu and find it

Trapping5341,

On my desktop browser I have it set to relock only when I close the browser. So I only have to enter my master password the first time.

I have an Android phone and an iPhone and have bitwarden enabled on both and set to auto lock after 15 minutes. Very rarely do I run into and instance where bitwarden won’t be able to auto populate everything on either device and I have biometrics set up to unlock my vault. When it doesn’t I have to go searching but imo it’s a minor inconvenience because it very rarely happens.

If you mean that when you are using the auto entry feature your account isn’t showing up to populate the field without searching then you need to save the URI to the password so that bitwarden knows what account goes with that site. Just hit the auto fill and save button and it will automatically add that URI for you so you don’t have to search next time.

flashgnash,

I’ve got all that setup and biometrics work great. The problem is sometimes bitwarden just won’t prompt in the first place, sometimes it works sometimes it doesn’t, sometimes I have to wait a bit for it to realise

Trapping5341,

Ah yeah, I run into that sometimes but in my experience its pretty rare that it won’t pop up. Sometimes just closing the app, from recent apps, and reopening will get it to trigger. I always assumed it had something to do with the apps save state when I closed it since it generally happens on my banking apps that automatically log me out. It’s one thing I like about iOS is that when you are logging into something there is the little key button to open up iCloud keychain and Bitwarden so you don’t have to let it do it automatically.

rarely,

Bitwarden, self hosted.

Christopher,

+1 for Bitwarden here. One day I will go down the self-hosted route.

sgtnasty,
@sgtnasty@lemmy.ml avatar

I have the server, just dont trust myself enough to cut the cord from BW servers.

skullgiver,
@skullgiver@popplesburger.hilciferous.nl avatar

I’ve put Vaultwarden online and have configured it to backup over the network through duplicity. Updates are automatic (I have a cronjob that just does docker pull/stop/rm/run without checking the error codes). No downtime so far!

It’s been a while since I’ve used the official Bitwarden server, but Vaultwarden is pretty much foolproof. It’s one of the easiest programs to self-host that I’ve come across.

dan,
@dan@upvote.au avatar

I have a cronjob that just does docker pull/stop/rm/run without checking the error codes

Ah, you like living on the edge 😛

I don’t trust automated Docker updates… There can be breaking changes between versions. I don’t want my Docker containers to automatically break themselves :D

skullgiver,
@skullgiver@popplesburger.hilciferous.nl avatar

It’s a testament to Vaultwarden’s update policies, not to my amazing server practices!

You’re right that this is a terrible idea and it will inevitably bite me in the ass, but keeping up to date with a dozen of self hosted services is a faff and I’ll accept the 15 minutes of docker fuckery to revert the updates if it means I don’t need to remind myself to perform server maintenance.

arensb,

Yeah, there’s a lot to be said for letting the hosting be done by people who know what they’re doing.

speaker_hat,

If I may, what are the requirements to make it self hosted?

lazynooblet,
@lazynooblet@lazysoci.al avatar

Look up “Vaultwarden”

skullgiver,
@skullgiver@popplesburger.hilciferous.nl avatar

The official Bitwarden server: 2-4GB of RAM, mostly because of the SQL server and all of the separate containers. Probably at least two CPU cores to prevent one process from lagging everything out. 12-24GB of storage.

For Vaultwarden, the Rust reimplementation of the backend server: I don’t know, about 128MB of RAM? It’s using about 40MB of RAM on my server. It’s using about a minute of CPU time per hour for my install. Storage requirements are “the size of the docker container plus some database files”.

Both: a TLS certificate (Let’s Encrypt) and as much free space as you plan on sending through their encrypted file sharing service. Also the storage and configuration for your automated backups, of course.

Vaultwarden isn’t audited and it takes longer to get all of the features because it’s a hobby project and not an enterprise company. Bitwarden is set up to easily scale to whole company/whole enterprise usage. Vaultwarden is set up for “you and your family” scale which probably works fine for larger scales but I don’t think it’s set up for it out of the box.

pandas,
@pandas@are.sexy avatar

@skullgiver @speaker_hat I'm considering spinning up a VW server right now. Thanks for laying out the reqs!

speaker_hat,

How do you make the sever available via the Internet? Do you host it on a cloud provider (e.g. AWS EC2)? or do you self host on your own bare metal machine?

skullgiver,
@skullgiver@popplesburger.hilciferous.nl avatar

You can just open a port in the firewall/port forward a local server if your home ISP isn’t shit. If it is shit, you can run it in the cloud somewhere. I wouldn’t go with Amazon, they’re terribly expensive for hobby projects (who needs multi zone failover for a personal hobby project), any $5 VPS provider will do. Just make sure to install updates automatically so you don’t need to keep a close eye on maintenance and you should be golden.

Alternatively, if you don’t want to expose your server to the internet, you can set up a VPN server on your cloud server and only expose the password manager to your VPN. Wireguard is relatively simple to set up for this purpose, but tailscale (and whatever the self-hosted tailscale server is called) makes things even easier.

dan,
@dan@upvote.au avatar

any $5 VPS provider will do.

A cheap <$20/year VPS is sufficient to host Vaultwarden. No need to spend several times that. My Vaultwarden installation is only using 120MB RAM, so a 1GB RAM VPS would be more than sufficient. Take a look at RackNerd, HostHatch, GreenCloudVPS, and the other top providers on LowEndTalk. RackNerd’s latest sale has a VPS plan with 1GB RAM and 14GB SSD storage for $11.38/year: lowendtalk.com/…/boom-boom-4th-of-july-deals-come…, but I’d personally go with the 4GB RAM and 75GB disk for $47.88/year, since self-hosting is addictive and you’ll find plenty of other stuff you want to host.

(I’m not affiliated with any of these companies)

skullgiver,
@skullgiver@popplesburger.hilciferous.nl avatar

I would trust the absolute bottom of the barrel services with unimportant things like blogs, but I don’t want my password manager to be hosted there. It just feels too sketchy to me.

dan,
@dan@upvote.au avatar

Given the prices of these VPSes, you could get two or three with different providers and have a warm standby in case of any issues.

RackNerd is legit though - a real company with a physical office. I’ve had some VPSes with them in the past, and only got rid of them because I wanted to consolidate a few things.

slimsalm,

Selfhosted or not, you can also make keepassxc portable with a usb drive.

Here is a old thread from redit explaining how to do it:

Dude… KeepassXC has portables for linux, there is no need to mess with wine or mono. As long as you have both portable versions of KeepassXC, you will not have a problem. You can totally have your database sync between OSs.

  • For Linux, just get the AppImage for the portable.
  • For Windows, get the Portable ZIP archive.
  • Shove them both into a USB, you have KeepassXC portable for both OSs on a stick.

Source: www.reddit.com/r/KeePass/comments/10i8joq/…/-

miikaroo,
@miikaroo@lemmy.ml avatar

Non self-hosted: Bitwarden

Self-hosted: Keepass

Both are open-souce, multi-platform, and free. Bitwarden does have additional paid tiers to include support for things like OTPs. I used to use Keepass but got tired of manually syncing my database; If that’s not a problem for you then it’s a great choice.

terk,

It’s more to setup, but I have my keepass auto sync across several devices using OneDrive. Each device has a local copy of the database that is synced with the cloud version using triggers.

Swarfega,

This is what I used to do. Although KeePass is better these days in that it will recognise when a database has changed and ask you if you want to synchronise the changes. KeePassXC will even reload the database when it detects changes.

flashgnash,

Bitwarden supports self hosting doesn’t it? There’s an option in the UI to specify server

jakob,
@jakob@lemmy.schuerz.at avatar

the name is vaultwarden. a reimplementation of bitwarden i think in rust. you can use it with all bitwarden-clients.

Racle,
@Racle@sopuli.xyz avatar

Yup, you can selfhost bitwarden and use your own private server to sync between devices.

Swarfega,

You sound like me. I used KeePass for many years. AutoType rules. That said it wasn’t as slick as other password managers for browser credentials. I moved my home stuff to Bitwarden and use KeePass for work. I honestly could never give up AutoType for work. Typing credentials into other applications is so handy and one majority of other password managers lack, including Bitwarden.

kwelzel,

One thing I was always wondering about the OTP feature: If OTPs are used for two-factor authentication but both your password and the OTP can be accessed through Bitwarden, aren’t you effectively sidestepping the two-factor part? I mean if I have the OTPs only on my phone then I need to know the Bitwarden master password and I need to have my phone in order to log in. On the other hand if both are in the Bitwarden vault, I only need to know the Bitwarden password. So effectively two-factor becomes one-factor authentication.

Maybe the relevant scenario here is your credentials for some website getting leaked. With OTPs inside Bitwarden any attacker would still not be able to log in as long as they don’t know your master password, giving you plenty of time to change your password. Although, if the attacker already found a way to access confidential website logins, they can probably access all kinds of other confidential data related to this account without even logging in as you.

nautical2975,

Bitwarden, Psono, Proton Pass. 1Password is not open source but they’re amazing too and most secure because of a layer of protection

pingveno,

I’ve had a good experience with 1Password, but I would absolutely look at the others if I was starting from scratch now.

One I wouldn’t recommend is LessPass. It is kind of clever, but it relies on doing a hash of a set of values (master key + site + username + counter) and then producing a password from the hash based on some password specifications. Neat, but that’s a lot to remember.

dan,
@dan@upvote.au avatar

because of a layer of protection

What does this mean? It’s very vague :D

nautical2975,

1Password is secured with secret key on top of your master password, adds another level of security. many other password manager, Bitwarden etc are reliant on the strength of your master password

Lewistrick,

Ooh wow, Proton also made a passmanager? I’m going to have a look, I kinda like that company.

Jackolantern,

Bitwarden is ok

Gleddified,

I don’t want to self host

IMO Keepass is not for you then. Bitwarden all day

Candid_Technology_66,

But you can sync your database across devices using Syncthing or a cloud storage like MEGA.

Magnetar,

Keepass + Syncthing is great, works also on phones.

ssm,

openssl and a text file

tycho,

Password-store if you are really fancy

Swarfega,

If you’re going through all your site’s changing passwords maybe take a look at simplelogin.io to also hide your email address. Some sites block you, which is ridiculous, but for the majority of sites it’s a good idea.

Robertej92,

Guess I’m gonna have to give bitwarden a go, I’ve used LastPass for years but their quality of service and value for money has plummeted.

boletus,

Been using Bitwarden for a long time. Secure, easy to use and never had any problems with it.

Voroxpete,

I switched from Lastpass to Bitwarden. Couldn’t be happier.

Selmafudd,

Brah I’ve seen so many of these post asking what password manager people use and the comments filled with bitwarden replies… it could just be lots of people really interested in password managers use Lemmy or bitwarden is astroturfing. One of these seems more likely

Zagorath,
@Zagorath@aussie.zone avatar

I used LastPass up until they re-started charging for multiple devices. I was happy to pay LastPass back in like 2013 when they used to charge for multiple devices, but when they decided to bring that charge back in 2022 (or whatever year it was) they were charging an obscenely high amount for it, and frankly the UX wasn’t good enough to justify that price. On Android, more often than not I was having to go into the app to copy/paste it, because the native integration just wasn’t working.

With Bitwarden I’m back to free, and it works so much better anyway. I never looked back.

b000urns,
@b000urns@lemmy.world avatar

is there a straightforward way to migrate? thanks in advance 🙏

Zagorath,
@Zagorath@aussie.zone avatar

They have a tool for directly doing the import for you.

Or if, for whatever reason, that doesn’t work for you/you don’t want to use that, they have detailed step-by-step instructions for how to manually export your LastPass vault and import it into Bitwarden.

Hope this helps!

b000urns,
@b000urns@lemmy.world avatar

Legend, thanks!

ram,
@ram@lemmy.ramram.ink avatar

Bitwarden checks all the boxes. I’ve had great experience with it. bitwarden.com

I will say, auto-fill on load is a bad idea. On desktop I keep my auto-fill bound to a key so it doesn’t actually end up in fields it shouldn’t be.

2FA is locked behind the $10/year premium if that’s something you wanted, but beyond that the free plan has everything 99% of people will use. They do third party security audits, have public white papers, and is completely open source.

hinterlufer,

Email and TOTP 2FA options are available in the free version, YubiKey, FIDO2 and Duo options are only available in the 10$/year premium option.

Moonwalk,
@Moonwalk@lemm.ee avatar

I’m sure they meant TOTP 2FA for the accounts saved in Bitwarden, not for the Bitwarden login itself.

Saintcloud,

I’ve been curious about a Yubikey like option for a bit now. Would you recommend one and if so which type?

dan,
@dan@upvote.au avatar

Get a Yubikey that supports Webauthn and FIDO2. It’s the future of two-factor authentication on the web. At work we use the YubiKey 5C Nano, but I think the entire Yubikey 5 series supports Webauthn.

DuskLoaf,
@DuskLoaf@lemmy.world avatar

Is there much benefit to having access to the 2FA option if I already use RAIVO for 2FA codes.

Interstellar_1,
@Interstellar_1@pawb.social avatar

No, it’s good to have a seperate service for that

Makeshift,

Bitwarden only autofills if the page’s URL is the same as the account in your vault. So it actually helps you make sure that you aren’t putting your info into a phishing site or something

although, I’m pretty sure autofill is disabled by default anyway?

ram,
@ram@lemmy.ramram.ink avatar

Bitwarden only autofills if the page’s URL is the same as the account in your vault. So it actually helps you make sure that you aren’t putting your info into a phishing site or something

This is true, though wasn’t my concern. My concern is that it (and other PW managers ofc) can sometimes fill in fields its not supposed to, and you end up accidentally including a username or password in a GET header.

although, I’m pretty sure autofill is disabled by default anyway?

Auto-fill on page-load is, yes.

jrubal1462,

After 2 years of ignoring the fact that I use a duplicate password in over 100 places, and that password has officially been in breaches, I finally came to terms with the fact that it was time to find a password manager and generate unique passwords. I didn’t do a ton of research and ended up with bitwarden. If I opened this thread to see a bunch of people ragging on bitwarden I was prepared to be VERY upset.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • asklemmy@lemmy.ml
  • localhost
  • All magazines
    •
    Loading…
    Loading the web debug toolbar…
    Attempt #

    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 23302272 bytes) in /var/www/kbin/kbin/vendor/symfony/http-kernel/Profiler/FileProfilerStorage.php on line 174

    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 10502968 bytes) in /var/www/kbin/kbin/vendor/symfony/error-handler/ErrorRenderer/HtmlErrorRenderer.php on line 339