What password manager do you recommend?

teawrecks, 1 year ago

Keepass is

• open source and free
• just uses a file, so you can sync it wherever/however you want
• has a browser plugin with autofill if you’re into that
• is supported on all platforms
• database lives in an encrypted file that you put wherever you choose

sonstwas, 1 year ago

For syncing I use Syncthing. It’s open-source as well and syncs two/multiple devices without the need for cloud-storage

Trapping5341, 1 year ago

Another vote for Bitwarden just in case anyone needed one more comment to get them to use it.

flashgnash, 1 year ago

I use bitwarden but it can be quite annoying to use sometimes. Feel like I have to type my master password every 5 minutes and it won’t even prompt me to enter it for a site I have a login on, have to dig into the menu and find it

Trapping5341, 1 year ago

On my desktop browser I have it set to relock only when I close the browser. So I only have to enter my master password the first time.

I have an Android phone and an iPhone and have bitwarden enabled on both and set to auto lock after 15 minutes. Very rarely do I run into and instance where bitwarden won’t be able to auto populate everything on either device and I have biometrics set up to unlock my vault. When it doesn’t I have to go searching but imo it’s a minor inconvenience because it very rarely happens.

If you mean that when you are using the auto entry feature your account isn’t showing up to populate the field without searching then you need to save the URI to the password so that bitwarden knows what account goes with that site. Just hit the auto fill and save button and it will automatically add that URI for you so you don’t have to search next time.

flashgnash, 1 year ago

I’ve got all that setup and biometrics work great. The problem is sometimes bitwarden just won’t prompt in the first place, sometimes it works sometimes it doesn’t, sometimes I have to wait a bit for it to realise

Trapping5341, 1 year ago

Ah yeah, I run into that sometimes but in my experience its pretty rare that it won’t pop up. Sometimes just closing the app, from recent apps, and reopening will get it to trigger. I always assumed it had something to do with the apps save state when I closed it since it generally happens on my banking apps that automatically log me out. It’s one thing I like about iOS is that when you are logging into something there is the little key button to open up iCloud keychain and Bitwarden so you don’t have to let it do it automatically.

slimsalm, 1 year ago

I use keepassxc, works well for me.

rarely, 1 year ago

Bitwarden, self hosted.

Christopher, 1 year ago

+1 for Bitwarden here. One day I will go down the self-hosted route.

sgtnasty, 1 year ago

I have the server, just dont trust myself enough to cut the cord from BW servers.

skullgiver, 1 year ago

I’ve put Vaultwarden online and have configured it to backup over the network through duplicity. Updates are automatic (I have a cronjob that just does docker pull/stop/rm/run without checking the error codes). No downtime so far!

It’s been a while since I’ve used the official Bitwarden server, but Vaultwarden is pretty much foolproof. It’s one of the easiest programs to self-host that I’ve come across.

dan, 1 year ago

I have a cronjob that just does docker pull/stop/rm/run without checking the error codes

Ah, you like living on the edge 😛

I don’t trust automated Docker updates… There can be breaking changes between versions. I don’t want my Docker containers to automatically break themselves :D

skullgiver, 1 year ago

It’s a testament to Vaultwarden’s update policies, not to my amazing server practices!

You’re right that this is a terrible idea and it will inevitably bite me in the ass, but keeping up to date with a dozen of self hosted services is a faff and I’ll accept the 15 minutes of docker fuckery to revert the updates if it means I don’t need to remind myself to perform server maintenance.

arensb, 1 year ago

Yeah, there’s a lot to be said for letting the hosting be done by people who know what they’re doing.

speaker_hat, 1 year ago

If I may, what are the requirements to make it self hosted?

lazynooblet, 1 year ago

Look up “Vaultwarden”

skullgiver, 1 year ago

The official Bitwarden server: 2-4GB of RAM, mostly because of the SQL server and all of the separate containers. Probably at least two CPU cores to prevent one process from lagging everything out. 12-24GB of storage.

For Vaultwarden, the Rust reimplementation of the backend server: I don’t know, about 128MB of RAM? It’s using about 40MB of RAM on my server. It’s using about a minute of CPU time per hour for my install. Storage requirements are “the size of the docker container plus some database files”.

Both: a TLS certificate (Let’s Encrypt) and as much free space as you plan on sending through their encrypted file sharing service. Also the storage and configuration for your automated backups, of course.

Vaultwarden isn’t audited and it takes longer to get all of the features because it’s a hobby project and not an enterprise company. Bitwarden is set up to easily scale to whole company/whole enterprise usage. Vaultwarden is set up for “you and your family” scale which probably works fine for larger scales but I don’t think it’s set up for it out of the box.

pandas, 1 year ago

@skullgiver @speaker_hat I'm considering spinning up a VW server right now. Thanks for laying out the reqs!

speaker_hat, 1 year ago

How do you make the sever available via the Internet? Do you host it on a cloud provider (e.g. AWS EC2)? or do you self host on your own bare metal machine?

skullgiver, 1 year ago

You can just open a port in the firewall/port forward a local server if your home ISP isn’t shit. If it is shit, you can run it in the cloud somewhere. I wouldn’t go with Amazon, they’re terribly expensive for hobby projects (who needs multi zone failover for a personal hobby project), any $5 VPS provider will do. Just make sure to install updates automatically so you don’t need to keep a close eye on maintenance and you should be golden.

Alternatively, if you don’t want to expose your server to the internet, you can set up a VPN server on your cloud server and only expose the password manager to your VPN. Wireguard is relatively simple to set up for this purpose, but tailscale (and whatever the self-hosted tailscale server is called) makes things even easier.

dan, 1 year ago

any $5 VPS provider will do.

A cheap <$20/year VPS is sufficient to host Vaultwarden. No need to spend several times that. My Vaultwarden installation is only using 120MB RAM, so a 1GB RAM VPS would be more than sufficient. Take a look at RackNerd, HostHatch, GreenCloudVPS, and the other top providers on LowEndTalk. RackNerd’s latest sale has a VPS plan with 1GB RAM and 14GB SSD storage for $11.38/year: lowendtalk.com/…/boom-boom-4th-of-july-deals-come…, but I’d personally go with the 4GB RAM and 75GB disk for $47.88/year, since self-hosting is addictive and you’ll find plenty of other stuff you want to host.

(I’m not affiliated with any of these companies)

skullgiver, 1 year ago

I would trust the absolute bottom of the barrel services with unimportant things like blogs, but I don’t want my password manager to be hosted there. It just feels too sketchy to me.

dan, 1 year ago

Given the prices of these VPSes, you could get two or three with different providers and have a warm standby in case of any issues.

RackNerd is legit though - a real company with a physical office. I’ve had some VPSes with them in the past, and only got rid of them because I wanted to consolidate a few things.

Gleddified, 1 year ago

I don’t want to self host

IMO Keepass is not for you then. Bitwarden all day

Candid_Technology_66, 1 year ago

But you can sync your database across devices using Syncthing or a cloud storage like MEGA.

Magnetar, 1 year ago

Keepass + Syncthing is great, works also on phones.

elboyoloco, 1 year ago

Bitwarden is the exact app you just described. I use it. It’s great.

kamen, 1 year ago

One vote for BitWarden.

techgearwhips, 1 year ago

KeePass all day. Completely open sourced and free.

I use

KeePassium on iOS

KeePassiumXC on desktop

Keepass2Android (no net) on Android.

All synced via Nextcloud but you can sync via sync thing as well if you don’t want to self cloud host.

nautical2975, 1 year ago

Bitwarden, Psono, Proton Pass. 1Password is not open source but they’re amazing too and most secure because of a layer of protection

pingveno, 1 year ago

I’ve had a good experience with 1Password, but I would absolutely look at the others if I was starting from scratch now.

One I wouldn’t recommend is LessPass. It is kind of clever, but it relies on doing a hash of a set of values (master key + site + username + counter) and then producing a password from the hash based on some password specifications. Neat, but that’s a lot to remember.

dan, 1 year ago

because of a layer of protection

What does this mean? It’s very vague :D

nautical2975, 1 year ago

1Password is secured with secret key on top of your master password, adds another level of security. many other password manager, Bitwarden etc are reliant on the strength of your master password

Lewistrick, 1 year ago

Ooh wow, Proton also made a passmanager? I’m going to have a look, I kinda like that company.

ChrV, 1 year ago

Last year I tried (and paid) 1Password.
For the past 6 months I'm using Bitwarden and it's really good. I find 1Password's UI better but if we consider the cost it's better to stay with Bitwarden.

Swuden, 1 year ago

1Password isn’t open source, is it? I use it and I’m super happy with it though. I don’t mind paying a bit for good security. I do wish it was OSS though.

ChrV, 1 year ago

No I don't think it is. I was super happy too but I decided to give Bitwarden a fair try and it's really good too. I only miss the 2FA codes that 1Password filled automatically but I'm using Aegis now since I had some worries about having one app with both the passwords and 2fa codes.

Onionizer, 1 year ago

Bitwarden can auto copy the 2FA code so you just hit ctrl+v

ChrV, 1 year ago

Not in the free version unless I'm mistaken

skatrek47, 1 year ago

I have also really enjoyed 1password, I also subscribe to Fastmail and the easy to make “masked emails” gives me additional peace of mind and makes that practice of unique or throwaway emails much easier to implement.

Curious_Canid, 1 year ago

I’ve been using KeePass since the dawn of time. There are now other good options too, but I haven’t seen any compelling reason to switch. It does everything I need both securely and well.

kingmook, 1 year ago

+1 for bitwarden. If you want full control you can even host your own server. Easyish to setup at Bitwarden Docker Setup

jrubal1462, 1 year ago

After 2 years of ignoring the fact that I use a duplicate password in over 100 places, and that password has officially been in breaches, I finally came to terms with the fact that it was time to find a password manager and generate unique passwords. I didn’t do a ton of research and ended up with bitwarden. If I opened this thread to see a bunch of people ragging on bitwarden I was prepared to be VERY upset.

ancientweasel, 1 year ago

I tried bitwarden and others and finally just settled on the firefox password manager. It does everything I need.

Kajika, 1 year ago

firefox

For me the firefox password manager is totally fine : I know where the encrypted file is and I can manually back it up and copy to an other computer ($HOME/.mozilla/firefox/[profile folder]/key4.db + logins.json). You can decrypt yourself the file easily too.

ancientweasel, 1 year ago

Oh neat. Just gpg -d HOME/.mozilla/firefox/[profile folder]/key4.db + logins.json?

bearfootbees, 1 year ago

I use Firefox as well. My uneducated concern. I once installed Chrome on my PC for something specific. During the install, it asked if I would like to import my saved logins from Firefox. I thought: “let’s see”. In fact, it unencrypted the file, and loaded all my passwords. So, my thought is, of someone was to gain access to that file, how hard would it really be to unencrypted it? If chrome can do it as part of their wizard.

Again, feel free to educate me, but that’s my concern

Corngood, 1 year ago

I assume it would only be (properly) encrypted if you set a master password in firefox?

If chrome could bypass the master password, that would be concerning.

anguo, 1 year ago

My only gripe is having to insert my password every 15min (afaik it’s either that or having all your accessible by anyone using your computer). That and the fact that they discontinued the password manager they had on Android. This is what made me move to bitwarden.

ancientweasel, 1 year ago

they discontinued the password manager they had on Android

I use it on Android Firefox every day, it syncs my passwords to all my linked firefox instances.

anguo, 1 year ago

Ah, I was using Firefox Lockwise, which was discontinued, but I see that Firefox itself can act as a password manager now?

anguo, 1 year ago

By which I mean an auto-fill service

ancientweasel, 1 year ago

Yes, andiyou can sync between you installs.

It not perfect but it’s enough for me at least.

theNoob, 1 year ago

KeePass for me synced to whatever cloud you want. I use DropBox and the Android client has an option for that to save you work