What is the best open-source password manager out there?
Should we use password managers built into browsers like Firefox or Chrome?
Or should we use dedicated applications like Bitwarden?
What do you use and why? Please comment below.
What are the pros and cons of different applications?
Should we write our own script to manage passwords?
Or should we store them in offline files?
Top comments (48)
After having used it personally for years, 1Password is also a great fit for teams. I have shared vaults with the people I work with and can even provide guess access to individuals for short projects at no additional charge.
Besides unique and long passwords, 1P also handles 2FA perfectly well. Not only for your personal accounts, but also the accounts in shared vaults. So even the shared login credentials benefit from OTP, on your phone and laptop.
1password started as Mac-only so when I used the 1password interface the first time I actually had to search online for how to do things. It's not particularly intuitive, but once you learn how to do things it's ok. We use it at work, but I'm not a fan of using proprietary solutions for things like this and don't particularly understand why people want to pay for it, either.
The same reason people want to pay for any other type of software: it brings them value.
Ok, without getting too reductionist, I don't particularly understand what value it brings them.
Which is fine. You might be using something that I don’t see any value in, and that’s fine too. I’m a 1Password user myself and it brings me value. I’m not here to sell you on that product 😄
They are though. They exist because people are prepared to pay for their product instead of using a free software product, so there must presumably be things people like about it that aren't in other apps.
More importantly, and something I forgot to mention, is that the question is explicitly about open source software, and 1password isn't that.
I made my own password manager
Check it out at main.d3qwkjcxzk7m67.amplifyapp.com/
Fork and make your own on github.com/GeoBrodas/aws-password-...
Check out the whole blog I made
dev.to/geobrodas/secure-password-m...
This is awesome
When you join a company you probably have to use whatever they give you access to.
For personal stuff, I use Bitwarden. I think I was turned on to it from a thread here a couple of years ago, actually.
I used to use LastPass, and Bitwarden is mostly a copy of their UI, so the transition was simple. It's free software though.
You can roll your own if you want, it's no different from hiding passwords in a notebook under your bed - it's not like you're writing a crypt library and telling other people to use it or anything.
Other things I've done include keeping text files GPGd in whatever cloud storage I had at the time.
I literally did the same thing. Good decision I think though now that lastpass has gotten greedy about allowing you to only use the app on either your phone or computer but not both.
It's not really greedy when it's a service and product they're supplying without a cost attached.
Software is not safe to store your passwords. If your computer is breached, they can simply copy your passwords database. Not good.
A similar problem existed with the early Bitcoin users. They stored the bitcoin keys on their computer and if some malicious user got access to the computer, they lost everything.
You could assume your computer will never be breached, but this is very optimistic. I recommend using a hardware solution or not storing them on the computer at all.
I disagree. Modern encryption is plenty secure to prevent malicious disk access, and if malware has memory access then you have bigger problems to worry about (they could just log your keystrokes). The Bitcoin situation was different as the key files were unencrypted - any good password manager will encrypt data before saving it to disk.
In the bitcoin space you can find lots of malware. Once installed, it will just wait for you to decrypt your wallet (RAT). A hardware wallet prevents this, because the private key (encryption key) never enters the computer.
The encryption used on both is the same. The difference is in attack surface. With a hardware wallet every password is encrypted and an attacker cannot copy all passwords at once with one master password (keepass). I've seen this happen in a demo of Blackhat USA.
Sure, if your computer is powned you have a bigger problem. But not having a single master key and single file is the more secure way to go imo.
A lot of these password managers offer the option to use 2FA though, which makes this progress a lot harder.
I think the idea of storing passwords under one master password is a bit like solving one problem and creating another one. The problem that's created is what you described.
However, it also solves the problem that whenever websites and applications you have an account have been breached, it's got a password that people can only use on that specific account, protecting you everywhere else. I believe that's a much more common situation than what you are saying.
People who don't store passwords and memorise all of them are going to reuse passwords. Unless they're that good at memorising every single password. I know plenty of people who just use a single password because they can't be bothered to memorise a multitude of them. Even I had a ton of different passwords but still had to reuse them because it'd otherwise be simply too hard to remember each one of them. Reusing passwords is a lot more problematic than using a password manager, and for the average person it'd be better to opt for the latter in that case. Even moreso with 2FA turned on.
Of course, you're right to say that a hardware solution is the best way to store passwords, and I'd recommend it above everything else as well. It's definitely even more important if you're in the cryptocurrency realm, but that's not so much the majority of people.
A computer is a hardware solution.
It is, but a computer is a general purpose device with lots of software and apps running. Compared to a Trezor or similar device that can only do one thing. That means the attack surface is a lot smaller compared to a general purpose PC. It literally saved people thousands of dollars. On top of that, every password is encrypted instead of a single password (like keepass)
We use Bitwarden at work, and it's great to share passwords with the team (not something I'm fond of, I'd prefer individual accounts, but necessary when all you have is a generic account)
I personally use Google passwords as it syncs between Chrome and Android.
For personal passwords, I use Bitwarden protected with 2-Factor & Biometric lock on mobile devices. (planning to self host this soon)
Enterprise passwords are relatively better off stored in an offline medium like MacPass or its equivalent in Linux/Windows with a passphrase on the secrets file. Storing them in online platforms (1Password, Lastpass) could be risky, especially if they're exploited
self hosting means ? a server in your home or rented vps like Digital Ocean or Linode ? what is better ?
A homegrown server would offer total privacy (due to being on local network) but would be inaccessible elsewhere.
Either of DigitalOcean/Linode or AWS/GCP can be used depending on one's budget, latency, support & ease of use among other parameters.
Why ? Is it not possible to expose the home server to the outer world ?
Some configuration in router can be done ?
Honestly I have no experience
No problem, let me attempt to clarify as much I can.
A server (here the Bitwarden software) needs a DNS record with public IP Address(es) to be reachable by clients (smartphones, laptops) over the internet.
Hosting it on a home server won't help as home routers have private IP addresses unreachable via the internet & thus the above stated DNS as well.
It'd also be a security breach of one's computing device if the router gets compromised whilst exposing it as a server.
Hoping this helps!
Hi
I'm using LastPass for the last few years and enjoy it a lot:
I think they managed to simplify features with minimum impact on security; at least this is what I'm hoping for :)
Ok, sounds reasonable for me that some features are only available for paid plans.
I prefer using a service that I trust to keep my passwords safe.
btw once I started using them my passwords become much stronger as im always generating them.
I used LastPass while it was free for all devices and I keep using it now that they added the 2.5$ per month fee cause I didn't want to bother switching to Bitwarden. It works well with all my devices (MacBook, Android). When I think of the money I spend on so many silly things, 2.5$ per month is a totally acceptable amount to pay for password security on the internet.
I might be an odd duck here, but I use Apple iCloud’s password syncing. I only have a Windows machine for gaming and testing, and it works pretty well. Nearly integrated, free, and with support for things like checking for leaked passwords.
Definitely worth a try if a Windows/Linux box isn’t your main machine.
Using pass + git + yubikey
passwordstore.org/
Short answer: BitWarden
I've been using Keeper (paid subscription) for about 7 years. Recently, after an app update, it randomly dropped/ate an entire folder structure of passwords (about 40 entries in total). Their support wasn't able to do anything. Unfortunately, I was bad about backups, and didn't have anything more recent than 8 months so I was unable to recover most of them.
Work uses LastPass, which I've also used personally in the past. I gave it a shot, but even after mapping my Keeper export to LastPass's csv format, it would not import correctly. To be fair, I didn't have high hopes, as we had the same issue when we merged into LastPass a couple years ago at work and essentially had to manually import almost 1000 items by small batch.
So, enter BitWarden. I setup account online, imported the Keeper csv file (no manipulation), and tada! All good now. Been using it every day for a couple weeks, and very happy so far.
After years of development, I've noticed 2 things:
Sometimes I'm browsing, on a website, creating an account, and as a developer, I've gotten used to getting my tasks done quite fast. I was able to do all of those pretty fast, except for creating a complex password.
That's why I created a repo (which currently runs for Mac OS only due to one small command that could be tweaked). Running that script would generate and copy a complex password onto your clipboard, which is pretty seemless.
So I use a combination of that and MYKI Password Manager.
I use safe-in-cloud for my passwords. - super simple, cross platform (window/Mac/iOS/android) and pretty straightforward and nice IU. (It does cost for the mobile apps but it’s a one-time purchase and I don’t mind supporting a fellow dev). The concept is pretty cool, you own the backend storage so there are no monthly fees. Just that initial software purchase for life and $8 USD isn’t bad compared to a monthly charge like some of the other password solutions.
For api creds/access keys I use Unix pass because, again cross platform and I can integrate directly into my terminal. Git and GPG backed, it’s a good solution.
A $10 Bitwarden subscription for a year beats self hosting it and dealing with the security of your self hosted solution, and definitely beats the security of your home grown solution. For that, I have installed Bitwarden's extension into Firefox and downloaded the app on my phone, and I don't have to think about passwords at all anymore. Magnificent.
Exactly. I am on the Bitwarden free plan. And that's fine for me.
In future may upgrade.