DEV Community

Cover image for What password manager should developers use ?
Aahnik Daw
Aahnik Daw

Posted on • Updated on

What password manager should developers use ?

What is the best open-source password manager out there?

Should we use password managers built into browsers like Firefox or Chrome?

Or should we use dedicated applications like Bitwarden?

What do you use and why? Please comment below.

What are the pros and cons of different applications?

Should we write our own script to manage passwords?

Or should we store them in offline files?

Top comments (48)

Collapse
 
stevedejo profile image
Steve

After having used it personally for years, 1Password is also a great fit for teams. I have shared vaults with the people I work with and can even provide guess access to individuals for short projects at no additional charge.

Besides unique and long passwords, 1P also handles 2FA perfectly well. Not only for your personal accounts, but also the accounts in shared vaults. So even the shared login credentials benefit from OTP, on your phone and laptop.

Collapse
 
moopet profile image
Ben Sinclair

1password started as Mac-only so when I used the 1password interface the first time I actually had to search online for how to do things. It's not particularly intuitive, but once you learn how to do things it's ok. We use it at work, but I'm not a fan of using proprietary solutions for things like this and don't particularly understand why people want to pay for it, either.

Collapse
 
murkrage profile image
Mike Ekkel

The same reason people want to pay for any other type of software: it brings them value.

Thread Thread
 
moopet profile image
Ben Sinclair

Ok, without getting too reductionist, I don't particularly understand what value it brings them.

Thread Thread
 
murkrage profile image
Mike Ekkel

Which is fine. You might be using something that I don’t see any value in, and that’s fine too. I’m a 1Password user myself and it brings me value. I’m not here to sell you on that product 😄

Thread Thread
 
moopet profile image
Ben Sinclair

They are though. They exist because people are prepared to pay for their product instead of using a free software product, so there must presumably be things people like about it that aren't in other apps.

Thread Thread
 
moopet profile image
Ben Sinclair

More importantly, and something I forgot to mention, is that the question is explicitly about open source software, and 1password isn't that.

Collapse
 
geobrodas profile image
Georgey

I made my own password manager
Check it out at main.d3qwkjcxzk7m67.amplifyapp.com/
Fork and make your own on github.com/GeoBrodas/aws-password-...
Check out the whole blog I made
dev.to/geobrodas/secure-password-m...

Collapse
 
aahnik profile image
Aahnik Daw

This is awesome

Collapse
 
moopet profile image
Ben Sinclair

When you join a company you probably have to use whatever they give you access to.
For personal stuff, I use Bitwarden. I think I was turned on to it from a thread here a couple of years ago, actually.

I used to use LastPass, and Bitwarden is mostly a copy of their UI, so the transition was simple. It's free software though.

You can roll your own if you want, it's no different from hiding passwords in a notebook under your bed - it's not like you're writing a crypt library and telling other people to use it or anything.

Other things I've done include keeping text files GPGd in whatever cloud storage I had at the time.

Collapse
 
jbeachy21 profile image
Jasper Beachy

I literally did the same thing. Good decision I think though now that lastpass has gotten greedy about allowing you to only use the app on either your phone or computer but not both.

Collapse
 
moopet profile image
Ben Sinclair

It's not really greedy when it's a service and product they're supplying without a cost attached.

Collapse
 
jones268 profile image
jones268

Software is not safe to store your passwords. If your computer is breached, they can simply copy your passwords database. Not good.

A similar problem existed with the early Bitcoin users. They stored the bitcoin keys on their computer and if some malicious user got access to the computer, they lost everything.

You could assume your computer will never be breached, but this is very optimistic. I recommend using a hardware solution or not storing them on the computer at all.

Collapse
 
mileswatson profile image
Miles Watson

I disagree. Modern encryption is plenty secure to prevent malicious disk access, and if malware has memory access then you have bigger problems to worry about (they could just log your keystrokes). The Bitcoin situation was different as the key files were unencrypted - any good password manager will encrypt data before saving it to disk.

Collapse
 
jones268 profile image
jones268

In the bitcoin space you can find lots of malware. Once installed, it will just wait for you to decrypt your wallet (RAT). A hardware wallet prevents this, because the private key (encryption key) never enters the computer.

The encryption used on both is the same. The difference is in attack surface. With a hardware wallet every password is encrypted and an attacker cannot copy all passwords at once with one master password (keepass). I've seen this happen in a demo of Blackhat USA.

Sure, if your computer is powned you have a bigger problem. But not having a single master key and single file is the more secure way to go imo.

Collapse
 
thalitadev profile image
Thalita G.

A lot of these password managers offer the option to use 2FA though, which makes this progress a lot harder.

I think the idea of storing passwords under one master password is a bit like solving one problem and creating another one. The problem that's created is what you described.

However, it also solves the problem that whenever websites and applications you have an account have been breached, it's got a password that people can only use on that specific account, protecting you everywhere else. I believe that's a much more common situation than what you are saying.

People who don't store passwords and memorise all of them are going to reuse passwords. Unless they're that good at memorising every single password. I know plenty of people who just use a single password because they can't be bothered to memorise a multitude of them. Even I had a ton of different passwords but still had to reuse them because it'd otherwise be simply too hard to remember each one of them. Reusing passwords is a lot more problematic than using a password manager, and for the average person it'd be better to opt for the latter in that case. Even moreso with 2FA turned on.

Of course, you're right to say that a hardware solution is the best way to store passwords, and I'd recommend it above everything else as well. It's definitely even more important if you're in the cryptocurrency realm, but that's not so much the majority of people.

Collapse
 
moopet profile image
Ben Sinclair

A computer is a hardware solution.

Collapse
 
jones268 profile image
jones268

It is, but a computer is a general purpose device with lots of software and apps running. Compared to a Trezor or similar device that can only do one thing. That means the attack surface is a lot smaller compared to a general purpose PC. It literally saved people thousands of dollars. On top of that, every password is encrypted instead of a single password (like keepass)

Collapse
 
tbroyer profile image
Thomas Broyer

We use Bitwarden at work, and it's great to share passwords with the team (not something I'm fond of, I'd prefer individual accounts, but necessary when all you have is a generic account)

I personally use Google passwords as it syncs between Chrome and Android.

Collapse
 
vinayhegde1990 profile image
Vinay Hegde

For personal passwords, I use Bitwarden protected with 2-Factor & Biometric lock on mobile devices. (planning to self host this soon)

Enterprise passwords are relatively better off stored in an offline medium like MacPass or its equivalent in Linux/Windows with a passphrase on the secrets file. Storing them in online platforms (1Password, Lastpass) could be risky, especially if they're exploited

Collapse
 
aahnik profile image
Aahnik Daw

self hosting means ? a server in your home or rented vps like Digital Ocean or Linode ? what is better ?

Collapse
 
vinayhegde1990 profile image
Vinay Hegde

A homegrown server would offer total privacy (due to being on local network) but would be inaccessible elsewhere.

Either of DigitalOcean/Linode or AWS/GCP can be used depending on one's budget, latency, support & ease of use among other parameters.

Thread Thread
 
aahnik profile image
Aahnik Daw

Why ? Is it not possible to expose the home server to the outer world ?

Some configuration in router can be done ?

Honestly I have no experience

Thread Thread
 
vinayhegde1990 profile image
Vinay Hegde

No problem, let me attempt to clarify as much I can.

A server (here the Bitwarden software) needs a DNS record with public IP Address(es) to be reachable by clients (smartphones, laptops) over the internet.

Hosting it on a home server won't help as home routers have private IP addresses unreachable via the internet & thus the above stated DNS as well.

It'd also be a security breach of one's computing device if the router gets compromised whilst exposing it as a server.

Hoping this helps!

Collapse
 
eransakal profile image
Eran Sakal

Hi
I'm using LastPass for the last few years and enjoy it a lot:

  1. it is very intuitive
  2. it has cool features like a password generator
  3. you can share passwords with your family
  4. it is available in multiple devices like Android, chrome extension, and dedicated mac app (my favorite, I prefer it over browser extension)

I think they managed to simplify features with minimum impact on security; at least this is what I'm hoping for :)

Collapse
 
eransakal profile image
Eran Sakal • Edited

Ok, sounds reasonable for me that some features are only available for paid plans.

I prefer using a service that I trust to keep my passwords safe.

btw once I started using them my passwords become much stronger as im always generating them.

Collapse
 
nop33 profile image
nop33.eth

I used LastPass while it was free for all devices and I keep using it now that they added the 2.5$ per month fee cause I didn't want to bother switching to Bitwarden. It works well with all my devices (MacBook, Android). When I think of the money I spend on so many silly things, 2.5$ per month is a totally acceptable amount to pay for password security on the internet.

Collapse
 
matthijsewoud profile image
⚡️

I might be an odd duck here, but I use Apple iCloud’s password syncing. I only have a Windows machine for gaming and testing, and it works pretty well. Nearly integrated, free, and with support for things like checking for leaked passwords.

Definitely worth a try if a Windows/Linux box isn’t your main machine.