Ask Slashdot: What's the Best (Encrypted) Password Manager?

Posted by EditorDavid

• ›

  Post-it notes on my screen, with some characters replaced.

  • Re:

    You are doing it wrong, security post-it notes go under the keyboard.

    • Re:

      My password is the name of my cat. I can't put him under the keyboard. For long anyway.

      • Re:

        My password is my dog's name. My dog is named %8Nk=14hD

  • I hate to admit this but you're right. I keep a handwritten log in pencil in small hard copy note book which I treat like POTUS's launch codes minus the USAF handler. Since the 90's. Never failed me yet.

    • Re:

      That gives excellent protection against remote attacks for sure. And these are what almost all attacks on passwords are. Nothing wrong with writing down passwords as long as you keep the thing they are written down in reasonably secure.

      • Re:

        It does nothing for disasters though. House burns down, it would be sad to lose access to not just your physical possessions but virtual access too.

  • Re:

    Despite my best efforts - my mom keeps all of her account passwords in a Word document stored on her computer.

    (yes, I heard all the face-palms when you guys read that - trust me, I feel the same way)

    • Re:

      It is not actually as insecure as most people think, or rather the alternatives are not that much more secure. When somebody compromises that PC, they can just sniff passwords for a few days and get all the more often used ones anyways.

      The real way to get more security than passwords is using 2FA with the 2nd factor on a second device (or it really is not 2FA) that is kept reasonably secure. For most application a phone will be fine as long as you take care what type of apps you put on it and do not log in

    • Re:

      I keep all my work passwords in an Excel spreadsheet on my work laptop. (And never visit non-work related web sites, nor use it anywhere but from a wired network.)

  • Re:

    In all fairness for most people it is actually a better option as a software based one is a single point of failure that is only as strong as the hygiene of the system and safety of the user which for many is shit poor. a post-it note as long as you are concerned about your family seing it is safer for many.

• You want a tool which

  * runs on a PC (since "not Linux geek")
  * is not Vim, nor KeePass
  * isn't based on Java or JavaScript
  * does not involve an "external website" (which I assume to mean doesn't use 'cloud' storage)
  * doesn't have too many features (?!)
  * doesn't have an installer (?!!!!!)
  * isn't rejected by Windows Defender (reasonable)

  This is the point where you manage with KeePass, or you just give up. Honestly, what the fuck more could you ask for?

  • Re: Translation

    A geek ur-response. Like asking Sheldon Cooper how to solve quadratic equations. I'm so far beneath this yada yada yada.

  • Re: Translation

    Lol. Yeah I was wondering the same thing. Geeky but not too geeky. Easy but not too easy. Simple for a Linux user, but actually for windows, but doesnâ(TM)t work like a windows app.

  • Re:

    Slight alternative, same idea: KeepassXC [keepassxc.org]. It's actually open source, unlike the base Keepass (which I used to use). I used Keepass for years, and it's great, but I think that "XC" is better both philosophically, as well as features, like browser integration. And just like regular keepass, if you want it on the cloud, put your encrypted file on Google Drive, or your other internet location of choice, and you're good.

    • • Re:

        Browser integration only occurs with both an addon for the browser, and explicitly setting it up in the application to handshake with the browser (you have to click a button on the application side, it's not automatic from the browser), and then when going to the sites an additional explicit acknowledgement on top of that, given that you even gave the entry a website association in the first place (if your entry doesn't have a URL field, it doesn't associate).

        Pretty secure by default, and that's what reall

  • Re:

    Sounds like Password Safe which is what I use. It has an installer but it might be possible to use just copy the program files folder around and use it, I haven't tested that, my hunch is that'd 70% likely work. https://www.pwsafe.org/ [pwsafe.org]

• Very intuitive and easy to use; you can self-host or use their hosting; basic functionality is completely free, paid plan is only $10/year (family plan is $40/year). Works on Windows, Mac, Linux, Android, iOS, etc. etc. And it's open source.

  What more do you want?

  • I landed here, after fleeing LastPass, too.

    I only paid LastPass for Android support. To use the same tool on my phone (iOS and/or Android) and computer (Windows, OSx, and/or Linux). Which Bitwarden gives me for free. Though I mostly use Android and Windows today, I assume the other platforms work the same way (non-phones use a web page or browser add-on/extension for access).

    I'll admit LastPass was more hands off (stuff "just worked" a lot better for me). But I've figured out how to adapt. And I've yet to hear of a breach, but lived through at

  • Re: I'm a happy Bitwarden customer

    I really like Bitwarden too, Iâ(TM)ve been using the free version on iOS, Linux and Windows for about 2 years and itâ(TM)s really easy to use. So every website I visit has a different password, I can safely store credit card details and secure notes too. It makes filling in forms and CC details a breeze.

    On Windows and Linux I use the Bitwarden browser plug-in, while on iOS I use the app.

    There is a bit of a learning curve and some websites donâ(TM)t work well with Bitwarden for password entry.

  • Re:

    Last time I looked at it, the inability to store the password database in commodity cloud storage seemed like the main issue. Why would someone bother with the complexity of hosting for something so simple?

    • Re:

      How to install Bitwarden on a linux server [bitwarden.com]
      
      I used PassPack and I was happy with it until the company stopped supporting me, so I switched to 1password and I was happy with it, except for the price at the time of renewal and I needed to save money, so I switched to free Bitwarden and I don't even have to self host it and I am happy with it.

• I started using Bitwarden a few months ago for basically the same reason.

  I think it's OK. I can use it for what I need. My non-techie spouse finds it too subtle. It's not a resounding success although that's not entirely Bitwarden's fault.

  What I would have liked was a feature to import passwords from Chrome to Bitwarden. If anyone knows of such a thing, let me know.

  (How many others run into this dynamic? When someone is working on task X and that requires learning tool Y, they're too busy, stressed, and focused to learn. When they're not working on a task, they have no interest in learning Y because they don't need it right now. It's the lazy man with the leaky roof dynamic.)

  • Re: BitWarden: OK but a bit meh

    Ditto on Bitwarden. Until very recently I just kept my files in an encrypted spreadsheet document on an encrypted drive. But that always made it so I had to be home to get them.

    • Re: BitWarden: OK but a bit meh

      Funny thing was, after 15 years of thinking how clever and secure I was with my encrypted spreadsheet (open office), I found out that it was for some reason storing a copy in plain text on my main (unencrypted) drive. It must've unencrypted and cached it locally... ðY¦

  • Re: BitWarden: OK but a bit meh

    Importing from chrome is easy

    https://bitwarden.com/help/imp... [bitwarden.com]

    Bitwarden is my suggestion too. But if the poster is adamant about a desktop only solution that you don't have access to your passwords on your phone or any other location in a secure manner. Then it's either KeePass or password safe for windows users. Both kinda suck from a UI perspective. But if you need to access your passwords when on the go bitwarden works great. It lets my wife and I share passwords for shared accounts easily and securely

• by ZERO1ZERO ( 948669 ) on Saturday August 05, 2023 @06:50PM (#63743200)

  Whats wrong with keepass? I have used it for years Its pretty simple, easy to use, offline, single db file of passwords, can be accessed using tools on ios mac linux and pc. Why looking for something else?

  • by msk ( 6205 ) on Saturday August 05, 2023 @06:57PM (#63743216)

    Also can be accessed on Android.

    Official KeePass works hard to keep a single database synchronized between multiple open instances.

    For my phone, I use Syncthing in one-way mode to keep its copy updated.

    • Re:

      You can use a free cloud storage provider to keep shared Keepass databases synced. You don't have to trust the cloud provider because the database file is encrypted. You can also of course use you own cloud, e.g. Nextcloud.

      Another option is Joplin. It's not a password manager per-se, but you can store passwords as notes in it, and it does cloud sync with client side encryption.

  • Re: Keepass

    Android too. There are a few compatible ports.

    I use my Yubikey via NFC (Android) and USB (macOS) at unlock time, and sync.com to share the database

  • Re:

    KeePass variants also natively support TOTP, so there's that. Additionally "attributes" for a password are really just something I use daily it feels like.

    My primary frontend in Linux is KeePassXC, my phone (android) uses KeePassDX, and my wife on her phone and tablet uses Keepassium. All of these are awesome clients.

    We keep them synced through the Nexcloud client and it works like a charm!

    I cannot say there are not hiccups from time-to-time, or that it isn't easier than a text file, but I do like that ther

• Since most passwords are used for websites, just use the browser as the storage since it can automatically fill them in for you. Microsoft Edge works great for me.

  • Re:

    Low-criticality stuff? Sure. If your computer or browser gets compromised, that attacker can collect passwords you type in anyways.

    • Re:

      I don't trust Chrome or other web browsers with my bank passwords, but most other passwords, yes.

      Browsers do encrypt saved passwords, you can only decrypt them if you know the Windows logon password. It's not Fort Knox secure, but it's pretty decent unless you have a government agency after you.

  • Terrible idea

    Slashdotters may backup their browser data from time to time but most people wouldn't so that's a bad Idea given that drives die. And this doesn't work well across multiple PCs and OSes.

    And Edge? Ugh, is this a joke?

• I use https://strongboxsafe.com/ [strongboxsafe.com] on my Mac and my iPhone. It uses the keepass database protocol so I can keep it in sync with Keepass on my PC. I still live with regular Keepass GUI on my PC:-(
• Never trust password managers, never write down passwords, use different password schemes for office and home activities.

  • Re: Your brain

    I probably have 1000 different, strong passwords in my password manager.

    I used to make a game of how I'd vary the same password for each site so I could remember them. But this was basically spreading weak passwords all over the place.

    I wouldn't use a commercial password manager online - they seem to get hacked pretty regularly, but other than that, my non-connected manager, which has good random password generation, does a great job.

    Combined with a zero-knowledge sync solution and hardware 2FA, I think I'm

  • Re: Your brain

    So you have a small handful of relatively weak passwords. Good for you. I have over 500 accounts in my password manager and all but all but a few, due to stupid, outdated and insecure password policies on a few sites, have very strong, long and random passphrases/words that quite frankly would be impossible for anyone other than some autistic savant to remember even more than 5 or 6 of them. I inly need to remember my main password to access my vault and maybe 4 or 5 other passwords that never get written

  • Re:

    Only for the tiny number of people that have a memory that makes this easy. For most people, keeping the password for the password manager in memory is already a chore.

    Personally, I have 4 or 5 passwords in memory, and one is for my password store (GnuPG encrypted files), the rest is passwords I use several times each day. I do use random passwords from a CPRNG though, so memorizing them is hard but attacking them is basically impossible.

• I just use the Google Password Manager. Works great on both websites and phone apps, and you just copy/paste into anything else if you need to.

  • Re: Chrome/Google Password Manager

    Yep this is the easy way if you use chrome everywhere, even tells you if any of your passwords get leaked

  • I wish "built into OS" was the best answer too.

    I don't understand why the built-in OS doesn't include a standardized way to share this, and automate use of the shared info inside the OS.

    The browser should talk to the OS through a standard interface. Each OS should expose a similar identification system that links to an encrypted credential. With a simple importer/exporter to sync across platforms with a centralized authority.

    But oh...that's right. Being "profit driven" is the solution to the modern world. They'll never create walled gardens that lim

    • Re: I wish "built into OS" was the best answer too

      It is built into macOS and iOS. If you use iCloud, it automatically syncs between all your Apple devices. This answer is probably pretty unpopular here, though.

  • Re:

    The only issue with Google Password Manager is that if you set up a password for it, you can't view those passwords online. In other words you can only access them from an instance of Chrome that you are logged into.

    It's less of an issue these days because everyone has a phone, but still worth considering as it does affect some people.

    I don't know if Firefox has the same issue, I should check.

• /dev/null -- Easily stores a LOT of passwords -- *and* data -- but retrieval and decryption is a bit tricky.:-)

  • Re:

    Gotta say - I've dumped a LOT of stuff into/dev/null and haven't managed to fill it up yet!

    • Re: Not for everyone, but ...

      It's super effective for lost compression like that.

    • Re:

      Try/dev/full instead. And yes, that's a real device:

      $ ls -l/dev/full

      crw-rw-rw- 1 root root 1, 7 Aug 4 07:54/dev/full

    • Re:

      Back in the day, we set something up to send information to/dev/nul (or some other non-existent device like/dev/rmt0). Nothing like filling up a 2 gig slice on a Sun box:)

      [John]

• by Kili ( 265889 ) on Saturday August 05, 2023 @07:08PM (#63743236)

  If you don't mind commercial software, 1Password is amazing. Mac, Linux, Apple, and Android phones. Oh, winbloze too. It all stays synchronized and "just works" (tm). With a family plane you can have personal and shared vaults. Its commercial software but I am happy to pay for it. It even integrates with the cli so aws or azure or gcp command line tools can get their secrets from it.

  • Re: 1Password

    Agreed, I have been using 1Password for different teams at my company and for the family. Very secure and works great.

  • Re:

    Application error: a client-side exception has occurred (see the browser console for more information).

    Bad code already. Doesn't work on all browsers.

    Costs money

    Lock-in

    'intelligent autofill' - "so you donâ(TM)t have to type or paste your password"

    Bloated, over-complicated.

    Relies on private company not shutting down the service or going bankrupt.

    Not open-source so far as I can tell.

    • Re:

      It’s worked fine for me in Chrome, Brave, Firefox, Edge, Safari, and others. Which browser are you using and did you check to see what the nature of the exception even was?

      This is your only valid complaint.

      Not true. Your data is fully exportable in standard JSON and other formats, and can be imported by every major password manager that it competes with. I’ve exported entire vaults from 1Password to Bitwarden without issue in the past. There are also protected methods for sharing with others, in

• A local password manager that has only very few features: qtpass, a GUI on top of unix CLI tool pass (everything FOSS and it also runs in Windows). In a sense it is similar to KeePass (passwords are stored locally on your computer) and each password file is basically an "encrypted notepad" (it's not a big database, normally each password is in a file, although nothing prevents you from taking note of several passwords in each file). It can use git as well if you are worried of making mistakes. The encryptio

• I've used Padloc(k) (they changed the name) forever. I don't use "the cloud" backup/sync option. Has worked great for me.

• I know this doesn't help the OP who uses Linux, but macOS has Keychain Access [apple.com] under Utilities. It's simple, secure, and gets the job done.

• Not clear if you are looking for an app with helpful features or just a secure place to store data.

  If you are looking for just a secure place to store data, without any features of a password manager, then I like these:
  https://apricorn.com/flash-key... [apricorn.com]

• I use it daily on my laptop, and there’s a program for iOS/iPadOS called pwSafe that uses the exact same file format for storing keys that Password Safe does. You can upload to a Proton Drive account for copying between Windows and Apple if you want to keep those two separate.

  • Re:

    I also use Password Safe, even though, as I understand it, it hasn't been updated in quite some time. I also keep a printed copy of the password list, updated every six months or so, offsite. Very, very, offsite.
• KeePass2 is extremely simple. I don't see how much simpler can it be, without sacrificing security? You enter Kepass2 password and then you can retrieve any password from the database. Sticky note glued to the monitor is simpler but not safer. Flat text file is also simpler but not sufficiently secure.

  • Re:

    The sticky note statistically speaking could well be safer, it's not prone to viruses, trojans or WORMs, the password DB can't be copied by hackers the other side of the planet.

    I supposed an ideal solution would be to use an off-line phone with screen lock and store a password manager on it and use that in conjunction with hardware authentication.

• I currently use a mix of Apple's Keychain, a text file with shorthand/obfuscation, a physical notebook, and some stuff I pipe through OpenSSL... but what I would really want is a physical credit-card sized device with keyboard and display that holds everything "offline." I think out-of-band password storage is pretty important, and once you use the same device for both entering and storing the password it can never really be secure.

• Password Gorilla

  I use it on Linux, but it works in Windows too (and Mac as well for that matter)

• I've used Bitwarden for the last few years and really enjoyed it. Plugins and apps for our phones and browsers make password entering very easy.
  
  Since I take care of all the financials and most of our accounts, we use a family vault so my wife can access everything, particularly if I was to die she wouldn't have difficulty finding or getting everything.
  
  In the event both of us die and leave the kids behind, I have my brother set up as being able to request access. He clicks the button requesting access

• by Lije Baley ( 88936 ) on Saturday August 05, 2023 @08:09PM (#63743318)

  I keep my non-work passwords in a text file in masked form, showing just a few chars to jog my memory. I'm not famous, so this is good enough.

  • Re:

    You're nothing to anyone other than an number or email somewhere on the internet. Very few hackers actually target specifically famous people, and when they do it makes the news. The overwhelming majority of victims are us nobodies.

• No Java, and only minimal javascript for the webUI (does things like hiding passwords until you want to reveal or copy them and query the database at the time; prevents passwords from being visible in view-source and ensures that passwords can't be revealed if your session times out, refreshes TOTP-based 2FA codes...useful stuff).

  TPM is self-hosted; it involves an 'external website' to the extent you want it to - it's happy to be accessed with an IP on a LAN if you want. Or, put it on AWS if you want; it's

• Might have to pirate 1Password7 and get its older Chrome extension. Otherwise Bitwarden does the same for free.

  • Re:

    1Password7 has a local password store. The later versions are subscription-based ripoffs of Bitwarden and don't run standalone.

• Neither do I, I use Emacs. The file is stored on an encrypted disk using cryptsetup [gitlab.com] so that if the machine is stolen my passwords cannot be read.

• I've been using this for quite a while. Works on Windows, Linux, and Android. Most likely Apple products as well.

  https://pwsafe.org/ [pwsafe.org]

  • Re:

    Me, too! Works well for me. And one's confidence is boosted by knowing that one of the early developers was Bruce Schneier, well-known cryptography and security expert. If it was good for him, then it is certainly good enough for me.
• Now I use KeepassXC. Uses the same database as Keepass but has more features, a better interface (in my opinion). And has plugins available for Firefox, Chrome, Edge etc. Free, open source, cross-platform. Has decent docs. Link: https://keepassxc.org/ [keepassxc.org]

• I personally use keepass,

  I don't know if there is anything simpler, I just trust it. I trust it because I've been using it for a while, and it's (the data file) survived 2 disasters and the data recovery. I actually haven't been in a position to really know how secure it is or not, I've not had it tested against being stolen or anything, but I've lost less than the keys to everything I own online to a failed hard disk.

  If you guys never hear from me again, it's either because I've died, or if finally didn'

  • Re:

    KeePass's database is fairly secure, but the application itself does have a local-user security issue. The application has some enterprise-level automation scripting not really appropriate for consumer software. Normally that wouldn't be a problem (just don't use the extra stuff), but considering this programs purpose, it's a bit of a security flaw. For example, a local user can edit config files and tell KeePass to spit out a full plain-text database dump next time a database is logged into. It can do so t

    • Re:

      Interesting! is this documented and/or discussed anywhere? legitimately interested.
      also, thank you.

      • Re:

        Sure! Actually, it was discussed on Slashdot previously [slashdot.org].
        
        The functionality in question is Triggers [keepass.info] and the developers don't consider it a security flaw because it requires an attacker already having write access to the system, which already allows a system to be compromised in a number of other ways. While they're technically right, I disagree [slashdot.org], simply because while other methods to extract the same information via system access such as keyloggers or screen recorders require significantly more technical know

        • Re:

          I mangled that last sentence and submitted prematurely. However, I was basically going to say - while they're technically right that an attacker with write access may be able to compromise other password managers, regardless, having such a trivial method of local compromise really weakens the overall product. Better, I would think, to use a password manager that simply doesn't have a "silently dump my entire database in plain text in the background" configuration option.

          • Re:

            I would say this right access debate from the developer is hugely short sighted. Having write access should be considered as my system is completely compromised. Having his database flaw should be considered as *all* systems and accounts I own being compromised which is significantly worse.

• Pass (Password-store) + QtPass + BrowserPass + PGP keys on Yubikey + GitHub private repo.

  Setup yubikeys easily with: https://github.com/Logicwax/gp... [github.com]

  • Re:

    are all these + signs mean you're like quadruple managing it? like to get a password you have to go through github -> yubikeys ->PGP -> browserpass -> qtpass -> pass?

    I don't know anything about any of this, but is that what you mean? that's crazy, what if you forgot a train of thought while you were unlocking your many thousand layers of security?

    You ever hear of the guy who bought a $10,000 safe to protect a $100 bill?

• I used LastPass for years, almost since they were founded. I had a subscription for most of that time. But they started making changes to their subscription and it became time to leave. I needed one that would work on any computer no matter the location, just about any operating system and most browsers. The only one that really fit was Bitwarden. In a lot of ways it worked like LastPass, so there was no learning curve to speak of. Bitwarden also worked on sites that gave LastPass fits, especi

• I've used it for a mix of personal/business for 5+ years and absolutely love it. It's not free, it's not open source, but it "just works" every time.
  
  Store logins, notes, files (business critical keys), credit cards. Everything unlocked with one master password.

• KeePaxxXC (linux davfs) + KeePass2Android (native webdav support) behind a shared webdav file, database protected with HMAC-SHA1 yubikeys + keyfile stored locally + static key.

  For browser integration with Firefox I have KeepassXC extension. It fills in forms on sites and in apps, on android I can use the Keepass keyboard to form-fill everything including TOTP where occasionally form fields aren't detected.

  This has been a solid solution for years.

• For most personal passwords, I use Chrome's password manager. But for passwords I need to share with my wife, I use a password-protected Word document, using a password we both know. For most things, that's secure enough.

• I use 7Zip to create a ZIP file containing an AES-256 encrypted text file with all my passwords. Very simple & cross-platform. Am I overlooking something, or is what I'm doing acceptably secure?

  • Re: ZIP with AES-256

    Seems to be a solid solution if your password list is static, though I'm constantly adding stuff and to do that you have to create a new file every time, or unencrypt it and add, then re-encrypt no? I found out every time I added passwords to my encrypted open office spreadsheet file that it was creating a local, unencrypted, cached copy on my drive (I found my passwords using hxd, in plain text).

    • Re: ZIP with AES-256

      Perhaps I should say decrypt instead of unencrypt... wondering why it kept flagging that for spelling lol.

• I use the sadly unmaintained TkPasMan [xs4all.nl] which is pretty simple. It's also reasonably secure because although it's unmaintained, the encryption is handled by running openssl aes128 to do symmetric encryption/decryption.

• Happy user for years. Pay for a family plan so everyone can use it, though most donâ(TM)t. Lol.
• Modern vim has a habit of storing things from your editing sessions in dot files; e.g..viminfo. That makes it a poor choice for managing a password list unless your willing to configure it carefully. This is one of those times that a dedicated solution is better than the mighty vim!

• Used to use 1password, but walked away when they moved to a subscription model.
  EnPass does all that 1password did, an it syncs to your choice of cloud if you want to go cross-platform. And for a fixed license price.

• Works on Mac and Windows. I never use sensitive stuff on mobile, but apps exists for mobiles as well. Bonus, can store more than just passwords in the drive.
• The last version is more than 20 years old, no problems, and it's open source

• I've used other solutions but Revelation is definitely my favourite so far. As far as I know it only works on Linux but as I only ever use Linux on my desktop/laptop computers that's fine.

  It stores everything in a single encrypted file, has a nice GUI interface that has options for different record types, has a field for URLs that can be clicked on to open the relevant web site, copy-paste works fine from the user ID and password fields and it has a nice free format text field for keeping note of any other

• When someone asks what PW manager they need, the big question is, what are their needs?

  For example, if they just need it for themselves, then KeePass or KeePass-compatible apps like Strongbox, Keepassium, KeePassDroid, or some others is good enough. If you store your KeePass database on a cloud provider, I recommend creating a keyfile, and copying it via adb or iTunes to all the devices. This way, if someone obtains your KeePass database, there is no feasible way for them to brute force it without comprom

• A password manager (though necessary) can be a huge risk. It is a single point of failure "steal all your credentials and take over your life" type of product. I would never put any truly important passwords into a widely used syncs-stuff-and-magically-integrates-with-browsers product. Because if that stuff gets hacked, you are seriously pwned.

  Personally I use PasswordSafe with some old binaries I have used for years; I figure if those executables were compromised, I would have been hacked already. Decided