
Is there a better cloud-based alternative to LastPass? I see KeePass being mentioned but I’m not interested in the keeping devices in sync myself.



Bitwarden is better, but Vaultwarden (the self-hosted version written in Rust) is the absolute best option. Host it yourself on a free tier VM in one of the clouds, configure a backup solution, and never worry about it again. And you don't need to trust anyone with your passwords.

Use Tailscale if you want to get fancy and keep it off the public internet, or go the easy route and install fail2ban and expose it via a public IP.


> Host it yourself on a free tier VM in one of the clouds, configure a backup solution, and never worry about it again. And you don't need to trust anyone with your passwords.

> Use tailscale if you want to get fancy and keep it off the public internet or go the easy route and install fail2ban and expose it via public IP.

This isn't exactly a slam dunk, considering you now have to be knowledgeable about how to secure a machine that is on the internet and stay up to date with security patches, which even Tailscale itself isn't immune to: https://news.ycombinator.com/item?id=33695886


Can you give some idea why Bitwarden is better?


Open source, self hosted. Has the nice bells and whistles like browser and mobile plugins.


Free for personal use, open source, cloud synced, no device limits. And, as OP mentioned, different server implementations if you want to host it yourself. No idea why people stick to any of the proprietary solutions.


You have no idea why people don’t want to self-host a service? Or don’t have the knowledge to do it (securely)?


You don't need to with Bitwarden; you can if you want to. Like LastPass, by default Bitwarden stores and syncs your passwords online.


I would prefer to not self-host as none of my family (who rely on passwords) are technical, and if anything should happen to me, they would be stuck.


Fully end to end encrypted. The other side to that is there is no account recovery.


How much should you worry about security with a setup like this? I have reasonable Linux skills, but I wouldn’t want my VM to get pwned because I forgot to update it.


Honestly I don't even bother with hosting it in a cloud instance. I host Bitwarden on my home network, and whenever one of my devices opens the Bitwarden browser plugin or mobile app (at home), it will automatically sync everything. From that point on you can continue using Bitwarden without it needing to connect to the server.

So on one hand, I lose the ability to sync when I'm not on my home network. On the other hand, I don't change anything in my Bitwarden server _that_ often, and if I do, I can just quickly do a sync on whatever devices and I'm good to go. With the added benefit of not opening myself up to the outside world.


And what if your TV or thermostat, with access to your private network, gets compromised? Do you have that machine locked down well enough to protect against an inside-the-firewall attack?


Stuff like that goes on a different VLAN that can only talk to the outside world (or not, depending on the case) and not the rest of the intranet.


Here's where I get a little more naive... do you... have one VLAN that's your "normie" network that your Wi-Fi access points expose to all the devices, then the other VLAN is... only within the wired network, so if your phone wants to get to your Bitwarden, it's always going out the Wi-Fi, out the gateway first and back in, kind of thing?

Right now all my "services", which are not Bitwarden-level sensitive, are all on the same network as whatever crap I bought at Home Depot. I have an EdgeMAX router and there is a third NIC I've never used, so I guess I'd finally plug a switch in there! OK, next project I guess.


> How much should you worry about security with a setup like this?

One should be extremely worried about it.


You can “self-host” using a service like Cloudron or (if they’ll still manage it for you) Sandstorm.io.

https://blog.cloudron.io/sharing-passwords-with-teammates/


I can never recommend 1Password enough.

When it comes to hosted options, they are hands down the best. Worth pointing out that they also have integrated 2FA, if you're satisfied with first and second factor living in the same spot.

https://1password.com


> if you're satisfied with first and second factor living in the same spot

It’s no longer “2FA” then.


It is still 2-factor; breaching the password manager is a corner case that you can decide to cover or not. It seems like for critical accounts you should NOT. For derived accounts, it should be better than just a password.


Only very marginally so. Or what would you say storing a (unique, long) password next to a TOTP hash actually achieves?


Well, the TOTP (even in your password manager) defends against phishing, I'd thought, vs. password alone.


For a "service based" password manager, sure. (It can prevent the service from ever handing over your encrypted database to an attacker.)

In a local password manager, it doesn't work like that. A challenge-response mechanism can help there, but the cost/benefit analysis looks pretty different there, IMO.
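To make concrete what this sub-thread is weighing (a TOTP seed stored next to the password), here is an added example, not code from any commenter or from any of the products named: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator and verifier in Python, using the test secret published in the RFCs. It shows that a code is a pure function of the shared seed and the clock: a code captured from a user expires with its 30-second window (what the phishing argument above rests on), whereas whoever holds the seed itself can produce valid codes for any window, which is why keeping the seed in the same vault as the password reduces the second factor to "whatever protects the vault". The `skew` tolerance and the constant-time comparison are the usual server-side choices and are assumptions of this example, not a description of any particular service.

```python
import base64
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# given here in base32 the way authenticator apps and vaults store seeds.
# It is a standards test vector, not anyone's real credential.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a `digits`-long decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Everything the code depends on is the seed and the clock."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    secret = base64.b32decode(padded)
    return hotp(secret, at // step, digits)


def verify_totp(seed_b32: str, code: str, at: int,
                step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either
    side to tolerate clock drift, comparing in constant time. A code from an
    older window is rejected, which is the property that limits a phished code."""
    for window in range(-skew, skew + 1):
        candidate = totp(seed_b32, at + window * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo_phished_code_expires(seed_b32: str = RFC_TEST_SEED_B32) -> dict:
    """Walk through the argument in the thread with real numbers:
    a code captured at t=59 works at t=59 but not two minutes later,
    while the seed holder can still mint a valid code at any time."""
    t_capture = 59
    captured = totp(seed_b32, t_capture)
    t_later = t_capture + 120
    return {
        "captured_code": captured,
        "valid_when_captured": verify_totp(seed_b32, captured, t_capture),
        "valid_two_minutes_later": verify_totp(seed_b32, captured, t_later),
        # Whoever has the seed (e.g. the vault) needs no captured code at all.
        "seed_holder_code_later_valid": verify_totp(seed_b32, totp(seed_b32, t_later), t_later),
    }


if __name__ == "__main__":
    for key, value in demo_phished_code_expires().items():
        print(f"{key}: {value}")
```

Running the block prints the 6-digit code for the RFC test seed at t=59 (`287082`, matching the RFC 4226 vector for counter 1) and shows it is accepted at capture time but refused two minutes later, while a fresh code minted from the seed is accepted.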


Eh, it's still a lot better than SMS 2FA.


What about 1password is inherently safer though?


I'd suggest reading their security page[0] and the write-ups others like Troy Hunt have done[1][2].

[0] https://1password.com/security/

[1] https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...

[2] https://haveibeenpwned.com/1Password


What exactly about 1Password is safer, including their cloud hosted options?

Curious as I may look at multiple options.



What exactly about 1Password is safer, including their cloud hosted options?

Curious as I may switch.


This costs a monthly subscription.


I mean, we're talking about a monthly fee that is less than a cup of coffee; it's not exactly an exorbitant amount.


I don't pay for coffee either.


...and you eat only what you kill with bare hands right?


Good. When it comes to hosted options, this is one I'd rather pay for to ensure long-term sustainability.

If nobody is paying, they are probably the product.


I’ll second the 1Password recommendations, it’s fantastic software that is becoming better and better. If you’re comfortable with cloud syncing, I can’t imagine a better option than 1Password.

A top 1Password tip is that the business plans include free family plans for every member, so if you can get your employer to use 1Password then you’ll be able to get your personal account for free (which would include your family, too). A very underrated deal!

I recently logged back into my old LastPass account after 5 years and it was fascinating just how bad it is compared to 1Password.


> A top 1Password tip is that the business plans include free family plans for every member

Oh wow, thanks for that tip. My employer has 1Password Business and I had no idea about the deal: https://support.1password.com/link-family/


I've been pretty happy with cloud-hosted Bitwarden. I used 1Password at work on macOS and the form fill didn't seem to work quite as well (that was ~2020-2021, so maybe things have changed).

Not sure about 1Password on Android, but Bitwarden works very well for me there (much better than LastPass, which AFAIK required a subscription to use the app).


Enpass may be worth a look.

It doesn't do cloud syncing itself, but it lets you pick from a number of different providers (Dropbox, iCloud, OneDrive, plus a few others) which you probably already use.



The built-in password manager in Chrome. Nothing to install and works seamlessly across all devices.


1Password.


Dashlane, 1Password & Bitwarden are the most popular I believe.

