Ask HN: How do you manage your passwords in 2023?
89 points by pentab on Jan 1, 2023 | 175 comments
I have yet to find a password management solution which is:

- secure

- easy to use

- accessible on multiple devices (home PC, work PC, and ideally phone)

I currently use a mixture of KeePassX (synced manually using SSH) and stored passwords (e.g., in my browser). But I keep thinking that there MUST be a better solution.




I'm all in on Bitwarden at this point. It's the place where I keep all my credit cards, secure notes and about 500 logins. A vast majority of these logins have passwords generated by Bitwarden itself.

I'm confident even if BW goes down I can still recover my data since the vault works offline too. While the browser extension could use some UX work the mobile apps have been top-notch and sharing passwords with my spouse has been a bliss.

I bought myself a dedicated server earlier in December and will be migrating to Vaultwarden pretty soon.


Sounds like you're very happy with Bitwarden, and confident that if they go down you wouldn't lose access to your secrets.

Can I ask why the desire to switch to Vaultwarden? I assume if a significant slice of the userbase did this, the project would suffer—so I'm asking this question genuinely as an avid Bitwarden supporter myself.

I hope they don't have to rely solely on VC funding; it seems that VCs' motives would be precisely orthogonal to my own in terms of privacy and feature roadmap.


I run Vaultwarden and still buy a license. I wish they’d offer an optional self-hosted license specifically for those who want to support the project while hosting their own server.


Are you buying a license just to support BW? Or is there any other benefit?


Not them, but vaultwarden doesn't accept the license file, so it's surely just to support. I'm planning on doing the same thing at some point.


I trust bitwarden enough as of now and I don't see any privacy issues with them..... yet!

The main reason I'm switching is for the fun in it and having my data under my complete control. And, to save some money, for me and some friends, for whatever it is worth.


Note that file attachments are not stored in the json file that contains the vault, so if you care about those you still have to back them up some other way.


I'm aware of this but thanks for reminding! You can also do a full search for such specific entries like this btw:

>attachments:*


How good is it for iOS/OSX? I use Enpass, and if I don't open it all the time (and retype the master pwd!) then it doesn't catch most logins, and now I have a lot of them in the Apple system instead.

I wonder which one is truly transparent (I work mostly on Mac/iOS but still need other platforms)


I’ve been using Bitwarden for 2 years now, and I feel like completion has continuously improved. It uses the built-in auto fill feature on iOS and it works pretty well. Whenever I see a login form, I see the auto fill toolbar appear. I click on it, unlock Bitwarden with FaceID and it auto fills fine.

I had quite a few apps in the beginning where I needed to manually open BW to copy paste my username/password, but it doesn't seem to happen to me anymore.


I use BitWarden on iOS and it is pretty much the same as the default iOS auto fill (which is iCloud?). It uses the system auto fill service, and the detection of password fields to show the auto fill option and the filling of the password are done by that service, not BitWarden. You can actually use two active auto fill services (say BitWarden and iCloud; I did when I was testing the waters), and you will get a prompt to choose which one you want to use.


Speaking of the browser extension UX, for those who don't know, the keyboard shortcut for filling in your login details is ctrl-shift-L.


Please document your migration (and backup strategy!)


Sure. When I do the migration, I will come back to this and keep you posted!


I use 1Password. It isn't perfect, but it's quite good.

My big goal now is to come up with a better solution for 2FA that works for me and my wife's shared accounts.


1Password with shared vaults and OTP fields works well for this.

I understand the idea of putting both factors in one place is odd, but I feel it strikes the right balance between the convenience and security.


> the idea of putting both factors in one place is odd

This is AKA "one factor", right?


If your password is compromised they still don't have access to your OTP, so 2 factor. If your password manager is compromised then they have both, 1 factor.

I'm no math wiz but pretty sure that makes it a 1.5 factor


Right, presumably with a password manager you're using a totally random string as your password too, coupled with different passwords for each site. So there are a combination of factors that make it still much more secure than just "both factors in one place", since neither factor can easily be guessed.

The main threat vector would be, as you mentioned, compromise of the actual password manager.

As far as I can tell, 1Password’s end to end encrypted architecture makes this less probable.

That would reduce the main risks to our actual devices.


Sort of.

TOTP MFA is crap anyway because it has no passcode, it is so trivial to sync, and it's common for people to do so. So in scenarios where people close to you are a risk, or you're dealing with other people's data, it's a pretty weak control. It's great for preventing spray attacks and mitigating some compromise scenarios.

It’s likely members of your household, friends, coworkers have access to shared devices or shared vaults in 1Password. That makes that type of MFA more like 1.5 factor vs 2 factor.


1Password is itself a two factor app. The password is something you know and the secret key is something you have. Definitely counter-intuitive, but like how your operating system can contain both your password and your 2FA app, or your desk can contain your computer and your hardware key.

Whether you want to be one bad front-end UI deployment away from both factors being exposed, fair question...


Aren’t you using 1Password for generating one time passwords? Or do you deliberately want to keep them out of it?


I haven't been, but I should look into it.

But the shared accounts that are my pain point only offer SMS OTP.


I had this same issue. Use a shared vault with OTP. Anyone with access to the vault can see the same 2FA code.

As for shared SMS, look into Google Voice. They automatically forward SMS texts to email as an option. I created a "shared" email account and gave my family access to that.


A lot of sites won't allow you to use a Google Voice number for your 2FA. There are services now that will validate if a number is VOIP, and then the site you're on can choose to filter those at the application level.

I did find a way around this, in that I had a real number, added all my 2FA accounts to it, and then ported the number to Google Voice, but this isn't a long term solution. Idk how long Google Voice will stick around, but I have found a couple backup options that are low cost if I need to keep the number long term.


I hope their desktop app is better now. Last time I took a look, the whole vault was decrypted in memory, and even when it timed out and requested the user's password, I was still able to inspect memory and retrieve the plaintext passwords.


I use 1password OTP for everything that I don't care about that people can't do real damage (YNAB, LinkedIn, etc). But anything important like my email account or bank accounts I keep on my phone using Raivo.


I'm staying on 1Password 7 to avoid their subscription fees, and using synced, shared vaults to have access on my devices too (and share vaults with others as necessary). There's some duplication in Apple Keychain and Firefox for convenience.

I use 1Password's built-in 2FA (TOTP), but only for a couple of accounts as I find it unwieldy generally. I'm also keeping an eye on how passkeys develop over time.


I still use KeePassXC and sync with cron jobs to Chroot SFTP-Only servers wrapped in a further encrypted file, then conversely use cron to pull the file to devices. I do not personally foresee ever using any of the commercial solutions. I also use this to sync bookmarks.

If KeePassXC one day becomes unmaintained I will make my own custom tool, probably using sqlite+openssl+bash. I only log into one semi-sensitive thing on my phone so I don't bother syncing to that device.


How do you avoid merge conflicts? Do you only ever edit your KeePassXC files on one machine?


> Do you only ever edit your KeePassXC files on one machine?

Most of the time, yes. I can edit the copy and push it back to the SFTP server but that push is manual. I have done that from time to time. I do not share the file with anyone else so I always have confidence which version is up to date. I also have rsnapshot copies of the files.


Some versions of KeePass support a synchronisation which gets around collisions.


ditto.. KeePassXC + contemporary cloud store


I recommend syncthing


I use - and pay for - BitWarden.

It does all the things you ask for. With the paid version I can share passwords with my spouse for relatively unimportant things (like Netflix) in a reasonably secure manner.

I could self host and run it myself. But I'm not a multi-person team with decades of security engineering experience. So I gladly let someone else take on that burden.


You don't need to be a multi-person team or have a lot of security experience to host Bitwarden.

I'm very positive Bitwarden won't get hungry for money looking at their revenue models, but there's always Vaultwarden you can self host. It's pretty popular and secure. I'll be deploying soon for myself.


I'm sure that's true. But when it comes to the thing with my bank's passwords, I'd rather trust a team of professionals.

This morning I loaded up the dishwasher, switched it on, and completely forgot to add a cleaning tablet. I don't want the responsibility of forgetting to update a critical patch or misconfiguring an obscure YAML file.


Without a security background, it’s hard to evaluate whether what you are doing is secure or not. You don’t know what you don’t know; unknown unknowns etc


This is a valid point. I feel savvy with a lot of things but this is not an area where I'm willing to take risks.


Given that the cloud password managers are much bigger targets, self-hosting may actually lower your risk.


I'm in the same boat. Another great reason to use Bitwarden is the ability for my wife to recover my passwords if something happens to me. We share most things but there are certain semi-important things that only I have the password to. If something happens to me my wife can get access to those semi-important things fairly easily.


1Password, it “just works” most of the time, the desktop and mobile UI is nice and polished and it works pretty well on iOS. I’m happy to pay for that. Previously was using LastPass and 1Password is definitely nicer and more polished.


KeePassXC for password management and Syncthing for syncing across devices. Everything is available offline and syncs on network availability. Working well for years now.


Syncthing and keepass are a perfect combination, if you also combine them with some kind of offsite automatic backups.


My setup too. However, this year I would like to give a go to self hosted Bitwarden in a RaspberryPi. Just for the satisfaction of it.


Set up Vaultwarden in Docker on a rockpro64 yesterday. It's interesting, but I think it will not do it, as I don't see myself having the ability to keep it on consistently without issues. But I decided to give it a go since I am away from home until the 27th of January without the ability to restart the SBC if it goes offline, so it will be a good way to test reliability.


Just commented about my setup here: https://news.ycombinator.com/item?id=34207417 :D.

Definitely worth the slight effort, for all the gains.


Thank you for that. One question, do you use the default SQLite database storage backend or something else? What about backups?


I use KeePass with Google Drive; it works fine even on Linux via rclone and is very easy to set up.


1Pass, a family account, primarily for the sharing features, and the good integrations into iOS.

The biggest challenge with passwords was finding a tool for the whole family, which is more important than the most secure. If not, then it won't be used and we'll be back at the days of sharing "the family password" on everything. Yes, that password is on HIBP.

As a couple we have a shared vault that most things go into. We have equal access, she's a full admin.

As a family we have a shared vault for lower-tier things that the kids also need access to.

They all know to create passwords in 1Pass and save them into their vaults. It's not always perfect, but it's a great start. Generally we'll do 2FA within 1Pass, which is another weakness, but again, some 2FA is better than no 2FA, and OTP is vastly better than SMS.

Also saves a lot of problems with the kids (in this case ages 10+) not knowing their iCloud, Roblox, etc passwords. They're all saved, either of us can look them up.

The kids have had their accounts hacked and socially engineered, and also seen friends share their passwords which turn out to be their passwords to everything, and so get their more important stuff hacked (eg. as a teen their Snapchat seems pretty vital).

Overall 1Pass has a great security track record, their support has been friendly and useful, and I've had friends of friends I respect work there who are pretty trustworthy.

It's not the best app (but having used some others it's also pretty good).

Personally I have Yubikeys for 2FA for critical services that support them.

I also don't want to have to support this myself. Password access is pretty critical, and has a low SLA, must work. I've done on-call tech-support for over a decade, I don't do it at home. So, no home-hosted stuff.


1password everywhere. Employer pays for it, and I have a separate vault for personal and work credentials, meaning I don't have any work credentials on personal devices and work has no claim over my personal credentials. Works on my iPad, MacBook, windows workstation and android phone seamlessly.

My only complaint is that it doesn't let me use a yubikey as a primary method of authentication on windows - all my other devices have biometric authentication.


I find KeePassX plus Owncloud to be perfect for my needs. I have all my passwords with me and even if there are some synchronisation issues every once in a while, it works out sufficiently well and is very low-maintenance.


FYI: KeePassX had its last release in 10/2016 and the development has been stopped: https://www.keepassx.org/index.html%3Fp=636.html


Sorry, stupid typo, I meant to write KeePassXC :-|


Give KeePassXC and the browser extension a try.


Huge fan of 1Password.

Used it personally for nearly a decade and introduced it at work. Happy 1Password Business users and that gives all our employees free personal accounts (that we can’t see or touch) as an added benefit.


I exclusively self-host Vaultwarden behind a VPN and firewall with a custom domain. Changes are automatically managed and deployed through GitHub CI/CD.

I have wireguard VPN on all my devices tunneled into my server. I also self-host the VPN since vaultwarden runs on a local Docker intranet.

If people are interested, I was going to write a step by step blog.

Less technical, but I also get yubikey and duo 2factor push auth out of the box with Vaultwarden! (Open source rust implementation of Bitwarden)


I'd like to mention I would be interested if you ever did a write up


Firefox is enough for me.

On mobile you can enable the option to auto-fill passwords for apps, and it lets you use the fingerprint sensor to access the list quickly > select the account > auto fill :)


I've been using and paying for Bitwarden for almost two years now. However recently I purchased a Raspberry Pi, so now I've completely shifted to self-hosting Bitwarden (using Vaultwarden[0]) on it. On top of it, I've attached a custom subdomain to the server through Cloudflare Tunnel, so even behind non-static IP address it works well (with SSL).

No privacy or security issues now since I own all my data, no subscription fees, and no complaints till now with the self-hosted setup. Definitely would recommend!

[0] https://github.com/dani-garcia/vaultwarden


For a long while I've trusted and used various KeePass ports/forks on my phone and laptops and stored the password file in cloud storage.

With the recent LastPass exposure, the supply-chain attack on PyTorch, and needing to be vigilant and avoid granting apps access to my cloud drive, I've actually just been reviewing my setup and workflow.

Here's what I'm planning to change...

Phone: Switching from MiniKeePass to KeePassium. I've found it's not too difficult to build KeePassium from source and install without needing an Apple Developer subscription. This means I can properly audit the code and control/verify all updates.

Laptops: Start building KeePassXC from source. In the short term, I'll be more diligent in obtaining updated versions from trusted sources and using PGP to verify the package.

File sync: Start storing the password file on a self-hosted file server. Having recently set up Tailscale on all my devices, it's now convenient to manage Samba and remove cloud storage from the system. In case the SMB share is inaccessible, I'll fall back to the backups kept by KeePassium and use cron+rsync to maintain a secondary copy on my laptop.

Backups: I'm planning to periodically back up to a hardware keypad encrypted USB drive. In comparison to a regular USB / external drive, the hardware encryption makes it harder for somebody to quickly make a copy of the password file and take it away to be brute-forced.

Would welcome any pointers on things I may not be considering or suggestions for improvement!


1Password on Windows/Mac/Linux/Mobile

Used keepass and pass for years but got fed up with them. Switched to 1Password this year and never looked back.


Firefox. It's not perfect especially on Android (I have to manually copy the password instead of it auto-filling) but it's good enough.


Fwiw it's the app's fault when that doesn't work, not Firefox's or Android's. (I too encounter it frequently and it's annoying. I still have and use the Lockwise precursor app, because it's easier to copy from than Firefox when this happens.)


have you tried firefox sync? recently gave it a try and on android it works seamlessly. Cross browser integration is an extra step though.


Yes, that's what I meant. I use two PCs and two Android phones and Firefox Sync keeps my passwords across all devices.


Same. It is not perfect but works.


Default macOS/iOS password manager. Chrome doesn't use it, but everything else does.


Yes I’ve moved to this from Dashlane, it’s much better and integrates flawlessly with all my devices. Why do I need another piece of software when the MacOS default is so good?


Does it support notes, attachments, etc.? Last time I checked it didn’t seem to, which makes it unviable if you use those features in your password manager.


It does support secure notes, but you have to use the Mac's Keychain Access app.


Sorry, I meant notes associated with each site/password. Sometimes you want to record not only a site’s username and password, but also some extra data, so having a notes field comes in handy.


Yes it does, I keep my recovery codes there.


This is what I do. As well as SSH keys.



Seems to be rated very low


I’m still in LastPass!

How at risk am I?

If I move to something else, are those services not just at risk too at some point?

I’d hope LP would be doing more at this point.

IDK! Help!


I moved to iCloud keychain from LastPass, then changed my most important passwords (financial, social media, major tech accounts, any place with recent credit card info)

If you're using Apple stuff almost exclusively (Safari, iOS, OS X) it seems to offer the best integration. I have light password sharing needs. It can AirDrop passwords to people in my contacts, but they won't get password changes.

I made sure to make my device and Apple ID passwords very strong. I'm not sure which it encrypts with. But with FaceID, it's not a big deal to make an iPhone passcode an actual long passphrase and not a PIN number.

My main concern is I don’t feel I have a lot of transparency in how it works. And using passwords outside the Apple ecosystem will be difficult.


If you have a Mac use keychain. I never understood why Mac users use external tools.. I mean really? Why? Perhaps if you manage a team at work ok.. but single user subscriptions?

For Linux and windows i would use keepassx.


There are several issues with the macOS/iOS Keychain:

- it does not understand that some accounts are used on multiple domains, does not allow you to modify domains, or have more than one. For example something like microsoft.com, live.com, microsoftpassword.com. I believe maybe microsoft cleaned it up and use now only one domain, but websites like that still exist.

- multiple accounts for the same website just need to have a title to name them. Say you have 2 AWS accounts and each has a user root. How would you identify them?

- password sharing is a big issue as well, within the family.


I briefly moved to Keychain from 1Password when they went Electron, but the experience of actually managing credentials is so bad in comparison that the experiment lasted less than three months.

At minimum, Apple needs to make Keychain a standalone app instead of a half-baked settings dialog for it to even be considered an option imo.


It’s a legacy OSX component that exists by the grace of benign neglect. Apple will suddenly “fix” it someday.


I would use Keychain with its iCloud sync if I didn't occasionally use non-Apple devices.


Any thoughts on Bruce Schneier's Password Safe?

https://www.schneier.com/academic/passsafe/


Stored encrypted using gpg, in a git repo which is synced using syncthing: https://www.passwordstore.org/


FYI, gpg is soon considered insecure, even now.


You can’t make a statement like that without clarifying what you mean and sharing some alternative to gpg


It's less about the algorithm, but more how gpg/pgp is constructed/used. No forward secrecy, leaks info, bad text authentication, and other. Those things maybe can be fixed, but they're not.

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

Edit: an alternative for file encryption is age, fast simple and secure. Signing is signify.


What would you recommend, NaCl? Signify?


I would recommend using signify. That's what security researchers also recommend. Simple and elegant tool, designed only for signing, unlike gpg which is used for encrypting and signing as well.


lol


Since I'm using all Apple devices after a short foray with 1Password I've switched to an app called Strongbox on macOS and iOS. It's the only app I know of that uses Apple's AutoFill API on macOS and thus works without any extension in Safari and feels like the native Keychain.

On top of that, it supports syncing the database via iCloud, WebDAV, SFTP, Dropbox and a few other services. And it uses a bog standard KeePass2 database for storage, so you can use it with KeePassXC on Windows or any other KP2-compatible app. This also means that there's always a way to get to your data should Strongbox disappear.


Before I used password managers I would just keep a monolithic text file with all the relevant information for sites and password and also keep notes. I was using vim encryption at the time. This was a bad idea because the vim encryption doesn't really follow cryptography best practices for example the encryption isn't authenticated.

The first password manager I started with is LastPass in 2014 when it was recommended to me by a password security expert in academia. I used a memorable human generated passphrase with enough twists to get about 80 bits of entropy, so if my old encrypted data is in the wild (doubtful), I'm not really concerned about the recent breach.

I've since been all in on 1Password since 2017, after LastPass was getting progressively worse and I sought out a new password manager. I've examined the security design whitepaper, and most of the choices when it comes to cryptographic protocol design are pretty good, no real homebrew, and should stand the test of time, but there are still better choices that can be made about protocols, such as PAKE, that'd be better in 2023. Anyways, the 1Password UI is pretty good.

I also make backups of 1Password using the command line interface in case they decide to kick me off their systems or something happens where I can't make payments for years. The backups are then encrypted using the scrypt tool.

If I was to get off password managers completely, I wouldn't bother with these password management tools like Keepass etc. as they constrain you to their UIs and don't do an adequate job of doing things like browser autofills. I'd rather just go back to a plaintext file and encrypt/decrypt with scrypt or age.


    openssl rand -base64 25 | cut -c1-25
Then https://www.passwordstore.org/

This GUI for it under Windows https://github.com/geluk/pass-winmenu

And this iOS app on phone https://github.com/mssun/passforios
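The `openssl rand -base64 25 | cut -c1-25` pipeline above keeps 25 of the 36 characters openssl prints, i.e. 150 of the 200 random bits. As an added example, not from the comment or from the pass project, here is a Python reproduction that also shows how the entropy shrinks when the byte count is too small for the cut; the word-list size and guess rate in the tests are constructed assumptions.

```python
import base64
import math
import secrets
import string

# Alphabet `openssl rand -base64` emits, excluding the '=' padding.
B64_CHARS = set(string.ascii_letters + string.digits + "+/")


def base64_length(n_bytes: int) -> int:
    """Characters openssl prints for n random bytes, '=' padding included."""
    return 4 * math.ceil(n_bytes / 3)


def cut_entropy_bits(n_bytes: int, keep: int) -> float:
    """Entropy of the first `keep` chars of base64(n_bytes random bytes).
    Each data character carries 6 bits, '=' padding carries none, and the
    string can never hold more than the 8*n_bytes bits that went into it."""
    padding = (-n_bytes) % 3
    data_chars = base64_length(n_bytes) - padding
    return float(min(min(keep, data_chars) * 6, 8 * n_bytes))


def openssl_style_password(n_bytes: int = 25, keep: int = 25) -> str:
    """Same output shape as `openssl rand -base64 N | cut -c1-K`, using the secrets module.
    If N is too small, the result is shorter than K, just as the shell pipeline would be."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode()[:keep]


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a word list."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the entire keyspace at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    print(openssl_style_password(), cut_entropy_bits(25, 25), "bits")
    print(openssl_style_password(18, 25), cut_entropy_bits(18, 25), "bits (too few bytes)")
```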


Just 1Password with a long, randomly generated password. The more complicated you make your password management system the more likely you are to have an issue.


I have started using pass (https://www.passwordstore.org) since last year and I'm quite happy with it. The main advantage of using pass is the feeling that I have control over my passwords, and I also understand the process. If you decide to give it a try, make sure to have a look at the available extensions.


KeePass Password Safe on desktop and Keepass2Android Password Safe on my Android. The database is synced on my own server.


I store my credentials in plain text files on an encrypted disk image, and I back them up onto an ironkey. Secure and easy to use? Seems so! But it's not especially easy to access on multiple devices, and that's by design. As a rule I don't want my personal data living on hardware which belongs to my employer, and phones are too easily lost or stolen. For everything else, there's scp or thumb drives.

Online password managers never made much sense to me; one by one, they eventually all get hacked. And why not? A centralized service storing thousands of people's credentials makes a great big juicy target. Their security is undoubtedly better than mine, but my personal laptop is not likely to be worth anyone's time.

For the same reason, I don't let browsers store passwords either.


You don't have to get an online one. There are offline ones like KeePassXC which are a lot more convenient to use than a file.


Strongbox on desktop and mobile. It uses keepass file format to store databases but I prefer the ui.


I was a 1Password customer before, but work pays for a family plan now, so it makes too much sense.


One of my major goals for 2023 is to migrate as much as feasible from passwords to tokens or at least passkeys. NitroKeys or YubiKeys for that. Process has already begun, but I definitely hope to see that accelerate big time (at long, long last) this year. Feels like there is serious industry momentum from the big players this time, and that cost, UX, support in frameworks to make it easy for non-sec webdevs, may all finally start to reach the tipping point. US Government is onboard now too, having dumped lots of obsolete terrible advice for a refreshingly great set of modern guidelines and updating government service sites in general for good uniform login with hardware token support. Ideally I'd like to see that become more universal for various web GUIs/access for services too (OPNsense in particular, which I now use for firewall/gateway services and is probably one of the more security critical bits of my infra).

Passwords though will have a very long tail even in the most optimistic scenarios, so yes password managers aren't going anywhere for a while yet. What I use right now is 1Password 7 with a slow migration towards Bitwarden clients and a self-hosted Vaultwarden server. I still have a standalone license and still have shared vaults in Dropbox, I will not be moving to the electron based 1P8. So end of the line on that decade+ journey I'm afraid, I'm disappointed with what happened with them but so it goes. Bitwarden/Vaultwarden seem solid to me so far though, and have client support across a range of devices. Nebula or Wireguard make keeping a bunch of selfhosted services accessible in a reasonably secure way pretty easy, and almost more importantly once setup have been rock solid reliable for me. Wrapping my head around them and making sure I had it all figured out certainly took a bit of time early on, but once setup it's Just Worked™ without being touched a single time ever again. No specific 3rd party dependencies is attractive.

If you have family/friends/coworkers to deal with though obviously the needs of the group are going to have to factor in on some level, and you may find you need to either run a few different things or compromise somewhat/pay more.


I have over 1,000 logins in Bitwarden. I got a new Yubikey last year and found maybe a dozen sites which support it.

I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.


>I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.

Oh for sure, like I said passwords will undoubtedly have a long tail. Even more so for internal apps/hardware; I routinely deal with old stuff that I have to keep old browsers around to access since newer ones no longer will work, or re-enable old SSH negotiation or whatever. I'm just hoping 2023 is when we start to see a critical mass, and further that it ends up being a non-linear adoption curve that goes better than we might expect. If it becomes a standard check box item for insurance or security assessments or interacting with other companies/government and gets integrated as default into widely used frameworks it might go quicker. I also expect adoption not to be randomly distributed, with important tech services more likely to pick it up or use it already. If financial and medical do as well then that'd hit a lot of the most vital ones even if it's not a plurality.

Realistically it'll probably take another few years after hitting the tipping point to truly ramp, since there are clearly remaining hardware and software rough edges to sand down/refine. But if 2023 proves the start of an S-curve I'll be happy.


Ah, this is what I wanted to hear about Yubikeys. The dozen sites that support it. It feels like a huge PITA to have two systems to log in. I'll pass till it becomes more mainstream.


Hash of a salt stored in my brain unlocks the password vault.

This doesn't work well on mobile though, since hashes aren't typable.

One of my New Years todos today is to set up a mnemonic for my phone.

That, paired with disappearing messages and making individual apps require a touchID will make it very difficult for folks to be… nebby.

Biometrics are easy to spoof or steal, whereas a fourteen digit mnemonic of the Shakespeare lines you used to quote will be easy to type, easy to remember, and take years and/or a targeted effort to crack.

(Also I hope it goes without saying that nothing from Bill ever unlocked my box - examples are fictionalized.)


I just use iCloud. I’m fully in on iCloud now that they support custom domains, even moved my gsuite over this holiday season.

The password manager is enough for me and just works (tm) with all my devices. It even supports 2FA. I used LastPass until the most recent hack. I prefer iCloud's keychain so far.

The only problem is using Chrome. There are no extensions for keychain so I have to copy paste the password into Chromes manager if I want to use it. But Safari works for most of my purposes anyways.

I’ve only been on this setup for about a week but so far I love it. It’s so simple and works, I doubt I’ll ever move.


I’ve been doing this for a while too. I used lastpass for a couple of years then bounced between dashlane and 1Password for a bit, but when apple added 2fa I dropped everything else and use it exclusively.

There are some UX things I would like to see improved, notably I would really like to manually edit the list of domains for a given password. Overall though I have been very happy and I feel like my daily needs are simplified.


Bitwarden does all my password and OTP management. Works on any browser and operating system, it's open source and audited. All the services I use have 2FA enabled, and I try to avoid SMS second factor as much as possible.

My email and Bitwarden itself are secured by two Yubikeys, one is always on my person on my keychain, the other is physically stored away from my house. I have an AirTag on my keychain because losing your keys is a pain in the butt.

This is a cheap yet very secure system for most people that care about security but are not persecuted by police or government agencies.


I use KeepassXC distributed via NextCloud.


Would recommend Syncthing (with e.g. simple file backups) instead to not have to rely on a central server. Even allows fully encrypted nodes.


I developed Authorizer to have a cross-platform solution without any server/cloud-service. It is an offline hardware password manager based on PasswdSafe for Android. The concept is to use an old Android phone as your password manager. It can type the password over USB and Bluetooth on your target device. Supports OTP.

Smartcard and WebAuthn support are on the roadmap. Also doing a lot of modernization in the next weeks. https://github.com/tejado/Authorizer


So all these people are posting with likely their normal accounts and announcing their security posture to the world… feels insecure ironically.

I miss having a solution that was locally synced across multi platform.


At least you found a way to feel superior


Haha, wasn’t trying to do that at all. More just “does knowing that X person uses a particular password manager make them more vulnerable”. I’m not in cybersecurity and I know they discourage security by obfuscation so perhaps not sharing password manager deets falls under that dubious practice and I worry for nothing.


I think most people have a higher chance of being helped out by a nerd-sniped stranger than targeted.

I.e. chances are pretty low of being spotted by someone inclined to do something bad with it, who also has reason to think you're protecting something worthwhile; but the chances of someone on HN telling you you're doing it wrong and it could be trivially done so much more securely..!


I use keepassxc to store my passwords. The Android app syncs with a file stored on my home server via SSH. No need to sync it manually, the Android app automatically checks for remote changes and copies the file over when you make changes on the app.

The password file on my server resides in a folder that's synced across all my computers using syncthing. My home server also runs an OpenVPN server so all my devices can talk to each other.

Everything is self hosted and runs on open source software. I'm pretty happy with my setup.


Why not only syncthing? That's what I've been doing to sync across devices (Android, Linux and Mac).


Mostly for legacy reasons... my KeepassXC Android ssh setup predates setting up syncthing. I suppose I could change it to syncthing but it works well as is and there's no real reason to.
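An added example for the "copy the .kdbx between devices over SSH or Syncthing" setups described in the two comments above; it is not KeePassXC's, Syncthing's or either commenter's code. The one check a practitioner wants in that setup is conflict detection: a blind copy in either direction silently discards whichever side was edited last. The snippet records the hash seen at the last good sync and only pushes or pulls when exactly one side has changed since then; otherwise it keeps both copies for a manual merge. It assumes the remote copy is reachable as a local path (an sshfs mount or a Syncthing folder); all file names are hypothetical.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path

# Added example, not KeePassXC's or Syncthing's code. It decides whether a
# .kdbx can be copied between two locations without clobbering an edit made
# on the other side, by remembering the hash seen at the last good sync.
# The remote copy is assumed to be reachable as a path (e.g. an sshfs or
# Syncthing folder); file names are hypothetical.


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan(local: Path, remote: Path, state: Path) -> str:
    """Three-way compare: returns 'in-sync', 'push', 'pull' or 'conflict'."""
    base = json.loads(state.read_text()).get("last_synced") if state.exists() else None
    l, r = sha256_of(local), sha256_of(remote)
    if l == r:
        return "in-sync"
    if base is None:
        return "conflict"      # no history, so we cannot tell which side changed
    if r == base:
        return "push"          # only the local copy changed since the last sync
    if l == base:
        return "pull"          # only the remote copy changed since the last sync
    return "conflict"          # both changed: never overwrite either side


def _backup(path: Path) -> Path:
    dst = path.with_name(f"{path.stem}.bak-{int(time.time())}{path.suffix}")
    shutil.copy2(path, dst)
    return dst


def sync(local: Path, remote: Path, state: Path) -> str:
    """Apply the plan; on conflict keep both copies for a manual merge
    (KeePassXC: Database > Merge From Database)."""
    action = plan(local, remote, state)
    if action == "push":
        _backup(remote)
        shutil.copy2(local, remote)
    elif action == "pull":
        _backup(local)
        shutil.copy2(remote, local)
    elif action == "conflict":
        side = local.with_name(f"{local.stem}.conflict-{int(time.time())}{local.suffix}")
        shutil.copy2(remote, side)
        return action          # state is left untouched until the user merges
    state.write_text(json.dumps({"last_synced": sha256_of(local)}))
    return action


if __name__ == "__main__":
    import sys
    print(sync(Path(sys.argv[1]), Path(sys.argv[2]), Path(sys.argv[3])))
```

Run it as `sync.py local.kdbx /mnt/remote/local.kdbx .kdbx-sync-state.json` after each edit on one side. The state file is the only thing that lets the script distinguish "remote changed" from "local changed", so keep one per device pair and never share it through the same sync folder.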


KeepassXC sync'd with onedrive. I use a certificate key that I only move with USB, and a Yubikey to limit the attack area if someone were to gain access.

Keepass2android works very well. For the longest time I avoided the browser extension since it's a weak spot, and instead relied on auto-type. I finally caved in since most websites nowadays use a UI that asks for the user name first and then the password because reasons. The browser extension is very finicky and doesn't complete half of the time.


KeepassXC supports custom auto type sequences, such as "name, enter, wait, pw, enter" for sites that ask the password on a second page.


I memorize all my passwords; they’re different but they all follow a similar format, so it’s not difficult to keep them all straight. There’s a couple variants of the format that I can cycle through when I need to change a password. The format involves the name of the service and a “salt” string, as well as some special character and uppercase/lowercase patterns. It’s quite nice to be able to keep everything in my head without needing to worry about a password manager!


I used to do that too. When I started to fret about forgetting any one of my scores of passwords, I switched to a password manager. Now I never worry about losing a password, I use more secure passwords, and I change my passwords more frequently.


Are you not worried about compromising all your passwords when one of them is compromised? I assume attackers know they can replace the service name in a leaked password?


yah, i used to do something like the parent poster until i realized that it's a serious reduction in the brute-force search space for a malicious attacker.
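An added example of the substitution attack the two replies above describe, written to show concretely what "attackers know they can replace the service name" means; it is not any commenter's code, and nothing in it is a real leak. The scheme, the leaked password and the victim's other passwords are all constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example; nothing here is a real leak. The scheme, the leaked password
# and the victim's other passwords are constructed to show the substitution.


def find_service_token(password: str, service: str) -> Optional[Tuple[int, int]]:
    """Locate the service name inside a leaked password, case-insensitively."""
    m = re.search(re.escape(service), password, flags=re.IGNORECASE)
    return (m.start(), m.end()) if m else None


def mimic_case(token: str, replacement: str) -> str:
    """Reuse the casing the victim applied to the service name."""
    if token.isupper():
        return replacement.upper()
    if token[:1].isupper() and token[1:].islower():
        return replacement.capitalize()
    return replacement.lower()


def derive_candidates(leaked_password: str, leaked_service: str,
                      target_service: str) -> List[str]:
    """Guesses for target_service built from one leak, most likely first.

    Returns an empty list when the service name is not visible in the leak,
    i.e. when this attack does not apply to that password.
    """
    span = find_service_token(leaked_password, leaked_service)
    if span is None:
        return []
    start, end = span
    token = leaked_password[start:end]
    prefix, suffix = leaked_password[:start], leaked_password[end:]
    variants = [mimic_case(token, target_service), target_service.lower(),
                target_service.capitalize(), target_service.upper()]
    out: List[str] = []
    for v in variants:
        cand = prefix + v + suffix
        if cand not in out:
            out.append(cand)
    return out


def services_cracked(leak: Tuple[str, str], victim: Dict[str, str]) -> List[str]:
    """Which of the victim's other accounts fall to the derived guesses."""
    leaked_service, leaked_password = leak
    hits = []
    for service, real_password in victim.items():
        if service == leaked_service:
            continue
        if real_password in derive_candidates(leaked_password, leaked_service, service):
            hits.append(service)
    return sorted(hits)


# Constructed data: one breach plus the victim's real passwords elsewhere.
LEAK = ("github", "Tr0ub4dor!Github#2019")
VICTIM = {
    "github": "Tr0ub4dor!Github#2019",
    "paypal": "Tr0ub4dor!Paypal#2019",
    "gmail": "Tr0ub4dor!Gmail#2019",
    "bank": "correct horse battery staple",   # does not follow the scheme
}

if __name__ == "__main__":
    print(derive_candidates(LEAK[1], LEAK[0], "paypal"))  # first guess is the real one
    print(services_cracked(LEAK, VICTIM))                 # ['gmail', 'paypal']
```

Four guesses per target is nowhere near a lockout threshold, which is the point of the "reduction in the search space" reply: once the pattern is visible in a single dump, every other account using it costs the attacker a handful of attempts rather than a brute-force run.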


bitwarden for the everyday, lower value stuff, keepassxc on private storage for the more sensitive things like bank accounts, etc.

Once passbolt adds offline storage of a copy of the vault to their extensions I may switch to that as I am a big fan of their system. It is just annoying for a home gamer to find their internet is down, then go to log in to their router to fix it, only to find the password manager doesn't work.


Jumped to KeePassXC (for Linux) + KeePassDX (for Android) after the latest LP fiasco, syncing the database with Syncthing everywhere it's needed.

It's... fine, actually! And it all being open-source and using an open/documented/versioned database format decreases risks, also the browser extension is perfectly serviceable (certainly not worse than LP's abortion).

In short, I have absolutely no idea why I haven't made the jump long ago.


All in on Minimalist Password. One of the few macOS-native apps left with enough of the right features (OTP, custom fields, iOS apps) without bloat, and no subscription (syncs via iCloud). The only drawback is no Chrome/Brave/Firefox extension yet (Safari only) but it's on the roadmap for this year I believe.

Edit: I see you didn't specifically mention Mac or Windows, but this one is Apple ecosystem only, currently.


Buttercup[1] is a highly usable password manager that supports multiple storage backends.

It has clients for desktop on Linux, Mac, and Windows, and it's got Apple and Android mobile clients. There's also a browser plugin. I've had a great experience so far.

I also use KeepassX, though it's a lot less usable / portable.

References: 1: https://buttercup.pw


Bitwarden for me - I’ve paid for the past 2-3 years after Lastpass put their prices up too high for me to justify. And I’m glad I deleted my lastpass account when I moved over!

Bitwarden is secured with my yubikey, with a 2FA code in another Authenticator app. Then, all my other OTP codes are within Bitwarden. For $10 a year, I am very happy with the service.



Keepassx

I have a copy of the keepass dbs on my phone, private notebook and employer notebook. Once a month I do backups and update these databases. Fresh passwords for the current month I hold unencrypted in an email draft/todo list/Google Keep till the full backup procedure.


I needed something cross platform, as I use a mix of android, windows, macos, and iOS devices. Also I want ease of use, vault unlocking with fingerprint methods.

Bitwarden clients really provide ease of use and I use it in combination with a self-hosted bitwarden server called vaultwarden.


1Password. Has all the features I want, really like the UI, and available everywhere I need it.


I just made the switch this week after reading the news about the most recent hack from LastPass. The UX for 1password was so refreshing after using LastPass for so long. The switching process was very simple. The only issue I had was getting dupes from the shared folders from the family account.


1password or Bitwarden. I personally like 1password UI better but it’s a personal choice.


I wrote a small blog post on my journey and shared it not too long ago: https://news.ycombinator.com/item?id=34181689


Strongbox protected with Yubikey NFC as 2FA on iPhone and Mac - sync via iCloud..


Same, and also keychain on macOS/iOS.


I switched from LastPass to Bitwarden. I'm still not even 1/3 of the way through changing all my passwords and OTP tokens (Obviously I changed bank passwords, etc, right away.)


Have fun changing those passwords. It took me at least three days. Absolutely miserable experience to conclude my 7 year relationship with LastPass.


What?! You can’t import/export between them?

That’s what I did when I left LastPass for 1Password, was fairly straight forward from what I remember.


You can import/export, and it worked well. But you still have to change every one, and reset your OTP token generators if you stored them in LastPass as well


I had to reset them regardless because of the breach so didn’t even bother looking into exporting/importing.


It seems like there are basically two camps: Trusting/convenience-oriented people use BitWarden, while more careful people prefer KeePass-based solutions.

Personally, I think Enpass is the best of both worlds. The ecosystem isn't open source by default, but there are open source tools that get technical assistance from Enpass folks. And the experience is quite good, usually slightly less polished than BitWarden or 1Password, but sometimes slightly more polished (TOTP is a lot easier on Enpass than with 1Password). Lastly, it's local-first and offers a lifetime purchase for about $90.


I’m using Bitwarden. I was a KeePassX user but I was missing: multiple devices support, sharing selected passwords with family members. Bitwarden solves those.


KeepassXC, Syncthing to sync. KeePass2Android on phone.


This is almost exactly my setup too. This plus OpenVPN to make it easy for all my machines to talk to each other without having to setup NAT traversal everywhere.


If I can piggyback on this question, what do people do about those infernal security questions? Browsers don't help much with them.


1Password has a handy solution to that problem: https://support.1password.com/generate-security-questions/

They have a bunch of "standard" questions in the drop-down list, like "first grade teacher" or whatever, but you can always just type your own since they're merely designed to be helpful. The answers they generate are built on top of their normal password generator, but I found the "battery horse staple" variety makes for the least amount of headache, although you could probably generate a PIN format if the target website accepted it since it'd be much easier to read to a customer service rep if it came to that (err, aside from the social hurdle of "what is your first grade teacher? ... 8675 ... no, I mean the teacher? ... yes, my answer is 8675" nonsense).
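An added example of the approach in the reply above: treat security-question answers as random secrets stored in the vault, in either the word-list or the PIN format it mentions. This is not 1Password's generator. The word list is a small constructed sample (32 words, 5 bits each); a real list should have thousands of entries, and the entropy helper is included so you can see what that difference buys.

```python
import math
import secrets
import string
from typing import Dict, List

# Added example, not 1Password's generator. WORDS is a small constructed sample;
# use a full diceware-style list (thousands of words) for real answers.
WORDS: List[str] = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "elm", "falcon",
]  # 32 words -> 5 bits per word


def word_answer(n_words: int = 4) -> str:
    """Random passphrase-style answer, e.g. 'raven tundra elm basil'."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def pin_answer(n_digits: int = 8) -> str:
    """Digits only: easier to read out to a support agent, if the site allows it."""
    return "".join(secrets.choice(string.digits) for _ in range(n_digits))


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent uniform picks from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def is_from_wordlist(answer: str) -> bool:
    return all(w in WORDS for w in answer.split(" "))


def make_answers(questions: List[str], style: str = "words") -> Dict[str, str]:
    """Build the question -> answer map to store next to the login in the vault."""
    gen = word_answer if style == "words" else pin_answer
    return {q: gen() for q in questions}


if __name__ == "__main__":
    for q, a in make_answers(["First grade teacher?", "City of birth?"]).items():
        print(f"{q} -> {a}")
    print(f"4 words from {len(WORDS)}: {entropy_bits(len(WORDS), 4):.1f} bits; "
          f"8-digit PIN: {entropy_bits(10, 8):.1f} bits; "
          f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

Whatever the format, the answer has to live in the vault record for that login, since the whole point is that nobody (including you) can reconstruct it from biography.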


Does anyone use any password manager and do regular backups? I use 1password but it's scary that all passwords depend on it.


Bitwarden


I have a 1Password subscription but I find it too much of a hassle to use. Using the password manager is more cumbersome than resetting the password most of the time. And that obviously makes the password stored in the password manager out of date, making it even less useful.

For many logins I just use some re-used password with a prefix/suffix based on the service/site name, so I can usually get the password right without opening the manager or resetting the password.


I've been using Bitwarden for a few years, and am very happy with it. I'm glad to pay their reasonable price.


I use Bitwarden and pay for it. I've previously used 1password but stopped when they went to a subscription model.


Password Store and KeepassXC are great. Don’t use “cloud” for password management. They will always be juicy targets.


Anyone here use GNU Pass? Can you describe your setup? Would it be an upgrade coming from KeepassXC?


I roll my own. I use emacs on an encrypted password file stored on my local PC.


How do you keep the password file encrypted on file write and file open? Do you decrypt to the file system to a temp file first?

Thank you


Not GP, but using a similar setup (.org.gpg files for textual private data, on top of encrypted partitions as well), and Emacs comes with an EasyPG interface; doesn't need an intermediate temporary plaintext file. It can also handle an encrypted .authinfo, .authinfo.gpg, and encrypted bits of configuration (.el.gpg).

That's one of the nice things about common/basic/widespread standards and tools: good compatibility and support.

Handling non-GPG encryption in a similar way should be possible too, but won't work out of the box.


Emacs has lisp for that, it prompts for a password on open. On save it encrypts it if it was changed.


I use KeePass (+ KeePassX on Android) with a password database file on Dropbox.


I've been using Roboform for many years and I'm very happy with it.


Macpass for my Mac, and sync the .kdbx file with Keepass2Android for my cell.


For me mobile and multidevice is a thing. Nothing better than Bitwarden.


I use keepass and the file is stored in gdrive to sync across devices.


Does anyone use Keeper? Or have thoughts in general on that?


I do. It’s fine.


LastPass, which can’t be spelled without a-l-a-s.


I just do it the old-fashioned way: memorisation.


I feel that you either have the best memory on earth, live offline and need to memorize only a couple of passwords, or you are doing something wrong (like using the same password over multiple services)


Bitwarden will have my money this year too.


I used LastPass for 13 years. Now I use Roboform.

It just works.


BitWarden meets all those criteria!


Bitwarden



