
First of all, stackers, I'm not asking which PM is best!

I'm asking which one you like and what features stand out as better than the competition.

I've used several of the well-known offerings, and here are my thoughts on each:

  • I started off with a Proton Mail account and naturally progressed to Proton Pass, their native password manager.
  • This was my go-to for a long time. I like the simplicity of it, and I like the option of creating folders, but there's a cap on the free version.
  • Then I thought, well, what happens if I lose access to Proton? I know, I'll create another account with a different PM and store the password there, and vice versa.
  • So I originally just downloaded Bitwarden to store the Proton password and didn't really make use of it, but I'll come back to my thoughts on Bitwarden in a second.
  • And just for belt and braces, I downloaded KeePassDX, to again store the passwords from Proton and Bitwarden.
  • But then KeePass started to become my daily driver. What I really like about the features is the built-in entropy password creator, very cool 😎

But one day last week, I was playing around with the settings and pressed something, and it downloaded a file for some reason. So I deleted the file from Downloads in my phone's file manager, went back to KeePass, and the app wouldn't open!

  • My heart immediately sank, and I thought, if I can't access this, I've lost a fair amount of data.
  • And being on the long uphill struggle of learning about all things technical, I quickly thought about retrieving the file from the recycle bin and restoring it in Downloads, et voilà! It opened!
  • Feeling very pleased with myself, I did some research, and it turns out this is a feature, not a bug, because you can store your data in this encrypted file, which the app can only open with the password.

So for you stackers reading this, this is 101, like first day of easy tech, but I'm learning this shit from scratch.

  • It took me ages to work out that I needed to store the file in a new folder [keypass] and delete the original database in the app, then open existing database, choose the new folder location, enter the password, BOOM 💥 we're cooking on gas now!
  • But the downside to all this in KeePassDX is that your data is only as good as your last backup.

So we go full circle, and after my little scare with KeePass, I thought I'd add the most important information to Bitwarden, and that's when I really started to like it: each addition is replicated across devices, no need for downloaded files becoming differing data.

So what would I rate these three PMs?

  • I'd give Proton Pass a 7/10
  • I'd give KeePassDX a 6/10
  • And I'd give Bitwarden a 9/10

While writing this, I'm thinking, have I got way too many PMs? Have I left gaps in security by having more than one?

  • But what if you put all your eggs in one basket and you can't access the 🧺?
  • That's the question, isn't it? Single point of failure has a double meaning here!
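The lesson in the post (the whole vault is one .kdbx file, and your data is only as good as your last backup) is easy to automate. As an added example, not part of the post and not KeePassDX's own code, here is a Python routine that copies a KDBX file into a backup folder with a UTC timestamp, refuses to keep the copy unless its SHA-256 matches the source, and prunes old copies. The signature check uses the two magic words KeePass 2.x writes at the start of every KDBX file (0x9AA2D903, 0xB54BFB67); the paths, the `keep` count and the stand-in file built in `demo()` are assumptions for the example.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# KeePass 2.x (KDBX) file signature: 0x9AA2D903 then 0xB54BFB67, little-endian on disk
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so a large vault is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_kdbx(path: Path) -> bool:
    """True if the file starts with the KDBX signature: a cheap check that the
    thing being backed up is the vault and not, say, an exported CSV."""
    with path.open("rb") as f:
        return f.read(len(KDBX_MAGIC)) == KDBX_MAGIC


def backup_database(db: Path, backup_dir: Path, keep: int = 5) -> Path:
    """Copy db to backup_dir/<stem>-<UTC stamp>.kdbx, verify the copy's hash
    matches the source before keeping it, then prune to the newest `keep` copies."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    if not is_kdbx(db):
        raise ValueError(f"{db} does not look like a KDBX database")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    dest = backup_dir / f"{db.stem}-{stamp}.kdbx"
    shutil.copy2(db, dest)  # copy2 preserves mtime, handy when comparing with sync clients
    if sha256_file(dest) != sha256_file(db):
        dest.unlink()
        raise OSError("backup copy does not match source; refusing to keep it")
    # Fixed-width timestamps sort lexicographically, so the oldest copies come first
    for old in sorted(backup_dir.glob(f"{db.stem}-*.kdbx"))[:-keep]:
        old.unlink()
    return dest


def demo() -> dict:
    """Exercise the routine on a constructed stand-in vault (magic bytes plus
    padding, not a real KeePass database) in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    db = work / "vault.kdbx"
    db.write_bytes(KDBX_MAGIC + b"\x00" * 64)
    notes = work / "notes.txt"
    notes.write_bytes(b"not a vault")
    for _ in range(7):
        backup_database(db, work / "backups", keep=3)
    return {
        "vault_is_kdbx": is_kdbx(db),
        "notes_is_kdbx": is_kdbx(notes),
        "kept": len(list((work / "backups").glob("vault-*.kdbx"))),
    }


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduler and point `backup_dir` at storage that lives somewhere other than the phone: the scare in the post was a deleted file, but a lost or dead device would have exactly the same effect on a single local .kdbx.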
230 sats \ 1 reply \ @kepford 5 Dec
I've used many of them for many years. I recommend Bitwarden for most people.
  • Open Source
  • Great UX
  • Can self-host
  • Been audited many times (including my company's team)
  • Has a working business model
  • Can start for free
  • Multiplatform support.
  • Family/Business accounts.
It's really great. There are others that are really good as well.
reply
I've also been using bitwarden for years and recommend it to everyone. No complaints!
reply
Honestly, none of them. I get why PW managers are popular; you have to be more and more complex, everything requires a password now, and it's simply too much to remember everything instantly. But managing your own passwords only takes a slight bit of effort with at least three layers of defense. Can't remember them? Put them on a spreadsheet and give it a password. Then use an encryption tool and keep your files encrypted when not in immediate use. Lastly, make a redundant copy and update it regularly as a backup in another encrypted, locked place separate from your primary computer/tool. It's about as secure as things get without relying on faulty human memory. And do you really believe your PW manager software will be better? Take into account that it is usually 1) Internet-based, 2) run by a third party you really don't know, and 3) they control your tool by license or portal access. Every online tool I've used for anything has eventually gone down or been hacked or compromised. PW managers are no different in that respect, especially online versions. But that's my two cents. My only hack damage has been due to the phone company of all things getting hacked and releasing my stuff (bastards). Looking forward to that class action lawsuit outcome, personally.
reply
205 sats \ 6 replies \ @Norbert 5 Dec
You're recommending against using a password manager, and then you go on to reinvent one poorly with an encrypted spreadsheet. This gives you no browser integration and no paste buffer management.
it is usually 1) Internet-based, 2) run by a third party you really don't know, and 3) they control your tool by license or portal access.
If those are your concerns (and I'd agree with them), they are all addressed by KeePassXC. It's a solid, mature tool. Just use a password manager.
reply
I'm not recommending a PWmanager, period. I'm simply giving an example of how I manage my passwords manually with an emphasis on max protection, not trusting a third party. And no, I will not "just use a password manager" because it's in vogue. Sometimes a basic hammer is still the best tool to use to hit a nail.
reply
21 sats \ 4 replies \ @kepford 23h
KeePassXC is not hosted. You are not trusting a third party at all.
But the good hosted tools can't read your passwords by design. They are encrypted by your key and they can't decrypt them. Bitwarden for example does this, and you can self-host Vaultwarden so you aren't trusting them for sync.
The spreadsheet approach has a few negative tradeoffs and few positive ones.
Mostly posting this for others following along.
There are also CLI local-only tools like pass that use gpg, and you don't have to decrypt all your passwords at once if that is a concern.
I do find it odd when bitcoiners (others I have encountered) trust encryption with their money, which is spread out across the Internet, but don't trust encryption with passwords. It's kinda odd to me.
reply
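The claim above that a well-designed hosted manager "can't read your passwords by design" rests on a specific key schedule: everything the server stores is derived one way from the master key, and decryption only ever happens on the client. As an added example, not Bitwarden's or Vaultwarden's code and not from any comment in this thread, the Python below models that split. It loosely follows the pattern Bitwarden documents publicly (PBKDF2 over the master password with the email as salt gives the master key; a one-round PBKDF2 of that key gives the login hash the server sees); the iteration counts, the HMAC-based toy stream cipher standing in for a real AEAD, and every function name are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

KDF_ITERATIONS = 600_000  # client-side PBKDF2-HMAC-SHA256 rounds (example value)


def derive_master_key(password: str, email: str) -> bytes:
    """Client only: stretch the master password into a 256-bit key. The email is
    the salt, so two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, dklen=32)


def login_hash(master_key: bytes, password: str) -> bytes:
    """Client only: a one-way value derived FROM the master key that is sent to the
    server for authentication. Having it does not give back master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def split_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys from the master key (HKDF-style labels)."""
    return (hmac.new(master_key, b"enc", "sha256").digest(),
            hmac.new(master_key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher for the example: HMAC-SHA256(enc_key, iv || counter) blocks.
    A real vault uses AES-CBC+HMAC, AES-GCM or XChaCha20-Poly1305 here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: iv(16) || ciphertext || tag(32)."""
    enc_key, mac_key = split_keys(master_key)
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    return iv + ct + hmac.new(mac_key, iv + ct, "sha256").digest()


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = split_keys(master_key)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


# --- what crosses the wire and what the server keeps ---------------------------

def register(email: str, password: str, secrets: bytes) -> Tuple[Dict[str, bytes], bytes]:
    """Returns (server_record, encrypted_vault). The record holds a salted re-hash of
    the login hash, never the password or the master key; the vault is ciphertext."""
    mk = derive_master_key(password, email)
    server_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash(mk, password), server_salt, 100_000)
    return {"salt": server_salt, "verifier": verifier}, seal(mk, secrets)


def server_authenticate(record: Dict[str, bytes], client_login_hash: bytes) -> bool:
    """Server side: re-hash what the client sent and compare in constant time."""
    check = hashlib.pbkdf2_hmac("sha256", client_login_hash, record["salt"], 100_000)
    return hmac.compare_digest(check, record["verifier"])


def client_open_vault(email: str, password: str, record: Dict[str, bytes], blob: bytes) -> bytes:
    """Client side: log in with the login hash, then decrypt locally with the key
    the server never saw."""
    mk = derive_master_key(password, email)
    if not server_authenticate(record, login_hash(mk, password)):
        raise PermissionError("login rejected")
    return unseal(mk, blob)


if __name__ == "__main__":
    rec, vault = register("alice@example.com", "correct horse battery staple", b"github: hunter2")
    print(client_open_vault("alice@example.com", "correct horse battery staple", rec, vault))
```

The useful question to ask of this design is what a server breach leaks: `record` is a salt plus a salted re-hash of the login hash, and `blob` is ciphertext plus a tag, so an attacker holding the server database is reduced to guessing the master password offline at the full client KDF cost per guess. That is also the design's limit: a weak master password, or a low iteration count chosen years ago, defeats it no matter how carefully the server hashes its side.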
To be honest, it comes from experience. Just about every third party tool I've used that stored PW online or had an online connection has been compromised or hacked. Maintaining control of my info myself hasn't failed in two decades. That's not to say it's perfect; it's not as you pointed out. But that's because I manually engage. Personally, I think relying on tools blindly for protection is being lazy. I have no issue manually referring to my own encrypted database regularly and then, even if I have to copy, immediately copying something else or purging the temporary copy to block stuff sitting in my flash memory or browser memory and being grabbed via a script.
reply
100 sats \ 0 replies \ @kepford 23h
That's interesting. LastPass is the only (once good) service I've heard of being compromised. If it's done right the data at rest and transit should be safe even if publicly available. Which no one does.
There are crappy password managers but ones like Bitwarden have a big juicy target on them and haven't been compromised.
Whatever works for you, but most people are more likely to lose, expose, or reuse passwords without a good tool. Most people have crappy passwords they reuse. These people are easy prey. Most people are just fine using Bitwarden or 1Password.
reply
21 sats \ 1 reply \ @Norbert 23h
I think relying on tools blindly for protection is being lazy.
Is that what using a password manager is, though? Just a dumb reliance on tools?
Personally I have carefully picked KeePassXC because it suits my situation. I know it in and out, and I have a sound backup regime for it. I'm not some confused cargo cultist who does strange things I don't understand because experts on the internet told me to – and I doubt many such people exist.
reply
21 sats \ 0 replies \ @kepford 21h
Is that what using a password manager is, though? Just a dumb reliance on tools?
It's not. Just using any password manager is dumb. They are not all the same. Open source matters. How tested and used it is matters. Its track record matters. It takes knowledge to evaluate any tool. The more complex the tool, the harder that is.
I'm not some confused cargo cultist who does strange things I don't understand because experts on the internet told me to – and I doubt many such people exist.
They are a small minority. The majority don't use anything. They reuse bad passwords and get hacked when a site they use has a breach. They don't use 2FA. They need well-designed tools that don't require a ton of training to use. This attitude I sense is elitist and also poor security / UX.
I do wonder how this file is being encrypted as well. It is possible and not hard to encrypt a file but most people have never heard of pgp let alone use it.
I am not an encryption expert but I know enough to know the right questions to ask and who to listen to. Some of the tools mentioned have been tested by entire teams of security specialists.
I'm all for everyone doing whatever they want to do but tools are good tools when they solve problems. Password managers that are well done do this.
There is a contrarian attitude that I battle in myself. There for sure are cargo cults in tech but password managers are not a cargo cult.
The problems with password managers are adoption and crappy apps. Few people use them. And even fewer are equipped to pick a good one.
Hence passkeys being pushed which actually are making it even more confusing for average people.
reply
21 sats \ 1 reply \ @Zion 5 Dec
I don't use any, every one is in my head
reply
60 sats \ 0 replies \ @Taj OP 5 Dec
reply
KeePass. Best if accessible via WebDAV, though.
reply
I use pass, cli with gpg encrypted storage on git.
reply
21 sats \ 0 replies \ @kepford 23h
Pass is great. If you want to access passwords in scripts it's a great option.
reply
Passwordstore together with dmenu and a script that it feeds from. Use: I hit some keys, dmenu pops up and I start typing the key I'm after. The script filters options using pass find. I then highlight the one I'm after (or keep typing until only one is left) and press enter. The password is now in memory for 15 secs.
Previously, I used KeePassXC. It still is my recommendation for most users. I now only keep copies of some passwords from pass in there, so my wife could access the most important ones should something happen to me.
reply
21 sats \ 0 replies \ @kepford 21h
I don't think anyone has mentioned it, but set up 2FA on your email at a minimum. Regardless of your password strategy, they can be reset, and if your email account is compromised and you don't have 2FA, you are hosed.
reply
21 sats \ 0 replies \ @ek 5 Dec
vaultwarden hosted inside your own WireGuard VPN
reply
21 sats \ 0 replies \ @OT 5 Dec
I used to use Dashlane. Then switched to Keepass and Bitwarden.
reply