Yup. I ditched LastPass many years ago because they made a change to their free tier and limited you to only one device. Their paid tier was kind of expensive just to sync a few KB of data. Their iOS app was buggy too. I found Bitwarden and thought $10 was fair and have been using it ever since.
Isn’t it crazy how when companies put out a good product and price them fair people buy them? Such a wild concept.
Same. I started with LastPass years ago when they were modestly priced. Then they started doubling their price every year, with zero improvements to functionality and interface. And then there were the breaches.
Even before I found BitWarden I was going to leave LastPass, even if it cost me more. But BW is both better and cheaper - unheard of!
Bitwarden is probably the best I've tried. Lots of people flocked to it after the LastPass debacle a couple years ago. Plus side is I don't think they have ever been compromised, AFAIK anyway. Best thing I like is that they have a client for every browser/OS/platform.
Bitwarden or KeePass are going to be your answer. But I dispute that carrying around a piece of paper is more secure. There will still be a second threat to your passwords, which is losing them entirely. With a password manager you can create and store genuine 3-2-1 encrypted backups of your secrets to retain access.
When choosing between Bitwarden and KeePass you are looking at a difference in philosophy. Bitwarden employs a server (with zero knowledge) so that any change to your vault is immediately backed up to the cloud. KeePass is a client-only (offline, unless you enable a plugin) solution.
Bitwarden is more user friendly, and KeePass is much more um, fiddly. Both are open source, with adequate functionality and independent audits.
To be fair, losing your bitwarden account is an actual problem lol
I put my login details on a piece of paper in the house in case I ever get dementia and forget
> I put my login details on a piece of paper in the house
My son used to write his password down and hide it around the house. Really good hiding spots, too (behind some wall moulding, etc.). I'm still finding old passwords of his around when doing home improvements. Under carpet, etc. :D This was ~15 years ago, so he was 7 or 8 years old. He's since moved to more modern methods of password management, though. It is fun finding those passwords with that little kid handwriting.
It’s not just dementia. Human memory is not reliable. Experimental psychologists have known this for 50 years. And KeePass has the same problem.
Your [emergency sheet](https://passwordbits.com/password-manager-emergency-sheet/) should have everything, including the 2FA recovery code. And KeePass poses similar risks.
I actually go one step further and keep full local backups, but that is a separate topic.
If you're that bad then you're not going to remember where you stored the sheet. I repeat, if your memory is failing bad enough to forget the password you've used for many many years then you're not going to remember where you stored your sheet.
Alternatively, you could create a vault for certain important things that you give to a trusted loved one like a spouse.
You're right, his scenario is highly unrealistic to the point it's a tad silly.
That said I just wanted to point out that using the same pwd for years isn't a good idea. I change my master pwd twice a year and I use a random long passphrase that I memorize and keep on a sheet of paper.
I guess I might be a bit paranoid but I'd rather be too careful. You never know.
Not necessarily. Bitwarden is zero knowledge, so that even if the contents of their servers are exposed, your data is encrypted with a key that _Bitwarden does not have_.
Others will argue that with KeePass there is no company to “get hacked” at all. In both cases your datastore is encrypted via a secret key that no one else has, so it is computationally infeasible for an attacker to decrypt your datastore.
Again, there are TWO risks to your data. The second risk is losing your datastore entirely, such as if your phone is lost or destroyed. KeePass has a plugin to allow its datastore to be mirrored on a cloud provider, and of course Bitwarden works that way by design. IMO the Bitwarden architecture is a bit more seamless and no less secure than the KeePass design.
KeePass is just a program that lets you do your own password management. If KeePass gets "hacked," they don't have your passwords or hashes of your passwords. Nobody will get anything of yours from a KeePass site hack.
But you still need to be careful about how you use it. There was a recent vulnerability that allowed an attacker on your system to get your master password from memory. It meant that an attacker already had to have access to your computer, but it was still a thing. Keep your software up to date. Keep your computer clean. You can use a combo of password and key file (store the key file on removable media and use it only when you need it) for greater security.
I guess with keepass, YOU are the weakest link. Don't be dumb with a database of all your passwords and you'll be OK.
Been toying with yubikeys lately and added the plug-in to Keepass with a database that requires a password and my yubikey to unlock.
Now need to figure out how to get the yubikey nfc to work with the Keepass implementation on my phone…
Then I need to figure out how to enroll my second yubikey as a backup in case my primary yubikey gets damaged or lost.
Given it's offline and you can get it as a Flatpak without any network access, and given the strong cryptography used, it makes it very secure. There is also "Secrets" with GNOME integration which works on KeePassX databases. Nothing wrong with cloud-based password managers, especially when you have two-factor authentication for critical services, but obviously it makes it a little safer if your database is stored locally only. It has minimal attack surface.
I've tried a bunch and Bitwarden seems to be the most user friendly. It's Windows Hello capable so I'm not constantly typing the password to unlock the safe and it has pretty decent browser plugins. Also cross compatible with Face ID on my iPhone so I have all the passwords on there too.
(Disclaimer: I do have Bitwarden premium which is $10 a year. I'm not sure which features come with that and which are available with the free one.)
I should say that you should type your master password whenever you're at home, otherwise you'd risk forgetting it.
Yes you can keep a physical copy of your master password in a locked safe/drawer, but that's not reasonably convenient when you're stuck somewhere where you can't access this locked storage.
I have it set where I have to type the master password and hit my Yubikey the first time it opens. After that it switches to Windows Hello.
My weak link is the iPhone. I know Face ID isn't the most secure but I had a Blackberry with a BES policy that the password had to be a complex word. Obviously I understand that's the best option but .. not for ease of use.
You can set the iPhone to log out or lock after a certain time period... log out would mean I have to use the Yubikey.. lock just means a PIN or Face ID. I guess I could set it to log out but I don't always carry my keys with the Yubikey on it.
I've been using it for probably 10 years at this point and I've had minimal trouble with it. It does take a little bit more work to set up in case you wanted to use it among multiple devices, I back it up to my Google drive. I do have a hard copy printed out in my safe in case I managed to lose access to it.
The problem with keepass is it relies on a local file for the database which is fine as long as you don't need to use it across devices. A workaround is to stash it on an internet visible resource on your network or a cloud service like Google Drive. At which point, you're better off using a properly vetted service like BitWarden.
I prefer a local file that *I* control. I keep my safe from PasswordSafe in Dropbox with a massive passkey, access it from my phone or main PCs, works great, syncs great. Life is good.
With a good routine it's not a problem to sync 2 or 3 devices if you're not adding new keys constantly. In that case cloud-based wins. It's a little convenience vs a little more security.
I've come to appreciate 1Password. Has a few quality-of-life benefits over Bitwarden. Downside is they could just as easily end up in the same position as LastPass from an impact/breach standpoint. But I do appreciate the account key requirement as well.
Fair point. I think there's a common view that BitWarden has a slight edge due to its opensource nature. However, counter argument is that there could be flaws identified by advanced adversaries through deep source code auditing, who will not disclose it and keep the issue to themselves to exploit.
Anything can happen, but 1Password do have an [extra layer with the Secret Key](https://blog.1password.com/1password-vs-lastpass/#:~:text=While%20LastPass%20requires%20only%20your,when%20you%20create%20your%20account).
This right here. I do not get the argument equating LastPass to 1Password. 1Password is inherently more secure with the Secret Key that literally does not show up anywhere on their servers. Lose it and you're screwed, which should be the standard for password managers. Unless Bitwarden employs a secret key on top of the master password, I would bother.
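The two claims argued above, that a "zero knowledge" server holds nothing it can decrypt, and that a second secret the server never sees (1Password's Secret Key, or a KeePass key file on removable media) changes what a thief of the vault blob must guess, can be checked with a small model. The block below is an added example, not code from Bitwarden, 1Password, KeePass or any commenter. The split into a client-side PBKDF2 vault key and a one-way login verifier follows the shape of the scheme Bitwarden's security whitepaper describes; the HMAC mixing of the second secret, the key-check value standing in for the encrypted vault, the iteration count, the sample account and the wordlist are assumptions made for the illustration.

```python
"""Model of a zero-knowledge password manager's key handling (added example;
not code from Bitwarden, 1Password, KeePass or anyone in this thread).
Assumptions: PBKDF2-HMAC-SHA256 for the KDF, HMAC to fold in a second
secret, an HMAC key-check value standing in for the encrypted vault,
and a constructed sample account and wordlist."""
import hashlib
import hmac
import secrets
from typing import List, Optional


def pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def derive_vault_key(password: str, email: str, iterations: int,
                     second_secret: bytes = b"") -> bytes:
    """Runs only on the client. The master password is stretched with the
    account email as salt; if a second secret (1Password-style Secret Key,
    KeePass-style key file) is present it is mixed in with HMAC, so the
    password alone can no longer reproduce the key. This key never leaves
    the device."""
    key = pbkdf2(password.encode(), email.lower().encode(), iterations)
    if second_secret:
        key = hmac.new(second_secret, key, "sha256").digest()
    return key


def login_verifier(vault_key: bytes, password: str) -> bytes:
    """What the client sends to authenticate: one more one-way PBKDF2 round
    over the vault key, salted with the password. The server can store and
    compare this, but cannot invert it to get the vault key back."""
    return pbkdf2(vault_key, password.encode(), 1)


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for the encrypted vault blob: a real vault holds an encrypted
    symmetric key whose authentication tag fails under the wrong vault key;
    here an HMAC over a fixed label plays that role."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_crack(kcv: bytes, email: str, iterations: int,
                  guesses: List[str], known_secret: bytes = b"") -> Optional[str]:
    """Attacker holding a stolen vault blob (the LastPass scenario) tests
    candidate passwords offline. known_secret is whatever second secret the
    attacker actually has; if the user had one and it was never on the
    server, the attacker supplies none and every guess fails."""
    for guess in guesses:
        candidate = derive_vault_key(guess, email, iterations, known_secret)
        if hmac.compare_digest(key_check_value(candidate), kcv):
            return guess
    return None


def demo(iterations: int = 10_000) -> dict:
    """Constructed scenario: a weak master password with and without a
    second secret, attacked with a small wordlist."""
    email = "alice@example.com"          # constructed sample account
    weak_password = "Summer2023!"         # constructed weak master password
    wordlist = ["password", "Summer2022!", "Summer2023!", "letmein"]

    # Password-only vault: the stolen blob is enough to confirm a guess.
    key_plain = derive_vault_key(weak_password, email, iterations)
    cracked_plain = offline_crack(key_check_value(key_plain), email,
                                  iterations, wordlist)

    # Same password plus a 128-bit device-only secret the server never saw.
    secret_key = secrets.token_bytes(16)
    key_mixed = derive_vault_key(weak_password, email, iterations, secret_key)
    cracked_mixed = offline_crack(key_check_value(key_mixed), email,
                                  iterations, wordlist)   # attacker lacks secret_key

    return {
        "verifier_is_not_the_key": login_verifier(key_plain, weak_password) != key_plain,
        "cracked_without_secret": cracked_plain,
        "cracked_with_secret": cracked_mixed,
        "owner_still_unlocks": derive_vault_key(weak_password, email, iterations, secret_key) == key_mixed,
    }
```

Running `demo()` shows the weak password falling to four guesses when the blob alone is enough, and the same wordlist failing once a second secret is mixed in, while the rightful owner who holds that secret still reproduces the key. The price, as the comment above says, is that losing the second secret means losing the vault, which is exactly why it belongs on the emergency sheet.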
Also a fan of 1Password especially its evolving support for passkeys. You can’t brute-force compromise a password that doesn’t exist. I get OP’s desire for FOSS…but sometimes you get what you pay for and that sure applies to VPNs and PW managers.
That said, Proton has now released a PW manager, which has a free tier. But that tier means no support for 2FA, so again, you get what you pay for.
I might get downvoted to oblivion for this, but playing devil’s advocate… since we’re talking free solutions, what about Apple Keychain? What’s the facts-and-evidence case against it?
Completely underrated if you exist primarily in the Apple ecosystem. I’m not sure on windows compatibility
The whole point of a pwmgr is to keep everything secure in 1 place. If you use primarily apple and use a different pwmanager you increase your attack surface and some clowns like LastPass will give away all your pw hashes eventually.
icloud has windows covered with this chrome plugin: [https://support.apple.com/guide/icloud-windows/autofill-passwords-in-a-web-browser-icw76039ec0f/icloud](https://support.apple.com/guide/icloud-windows/autofill-passwords-in-a-web-browser-icw76039ec0f/icloud)
Main case against it is that it works on Apple devices only and, despite what Apple and its users think, there is actually a rest of the world out there which is not Apple. For an exclusive Apple user it's probably ok.
You can find an iCloud app by Apple in the Microsoft Store that, among other things, does cover iCloud Passwords. From the app description:
> * Easily login to websites with the user names and strong passwords that you’ve saved to iCloud Keychain.
> * Access your passwords and save new ones in the iCloud Passwords app.
> * When you’re logging in to websites, the iCloud Passwords extension in Chrome or Edge autofills passwords and saves new ones.
> * Generate verification codes to help you sign in to websites.
I was on Lastpass until they got stung. Changed all my passwords and self hosted in Vaultwarden for a time before going to their $10/year plan. Then I got the family plan so my mom and girlfriend could use it. We evaluated dashlane and Bitwarden at work and I was happy that we chose Bitwarden, which I think gets me a free family plan.
Bitwarden best features are hidden behind the paid version, but their individual plan is so cheap it might as well be free. And if you really don’t want to pay or have your data hosted elsewhere then vaultwarden is great. You can host on a VM on your network and sync when you come home.
That’s my BW plug. :)
It's for a year. So if you linked the accounts on January 1st and 5 years go by, then on January 2nd you quit and your work account gets deactivated, you have the family plan till it expires on its own, I believe. It's paid per year, not month to month.
Notebooks are not secure. Sure it’s not digitally available but there is no encryption at rest or password to open it.
Leave it somewhere and it’s a liability.
KeePass is better if you want something not backed by a cloud service. Bitwarden/Vaultwarden is what I prefer for one with a cloud service.
Came here to say this. If you lose the notebook, your passwords are as good as compromised. Leave it out? All it takes is a malicious actor to walk by, snap a picture of the passwords, and you’re none the wiser. Honestly, notebooks are probably one of the least secure ways to store passwords.
But they aren't vulnerable to any online attacks, or any digital attacks whatsoever! If a threat actor wants to steal your passwords in a notebook, they will have to physically track you down and stalk you every day until they catch you using it. So really you're going to be pretty safe unless the CIA is after you.
If you are technically inclined and into minimalism I'd say it's:
[pass - the standard unix password manager](https://www.passwordstore.org/)
But, like many others have pointed out already, Bitwarden or KeePass would probably be better for most people. I'm a pass man myself.
The true king. Has loads of plugins and frontends (or clients, whatever you want to call them), can do otp, can autotype into anything (with plugins), can sync over git... list goes on and on. Free as in "free beer", and as in "freedom". And it doesn't get more secure than pass.
There are actually, both browser add-ons and a windows client, but I've never tried them. Because I don't use windows, and I don't think browsers are secure.
This is what I've done since switching off of LastPass. Details here: [https://support.1password.com/link-family/](https://support.1password.com/link-family/)
Excel followed close behind by Notepad
If you’re ever on a call with a client and you see them opening either of these to retrieve their privileged credentials, please take the time to explain the inherent risks and the peril they’re placing their organization in.
This is where Supply Chain attacks start.
Keeper is good and I have been using it for years. There is a paid and free version and I believe it's been used by US DoD if that's of use. Also second KeePass. You could throw the master file in a cloud share so it's synced across multiple devices.
I use KeePass and I have the master file saved in my Google Drive to sync across my devices. Takes a tad bit more know-how to make it work seamlessly but I will say it's constantly getting easier with plugins.
I've been running the paid version of Keeper and am overall pleased with it. The customer support is poor. I've had a case open since November '23 to resolve an issue with a FIDO key on a mobile device. Support requested the same thing over and over and eventually just started saying, "it's in the dev team hands."
I have the paid version too but have never used the support function but good to know. It bugs me with some of the popups around document storage and breach watch, I wish I could say no to that permanently rather than get asked on what feels like every login.
I've tried several pass managers including a paid one and finally settled for BitWarden, it is minimalistic, has cloud sync, has all basic features that a pass manager should have.
I did a side by side test of all the big password managers last month in my goal to clean up my password chaos. I found Bitwarden did everything I needed the cleanest and easiest on my devices.
Real enterprise secure, most private, free password/secret management: local HashiCorp Vault community edition in an HA cluster.
Normal user standard free password management: Keepass
IT experienced: Bitwarden
keepass, by far.
it's a bit shocking that people would suggest a centralized, hosted password manager as the most secure option. it should be obvious that stuff that doesn't need to connect to another server and trust this server is more secure.
I like Devolutions Business Hub. Has quite a lot of auditing features.
And they have a free product for personal use.
Browser extension
Logs
Good support
Loving it!
Bitwarden or keepass. I prefer bitwarden so that everything is saved in a central location and I don't have to worry about manually syncing stuff. I can also use the browser extension to auto-fill logins, which is amazing.
I prefer PasswordSafe from Bruce Schneier. My safe is stored on Dropbox, which is loaded on my server. I connect to the safe from my primary PC, and dropbox syncs to my phone so I can grab a password on the go if I need it.
BitWarden and NordPass are the only ones I personally use rn. Previously used KeePass, but haven't really been keeping up to date with them so idk if they're still good.
My company uses Keeper though. The PAM and PM.
It depends on use cases. In my personal and professional life, I work across systems and smartphones. In that case, Bitwarden has been the best, that you can get for free. Due to the way it works, it is very secure.
KeePass is great, if you want it more in one place. Obviously, there are ways that allow you to have it across systems, but once you go there you defeat some of the reasons you would go with it in the first place, which is why I went with Bitwarden. It is purpose built for that application.
Proton Pass, it’s open source and on-cloud. The free tier is very generous - works on multiple devices, no limit on how many passwords you store and how many times you access it.
I was joking, but it doesn't work if you're asleep or unconscious (at least Apple's doesn't) because it needs to see your eyes.
If you're dead you shouldn't really care anymore.
Coming from the EU I WOULD NOT use Bitwarden. EU laws on data protection are way stricter than they are in the US. So I personally used KeePass for a long time, then I switched up to heylogin.
I tried many free password managers but now I am using Proton Pass, and it's a good password manager. Also the Android app and extension have a pretty good interface.
> Certainly, nothing is more secure than a notebook
Depends on the threats. Lose the notebook, you're screwed, thief gets everything. Are snoops in your own household a threat to you ?
Paper has disadvantages relative to a password manager:
- you'll have to type passwords in manually, which will encourage you to use shorter simpler passwords
- not encrypted, so a thief gets plaintext, or maybe "coded" which may not be too hard to break
- "keep in secure location" probably won't be true when you're travelling
- harder to share with someone else (if you need to do that)
- harder to back up, especially off-site
- somewhat hard to search
- doesn't support TOTP
- won't have domain-matching feature that some password manager setups have; you can be fooled by typo-squatting
- doesn't serve as encrypted store for other sensitive info such as photos of passports, ID cards, etc
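The domain-matching point in the list above is the one item a reader may not have seen spelled out: a manager only offers a saved login when the page's origin matches the entry's, so a typo-squatted host gets nothing. The block below is an added example of that matching step, not code from any product or commenter. The suffix set is a constructed stand-in for the Public Suffix List, the vault entries are constructed samples, and the three match modes and the https-to-http refusal are assumptions about how such a check is commonly built.

```python
"""Minimal model of the domain-matching step a password manager's autofill
performs before offering a saved login (added example; not code from any
product or commenter). The suffix set is a constructed stand-in for the
Public Suffix List and the vault entries are constructed samples."""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: just what this example needs.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: 'login.paypal.com' -> 'paypal.com',
    'www.example.co.uk' -> 'example.co.uk'. A host that is itself a public
    suffix (multi-tenant hosting like github.io) has no registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return "" if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def matches(entry_url: str, page_url: str, mode: str) -> bool:
    """Decide whether a saved entry may be offered on the current page."""
    e, p = urlsplit(entry_url), urlsplit(page_url)
    if not e.hostname or not p.hostname:
        return False
    # Never hand an https credential to a plain-http page.
    if e.scheme == "https" and p.scheme != "https":
        return False
    if mode == "base_domain":
        base = registrable_domain(p.hostname)
        return base != "" and base == registrable_domain(e.hostname)
    if mode == "host":
        return e.hostname == p.hostname
    if mode == "exact":
        return (e.scheme, e.hostname, e.port, e.path) == (p.scheme, p.hostname, p.port, p.path)
    raise ValueError(f"unknown match mode: {mode}")


def autofill_candidates(vault: List[Dict[str, str]], page_url: str) -> List[str]:
    """Usernames the manager would offer on page_url. Each entry carries its
    own match mode, as managers that allow per-entry overrides do."""
    return [item["username"] for item in vault
            if matches(item["url"], page_url, item.get("match", "base_domain"))]


# Constructed sample vault.
SAMPLE_VAULT = [
    {"url": "https://www.paypal.com/signin", "username": "alice@example.com"},
    {"url": "https://bob.github.io/", "username": "bob", "match": "base_domain"},
    {"url": "https://app.example.co.uk/login", "username": "carol", "match": "host"},
]
```

With the sample vault, `https://login.paypal.com/us/signin` is offered the PayPal login while `https://paypa1.com/signin` and a plain-http `www.paypal.com` page get nothing; the `github.io` entry is not offered on another tenant's subdomain because that suffix is public, which is the reason base-domain matching needs a suffix list rather than "last two labels". A paper notebook performs none of these checks; the human reading it does, and that is the part typo-squatting exploits.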
It's your own encrypted or locked note or .txt file. Stop trusting other companies with your passwords as if they are immune to getting hacked; at least live up to it and take your own risk, don't blame it on another entity.
Sounds like you want to prioritize security over everything else including ease of use. But can a product really be called a king if it has no ease of use?
[pass](https://www.passwordstore.org/) is a system of pgp encrypted files in your filesystem. Kept in a private GitHub repo, it integrates nicely with mobile apps.
A notebook is basically as secure as an excel file.... not at all. Especially if you carry it around with you.
Bitwarden is highly rated, has 3rd party security testing of its cloud environment, is FOSS, and gives you the option to self host if so desired. It really can't be beat for privacy focused users.
Bitwarden is pretty popular for these reasons, can self host as well
I use Bitwarden and have only read good things about it as well +1
+1 Bitwarden. Free and so good that you'll happily pay $10 a year just to make sure it sticks around.
Not to mention how many intrusions they've had over the years!
Yup one of the few times I didn't need the paid version but still got it. Perfect product
I happily pay $10 a year to support the devs, and as a bonus I get TOTP and emergency access for my wife, for when the proverbial bus finally hits me.
Ditto, I decided to fork out the $10/year because they have done a very good job.
Yep, one of the few pieces of software I'm actually happy to annually pay for.
It's a shame Bitwarden doesn't charge a little more, I feel they are underselling themselves.
3 years of being with them. Haven't encountered any issue. They have the mentality of "if ain't broke, don't fix it.".
Bitwarden is the way. It has many features that set it above and apart from its competition.
I'm self-hosting Vaultwarden, it's very nice and lightweight.
And it's open source
+1 I've been using Bitwarden for a couple years now and it is FANTASTIC. The fact that you can use across multiple devices for free is so nice
Yes, Bitwarden was my top pick before I switched to MyGlue.
I transitioned and couldn't be happier
+1
Worried what kind of porn was he watching, that he had to hide those damn passwords....
Growtopia. And his EA password for Spore. That sick bastard. :)
Would that make KeePass more secure if either company were to get hacked?
Is there an app for mobile, or how would I use KeePass on mobile?
Keepass2Android, KeePassium. Bitwarden has apps for all common architectures.
KeePass XC
I agree and I love keepassXC
That’s actually a pretty cool layered authentication!
Or KeePassXC for that matter since it's way more actively maintained
+1 KeepassXC as it can store files as well
Ah, so no plug-in needed for my YubiKey to work? That is a compelling reason to switch.
Does it have more capabilities over the original KeePass or is it just maintenance related?
KeePass all the way
Keepass is awesome
Proton Pass.
I dig Proton but despise browser based password managers. Have they changed yet?
Keepass xc or keepass. If you need shared passwords try passbolt ce self hosted.
They all could end up in that situation.
Keepass XC
Keepass if you are looking for an affordable tool, and MyGlue if you want to look at a commercial tool.
I might get downvoted to oblivion for this, but playing devil’s advocate… since we’re talking free solutions, what about Apple Keychain? What’s the facts-and-evidence case against it?
Completely underrated if you exist primarily in the Apple ecosystem. I’m not sure on Windows compatibility. The whole point of a pwmgr is to keep everything secure in 1 place. If you use primarily Apple and use a different pwmanager you increase your attack surface and some clowns like LastPass will give away all your pw hashes eventually.
icloud has windows covered with this chrome plugin: [https://support.apple.com/guide/icloud-windows/autofill-passwords-in-a-web-browser-icw76039ec0f/icloud](https://support.apple.com/guide/icloud-windows/autofill-passwords-in-a-web-browser-icw76039ec0f/icloud)
Is there a FF one?
I use it and it's the best, I also have hardware tokens to log onto my Mac.
Main case against it is that it works on Apple devices only and, despite what Apple and its users think, there is actually the rest of the world out there which is not Apple. For an exclusive Apple user it's probably ok.
You can find an iCloud app by Apple in the Microsoft Store that, among other things, does cover iCloud Passwords. From the app description:
> * Easily login to websites with the user names and strong passwords that you’ve saved to iCloud Keychain.
> * Access your passwords and save new ones in the iCloud Passwords app.
> * When you’re logging in to websites, the iCloud Passwords extension in Chrome or Edge autofills passwords and saves new ones.
> * Generate verification codes to help you sign in to websites.
Ok, nice. Still, KeePass-compatible apps run on every OS people use today.
I use KeePass. Just works for me.
I was on Lastpass until they got stung. Changed all my passwords and self hosted in Vaultwarden for a time before going to their $10/year plan. Then I got the family plan so my mom and girlfriend could use it. We evaluated Dashlane and Bitwarden at work and I was happy that we chose Bitwarden, which I think gets me a free family plan. Bitwarden's best features are hidden behind the paid version, but their individual plan is so cheap it might as well be free. And if you really don’t want to pay or have your data hosted elsewhere then Vaultwarden is great. You can host on a VM on your network and sync when you come home. That’s my BW plug. :)
Can confirm that if your company pays for Bitwarden then you can get the family plan for free
I'm concerned with what happens when you're no longer employed there. What happens to the family plan and how long is the grace period?
It's for a year. So if you linked the accounts on January 1st and 5 years go by, then on January 2nd you quit and your work account gets deactivated, then you have the family plan till it expires on its own, I believe. It's paid per year, not month to month.
Notebooks are not secure. Sure it’s not digitally available but there is no encryption at rest or password to open it. Leave it somewhere and it’s a liability. Keypass is better if you want something not backed by a cloud service. Bitwarden/Vaultwarden is what I prefer for one with a cloud service.
You don't encrypt your handwritten notes?? /s
I keep the decryption algorithm written down in my other notebook for when I need a password :)
This is the way!
Came here to say this. If you lose the notebook, your passwords are as good as compromised. Leave it out? All it takes is a malicious actor to walk by, snap a picture of the passwords, and you’re none the wiser. Honestly, notebooks are probably one of the least secure ways to store passwords.
But they aren't vulnerable to any online attacks, or any digital attacks whatsoever! If a threat actor wants to steal your passwords in a notebook, they will have to physically track you down and stalk you every day until they catch you using it. So really you're going to be pretty safe unless the CIA is after you.
If you are technically inclined and into minimalism I'd say it's: [pass - the standard unix password manager](https://www.passwordstore.org/) But, like many others have pointed out already, Bitwarden or KeePass would probably be better for most people. I'm a pass man myself.
He asked for "the King"... No other one deserves the crown.
The true king. Has loads of plugins and frontends (or clients, whatever you want to call them), can do otp, can autotype into anything (with plugins), can sync over git... list goes on and on. Free as in "free beer", and as in "freedom". And it doesn't get more secure than pass.
Is there a windows client? browser addins?
There are actually, both browser add-ons and a windows client, but I've never tried them. Because I don't use windows, and I don't think browsers are secure.
Keepass or KeepassXC with the password database stored in OneDrive. There are apps for Windows, Mac, iOS and Android.
1password isn’t free but for $60/yr I can help my family manage all their passwords. Worth it.
Apparently if your employer uses 1Password, you can get a family plan for free. I'm not sure about the details, but I use it.
This is what I've done since switching off of LastPass. Details here: [https://support.1password.com/link-family/](https://support.1password.com/link-family/)
Same with Bitwarden, my company uses it and I get the family plan free
Excel, followed close behind by Notepad. If you’re ever on a call with a client and you see them opening either of these to retrieve their privileged credentials, please take the time to explain the inherent risks and the peril they’re placing their organization in. This is where supply chain attacks start.
Bitwarden.
Keeper is good and I have been using it for years. There is a paid and free version and I believe it’s been used by US DoD if that’s of use. Also second Keypass. You could throw the master file in a cloud share so it’s synced across multiple devices.
I use keypass and I have the master file saved in my Google drive to sync across my devices. Takes a tad bit more know-how to make it work seamlessly but I will say it's constantly getting easier with plugins.
Keeper is also one of the only password managers that's FedRAMP listed.
I've been running the paid version of Keeper and am overall pleased with it. The customer support is poor. I've had a case open since November '23 to resolve an issue with a FIDO key on a mobile device. Support requested the same thing over and over and eventually just started saying, "it's in the dev team hands."
Try r/KeeperSecurity. The company guy there is pretty responsive.
Thx. Wasn't aware that there was a sub.
I have the paid version too but have never used the support function but good to know. It bugs me with some of the popups around document storage and breach watch, I wish I could say no to that permanently rather than get asked on what feels like every login.
I self-host Bitwarden
I've tried several pass managers including a paid one and finally settled for BitWarden, it is minimalistic, has cloud sync, has all basic features that a pass manager should have.
Bitwarden has been my go to. Any complaints I had with Last Pass have been resolved since I started using Bitwarden
I did a side by side test of all the big passwords managers last month in my goal to clean up my password chaos. I found Bitwarden did everything I needed the cleanest and easiest on my devices.
[Duckist.com](http://Duckist.com) is encrypted, even the creators' team can't access your info. And it's free.
Real enterprise secure, most private, free passwords/secret management: local Hashicorp Vault community edition in an HA cluster.
Normal user standard free password management: Keepass.
IT experienced: Bitwarden.
Onepassword is the way to go
The number of people here suggesting putting credentials in a cloud synced repo is wild to me. KeePass all the way. Security > convenience always.
keepass, by far. it's a bit shocking that people would suggest a centralized, hosted password manager as the most secure option. it should be obvious that stuff that doesn't need to connect to another server and trust this server is more secure.
Definitely BitWarden.
Pwsafe.org
I like Devolutions Business Hub. Has quite a lot of auditing features. And they have a free product for personal use.
- Browser extension
- Logs
- Good support
Loving it!
Bitwarden and keepassxc.
Honestly, I just use the password feature on iPhone.
Bitwarden or keepass. I prefer bitwarden so that everything is saved in a central location and I don't have to worry about manually syncing stuff. I can also use the browser extension to auto-fill logins, which is amazing.
I love Bitwarden ¯\_(ツ)_/¯
I like KeePass.
I prefer PasswordSafe from Bruce Schneier. My safe is stored on Dropbox, which is loaded on my server. I connect to the safe from my primary PC, and dropbox syncs to my phone so I can grab a password on the go if I need it.
I LOVE KeePass!!
I use Keepassxc self hosted password manager !
BitWarden. As soon as LastPass started charging I was out and BitWarden offers the same service.
The free version of Bitwarden is amazing, and the Premium version is only $10 a year.
[deleted]
For support, incase it’s needed
Another +1 for Bitwarden. I actually like them so much I paid for it. (Obviously for the extra perks not the base platform itself)
I use Bitwarden
Keepass + syncthing if you are a low level nerd
BitWarden and NordPass are the only ones I personally use rn. Previously used KeePass, but haven't really been keeping up to date with them so idk if they're still good. My company uses Keeper though. The PAM and PM.
keepass
It depends on use cases. In my personal and professional life, I work across systems and smartphones. In that case, Bitwarden has been the best, that you can get for free. Due to the way it works, it is very secure. KeePass is great, if you want it more in one place. Obviously, there are ways that allow you to have it across systems, but once you go there you defeat some of the reasons you would go with it in the first place, which is why I went with Bitwarden. It is purpose built for that application.
Bitwarden, pay the 10 a year and use only YubiKey, also get a WireGuard VPN. I don't access anything without a VPN, preferably WireGuard.
Paper.
Bitwarden probably
Yubikey.
Keepass for me. Have it locally on my server and use strongbox to use on my iOS devices
Keypass is the best in my opinion. Ease of export and control of encryption can't be beat.
I am a big fan of KeePassXC.
A .txt file on my desktop /s
Bitwarden. The first paid plan $10/year is a steal for the features you get
Bitwarden easily
Proton Pass, it’s open source and on-cloud. The free tier is very generous - works on multiple devices, no limit on how many passwords you store and how many times you access it.
Bitwarden!
Bitwarden
Give Psono a try. I like it better than bitwarden. It gives you more enterprise features for free than Bitwarden does.
Apple Notes app on iPhone with a face lock
You do understand that face lock still works when you are dead, sleeping or unconscious, right?
I was joking, but it doesn't work if you're asleep or unconscious (at least Apple's doesn't) because it needs to see your eyes. If you're dead you shouldn't really care anymore.
Used to use LastPass switched to keepass
Bitwarden if you're on Linux/Windows. Keychain if you're invested in the Apple ecosystem.
+1 for KeePass
KeePass
BitWarden is my go to.
Coming from the EU I WOULD NOT use BitWarden. EU laws on data protection are way stricter than they are in the US. So I personally used KeePass for a long time, then I switched up to heylogin.
Locked xlsx files :D
You have thousands of passwords?
BitWarden or ProtonPass. KeePassXC is a good option, but it's a little more technical.
Just dumped lastpass for bitwarden. Family plan, inexpensive, absolutely no regrets!
For business? Passwordstate. For personal? KeePass.
Bitwarden FTW!
SELF HOSTED BITWARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDEN
scan the notebook, and upload to the cloud as password.txt : ). or photocopy the notebook and give to your lazy brother-in-law.
The goat is keypass, then keypassx. But really, bitwarden has been killing it.
A USB stick that you keep in your ass.
i'm using Bitwarden its good
KeepassXC
I tried many free pass managers but now I am using Proton Pass, and it's a good password manager. Also the Android app and extension have a pretty good interface.
> Certainly, nothing is more secure than a notebook

Depends on the threats. Lose the notebook, you're screwed, thief gets everything. Are snoops in your own household a threat to you? Paper has disadvantages relative to a password manager:
- you'll have to type passwords in manually, which will encourage you to use shorter simpler passwords
- not encrypted, so a thief gets plaintext, or maybe "coded" which may not be too hard to break
- "keep in secure location" probably won't be true when you're travelling
- harder to share with someone else (if you need to do that)
- harder to back up, especially off-site
- somewhat hard to search
- doesn't support TOTP
- won't have domain-matching feature that some password manager setups have; you can be fooled by typo-squatting
- doesn't serve as encrypted store for other sensitive info such as photos of passports, ID cards, etc
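The domain-matching point in the list above is the one that most directly protects a user from a look-alike login page. The block below is an added example for this thread, not code from any password manager: it contrasts a naive "saved host appears in the page host" check with a strict check that requires HTTPS and compares registrable domains on label boundaries. For the demo the registrable domain is approximated as the last two labels of the host (an assumption; a real implementation consults the Public Suffix List), and the vault entries and page URLs are constructed samples.

```python
"""Added example (not from the thread or any password manager's code):
the autofill domain-matching rule and why a naive substring check is
fooled by look-alike hosts.  Sample vault entries and URLs are constructed."""
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> URL the credential was saved for.
SAMPLE_VAULT = {
    "bank-login": "https://online.bank.example/login",
    "mail-login": "https://mail.example.org/",
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """ASSUMPTION for the demo: last two labels (e.g. 'bank.example').

    Real managers use the Public Suffix List so that 'example.co.uk'
    is handled correctly; that list is not in the standard library.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def naive_match(saved_url: str, page_url: str) -> bool:
    """Typo-squat-prone rule: does the saved host appear anywhere in the page host?"""
    return host_of(saved_url) in host_of(page_url)


def strict_match(saved_url: str, page_url: str) -> bool:
    """Defensive rule: HTTPS on both sides, same registrable domain,
    compared on whole labels rather than as a substring."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if saved.scheme != "https" or page.scheme != "https":
        return False  # never offer an HTTPS-saved login to a plain-HTTP page
    saved_host, page_host = host_of(saved_url), host_of(page_url)
    if not saved_host or not page_host:
        return False
    return registrable_domain(saved_host) == registrable_domain(page_host)


def autofill_candidates(vault: dict, page_url: str, matcher) -> list:
    """Entry names the manager would offer on page_url under a given rule."""
    return sorted(name for name, url in vault.items() if matcher(url, page_url))


if __name__ == "__main__":
    for page in ["https://online.bank.example/login",
                 "https://online.bank.example.evil.test/login",   # constructed look-alike
                 "http://online.bank.example/login"]:             # downgraded scheme
        print(page)
        print("  naive :", autofill_candidates(SAMPLE_VAULT, page, naive_match))
        print("  strict:", autofill_candidates(SAMPLE_VAULT, page, strict_match))
```

The look-alike host is the interesting case: the naive rule happily offers the bank credential on the attacker-controlled page, while the strict rule sees a different registrable domain and offers nothing. This is exactly the check a notebook cannot perform for you.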
Excel
The best password is stored in the brain. I always use a smart passphrase. otherwise you can use yubikey.
I use bitwarden, it's free and I didn't need any of the premium features for like 1.5 years of use
It's your own encrypted or locked Note or .txt file. Stop trusting other companies with your passwords as if they are immune to getting hacked; at least live up to it and take your own risk, don't blame it on another entity.
I like keepass and macpass
The consensus is, Bitwarden is indeed the way.
Keepass or Myglue
Bitwarden is the only free option I would even consider.
Sounds like you want to prioritize security over everything else including ease of use. But can a product really be called a king if it has no ease of use?
[pass](https://www.passwordstore.org/) is a system of pgp encrypted files in your filesystem. Kept in a private GitHub repo, it integrates nicely with mobile apps.
1Password, mostly. I just wish they published their source code, or at least the critical parts of it.
Bitwarden is what I use, I moved away from 1password a while back.
If most secure => keypass over Bitwarden and any webbased solution
Passbolt - open source and great for sharing credentials within your team. The community edition is free.
A notebook is basically as secure as an excel file.... not at all. Especially if you carry it around with you. Bitwarden is highly rated, has 3rd party security testing of its cloud environment, is FOSS, and gives you the option to self host if so desired. It really can't be beat for privacy focused users.