hazel,

Could anyone give me recommendations for a password manager? Google is basically useless now and I don't know anywhere else to ask. 😅

So far, I've never found one that I trust enough to use. I do understand the importance but I'm extremely, incredibly hesitant to hand over my passwords to a 3rd party program. I'm even more hesitant to use randomly-generated passwords that I can't memorize as a backup.

All that being said, here's what's important to me:

  • Transparency - public audits, published whitepaper, and/or open source.
  • Export to a printable format. I don't have reliable backups, so this is a must-have!
  • Works with desktop & mobile Firefox.
  • Works on Windows & Linux (I regularly use both).
  • Works on Android - not critical, but would be really helpful.
  • Can work offline (I don't trust any sync server to stay online).

For everything else, I'm more flexible. I don't mind paying a small amount for a better / more trustworthy option, either.

Any suggestions, recommendations, or just boosts are appreciated! Thanks so much in advance! 💙

khamis_joe,

@hazel I love KeePassXC ( https://keepassxc.org/ )

jeff,

@hazel

I’ve seen a lot of recommendations for Bitwarden. That is what I use personally. Have for a few years now.

I have no complaints at this time.

breuxi,

@hazel Bitwarden! I can only speak for selfhosted vaultwarden on server side, but this alone works perfectly in daily life switching fast between windows, linux, macos and android!

compilation_error,

@hazel
@bitwarden is a great option. Open source and cross platform!

hazel,

@compilation_error @bitwarden thanks for the suggestion!

jwd630,

@hazel I switched the family to BitWarden a year ago (when the LastPass fiasco got going big time.) Research suggested the likely choices were that or 1password. My criteria included the hit by a bus scenario: if I wasn't around to be the helpdesk (and/or my vault was locked) would my family have some sort of resource and community they could look to for help. Its ease of use and their apparent willingness to listen to security concerns have not disappointed me yet.

hazel,

@jwd630 thanks for the recommendation! BitWarden and 1Password are currently my top choices. Family use isn't a top priority, but it would be a nice bonus. I appreciate the note about their security response. I didn't put it in my post, but I pay very close attention to how a company responds when (not if) they are compromised. Trying to cover up or downplay it is a huge red flag, whereas responding openly and swiftly is a huge plus.

gatesvp,

@hazel
I use (& pay for) 1password.

To the best of my knowledge, it does all of these things. It also supports family accounts, so you can give vaults to loved ones and also share passwords with others.

hazel,

@gatesvp that might be useful! I share some accounts with my wife and it would be very nice to keep those passwords in sync.

gatesvp,

@hazel

👍 to "wife access", I also have kids and have started putting this on their computers as well.

Also, the "printable backup" may not be obvious. They call it the "emergency kit".
https://support.1password.com/emergency-kit/

hazel,

@gatesvp thanks for the info about the "emergency kit", that would definitely have confused me!

yatil,

@hazel @redcrew 1Password is my recommendation. Syncing is through their servers but there is a secret key that only lives on your devices. Super reliable and also on the Fediverse: @1password

hazel,

@yatil @redcrew @1password thanks for the recommendation!

blake, (edited)

@yatil @hazel @redcrew Thanks for the shoutout, Eric! 💙

To hit some of the points Hazel was looking for:

• Security Audits: https://support.1password.com/security-assessments/

• Exportability/Printability: You can export in CSV or JSON, or you can print items directly from 1Password.com | https://support.1password.com/export/

• Whitepaper: https://1passwordstatic.com/files/security/1password-white-paper.pdf

• Available Everywhere (yes, that means Linux too): https://1password.com/downloads/

• Offline Access: https://support.1password.com/explore/membership/#unlimited-devicesbrunlimited-freedom

hazel,

@blake @yatil @redcrew Thank you for the information!

blake,

@hazel @yatil @redcrew Anytime! Always happy to help. Lemme’ know if there’s anything else you’re curious about! 🙌

cormac,

@hazel I recommend BitWarden.

It has audits and is published on their site.

Supports exports to .csv .json and encrypted .json

Not sure about mobile Firefox but works with everything I own (Android, Linux, Windows, desktop Firefox)

Works offline - it's local first, sync later.

hazel,

@cormac thanks for the recommendation!

amxmln,

@hazel have you heard of https://padloc.app — I'm not sure if it fulfills your requirement of printable exports, but it should tick all other boxes. 😊

hazel,

@amxmln I hadn't heard of that before, thanks for the suggestion!

russ,

@hazel I settled on Bitwarden after trying a few others.

abhijit,

@hazel I've been using Bitwarden for a while now and it has never let me down. It has extensions for almost all browsers I've had to use and apps across all devices. Plus you can host it yourself if needed to ensure maximum security.

tutwilly,
hazel,

@tutwilly thanks for the link!

darwinwoodka,

@hazel

1password

tkk13909,

@hazel I use ( on my phone and on my laptop) and sync the file using but I've also heard good things about

hazel,

@tkk13909 thanks for the recommendations!

M4rkF,

@tkk13909 @hazel
bitwarden works great for me. You do not have to self-host if you don't want to.
2FAS for OTP allows off-line backups that you can carry around and backup as necessary.

hazel,

@M4rkF @tkk13909 thanks for the info and recommendation!

UP8,

@hazel I have a python script based on an idea from CACM in 2005 or so which takes the domain name of the site you want to log into, asks for a secret phrase, concatenates them and puts them through a hash function to make 8 random characters.

some problems are: some sites want more characters, some sites don’t like the characters it uses (either it uses ones they don’t accept or they want something specific), also what to do if you have to change your password
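
The scheme UP8 describes, sketched as an added example (this is not UP8's script, which does not appear on the page): `simple_password` follows the description, and `site_password` goes further with a length, an allowed alphabet, a required suffix and a rotation counter for the three problems listed. SHA-256, PBKDF2, SHAKE-256, the function names and every parameter are assumptions.

```python
import hashlib
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols (assumed default)

def simple_password(domain: str, phrase: str) -> str:
    """The scheme as described: hash(domain + phrase) -> 8 characters."""
    digest = hashlib.sha256((domain + phrase).encode("utf-8")).digest()
    # Plain modulo mapping; slightly biased because 256 is not a multiple of 62.
    return "".join(ALNUM[b % len(ALNUM)] for b in digest[:8])

def site_password(domain: str, phrase: str, length: int = 16,
                  alphabet: str = ALNUM, required: str = "",
                  counter: int = 1, iterations: int = 200_000) -> str:
    """Variant covering the problems listed in the post.

    length   -> sites that want more characters
    alphabet -> sites that reject some characters
    required -> sites that insist on specific characters (appended as-is)
    counter  -> bump it to get a fresh password when one must be changed
    """
    if len(set(alphabet)) != len(alphabet) or not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet must hold 2..256 distinct characters")
    body_len = length - len(required)
    if body_len < 1:
        raise ValueError("length leaves no room for derived characters")
    # Slow KDF instead of one hash, so testing guesses of the phrase is costly.
    salt = f"{domain.strip().lower()}#{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, iterations)
    # Rejection sampling: drop bytes that would make some symbols more likely.
    limit = 256 - 256 % len(alphabet)
    need = 2 * body_len
    while True:
        stream = hashlib.shake_256(key).digest(need)  # longer output keeps its prefix
        picked = [alphabet[b % len(alphabet)] for b in stream if b < limit]
        if len(picked) >= body_len:
            return "".join(picked[:body_len]) + required
        need *= 2

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(simple_password("example.com", "correct horse"))
    print(site_password("example.com", "correct horse", length=20, required="!A"))
    print(site_password("example.com", "correct horse", counter=2))
```

Both functions are only as strong as the secret phrase, and the per-site settings (length, alphabet, counter) have to be remembered or written down to regenerate a password.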

hazel,

@UP8 that's a neat concept!

UP8,
hazel,

@UP8 thanks!

drikanis,

@hazel
I use bitwarden. End to end encrypted, Firefox extension, open source.

hazel,

@drikanis nice, thanks for the recommendation

julian,

@hazel I personally am using the KeePass-Ecosystem for my password managing needs. KeePass databases are just files, which you open with a primary password, so they work offline just fine.

On my laptop and desktop I'm running KeePassXC, which is a great cross-platform KeePass password manager (supports Linux, macOS and Windows). It also allows for exports to a plain text file I'm certain and it comes with an accompanying browser extension, which then allows you to fill in your passwords on different websites.

For mobile - as an iOS user - I use Strongbox, which is also amazing as well, tho I also have friends using KeePass on Android, so I'm assuming you should find a good client there as well.

And then finally for making sure my passwords are synced, I simply store them in my Nextcloud (tho you could also use a cloud provider or maybe even something like Syncthing I would assume).

That's kinda like my personal setup, which would also fit your needs pretty well from what you've written.

hazel,

@julian Thanks for the recommendations!

highway2009,

@hazel I use keepass and the db is synced with syncthing. This is p2p so no single point of failure.

hazel,

@highway2009 Thanks for the suggestion! p2p is interesting, although I'd be nervous about exposing the db like that. If there's ever a vulnerability in the encryption, then all of my credentials would be exposed.

charles222a203,

@hazel 1password is excellent.

hazel,

@charles222a203 thanks for the recommendation!

charles222a203,

@hazel you're welcome!

epixoip,

@hazel my personal recommendations, as a noted password security expert and password cracking tool developer, are Bitwarden, 1Password, and Dashlane. hope that helps!

hazel,

@epixoip Thanks for the suggestions!

flimpie,

@hazel @alice depending on how unixbeard-level you’re willing to go: private GitHub/GitLab/sourcehut repo and https://www.passwordstore.org, it is not an app in itself but just a standard saying “store passwords in GPG-encrypted files and store those in git”

it has applications that run on most platforms and I believe they also have browser plugins - not sure how good they work, never used them

hazel,

@flimpie @alice Thanks for the suggestion, although I'd definitely prefer an out-of-the box solution rather than something custom.

rdfhrn,

@hazel I'm using passmann app in nextcloud and for my private passwords etc enpass. The vaults (yup, multiple) are on nextcloud

natty,

@hazel Bitwarden ticks all of those boxes, can recommend ​:blobfoxfloofhappy:​

It only needs to be connected online for write access, but read access is always available

Exporting works as a CSV, JSON or encrypted JSON
Has a desktop (although Electron) client, Firefox extension for desktop, for Android it integrates via the autofill framework

hazel,

@natty thanks for the recommendation!

> It only needs to be connected online for write access, but read access is always available

That's totally fine, I just don't want to lose my credentials.

> Exporting works as a CSV, JSON or encrypted JSON

Perfect, I can work with that.

Jessica,

@hazel I hear proton password manager is good and free, and I personally use Bitwarden because I’m lazy

hazel,

@Jessica I've never heard of proton password manager before. Is it related to proton VPN?

Jessica,

@hazel yes

hazel,

@Jessica ah ok. I don't really trust that company, but that's just a personal bias.
