Ask Slashdot: What's the Best (Encrypted) Password Manager?
For storing passwords, Slashdot reader eggegick has a simple, easy solution: "I use Vim to keep my passwords in an encrypted file."
But what's the easiest solution for people who don't use Vim? My wife is not a Linux geek like I am, so she's using [free and open-source] KeePass. It's relatively simple to install and use, but I seem to recall it used to be even much simpler... Does anybody know of a really simple password manager or encrypting notepad?
I've looked at a number of them, and they use Java or Javascript, or they involve an external web site, or they have way too many features, or they use an installation program. Or Windows Defender objects to them.
Share your own suggestions and thoughts in the comments.
The best evah! (Score:3)
Post-it notes on my screen, with some characters replaced.
Re: (Score:3)
You are doing it wrong; security post-it notes go under the keyboard.
Re: (Score:3)
My password is the name of my cat. I can't put him under the keyboard. For long anyway.
Re:The best evah! (Score:5, Funny)
My password is my dog's name. My dog is named %8Nk=14hD
Re: The best evah! (Score:2)
Re: The best evah! (Score:2)
I don't get it. All we saw is, "My password is ********"
Re: The best evah! (Score:4, Informative)
Re: (Score:2)
That gives excellent protection against remote attacks for sure. And these are what almost all attacks on passwords are. Nothing wrong with writing down passwords as long as you keep the thing they are written down in reasonably secure.
Re: (Score:2)
It does nothing for disasters though. House burns down, it would be sad to lose access to not just your physical possessions but virtual access too.
Re: (Score:2)
It's also particularly vulnerable to access by family members.
That's not to say writing down passwords in a notebook is bad, it just really depends on your threat model: who do you want to defend from? The spouse / parents / kids? Hackers half a world away? The police? Thieves out to get the code to your safe? Solutions that work for one case may not work for the other or may be totally impractical (e.g. timer-based solutions).
Re: (Score:2)
It's also particularly vulnerable to access by family members.
Sometimes this can be useful. One of my parents had a massive stroke that completely disabled them, but because they had written all of their passwords on a notepad, I was able to immediately start to pay their bills and manage their communications. Obviously, it is risky in a lot of scenarios to let someone else, family or not, have that kind of access, but it saved me a huge headache, and I will be preparing something similar for my own family.
Re: The best evah! (Score:2)
Re: (Score:2)
I hate to admit this but you're right. I keep a handwritten log in pencil in small hard copy note book which I treat like POTUS's launch codes minus the USAF handler. Since the 90's. Never failed me yet.
It fails my mother on a sometimes almost daily basis as can be witnessed by the number of email notifications I get about a password change on her Microsoft account.
Re: (Score:2)
Despite my best efforts - my mom keeps all of her account passwords in a Word document stored on her computer.
(yes, I heard all the face-palms when you guys read that - trust me, I feel the same way)
Re: (Score:2)
It is not actually as insecure as most people think, or rather the alternatives are not that much more secure. When somebody compromises that PC, they can just sniff passwords for a few days and get all the more often used ones anyways.
The real way to get more security than passwords is using 2FA with the 2nd factor on a second device (or it really is not 2FA) that is kept reasonably secure. For most applications a phone will be fine as long as you take care what type of apps you put on it and do not log in
Re: The best evah! (Score:2)
Why does 2FA make your computer magically immune to sniffing attacks? At some point, the password is still going to be a clear text string.
Re: The best evah! (Score:2)
That may be, but the attacker will be unable to log in to any service where you set up 2FA because they won't have the second factor.
Re: (Score:2)
It does not. Why would it? Maybe read up on what 2FA actually does?
Re: (Score:2)
I keep all my work passwords in an Excel spreadsheet on my work laptop. (And never visit non-work related web sites, nor use it anywhere but from a wired network.)
Re: (Score:2)
Translation (Score:5, Insightful)
You want a tool which
* runs on a PC (since "not Linux geek")
* is not Vim, nor KeePass
* isn't based on Java or JavaScript
* does not involve an "external website" (which I assume to mean doesn't use 'cloud' storage)
* doesn't have too many features (?!)
* doesn't have an installer (?!!!!!)
* isn't rejected by Windows Defender (reasonable)
This is the point where you manage with KeePass, or you just give up. Honestly, what the fuck more could you ask for?
Re: (Score:2)
Re: (Score:2)
Browser integration only occurs with both an addon for the browser, and explicitly setting it up in the application to handshake with the browser (you have to click a button on the application side, it's not automatic from the browser), and then when going to the sites an additional explicit acknowledgement on top of that, given that you even gave the entry a website association in the first place (if your entry doesn't have a URL field, it doesn't associate).
Pretty secure by default, and that's what reall
Re: (Score:2)
Sounds like Password Safe, which is what I use. It has an installer, but it might be possible to just copy the program files folder around and use it. I haven't tested that; my hunch is that'd 70% likely work. https://www.pwsafe.org/ [pwsafe.org]
Seriously... (Score:2)
LOL at the "no cloud" and "no installer" requirements. Preference for it? Sure. But you give up and move on with your day. Or write it yourself.
How will you share passwords without a cloud or installer? Yes, I could write an algorithm, but I could recreate the wheel too. https://xkcd.com/927/ [xkcd.com] "Standards" Just because you can, and there is still a problem, doesn't mean you should try to.
Could everything be hand written in binary? And optimized down to the nanosecond and byte/bit? You go ahead. I'
I'm a happy Bitwarden customer (Score:5, Informative)
Very intuitive and easy to use; you can self-host or use their hosting; basic functionality is completely free, paid plan is only $10/year (family plan is $40/year). Works on Windows, Mac, Linux, Android, iOS, etc. etc. And it's open source.
What more do you want?
I landed here, after fleeing LastPass, too. (Score:2)
I only paid LastPass for Android support. To use the same tool on my phone (iOS and/or Android) and computer (Windows, OSx, and/or Linux). Which Bitwarden gives me for free. Though I mostly use Android and Windows today, I assume the other platforms work the same way (non-phones use a web page or browser add-on/extension for access).
I'll admit LastPass was more hands off (stuff "just worked" a lot better for me). But I've figured out how to adapt. And I've yet to hear of a breach, but lived through at
Re: I'm a happy Bitwarden customer (Score:2)
I really like Bitwarden too. I've been using the free version on iOS, Linux and Windows for about 2 years and it's really easy to use. So every website I visit has a different password, and I can safely store credit card details and secure notes too. It makes filling in forms and CC details a breeze.
On Windows and Linux I use the Bitwarden browser plug-in, while on iOS I use the app.
There is a bit of a learning curve, and some websites don't work well with Bitwarden for password entry.
Re: (Score:2)
Very intuitive and easy to use; you can self-host or use their hosting... What more do you want?
Last time I looked at it, the inability to store the password database in commodity cloud storage seemed like the main issue. Why would someone bother with the complexity of hosting for something so simple?
Re: (Score:2)
I used PassPack and I was happy with it until the company stopped supporting me, so I switched to 1password and I was happy with it, except for the price at the time of renewal and I needed to save money, so I switched to free Bitwarden and I don't even have to self host it and I am happy with it.
Re: (Score:2)
BitWarden: OK but a bit meh (Score:2)
I started using Bitwarden a few months ago for basically the same reason.
I think it's OK. I can use it for what I need. My non-techie spouse finds it too subtle. It's not a resounding success although that's not entirely Bitwarden's fault.
What I would have liked was a feature to import passwords from Chrome to Bitwarden. If anyone knows of such a thing, let me know.
(How many others run into this dynamic? When someone is working on task X and that requires learning tool Y, they're too busy, stressed, and foc
Re: BitWarden: OK but a bit meh (Score:2)
Re: BitWarden: OK but a bit meh (Score:3)
Re: (Score:2)
What I would have liked was a feature to import passwords from Chrome to Bitwarden. If anyone knows of such a thing, let me know.
https://bitwarden.com/help/imp... [bitwarden.com]
Keepass (Score:5, Informative)
Re:Keepass (Score:4, Informative)
Also can be accessed on Android.
Official KeePass works hard to keep a single database synchronized between multiple open instances.
For my phone, I use Syncthing in one-way mode to keep its copy updated.
Re: (Score:2)
You can use a free cloud storage provider to keep shared Keepass databases synced. You don't have to trust the cloud provider because the database file is encrypted. You can also of course use you own cloud, e.g. Nextcloud.
Another option is Joplin. It's not a password manager per se, but you can store passwords as notes in it, and it does cloud sync with client side encryption.
Re: (Score:2)
> You don't have to trust the cloud provider because the database file is encrypted.
The file is not defensible against gov't (or judicial branch) confiscation and is probably crackable by national intelligence agencies or top line academic cryptologists. Not that your computer or phone is much "safer", but it may be possible to make either more secure than a 3rd party vendor.
Re: Keepass (Score:2)
Android too. There are a few compatible ports.
I use my Yubikey via NFC (Android) and USB (macOS) at unlock time, and sync.com to share the database
Your brain (Score:2, Troll)
Re: Your brain (Score:3)
I probably have 1000 different, strong passwords in my password manager.
I used to make a game of how I'd vary the same password for each site so I could remember them. But this was basically spreading weak passwords all over the place.
I wouldn't use a commercial password manager online - they seem to get hacked pretty regularly, but other than that, my non-connected manager, which has good random password generation, does a great job.
Combined with a zero-knowledge sync solution and hardware 2FA, I think I'm
Re: Your brain (Score:2)
So you have a small handful of relatively weak passwords. Good for you. I have over 500 accounts in my password manager and all but a few (due to stupid, outdated and insecure password policies on a few sites) have very strong, long and random passphrases/words that quite frankly would be impossible for anyone other than some autistic savant to remember more than 5 or 6 of. I only need to remember my main password to access my vault and maybe 4 or 5 other passwords that never get written
Re: (Score:2)
Only for the tiny number of people that have a memory that makes this easy. For most people, keeping the password for the password manager in memory is already a chore.
Personally, I have 4 or 5 passwords in memory, and one is for my password store (GnuPG encrypted files), the rest is passwords I use several times each day. I do use random passwords from a CPRNG though, so memorizing them is hard but attacking them is basically impossible.
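The two posts above make the same point from opposite ends: a few long, memorised secrets for the vault itself, and random generated passwords for everything else. As an added example (not code from any poster or from any of the password managers named in this thread), here is how such generation is done in Python with the standard library's `secrets` module, which reads the OS CSPRNG, together with the entropy arithmetic that tells you how long a generated password or a memorised passphrase needs to be. The 94-character alphabet and the tiny wordlist are constructed assumptions; a real passphrase list (diceware) has 7776 words, and the functions take any list you give them.

```python
import math
import secrets
import string

# Alphabet for character passwords: the 94 printable ASCII characters.
# Assumption: the target site accepts all of them; trim it if a policy forbids some.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist so the example runs offline. A real diceware list
# has 7776 words; entropy per word is log2(list size), so list size matters.
WORDLIST = (
    "anchor", "basalt", "cobalt", "damper", "ember", "falcon", "gravel",
    "harbor", "ingot", "juniper", "kelp", "lantern", "marble", "nickel",
    "orbit", "pylon", "quartz", "ridge", "saddle", "timber", "umber",
    "valley", "walnut", "yarrow", "zephyr",
)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG via `secrets`.
    Never use `random` for this; it is a deterministic PRNG seeded predictably."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase for the few secrets you must memorise
    (the vault master password). Words are drawn uniformly, with replacement."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of symbols (characters or words) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average half the keyspace is searched."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"-> {entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    phrase = random_passphrase()
    print(phrase, f"-> {entropy_bits(6, len(WORDLIST)):.1f} bits (toy list only)")
    print("words for 77 bits from a 7776-word list:", length_for_bits(77, 7776))
    print("years at 1e9 guesses/s for a 64-bit secret:", round(expected_crack_years(64, 1e9)))
```

The useful number is the one the thread argues about: a 20-character password from the 94-character set carries about 131 bits, six words from a 7776-word list about 77 bits, and `expected_crack_years` turns those bits into the time an offline guesser at a given rate would need, which is what decides whether a password is "basically impossible" to attack or merely inconvenient.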
Chrome/Google Password Manager (Score:4, Informative)
I just use the Google Password Manager. Works great on both websites and phone apps, and you just copy/paste into anything else if you need to.
I wish "built into OS" was the best answer too. (Score:2)
I don't understand why the built-in OS doesn't include a standardized way to share this, and automate use of the shared info inside the OS.
The browser should talk to the OS through a standard interface. Each OS should expose a similar identification system that links to an encrypted credential. With a simple importer/exporter to sync across platforms with a centralized authority.
But oh...that's right. Being "profit driven" is the solution to the modern world. They'll never create walled gardens that lim
Re: I wish "built into OS" was the best answer too (Score:4, Insightful)
It is built into macOS and iOS. If you use iCloud, it automatically syncs between all your Apple devices. This answer is probably pretty unpopular here, though.
Re: (Score:2)
The only issue with Google Password Manager is that if you set up a password for it, you can't view those passwords online. In other words you can only access them from an instance of Chrome that you are logged into.
It's less of an issue these days because everyone has a phone, but still worth considering as it does affect some people.
I don't know if Firefox has the same issue, I should check.
Not for everyone, but ... (Score:4, Funny)
Re: (Score:3)
Gotta say - I've dumped a LOT of stuff into /dev/null and haven't managed to fill it up yet!
Re: Not for everyone, but ... (Score:2)
It's super effective for lossy compression like that.
Re: (Score:2)
Try /dev/full instead. And yes, that's a real device:
$ ls -l /dev/full
crw-rw-rw- 1 root root 1, 7 Aug 4 07:54 /dev/full
Re: (Score:2)
Back in the day, we set something up to send information to /dev/nul (or some other non-existent device like /dev/rmt0). Nothing like filling up a 2 gig slice on a Sun box :)
[John]
1Password (Score:3, Informative)
If you don't mind commercial software, 1Password is amazing. Mac, Linux, Apple, and Android phones. Oh, winbloze too. It all stays synchronized and "just works" (tm). With a family plan you can have personal and shared vaults. It's commercial software, but I am happy to pay for it. It even integrates with the cli so aws or azure or gcp command line tools can get their secrets from it.
Re: (Score:2)
Bad code already. Doesn't work on all browsers.
It’s worked fine for me in Chrome, Brave, Firefox, Edge, Safari, and others. Which browser are you using and did you check to see what the nature of the exception even was?
Costs money
This is your only valid complaint.
Lock-in
Not true. Your data is fully exportable in standard JSON and other formats, and can be imported by every major password manager that it competes with. I’ve exported entire vaults from 1Password to Bitwarden without issue in the past. There are also protected methods for sharing with others, in
pass + GUI (Score:5, Informative)
A local password manager that has only very few features: qtpass, a GUI on top of the unix CLI tool pass (everything FOSS, and it also runs on Windows). In a sense it is similar to KeePass (passwords are stored locally on your computer) and each password file is basically an "encrypted notepad" (it's not a big database; normally each password is in a file, although nothing prevents you from taking note of several passwords in each file). It can use git as well if you are worried about making mistakes. The encryption is managed by pass https://www.passwordstore.org/ [passwordstore.org] so it's very solid, but the interface qtpass has some graphical/behaviour bugs; there are other interfaces specific to other OSes (android, windows, macOS) that you could try as well
For Macs (Score:3)
I know this doesn't help the OP who uses Linux, but macOS has Keychain Access [apple.com] under Utilities. It's simple, secure, and gets the job done.
just encrypted or app features? (Score:2)
Not clear if you are looking for an app with helpful features or just a secure place to store data.
If you are looking for just a secure place to store data, without any features of a password manager, then I like these:
https://apricorn.com/flash-key... [apricorn.com]
Password Safe, created by Bruce Schneier. (Score:2)
Re: (Score:2)
I want a hardware appliance (Score:2)
I currently use a mix of Apple's Keychain, a text file with shorthand/obfuscation, a physical notebook, and some stuff I pipe through OpenSSL... but what I would really want is a physical credit-card sized device with keyboard and display that holds everything "offline." I think out-of-band password storage is pretty important, and once you use the same device for both entering and storing the password it can never really be secure.
Use what I use (Score:2)
Password Gorilla
I use it on Linux, but it works in Windows too (and Mac as well for that matter)
None (Score:3)
I keep my non-work passwords in a text file in masked form, showing just a few chars to jog my memory. I'm not famous, so this is good enough.
Re: (Score:2)
I'm not famous
You're nothing to anyone other than a number or email somewhere on the internet. Very few hackers actually target specifically famous people, and when they do it makes the news. The overwhelming majority of victims are us nobodies.
Re: (Score:2)
If you are using passwords that you can remember with a hint, you are most likely doing it wrong.
We've reached the point now where I find randomly generated usernames and email addresses for each entity to be prudent. I switched to having unique randomly generated passwords for each entity ages ago.
The problem is that you never really know what an entity is doing to protect your password. Some of them presumably do a good job protecting it, but plenty of others just stick it raw into a database table. If
Team Password Manager (Score:2)
and they use Java or Javascript,
No Java, and only minimal javascript for the webUI (does things like hiding passwords until you want to reveal or copy them and query the database at the time; prevents passwords from being visible in view-source and ensures that passwords can't be revealed if your session times out, refreshes TOTP-based 2FA codes...useful stuff).
or they involve an external web site
TPM is self-hosted; it involves an 'external website' to the extent you want it to - it's happy to be accessed with an IP on a LAN if you want. Or, put it on AWS if you want; it's
Encrypting notepad aka Text files? (Score:2)
I use Veracrypt for that.
https://www.veracrypt.fr/en/Home.html/ [veracrypt.fr]
Don't want to use vim ? (Score:2)
Neither do I, I use Emacs. The file is stored on an encrypted disk using cryptsetup [gitlab.com] so that if the machine is stolen my passwords cannot be read.
Password Safe (Score:2)
Re: (Score:2)
keepass (Score:2)
I personally use keepass,
I don't know if there is anything simpler, I just trust it. I trust it because I've been using it for a while, and it's (the data file) survived 2 disasters and the data recovery. I actually haven't been in a position to really know how secure it is or not, I've not had it tested against being stolen or anything, but I've lost less than the keys to everything I own online to a failed hard disk.
If you guys never hear from me again, it's either because I've died, or if finally didn'
Re: (Score:2)
Re: (Score:2)
Interesting! is this documented and/or discussed anywhere? legitimately interested.
also, thank you.
Re: (Score:2)
The functionality in question is Triggers [keepass.info] and the developers don't consider it a security flaw because it requires an attacker already having write access to the system, which already allows a system to be compromised in a number of other ways. While they're technically right, I disagree [slashdot.org], simply because while other methods to extract the same information via system access such as keyloggers or screen recorders require significantly more technical know
Re: (Score:2)
Re: (Score:2)
I would say this write access debate from the developer is hugely short-sighted. Having write access should be considered as my system being completely compromised. Having this database flaw should be considered as *all* systems and accounts I own being compromised, which is significantly worse.
me use bitwarden now (Score:2)
I used LastPass for years, almost since they were founded. I had a subscription for most of that time. But they started making changes to their subscription and it became time to leave. I needed one that would work on any computer no matter the location, just about any operating system and most browsers. The only one that really fit was Bitwarden. In a lot of ways it worked like LastPass, so there was no learning curve to speak of. Bitwarden also worked on sites that gave LastPass fits, especi
1Password (Score:2)
Store logins, notes, files (business critical keys), credit cards. Everything unlocked with one master password.
Password-protected document (Score:2)
For most personal passwords, I use Chrome's password manager. But for passwords I need to share with my wife, I use a password-protected Word document, using a password we both know. For most things, that's secure enough.
ZIP with AES-256 (Score:2)
Re: ZIP with AES-256 (Score:2)
Re: ZIP with AES-256 (Score:2)
TkPasMan (Score:2)
I use the sadly unmaintained TkPasMan [xs4all.nl] which is pretty simple. It's also reasonably secure because although it's unmaintained, the encryption is handled by running openssl aes128 to do symmetric encryption/decryption.
vim + encrypted file is potentially insecure (Score:2)
Text file in a True/Vera crypt drive (Score:2)
Revelation (Score:2)
I've used other solutions but Revelation is definitely my favourite so far. As far as I know it only works on Linux but as I only ever use Linux on my desktop/laptop computers that's fine.
It stores everything in a single encrypted file, has a nice GUI interface that has options for different record types, has a field for URLs that can be clicked on to open the relevant web site, copy-paste works fine from the user ID and password fields and it has a nice free format text field for keeping note of any other
Many choices depending on PW manager need... (Score:2)
When someone asks what PW manager they need, the big question is, what are their needs?
For example, if they just need it for themselves, then KeePass or KeePass-compatible apps like Strongbox, Keepassium, KeePassDroid, or some others are good enough. If you store your KeePass database on a cloud provider, I recommend creating a keyfile, and copying it via adb or iTunes to all the devices. This way, if someone obtains your KeePass database, there is no feasible way for them to brute force it without comprom
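The earlier exchange about keeping an encrypted KeePass database on a commodity cloud share (whether the provider, or anyone who copies the file, could brute force it offline) and the keyfile advice just above are two halves of one design: the master password is stretched by a memory-hard KDF so each guess is expensive, and a keyfile that never touches the cloud adds bytes the guesser cannot supply at all. The following is an added illustration in Python, using only the standard library; it is not KeePass's code and does not reproduce KeePass's actual composite-key or KDF construction, only the idea. Since the standard library has no AES, the "database" here is just the header an attacker would see (salt plus a key-check value) rather than real ciphertext; the scrypt parameters are deliberately low so the example runs quickly, and a real vault would use higher ones.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional

# scrypt work factor for this illustration only (assumption); real vaults tune higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_CHECK_LABEL = b"vault-key-check"


def make_keyfile(num_bytes: int = 32) -> bytes:
    """A keyfile is just CSPRNG bytes. It travels device to device by hand
    (adb, iTunes, USB), never through the same cloud share as the database."""
    return secrets.token_bytes(num_bytes)


def derive_vault_key(master_password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Composite key: password plus hashed keyfile, then stretched with scrypt.
    Hashing the keyfile first keeps the composite fixed-size whatever the file holds."""
    key_part = hashlib.sha256(keyfile).digest() if keyfile is not None else b""
    composite = hashlib.sha256(master_password.encode("utf-8") + key_part).digest()
    return hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass(frozen=True)
class VaultHeader:
    """What someone who copies the database file obtains: the salt and a
    key-check value. The encrypted payload is omitted (no AES in the stdlib)."""
    salt: bytes
    key_check: bytes


def _key_check(key: bytes) -> bytes:
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def create_vault(master_password: str, keyfile: Optional[bytes]) -> VaultHeader:
    salt = secrets.token_bytes(16)  # per-database salt defeats precomputed tables
    key = derive_vault_key(master_password, keyfile, salt)
    return VaultHeader(salt=salt, key_check=_key_check(key))


def unlock(header: VaultHeader, master_password: str, keyfile: Optional[bytes]) -> bool:
    """True only if both the password and the keyfile (if one was used) are right."""
    key = derive_vault_key(master_password, keyfile, header.salt)
    return hmac.compare_digest(_key_check(key), header.key_check)


def dictionary_check(header: VaultHeader, candidates: Iterable[str],
                     keyfile: Optional[bytes] = None) -> Optional[str]:
    """Defender's self-check: run a candidate list against a copied header, the
    way an offline guesser would. Returns the password that opens it, or None."""
    for candidate in candidates:
        if unlock(header, candidate, keyfile):
            return candidate
    return None


if __name__ == "__main__":
    keyfile = make_keyfile()
    header = create_vault("correct horse battery staple", keyfile)
    # Constructed candidate list that deliberately contains the real password.
    guesses = ["password", "letmein", "correct horse battery staple"]
    print("without keyfile:", dictionary_check(header, guesses))           # None
    print("with keyfile:   ", dictionary_check(header, guesses, keyfile))  # the password
```

The point the example makes concrete: with a keyfile in the composite, a candidate list that contains the exact master password still opens nothing, because the guesser is missing 256 bits that were never in the cloud. Without the keyfile, the defence is only the per-guess cost of scrypt times the password's entropy, which is why the poster above pairs the two.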
Risky business; KISS plus bonus thoughts (Score:2)
A password manager (though necessary) can be a huge risk. It is a single point of failure "steal all your credentials and take over your life" type of product. I would never put any truly important passwords into a widely used syncs-stuff-and-magically-integrates-with-browsers product. Because if that stuff gets hacked, you are seriously pwned.
Personally I use PasswordSafe with some old binaries I have used for years; I figure if those executables were compromised, I would have been hacked already. Decided
Getting people to use something (Score:2)
1st step, getting them to use unique and long passwords for each site.
They might reset them via their email account.
Write them on paper so they reset less often
Keepass makes it easier to type in a longer password. But only on the device you have.
You can share the database, but there might be issues changing passwords on multiple devices.
Bitwarden does the sync well, can be updated on all devices.
I find it easier than Keepass. But if someone is stuck on paper/resets, its hard to get them to try either.
I actually have a no-tech solution (Score:2)
If you want to get fancy with it, the length of the url/site-name can inform the number of prefix/suffix characters to use to increase entropy, so maybe 3 prefix/suffix characters for sites with odd numbers of characters and 4 for even.
It's not perfectly secure, but it assures
KeePass is already optimal for Windows (Score:2)
If your wife was running macOS with Safari, or
Internet Password Minder (Score:2)
Unironically, I agree with Ellen Degeneres. [youtube.com] Get a password book and put it in a safe if you really don't trust people in your household or are worried about it being physically robbed.
It's offline, so the virus your computer gets wont send the relatively small, easily located file to some scammer so he can patiently wait until a file exploit or de-encryption technique becomes available to steal your passwords.
As for browser password managers. Only use them for passwords you don't care about like forum or so
Password Safe (Score:2)
I'm old, so I still use Password Safe.
https://pwsafe.org/ [pwsafe.org]
The only downside is it isn't a standalone program ( has an installer ) but the encrypted database is stored locally ( not in the cloud ) and also has a Linux version out there somewhere if you wanted it.
Re: (Score:2)
Re: (Score:2)
Low-criticality stuff? Sure. If your computer or browser gets compromised, that attacker can collect passwords you type in anyways.
Re: (Score:2)
I don't trust Chrome or other web browsers with my bank passwords, but most other passwords, yes.
Browsers do encrypt saved passwords, you can only decrypt them if you know the Windows logon password. It's not Fort Knox secure, but it's pretty decent unless you have a government agency after you.
Terrible idea (Score:2)
Slashdotters may back up their browser data from time to time, but most people wouldn't, so that's a bad idea given that drives die. And this doesn't work well across multiple PCs and OSes.
And Edge? Ugh, is this a joke?
Re: (Score:2)
With multiple computers and hundreds of passwords I find Password Safe easy enough to use and I can email myself the encrypted passwords for safe keeping also, I don't mind using browsers to remember less important passwords but depending on them is just not a good idea.
Re: (Score:2)
Do all these + signs mean you're like quadruple managing it? Like, to get a password you have to go through github -> yubikeys -> PGP -> browserpass -> qtpass -> pass?
I don't know anything about any of this, but is that what you mean? that's crazy, what if you forgot a train of thought while you were unlocking your many thousand layers of security?
You ever hear of the guy who bought a $10,000 safe to protect a $100 bill?
Re: (Score:2)
The sticky note, statistically speaking, could well be safer: it's not prone to viruses, trojans or worms, and the password DB can't be copied by hackers on the other side of the planet.
I suppose an ideal solution would be to use an off-line phone with screen lock and store a password manager on it and use that in conjunction with hardware authentication.