Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Privacy

Ask Slashdot: What's the Best (Encrypted) Password Manager? 154

For storing passwords, Slashdot reader eggegick has a simple, easy solution: "I use Vim to keep my passwords in an encrypted file."

But what's the easiest solution for people who don't use Vim? My wife is not a Linux geek like I am, so she's using [free and open-source] KeePass. It's relatively simple to install and use, but I seem to recall it used to be even much simpler... Does anybody know of a really simple password manager or encrypting notepad?

I've looked at a number of them, and they use Java or Javascript, or they involve an external web site, or they have way too many features, or they use an installation program. Or Windows Defender objects to them.

Share your own suggestions and thoughts in the comments.

What's the best (encrypted) password manager?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: What's the Best (Encrypted) Password Manager?

Comments Filter:
  • by whoever57 ( 658626 ) on Saturday August 05, 2023 @05:38PM (#63743176) Journal

    Post-it notes on my screen, with some characters replaced.

    • by GuB-42 ( 2483988 )

      You are doing it wrong, security post-it notes go under the keyboard.

    • Re: The best evah! (Score:4, Informative)

      by Dr_Ken ( 1163339 ) on Saturday August 05, 2023 @05:43PM (#63743184) Journal
      I hate to admit this but you're right. I keep a handwritten log in pencil in small hard copy note book which I treat like POTUS's launch codes minus the USAF handler. Since the 90's. Never failed me yet.
      • by gweihir ( 88907 )

        That gives excellent protection against remote attacks for sure. And these are what almost all attacks on passwords are. Nothing wrong with writing down passwords as long as you keep the thing they are written down in reasonably secure.

        • It does nothing for disasters though. House burns down, it would be sad to lose access to not just your physical possessions but virtual access too.

          • by fgouget ( 925644 )

            It's also particularly vulnerable to access by family members.

            That's not to say writing down passwords in a notebook is bad, it just really depends on your threat model: who do you want to defend from? The spouse / parents / kids? Hackers half a world away? The police? Thieves out to get the code to your safe? Solutions that work for one case may not work for the other or may be totally impractical (e.g. timer-based solutions).

            • by Alopex ( 1973486 )

              It's also particularly vulnerable to access by family members.

              Sometimes this can be useful. One of my parents had a massive stroke that completely disabled them, but because they had written all of their passwords on a notepad, I was able to immediately start to pay their bills and manage their communications. Obviously, it is risky in a lot of scenarios to let someone else, family or not, have that kind of access, but it saved me a huge headache, and I will be preparing something similar for my own family.

            • Small hard copy notebook ðY"' attached to my wallet with a rubber band. Nothing fancy.
      • I hate to admit this but you're right. I keep a handwritten log in pencil in small hard copy note book which I treat like POTUS's launch codes minus the USAF handler. Since the 90's. Never failed me yet.

        It fails my mother on a sometimes almost daily basis as can be witnessed by the number of email notifications I get about a password change on her Microsoft account.

    • Despite my best efforts - my mom keeps all of her account passwords in a Word document stored on her computer.

      (yes, I heard all the face-palms when you guys read that - trust me, I feel the same way)

      • by gweihir ( 88907 )

        It is not actually as insecure as most people think, or rather the alternatives are not that much more secure. When somebody compromises that PC, they can just sniff passwords for a few days and get all the more often used ones anyways.

        The real way to get more security than passwords is using 2FA with the 2nd factor on a second device (or it really is not 2FA) that is kept reasonably secure. For most application a phone will be fine as long as you take care what type of apps you put on it and do not log in

      • by Nutria ( 679911 )

        I keep all my work passwords in an Excel spreadsheet on my work laptop. (And never visit non-work related web sites, nor use it anywhere but from a wired network.)

    • In all fairness for most people it is actually a better option as a software based one is a single point of failure that is only as strong as the hygiene of the system and safety of the user which for many is shit poor. a post-it note as long as you are concerned about your family seing it is safer for many.
  • Translation (Score:5, Insightful)

    by DaPhil ( 811162 ) on Saturday August 05, 2023 @05:43PM (#63743182)

    You want a tool which

    * runs on a PC (since "not Linux geek")
    * is not Vim, nor KeePass
    * isn't based on Java or JavaScript
    * does not involve an "external website" (which I assume to mean doesn't use 'cloud' storage)
    * doesn't have too many features (?!)
    * doesn't have an installer (?!!!!!)
    * isn't rejected by Windows Defender (reasonable)

    This is the point where you manage with KeePass, or you just give up. Honestly, what the fuck more could you ask for?

    • by Erioll ( 229536 )
      Slight alternative, same idea: KeepassXC [keepassxc.org]. It's actually open source, unlike the base Keepass (which I used to use). I used Keepass for years, and it's great, but I think that "XC" is better both philosophically, as well as features, like browser integration. And just like regular keepass, if you want it on the cloud, put your encrypted file on Google Drive, or your other internet location of choice, and you're good.
    • by MrL0G1C ( 867445 )

      Sounds like Password Safe which is what I use. It has an installer but it might be possible to use just copy the program files folder around and use it, I haven't tested that, my hunch is that'd 70% likely work. https://www.pwsafe.org/ [pwsafe.org]

    • LOL at the "no cloud" and "no installer" requirements. Preference for it? Sure. But you give up and move on with your day. Or write it yourself.

      How will you share passwords without a cloud or installer? Yes, I could write an algorithm, but I could recreate the wheel too. https://xkcd.com/927/ [xkcd.com] "Standards" Just because you can, and there is still a problem, doesn't mean you should try to.

      Could everything be hand written in binary? And optimized down to the nanosecond and byte/bit? You go ahead. I'

  • by 93 Escort Wagon ( 326346 ) on Saturday August 05, 2023 @05:48PM (#63743194)

    Very intuitive and easy to use; you can self-host or use their hosting; basic functionality is completely free, paid plan is only $10/year (family plan is $40/year). Works on Windows, Mac, Linux, Android, iOS, etc. etc. And it's open source.

    What more do you want?

    • I only paid LastPass for Android support. To use the same tool on my phone (iOS and/or Android) and computer (Windows, OSx, and/or Linux). Which Bitwarden gives me for free. Though I mostly use Android and Windows today, I assume the other platforms work the same way (non-phones use a web page or browser add-on/extension for access).

      I'll admit LastPass was more hands off (stuff "just worked" a lot better for me). But I've figured out how to adapt. And I've yet to hear of a breach, but lived through at

    • I really like Bitwarden too, Iâ(TM)ve been using the free version on iOS, Linux and Windows for about 2 years and itâ(TM)s really easy to use. So every website I visit has a different password, I can safely store credit card details and secure notes too. It makes filling in forms and CC details a breeze.

      On Windows and Linux I use the Bitwarden browser plug-in, while on iOS I use the app.

      There is a bit of a learning curve and some websites donâ(TM)t work well with Bitwarden for password entry.

    • by piojo ( 995934 )

      Very intuitive and easy to use; you can self-host or use their hosting... What more do you want?

      Last time I looked at it, the inability to store the password database in commodity cloud storage seemed like the main issue. Why would someone bother with the complexity of hosting for something so simple?

      • How to install Bitwarden on a linux server [bitwarden.com]

        I used PassPack and I was happy with it until the company stopped supporting me, so I switched to 1password and I was happy with it, except for the price at the time of renewal and I needed to save money, so I switched to free Bitwarden and I don't even have to self host it and I am happy with it.
    • Same. I've been a paying customer of Bitwarden for a few years now, it ticks pretty much every box I could want it to check.
  • I started using Bitwarden a few months ago for basically the same reason.

    I think it's OK. I can use it for what I need. My non-techie spouse finds it too subtle. It's not a resounding success although that's not entirely Bitwarden's fault.

    What I would have liked was a feature to import passwords from Chrome to Bitwarden. If anyone knows of such a thing, let me know.

    (How many others run into this dynamic? When someone is working on task X and that requires learning tool Y, they're too busy, stressed, and foc

  • Keepass (Score:5, Informative)

    by ZERO1ZERO ( 948669 ) on Saturday August 05, 2023 @05:50PM (#63743200)
    Whats wrong with keepass? I have used it for years Its pretty simple, easy to use, offline, single db file of passwords, can be accessed using tools on ios mac linux and pc. Why looking for something else?
    • Re:Keepass (Score:4, Informative)

      by msk ( 6205 ) on Saturday August 05, 2023 @05:57PM (#63743216)

      Also can be accessed on Android.

      Official KeePass works hard to keep a single database synchronized between multiple open instances.

      For my phone, I use Syncthing in one-way mode to keep its copy updated.

      • by AmiMoJo ( 196126 )

        You can use a free cloud storage provider to keep shared Keepass databases synced. You don't have to trust the cloud provider because the database file is encrypted. You can also of course use you own cloud, e.g. Nextcloud.

        Another option is Joplin. It's not a password manager per-se, but you can store passwords as notes in it, and it does cloud sync with client side encryption.

        • > You don't have to trust the cloud provider because the database file is encrypted.

          The file is not defensible against gov't (or judicial branch) confiscation and is probably crackable by national intelligence agencies or top line academic cryptologists. Not that your computer or phone is much "safer", but it may be possible to make either more secure than a 3rd party vendor.

    • Android too. There are a few compatible ports.

      I use my Yubikey via NFC (Android) and USB (macOS) at unlock time, and sync.com to share the database

  • Never trust password managers, never write down passwords, use different password schemes for office and home activities.
    • I probably have 1000 different, strong passwords in my password manager.

      I used to make a game of how I'd vary the same password for each site so I could remember them. But this was basically spreading weak passwords all over the place.

      I wouldn't use a commercial password manager online - they seem to get hacked pretty regularly, but other than that, my non-connected manager, which has good random password generation, does a great job.

      Combined with a zero-knowledge sync solution and hardware 2FA, I think I'm

    • So you have a small handful of relatively weak passwords. Good for you. I have over 500 accounts in my password manager and all but all but a few, due to stupid, outdated and insecure password policies on a few sites, have very strong, long and random passphrases/words that quite frankly would be impossible for anyone other than some autistic savant to remember even more than 5 or 6 of them. I inly need to remember my main password to access my vault and maybe 4 or 5 other passwords that never get written

    • by gweihir ( 88907 )

      Only for the tiny number of people that have a memory that makes this easy. For most people, keeping the password for the password manager in memory is already a chore.

      Personally, I have 4 or 5 passwords in memory, and one is for my password store (GnuPG encrypted files), the rest is passwords I use several times each day. I do use random passwords from a CPRNG though, so memorizing them is hard but attacking them is basically impossible.
       

  • by Tomahawk ( 1343 ) on Saturday August 05, 2023 @05:57PM (#63743214) Homepage

    I just use the Google Password Manager. Works great on both websites and phone apps, and you just copy/paste into anything else if you need to.

    • I don't understand why the built-in OS doesn't include a standardized way to share this, and automate use of the shared info inside the OS.

      The browser should talk to the OS through a standard interface. Each OS should expose a similar identification system that links to an encrypted credential. With a simple importer/exporter to sync across platforms with a centralized authority.

      But oh...that's right. Being "profit driven" is the solution to the modern world. They'll never create walled gardens that lim

    • by AmiMoJo ( 196126 )

      The only issue with Google Password Manager is that if you set up a password for it, you can't view those passwords online. In other words you can only access them from an instance of Chrome that you are logged into.

      It's less of an issue these days because everyone has a phone, but still worth considering as it does affect some people.

      I don't know if Firefox has the same issue, I should check.

  • by fahrbot-bot ( 874524 ) on Saturday August 05, 2023 @06:02PM (#63743224)

    /dev/null -- Easily stores a LOT of passwords -- *and* data -- but retrieval and decryption is a bit tricky. :-)

  • 1Password (Score:3, Informative)

    by Kili ( 265889 ) on Saturday August 05, 2023 @06:08PM (#63743236)

    If you don't mind commercial software, 1Password is amazing. Mac, Linux, Apple, and Android phones. Oh, winbloze too. It all stays synchronized and "just works" (tm). With a family plane you can have personal and shared vaults. Its commercial software but I am happy to pay for it. It even integrates with the cli so aws or azure or gcp command line tools can get their secrets from it.

  • pass + GUI (Score:5, Informative)

    by test321 ( 8891681 ) on Saturday August 05, 2023 @06:10PM (#63743242)

    A local password manager that has only very few features: qtpass, a GUI on top of unix CLI tool pass (everything FOSS and it also runs in Windows). In a sense it is similar to KeePass (passwords are stored locally on your computer) and each password file is basically an "encrypted notepad" (it's not a big database, normally each password is in a file, although nothing prevents you from taking note of several passwords in each file). It can use git as well if you are worried of making mistakes. The encryption is managed by pass https://www.passwordstore.org/ [passwordstore.org] so it's very sold, but the interface qtpass has some graphical/behaviour bugs; there are other interfaces specific other OSes (android, windows, macOS) that you could try as well

  • by Equuleus42 ( 723 ) on Saturday August 05, 2023 @06:23PM (#63743252) Homepage

    I know this doesn't help the OP who uses Linux, but macOS has Keychain Access [apple.com] under Utilities. It's simple, secure, and gets the job done.

  • Not clear if you are looking for an app with helpful features or just a secure place to store data.

    If you are looking for just a secure place to store data, without any features of a password manager, then I like these:
    https://apricorn.com/flash-key... [apricorn.com]

  • I use it daily on my laptop, and there’s a program for iOS/iPadOS called pwSafe that uses the exact same file format for storing keys that Password Safe does. You can upload to a Proton Drive account for copying between Windows and Apple if you want to keep those two separate.
    • I also use Password Safe, even though, as I understand it, it hasn't been updated in quite some time. I also keep a printed copy of the password list, updated every six months or so, offsite. Very, very, offsite.
  • I currently use a mix of Apple's Keychain, a text file with shorthand/obfuscation, a physical notebook, and some stuff I pipe through OpenSSL... but what I would really want is a physical credit-card sized device with keyboard and display that holds everything "offline." I think out-of-band password storage is pretty important, and once you use the same device for both entering and storing the password it can never really be secure.

  • Password Gorilla

    I use it on Linux, but it works in Windows too (and Mac as well for that matter)

  • by Lije Baley ( 88936 ) on Saturday August 05, 2023 @07:09PM (#63743318)

    I keep my non-work passwords in a text file in masked form, showing just a few chars to jog my memory. I'm not famous, so this is good enough.

    • I'm not famous

      You're nothing to anyone other than an number or email somewhere on the internet. Very few hackers actually target specifically famous people, and when they do it makes the news. The overwhelming majority of victims are us nobodies.

    • If you are using passwords that you can remember with a hint, you are most likely doing it wrong.

      We've reached the point now where I find randomly generated usernames and email addresses for each entity to be prudent. I switched to having unique randomly generated passwords for each entity ages ago.

      The problem is that you never really know what an entity is doing to protect your password. Some of them presumably do a good job protecting it, but plenty of others just stick it raw into a database table. If

  • and they use Java or Javascript,

    No Java, and only minimal javascript for the webUI (does things like hiding passwords until you want to reveal or copy them and query the database at the time; prevents passwords from being visible in view-source and ensures that passwords can't be revealed if your session times out, refreshes TOTP-based 2FA codes...useful stuff).

    or they involve an external web site

    TPM is self-hosted; it involves an 'external website' to the extent you want it to - it's happy to be accessed with an IP on a LAN if you want. Or, put it on AWS if you want; it's

  • Neither do I, I use Emacs. The file is stored on an encrypted disk using cryptsetup [gitlab.com] so that if the machine is stolen my passwords cannot be read.

  • I've been using this for quite a while. Works on Windows, Linux, and Android. Most likely Apple products as well. https://pwsafe.org/ [pwsafe.org]
    • by ve3oat ( 884827 )
      Me, too! Works well for me. And one's confidence is boosted by knowing that one of the early developers was Bruce Schneier, well-known cryptography and security expert. If it was good for him, then it is certainly good enough for me.
  • I personally use keepass,

    I don't know if there is anything simpler, I just trust it. I trust it because I've been using it for a while, and it's (the data file) survived 2 disasters and the data recovery. I actually haven't been in a position to really know how secure it is or not, I've not had it tested against being stolen or anything, but I've lost less than the keys to everything I own online to a failed hard disk.

    If you guys never hear from me again, it's either because I've died, or if finally didn'

    • KeePass's database is fairly secure, but the application itself does have a local-user security issue. The application has some enterprise-level automation scripting not really appropriate for consumer software. Normally that wouldn't be a problem (just don't use the extra stuff), but considering this programs purpose, it's a bit of a security flaw. For example, a local user can edit config files and tell KeePass to spit out a full plain-text database dump next time a database is logged into. It can do so t
      • Interesting! is this documented and/or discussed anywhere? legitimately interested.
        also, thank you.

        • Sure! Actually, it was discussed on Slashdot previously [slashdot.org].

          The functionality in question is Triggers [keepass.info] and the developers don't consider it a security flaw because it requires an attacker already having write access to the system, which already allows a system to be compromised in a number of other ways. While they're technically right, I disagree [slashdot.org], simply because while other methods to extract the same information via system access such as keyloggers or screen recorders require significantly more technical know
          • I mangled that last sentence and submitted prematurely. However, I was basically going to say - while they're technically right that an attacker with write access may be able to compromise other password managers, regardless, having such a trivial method of local compromise really weakens the overall product. Better, I would think, to use a password manager that simply doesn't have a "silently dump my entire database in plain text in the background" configuration option.
            • I would say this right access debate from the developer is hugely short sighted. Having write access should be considered as my system is completely compromised. Having his database flaw should be considered as *all* systems and accounts I own being compromised which is significantly worse.

  • I used LastPass for years, almost since they were founded. I had a subscription for most of that time. But they started making changes to their subscription and it became time to leave. I needed one that would work on any computer no matter the location, just about any operating system and most browsers. The only one that really fit was Bitwarden. In a lot of ways it worked like LastPass, so there was no learning curve to speak of. Bitwarden also worked on sites that gave LastPass fits, especi

  • I've used it for a mix of personal/business for 5+ years and absolutely love it. It's not free, it's not open source, but it "just works" every time.

    Store logins, notes, files (business critical keys), credit cards. Everything unlocked with one master password.
  • For most personal passwords, I use Chrome's password manager. But for passwords I need to share with my wife, I use a password-protected Word document, using a password we both know. For most things, that's secure enough.

  • I use 7Zip to create a ZIP file containing an AES-256 encrypted text file with all my passwords. Very simple & cross-platform. Am I overlooking something, or is what I'm doing acceptably secure?
    • Seems to be a solid solution if your password list is static, though I'm constantly adding stuff and to do that you have to create a new file every time, or unencrypt it and add, then re-encrypt no? I found out every time I added passwords to my encrypted open office spreadsheet file that it was creating a local, unencrypted, cached copy on my drive (I found my passwords using hxd, in plain text).
  • I use the sadly unmaintained TkPasMan [xs4all.nl] which is pretty simple. It's also reasonably secure because although it's unmaintained, the encryption is handled by running openssl aes128 to do symmetric encryption/decryption.

  • Modern vim has a habit of storing things from your editing sessions in dot files; e.g. .viminfo. That makes it a poor choice for managing a password list unless your willing to configure it carefully. This is one of those times that a dedicated solution is better than the mighty vim!
  • Works on Mac and Windows. I never use sensitive stuff on mobile, but apps exists for mobiles as well. Bonus, can store more than just passwords in the drive.
  • I've used other solutions but Revelation is definitely my favourite so far. As far as I know it only works on Linux but as I only ever use Linux on my desktop/laptop computers that's fine.

    It stores everything in a single encrypted file, has a nice GUI interface that has options for different record types, has a field for URLs that can be clicked on to open the relevant web site, copy-paste works fine from the user ID and password fields and it has a nice free format text field for keeping note of any other

  • When someone asks what PW manager they need, the big question is, what are their needs?

    For example, if they just need it for themselves, then KeePass or KeePass-compatible apps like Strongbox, Keepassium, KeePassDroid, or some others is good enough. If you store your KeePass database on a cloud provider, I recommend creating a keyfile, and copying it via adb or iTunes to all the devices. This way, if someone obtains your KeePass database, there is no feasible way for them to brute force it without comprom

  • A password manager (though necessary) can be a huge risk. It is a single point of failure "steal all your credentials and take over your life" type of product. I would never put any truly important passwords into a widely used syncs-stuff-and-magically-integrates-with-browsers product. Because if that stuff gets hacked, you are seriously pwned.

    Personally I use PasswordSafe with some old binaries I have used for years; I figure if those executables were compromised, I would have been hacked already. Decided

  • 1st step, getting them to use unique and long passwords for each site.

    They might reset them via their email account.
    Write them on paper so they reset less often

    Keepass makes it easier to type in a longer password. But only on the device you have.
    You can share the database, but there might be issues changing passwords on multiple devices.

    Bitwarden does the sync well, can be updated on all devices.
    I find it easier than Keepass. But if someone is stuck on paper/resets, its hard to get them to try either.

  • In short, you use the same reasonably complex 8-12 character "base password" for everything, and then use the first 3-4 letters of the site in question, along with the last 3-4 letters of the site in question as a prefix and suffix.

    If you want to get fancy with it, the length of the url/site-name can inform the number of prefix/suffix characters to use to increase entropy, so maybe 3 prefix/suffix characters for sites with odd numbers of characters and 4 for even.
    It's not perfectly secure, but it assures

  • Windows offers no isolation between standard GUI apps running on the same desktop as the same user and does nothing to protect browser cookie jars from theft. This means KeePass is already your best bet for password management (as it is written with these weaknesses in mind) while a FIDO2 security key will be your best bet to provide MFA. Everything beyond that will depend upon your ability to prevent Windows and the web browser itself from being compromised.

    If your wife was running macOS with Safari, or
  • Unironically, I agree with Ellen Degeneres. [youtube.com] Get a password book and put it in a safe if you really don't trust people in your household or are worried about it being physically robbed.

    It's offline, so the virus your computer gets wont send the relatively small, easily located file to some scammer so he can patiently wait until a file exploit or de-encryption technique becomes available to steal your passwords.

    As for browser password managers. Only use them for passwords you don't care about like forum or so

  • I'm old, so I still use Password Safe.

    https://pwsafe.org/ [pwsafe.org]

    The only downside is it isn't a standalone program ( has an installer ) but the encrypted database is stored locally ( not in the cloud ) and also has a Linux version out there somewhere if you wanted it.

    • by rc5-ray ( 224544 )
      There is a PWSafe Disk-on-Key version, which is basically a portable app. Doesn't install or use the Windows registry. https://www.pwsafe.org/dok.sht... [pwsafe.org] I use this across my devices, but have the password file saved on a ProtonDrive folder, so I can access it from anywhere. Prior to this, it lived on a Google Drive folder. But the file is encrypted so Google couldn't do anything with it even if they wanted.

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...