I was using lastpass free and thanks to their terrible new limitations, I’m now looking for another alternative. Easiest would be to pony up their monthly fee but only if I cannot help it at all (plus I’d hate to reward them for the switch honestly).
My unicorn password manager is: free; secure; cloud syncs across at least PCs and android; not tied to any browser; allows 2FA; allows sharing of passwords.
I’m looking currently at Bitwarden but wondering what’s everyone’s favorite password manager and why.
Mine doesn’t meet your unicorn criteria – no cloud sync, no “sharing of passwords”.
I’ve used Password Safe – pwsafe.org, not passwordsafe dot com – for many years. Here’s my reason.
I couldn’t trust anyone to implement “secure” and “cloud”, even lastpass had security issues. For “sharing of passwords” you could create two password databases and share the password for one of them. There’s an Android version, but the phone apps I use can remember their own logins and I don’t use that many so I haven’t had to use it. If I had to “sync” I’d just copy the file manually.
Bitwarden looks interesting as they have a self-host feature. And it’s written in C#, which means it’s less prone to the most basic security blunders like buffer overflows.
Why complicate things and put your security at risk with a password manager? Especially a manager that stores data in the cloud. I have an algorithm that I use that allows me a unique password based on the web address the password is for. Just by looking at the current web address I can deduce the password using my algorithm 98% of the time. For the 2% of the passwords that require something different than my personal standard I store an exception hint in the bookmark description of that web address.
Our need for sharing is basically due to both DH and I updating passwords on a common database/account. We could keep them separate but this complicates things a bit, especially considering that I’m doing most of the transactions/account reconciling/budgeting/etc but DH still wants to stay in the loop.
I’d prefer a solution that’s only local on our devices but I just can’t find a way to make that work for two people needing to have access and updating the database.
I also like that Bitwarden is open source, so I assume quite a few people have looked for vulnerabilities and tried to poke holes in it by now. But like with any change, it’s a bit of a leap of faith whether they’re totally secure (even Lastpass wasn’t).
That could work but I’d be concerned somebody guesses my algorithm, then 98% of my passwords would be toast. And I wouldn’t trust that I’m smart enough to beat them for making a secure algorithm.
I used KeePass in the past but can’t remember why I didn’t keep using it. Maybe it was the cloud sync or something. I should take another look at it now that you mention it. Thanks.
Another solution is to place the password database file on a network share and / or have it synced by other, unrelated “cloud” software, like Microsoft OneDrive. Definitely more complicated than it needs to be, but it creates another layer of security as it disconnects the cloud provider from the password storage provider. Even if someone gets your password database file from the cloud storage, they can’t do anything with it (just don’t use the same password for the two different things).
I’ve used pwsafe for more than 10 years. I use several databases, depending on whether they are for client hardware, local hardware, ecommerce sites, business accounting, or personal financial. The business accounting and personal financial get stored on one pc and backed up weekly to rotating usb sticks. The others are stored on the lan and get backed up nightly.
Pwsafe has been rock solid with no loss or mix-up of data. When there is a new version released (rarely), I intentionally cut power with the db open. Other than routine housekeeping (lock files), it’s never lost a bit … or byte.
LOL. I think the type of failure you’re trying to force isn’t possible to do by hand these days, especially with tiny files and drives that can flush their cache with a tiny amount of power left in their capacitors. You’d have to go back to floppy disks (or big ol’ spinning drives that shake the whole desk). And you’d have to cut the power in the middle of a write operation of a big-enough file (to cut the power before it completes), since reading shouldn’t cause data loss. Also you should get a UPS, so power loss is never an issue.
I was thinking of a local storage solution possibly. Since we have our own server, Bitwarden would let us set up local storage for our encrypted password database. I think that would add that double layer of security provided that the password to our private server is different from the master password for the password database. At least if I understand what my IT guy (DH) told me about it.
But that way we’d keep syncing capability, storage on our own servers instead of MS Azure ones, and form filling functionality.
You mean the 8", right? I’ve advanced all the way to the 3.5".
You’re talking about the washing machine sized Winchesters, right? I’ve moved on from them and have my untrustworthy st-225 that works just fine as long as I re-format it once a year.
Here we have come to a difference of opinion. I’ve seen lots of files (not just databases) get corrupted by loss of power. Also, I’m not trying to force a failure, but rather looking to see what happens if the machine loses power while the db is open. I’ve got lots of backups, so it isn’t as much of a loss of data issue as a “what happens if” issue.
I don’t believe that power loss is never an issue. That said, I’ve got an oversized online UPS that trips system shutdowns when the power is off more than 3 minutes.
If your intention is to only sync on your home network, then you could do that many different ways, no Bitwarden needed. I thought you wanted to be able to sync across the internet, like from your phone when not home. If so, then exposing this “local” Bitwarden server to the outside world could also expose your home network (there are ways to keep your network unexposed, like with fwknopd, but it’s just another complication).
It was indeed a Winchester and it shook like a washing machine, but such dimensions must have been before my time. I had one about the size of an ATX power supply. 80 Megs, if memory serves (ha!).
AFAIK, corruption by a power outage is caused by either unfinished writes or by the magnetic head dropping where it’s not supposed to (before automatic head parking). Read operations don’t corrupt data. Aging / wear can also lead to corruption with enough time or writes, but that’s not related to sudden power loss.
That may have been a Pixie. The Winchesters were 14" in diameter and had fixed/removable components. IIRC, they were called Winchesters because, initially, they had 30Mb removable disks and 30Mb fixed disks. When most people heard 30-30, they thought of the Winchester rifle.
Where did I say read operations corrupt data? If that’s what you got out of my comment, let me rephrase: I’ve seen files get corrupted during power interruptions. Not many, but some were even marked read-only, and at least one has been since y2k (long after auto head parking was the standard).
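As an added illustration of the “unfinished write” failure mode discussed above (example code, not from any post in this thread or from Password Safe itself): a constructed simulation that cuts a save part-way through, once with a plain in-place overwrite and once with the write-to-temp-file, fsync, rename pattern, which leaves either the complete old file or the complete new file but never a truncated one.

```python
import os
import tempfile


class PowerLoss(Exception):
    """Constructed fault: raised to simulate power being cut mid-write."""


def write_unsafe(path, data, cut_after=None):
    # Overwrites the target in place; a cut mid-write leaves a truncated file.
    with open(path, "wb") as f:
        if cut_after is not None:
            f.write(data[:cut_after])
            f.flush()
            raise PowerLoss()
        f.write(data)


def write_atomic(path, data, cut_after=None):
    # Writes to a temp file in the same directory, fsyncs it, then renames it
    # over the target, so the target is only ever the old or the new file.
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            if cut_after is not None:
                f.write(data[:cut_after])
                f.flush()
                raise PowerLoss()
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # data must reach the disk before the rename
        os.replace(tmp, path)  # atomic on POSIX and Windows
        try:  # also flush the directory entry (not supported on Windows)
            dfd = os.open(d, os.O_RDONLY)
            os.fsync(dfd)
            os.close(dfd)
        except OSError:
            pass
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # leave no half-written temp file behind
        raise


def simulate(writer):
    """Return what the vault file contains after a save interrupted at byte 5."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vault.psafe3")  # hypothetical file name
        writer(path, b"OLD-VAULT-CONTENTS")
        try:
            writer(path, b"NEW-VAULT-CONTENTS", cut_after=5)
        except PowerLoss:
            pass
        with open(path, "rb") as f:
            return f.read()
```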
I paid for a year of last pass premium several years ago because I wanted to use it with a yubikey. For some reason, I’ve never been cut off even though I’ve never paid them since. I don’t know about the shenanigans they just pulled that this thread is all about, but because they have been so generous to me in the past by not charging me, if they ever do, I’ll probably pay them. Also, I’m lazy and don’t want to switch.
It’s only $48 for the family pack of 6 licenses for LastPass so that’s what I’m doing. We share it just like we share the Office 365 family subscription so works out to $8 a year with taxes for LastPass ($13 for Office). I’m literally sharing with family (parents, sibling, in-laws) but for LastPass, you get 6 individual licenses for only a few dollars more than buying 1 license so well worth the cost. Good way to get the rest of the family doing secure passwords.
LastPass also gives you 1GB of shared “family cloud drive” or something but since we have 1 TB each from MS Office, we won’t even use this part.