Option 2. It’s the most robust. You’ll never lose it (provided you have the redundancy), you can use it offline, you can transfer it using a USB pen, it’s available in all platforms, including web. I’ve been using this for 8+ years, on my phone, desktop, laptop, company computer, etc. I store it on a personal cloud (and on each machine, of course, by syncing).

I’ve been happy with Keeper

Bitwarden+vaultwarden, harden the chosen VPS, set SSH to use keys only, then setup fail2ban for webserver and ssh Also consider putting ffsync on it as well for extra browser benefits.

Apple keychain. Supposedly secure, extremely convenient, may be in the Cloud but not centralized - can’t lose everyone’s credentials at once.

The plug-in for Windows works pretty well too, although I wonder if that puts my confidential data at more risk

Having gone through all of these options I have thoughts.

Option 1 sounds awesome but will almost always leave you in a situation where you can’t get your logins when you need them in an emergency. You’re always depending on a chain of things. Depending on your situation it may not be a big deal. But this option sucks, imho.

Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.

So that leaves option 2. It’s great but you’re depending on someone else. This is the option that most people should choose too, imo. However it lacks some of control and trust that option 1 and 3 have.

Sooooo, that leaves us with option 4, the onion option. Breaking up your data into layers and using different tools for them.

So first and foremost I want my password storage to always be available. For me that means Bitwarden, (though I’m evaluating protonpass currently.) this is the outer layer. Things that can and should be stored here are stored here. I use it to manage web logins and 2FA tokens for those sites. I also use it for storing autofill data eg credit cards. I don’t use it to hold things like my gpg keys.

Next layer is pass. This layer is mostly things that I need to have logins or other information on headless/remote servers. Think self hosted lab services like a mariadb/postgres or backups. This is easily kept in sync with git. This is the layer where I’ll store things like gpg keys and other VERY sensitive data that I need to sync around.

For other things on this layer I use ansible vault. This is mostly used for anything where I need automation and/or I don’t want too or can’t easily use my yubikey for gpg. This is kept in sync with git as well.

Lastly the inner layer I use AGE or PGP. This is for anything else I can’t use the above for. So my Bitwarden export/backups are in this level too. I also use this layer for things that I need to use to bootstrap a system. Think sensitive dotfiles. This can be kept in sync with git as well.

Git is the best sync solution imo because you can store it anywhere and use anything to sync that repo. Just throw that raw repo on Dropbox, use ssh with it on a vps, rsync it, etc. you’ll always have it somewhere and on something.

My work flow goes like this Bitwarden -> Apple/Google/Firefox -> Pass -> Ansible -> AGE/PGP

This allows for syncing things as needed and how needed. It also gives you the option of having an encrypted text file if/when everything fails.

I use keepassXC and sync across my devices with nextcloud and VPN to my home network with wire guard and this setup has never failed me.

I’ve toyed around with passbolt, and I really want to try because it just looks cool to me, but I keep having trouble with it playing nice with my reverse proxy.

My personal preference is hosting it myself on my own server and using a VPN to get to it. It gives me peace of mind because I’m not a big enough target for someone to try that hard to get my passwords and I’m not exposed to bitwarden or dashlane getting breached.

I use option #1. Each instance of KeePass maintains a local file, but updates them automatically whenever it opens or closes. I also back up the file to my personal server automatically, so I have a copy even if the cloud service fails for some reason.

This setup has been serving me well for a long time.

For highest security don’t store in cloud or multiple places. Memorize them or keep a separate device that has no intermet access and keep them on that device encrypted/locked

To improve security of option 1 you could use a keyfile, that is either only transferred manually to devices or stored at a second cloud provider.

I used to self host Bitwarden, but didn’t want the hassle of securing it and updating it properly and consistently. So I just pay $10 for bitwarden premium and I get to support the company.

I’ve been using option 1 for many many years. It lets me keep control of the encryption, and it’s accessible just about anywhere.

Vaultwarden behind mutual tls and reverse proxy and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged

But honestly all services you mentioned are worthy.

Anything that fits your needs imao

I’ve used Option 1 with my Nextcloud and it works perfectly. Other options seem more apropriate when you need scale, many user each with their own vault.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

7 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.

[Thread #173 for this sub, first seen 28th Sep 2023, 18:45] [FAQ] [Full list] [Contact] [Source code]

I’d never store my passwords in the cloud.