• mub
    44
    2 years ago

    Bitwarden - does everything, and is free. You can even set up a shared vault so 2 people can have access to shared stuff like online shopping and streaming sites. Takes a bit of admin work but it is not hard.

    • @[email protected]
      English
      8
      2 years ago

      Sadly that second bit requires the other person to care enough to make an account and not just text you when they need the password 😂

      • @[email protected]
        English
        1
        2 years ago

        Just send a photograph of your screen showing the requested password of 25 random characters so they have to type it out. Guaranteed their next question will be where they sign up for an account.

        • @[email protected]
          English
          1
          2 years ago

          lol that’s generally what I do. Sometimes I’m nice enough to copy and paste. We don’t share a lot of accounts so it’s not a huge issue.

  • @[email protected]
    113
    2 years ago

    I second the recommendation for Bitwarden.

    I switched over from Dashlane and never looked back. They even have a browser extension for mobile Firefox (the browser you should be using anyways) so it’s easy and convenient on all my devices.

    • @[email protected]
      English
      42
      2 years ago

      +1 for Bitwarden. There were growing pains at the start to move off of iCloud Keychain. Once done and being more proactive with managing passwords it’s so good and trustworthy

      • @[email protected]
        15
        2 years ago

        Agreed. Bitwarden has been fantastic. I just wish it was easier to swap between accounts on the browser extension. You can do it on desktop and mobile pretty easily.

        • @[email protected]
          English
          2
          2 years ago

          The first time you use it, you export your password data and move it into BW. Then the browser extension can help autofill and detect new ones. It also has a password generator built in, so that's handy.

          Phone app can integrate and autofill. On iPhone I'm not sure if it can detect and save. But the few times I've needed to sign up on phone I manually input.

          I still use Firefox password and iCloud saves when prompted. Doesn’t hurt to have a backup I suppose.

        • Otter
          English
          3
          2 years ago

          Manually putting what in?

          You can import from another service if that’s what you mean

        • @[email protected]
          1
          2 years ago

          I spent some time when I migrated from just storing my passwords in Chrome. I went through and made sure all of them were strong, unique passwords. I set up categories for all of them. I set it up so I could share the right ones with the family and whatnot.

          Doing the raw import is easy, but it was a good time to make sure everything was in order.

    • Otter
      English
      14
      2 years ago

      Is there a reason to use the mobile extension over the app itself? The app can input into other apps as well

      • @[email protected]
        1
        2 years ago

        I have never even got the mobile extension to work. When I set it up and enter my email and master password, the Captcha that is supposed to show up is missing entirely. There is just a blank space under the password field where the Captcha is supposed to have appeared.


        • asudox
          1
          2 years ago

          If you have a custom DNS or VPN, that might be blocking the CAPTCHA.

      • @[email protected]
        1
        2 years ago

        Don’t know honestly - I’ve never tried the app so I don’t have a comparison. Didn’t even know they had one.

        • @[email protected]
          English
          2
          2 years ago

          The app is nice if you want to use Bitwarden to log in to other apps. You can allow it permission to run alongside other apps so that it can fill in login forms.

  • @[email protected]
    56
    2 years ago

    Been using KeePassXC (and before that, KeePassX) since I abandoned LastPass about a decade ago. The apps integrate with Nextcloud perfectly and at least for me, it's a breeze. I use it for TOTP too, and I second the recommendation of a hardware token for an additional layer of security. There are some USB-C options that work on phones (I'm using a Pixel 7 Pro).

    • FlumPHP
      2
      2 years ago

      I'm curious about using the same store for passwords and TOTP. Technically if someone gets access to your database, they have both your factors, yes? But I guess it does thwart someone trying to brute force your password.

      • Amju Wolf
        English
        1
        2 years ago

        Technically you do lose the second factor, but nowadays 2FA is often mandatory or they force some crap like SMS/email verification onto you. If you are aware of the risk then it isn’t a huge deal.

        Though you might want to consider not using it at least for the most important stuff like banking (here you don’t even have an option; banks have their own 2FA apps that you have to use) and primary/recovery email.

      • @[email protected]
        3
        edit-2
        2 years ago

        Adding a hardware key, like Nitrokey, would be an additional level of safety there. I would not use the database without some kind of additional key (something you know and something you physically have).

        If there’s something nefarious that has user access, you’ve already lost in that regard.

          • @[email protected]
            22 years ago

            This is what I do: I have 3 KeePassXC databases (regular passwords, "security" questions, TOTP tokens) each with a different password.
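An added example (not code from any post in this thread) of why "both factors in one vault" collapses to one factor: a TOTP code is a pure function of the stored seed and the clock, so anyone who can read the otpauth:// URI in the database can mint valid codes without the phone or token. The HOTP/TOTP functions follow RFC 4226 and RFC 6238 and are checked against the RFC 6238 reference secret; the otpauth URI is constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from base64 import b32decode
from urllib.parse import parse_qs, urlsplit

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters from the otpauth://totp/ URI a vault entry stores.

    The base32 'secret' query parameter is the entire second factor."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = query["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # vault entries usually omit base32 padding
    return {
        "secret": b32decode(b32),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algo": HASHES[query.get("algorithm", "SHA1").upper()],
    }


def code_from_vault_entry(uri: str, unix_time=None) -> str:
    """Whoever can read the URI can run this; no phone or hardware token is involved."""
    p = parse_otpauth(uri)
    now = time.time() if unix_time is None else unix_time
    return totp(p["secret"], now, p["period"], p["digits"], p["algo"])


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed vault entry for the example: the same RFC secret, base32-encoded.
SAMPLE_ENTRY = ("otpauth://totp/Example:alice@example.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print("code anyone holding the vault gets right now:", code_from_vault_entry(SAMPLE_ENTRY))
```

The only thing separating the seed from a one-time code is `time.time()`, which is why the replies above treat a TOTP seed kept next to the password as a convenience rather than a second factor, and why a hardware key or a separately-protected database changes the picture.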

    • jelloeater
      English
      5
      2 years ago

      I never got YubiKey to work on desktop with it. Key files seem to work well enough and are easy to manage.

      • @[email protected]
        4
        2 years ago

        It does require some configuration within YubiKey Manager. I did not find it straightforward but once set up it's really reliable.

      • Rootiest
        English
        6
        edit-2
        2 years ago

        YubiKey works for me, both on desktop with KeePassXC and on Android with KeePassDX to the same DB

        • @[email protected]
          3
          2 years ago

          I like the look of KeePassDX but I was bothered by the fact that I have to use the yubikey every single time to unlock the database, unlike keepass2android which allows me to store the yubikey credential with biometric lock until the phone restarts. Keepass2android is not as nice of an app but that feature was really required for me.

          • Rootiest
            English
            3
            2 years ago

            KeePassXC can do this as well, but it does require the YubiKey to be inserted every time you want to save a change to the database.

            Look under Settings -> Security -> Convenience -> Enable database quick unlock (Touch ID/Windows Hello)

            Using that I can quick-unlock my database using my laptop's fingerprint scanner, just like how KeePassDX works on Android.

            • @[email protected]
              3
              2 years ago

              It's not a huge issue on KeePassXC because I keep a YubiKey Nano plugged into my laptop, but for my phone, I haven't been able to make this work reliably with KeePassDX. I'll have to give it another go.

              • Rootiest
                English
                2
                2 years ago

                Ah yeah you are right, it makes me tap my key every time I open the app.

                The biometrics seem to only replace the master password.

                I do wish it worked more like KeePassXC where the key is only needed to save the database after unlocking and confirming with fingerprint

  • downpunxx
    54
    2 years ago

    When LastPass screwed around with its free tier offering, I switched to Bitwarden and haven't felt any reason to use or even try anything else. It's rock solid.

  • @[email protected]
    7
    edit-2
    2 years ago

    I made a hardware-based password manager that I keep on me with the 3-2-1 rule. (One on me, one at home, one in a remote location.) It's barely secure, but the data is not accessible except when I'm updating it. It's similar to the Mooltipass but all the passwords are stored on EEPROM.

    Could the eeprom be hacked by someone and all my passwords probably read in cleartext? Yeah. How many fucking people actually know how to do that though? Virtually none.

    Honestly, I’d love to just simply be able to afford a mooltipass though. :(

    This is what I based my personal one on: https://www.instructables.com/PasswordPump-Passwords-Manager/

    And I usually generate the passwords with an online tool so that I’m never using the same password twice.

    • Extras
      13
      edit-2
      2 years ago

      Why not keepass and its editors and just keep the vault file on a flash drive?

    • Amju Wolf
      English
      1
      edit-2
      2 years ago

      That's a lot of trouble to go to for questionable security. Though it's admittedly really cool.

      I guess this is only great if you have to use potentially compromised computers often, so you are risking leaking at most a single password at a time, but still…

      Unlike a proper password manager this still has issues though; for one, saving in cleartext is just bad, reading EEPROMs is trivial, and (perhaps more importantly) unlike a normal password manager this doesn’t protect you against inputting data on a wrong (phished) domain.

    • Natanael
      8
      2 years ago

      Depends on how it’s implemented. IMHO the best ones are password managers external to the browser but with a plugin which detects the domain name. The risk with autofill is stuff like spoofing and malicious iframes, a secure plugin can detect that and refuse to autofill.

      Alternatively, just set it to always ask when it detects a login form.

      • Amju Wolf
        English
        1
        2 years ago

        That is, in fact, more secure than having to copy the login manually.

      • @[email protected]
        English
        2
        2 years ago

        Most browser autofills already work off the domain name? Unless you’re saying there’s plugins that work off of security certs instead?

      • @[email protected]
        2
        2 years ago

        I would guess so, although the real purpose is likely to keep your passwords somewhere so that you can find them when you need them. I’m not sure why autofill is bad since your password manager generally already knows which password works on which website.

        • @[email protected]
          English
          2
          2 years ago

          If an attacker compromises the page or does a man in the middle and injects a form that isn’t displayed, it can trick your password manager to auto fill your login information and then send it anywhere. But that’s just one vector and if an attacker has compromised the server, there are a number of attack vectors they could take.

          • Amju Wolf
            English
            1
            2 years ago

            Yeah, if an attacker can modify your page it doesn’t matter if you auto-fill, fill on request or copy/enter the credentials manually - you are fucked either way.

      • PupBiru
        10
        2 years ago

        automatic auto fill is where your u/p is filled when you load the page with no interaction required

        requiring an interaction to fill the u/p means you expect there to be a login box to fill, which can mitigate certain kinds of compromise
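The fill policy the last few comments circle around (match on the address-bar site, refuse cross-site frames and hidden forms, and treat a user-initiated fill differently from fill-on-page-load), written out as an added example for this page rather than taken from Bitwarden, KeePassXC or any other manager. The public-suffix table, vault entries and page states are constructed stand-ins; a real extension would carry the full Public Suffix List and get the frame-origin and visibility facts from its content script.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: a real extension ships the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io", "example"}


def registrable_domain(host: str) -> str:
    """eTLD+1: the part of the host one party controls ('example.com', 'acme.co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


@dataclass(frozen=True)
class VaultEntry:
    name: str
    url: str        # URL the credentials were saved for
    username: str
    password: str


@dataclass(frozen=True)
class FillRequest:
    top_url: str          # what the address bar shows (top-level document)
    frame_url: str        # document that owns the login form; same as top_url when not framed
    form_visible: bool    # content script confirmed the inputs are rendered in the viewport
    user_initiated: bool  # user picked the entry / clicked the extension, vs. fill on page load


def decide_fill(entry: VaultEntry, req: FillRequest) -> tuple:
    """Return (allowed, reason). Each refusal maps to one of the abuses discussed above."""
    stored, top, frame = (urlsplit(u) for u in (entry.url, req.top_url, req.frame_url))
    if stored.scheme == "https" and top.scheme != "https":
        return False, "refuse: saved for https, page is not https (downgrade / MITM)"
    if registrable_domain(top.hostname or "") != registrable_domain(stored.hostname or ""):
        return False, "refuse: address-bar site does not match the entry (phishing lookalike)"
    if frame.scheme != top.scheme or registrable_domain(frame.hostname or "") != registrable_domain(top.hostname or ""):
        return False, "refuse: form lives in a cross-site frame (malicious iframe / injected widget)"
    if not req.form_visible:
        return False, "refuse: form is not visible (hidden injected form)"
    if not req.user_initiated and top.hostname != stored.hostname:
        return False, "ask: fill-on-load needs an exact host match; the user may confirm a sibling host"
    return True, "fill"


def fill_candidates(vault, req: FillRequest):
    """Entries the extension would offer for this page state."""
    return [e for e in vault if decide_fill(e, req)[0]]


# Constructed vault and page states for the example (no real credentials).
VAULT = [
    VaultEntry("shop", "https://example.com/login", "alice", "correct horse battery staple"),
    VaultEntry("bank", "https://acme.co.uk/", "alice", "not-a-real-password"),
]
SCENARIOS = {
    "legit login page, fill on load": FillRequest("https://example.com/login", "https://example.com/login", True, False),
    "lookalike domain": FillRequest("https://examp1e.com/login", "https://examp1e.com/login", True, True),
    "ad iframe on the real site": FillRequest("https://example.com/", "https://ads.evil.example/x.html", True, False),
    "hidden injected form": FillRequest("https://example.com/", "https://example.com/", False, False),
    "subdomain, fill on load": FillRequest("https://login.example.com/", "https://login.example.com/", True, False),
    "subdomain, user picked entry": FillRequest("https://login.example.com/", "https://login.example.com/", True, True),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        offered = [e.name for e in fill_candidates(VAULT, req)]
        print(f"{name:32s} -> {offered} ({decide_fill(VAULT[0], req)[1]})")
```

The ordering matters: the site check comes first because it is the one a copy-and-paste user skips (the phishing case), the frame check catches the malicious-iframe case from the Natanael comment, and only the last rule is relaxed by user interaction, which is the "you expect there to be a login box" point from the comment directly above.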

  • @[email protected]
    English
    28
    2 years ago

    Wow, so 1Password is not recommended anymore? How come? I’ve been using them for years.

    • @[email protected]
      2
      edit-2
      2 years ago

      I’ve been thinking about trying it… I like Windows Hello integration which seems to easily break in Bitwarden

      • @[email protected]
        English
        1
        2 years ago

        I can personally recommend 1Password, the Windows Hello integration works really well. Asks for your PIN code to unlock (or your master password after a reboot). If you put your computer to sleep rather than turn it off overnight, you won’t need the full master password.

        Also, if you’re so inclined, 1P has an excellent CLI tool you can use for accessing vaults programmatically. I use this for auto filling TOTP codes for my Final Fantasy XIV login.

    • @[email protected]
      5
      2 years ago

      Same. We've been using it for about a decade I think. One vault for my wife and me to share. Hosted on their end, so in case all our self-hosted stuff takes a crap our passwords are still available. Been considering looking at Bitwarden but haven't had the time.

    • @[email protected]
      7
      2 years ago

      Former 1password user, current Bitwarden user. Jumped ship when 1password dicked local vaults. Never been happier.

      And it’s a FUCKLOAD cheaper. 1password is very overpriced.

      • @[email protected]
        5
        2 years ago

        Bitwarden is practically free. You can pay for some extra features but all the core features and unlimited passwords storage works. Nobody should pay for a password manager.

    • @[email protected]
      16
      edit-2
      2 years ago

      Possibly because it is not open source and doesn’t have anything to offer that the other recommendations do not.

      • @[email protected]
        English
        17
        2 years ago

        Yeah, I think so. These are always tech articles and FOSS software is always a big feature.

        But 1Password has ongoing audits and a sane UI and mobile apps that pass the boomer-parent test. Canadian company too, which is nice given the US-centric tech world.

        • @[email protected]
          1
          2 years ago

          I use it because I share an account with my parents, so I can manage their stuff. My father's old local password manager was a mess.

      • @[email protected]
        6
        2 years ago

        Fastmail integration for masked emails! If you already have an email provider you like then yeah, not much to offer. But if you're like me a few years ago and were looking to get off of Chrome's password manager and Gmail, then 1Password and Fastmail is a nice combo.

        • @[email protected]
          4
          edit-2
          2 years ago

          Bitwarden has integration with Fastmail, as well as with many other alias services (AnonAddy, SimpleLogin, etc). They also just added support for self-hosted AnonAddy, and are working on adding support for self-hosted SimpleLogin.

    • @[email protected]
      7
      2 years ago

      It’s in their honorable mentions.

      Having no source-available clients is the author's main nitpick.

      • @[email protected]
        English
        5
        2 years ago

        Which personally I think does a disservice to their readers. If their article ends up high in search results for "best password manager 2023" for whatever reason, most people aren't going to care if there's a source-available client or not.

        Dashlane and 1Password might not have source-available clients but they likely have better UI/UX than these more open source alternatives that are made for people with technical expertise.

  • @[email protected]
    1
    2 years ago

    I've been using gopass+YubiKey for years, with gopass syncing to a remote git repository. Works great on my phone too with OpenKeychain+Password Store. I'm really happy with it, but I do realize it doesn't fit into most people's workflow.

    Put my wife on bitwarden though, and she’s pleased with it. At some point I’ll migrate her over to a self-hosted variant with Vaultwarden, but that’s mostly because I prefer to have services in-house, not because either of us are dissatisfied with BW.

  • @[email protected]
    1
    2 years ago

    Quick question - any issue with just saving passwords on Firefox? I use FF across all my devices and the sync between them without the need of an extra app is super convenient.

    Or am I just being naive?

  • @[email protected]
    3
    2 years ago

    I've used KeePassXC for years, but lately I'm having problems connecting it. I use it only offline and the Firefox plugin doesn't work very well. It has many options, too many in my opinion. I don't like having my passwords in a company's cloud. Self-hosting is the solution, but I don't have the know-how.

    • 80386SX
      12
      edit-2
      2 years ago

      I too like to keep my pet Donkey to myself. I love it. 🙂

      Also KeePassXC – KeePassDX + Nextcloud + (encrypted container dropbox backup)

        • @[email protected]
          2
          2 years ago

          I guess because of metadata. An encrypted file has no readable header, which the KeePass database file probably has so that KeePass knows how it is encrypted.

          • Natanael
            1
            2 years ago

            KeePass doesn't have much beyond a password hash for testing if you entered the right password or not.
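As an added example (not KeePass or KeePassXC code), here is what a `.kdbx` file discloses before any key is supplied: a parser for the unencrypted outer header of KDBX 3.1 and KDBX 4 files, run over two header blobs constructed inline rather than taken from real databases. The signatures, field IDs and algorithm UUIDs are those of the KDBX format; the sample seeds, IV and Argon2 cost values are made up for the demonstration.

```python
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67  # KDBX magic, two little-endian u32

HEADER_FIELDS = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags", 4: "MasterSeed",
    5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV", 8: "ProtectedStreamKey",
    9: "StreamStartBytes", 10: "InnerRandomStreamID", 11: "KdfParameters", 12: "PublicCustomData",
}
CIPHERS = {
    "31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256-CBC",
    "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
    "ad68f29f-576f-4bb9-a36a-d47af965346c": "Twofish",
}
KDFS = {
    "c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
    "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
    "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id",
}
# VariantDictionary value types -> decoder; anything else stays raw bytes.
VD_DECODERS = {
    0x04: lambda b: struct.unpack("<I", b)[0], 0x05: lambda b: struct.unpack("<Q", b)[0],
    0x08: lambda b: b != b"\x00", 0x0C: lambda b: struct.unpack("<i", b)[0],
    0x0D: lambda b: struct.unpack("<q", b)[0], 0x18: lambda b: b.decode(),
}


def parse_variant_dict(data: bytes) -> dict:
    """KDBX 4 VariantDictionary: u16 version, then (type, name, value) entries, 0x00 terminator."""
    (version,) = struct.unpack_from("<H", data, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while data[pos] != 0:
        vtype = data[pos]
        (name_len,) = struct.unpack_from("<I", data, pos + 1)
        name = data[pos + 5:pos + 5 + name_len].decode()
        pos += 5 + name_len
        (val_len,) = struct.unpack_from("<I", data, pos)
        raw = data[pos + 4:pos + 4 + val_len]
        pos += 4 + val_len
        out[name] = VD_DECODERS.get(vtype, lambda b: b)(raw)
    return out


def parse_kdbx_header(blob: bytes) -> dict:
    """Read only the cleartext outer header; nothing here needs the master key."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x+ file")
    size_fmt = "<I" if major >= 4 else "<H"  # KDBX 4 widened the field size to u32
    info, pos = {"version": f"{major}.{minor}"}, 12
    while True:
        field_id = blob[pos]
        (size,) = struct.unpack_from(size_fmt, blob, pos + 1)
        start = pos + 1 + struct.calcsize(size_fmt)
        data = blob[start:start + size]
        pos = start + size
        if field_id == 0:
            break
        if field_id == 2:
            cid = str(uuid.UUID(bytes=data))
            info["cipher"] = CIPHERS.get(cid, cid)
        elif field_id == 3:
            info["compression"] = {0: "none", 1: "gzip"}.get(struct.unpack("<I", data)[0], "unknown")
        elif field_id == 6:  # KDBX 3: AES-KDF round count sits directly in the header
            info["kdf"], info["kdf_rounds"] = "AES-KDF", struct.unpack("<Q", data)[0]
        elif field_id == 11:  # KDBX 4: KDF id and cost parameters in a VariantDictionary
            params = parse_variant_dict(data)
            kid = str(uuid.UUID(bytes=params["$UUID"]))
            info["kdf"] = KDFS.get(kid, kid)
            info["kdf_params"] = {k: v for k, v in params.items() if k in ("R", "P", "M", "I", "V")}
        else:  # seeds and IVs are visible but random; only their length is informative
            info[HEADER_FIELDS.get(field_id, f"Unknown{field_id}")] = len(data)
    info["header_length"] = pos
    return info


# --- constructed sample headers (not from real databases) -----------------------------

def _field(field_id: int, data: bytes, major: int = 4) -> bytes:
    return bytes([field_id]) + struct.pack("<I" if major >= 4 else "<H", len(data)) + data


def _vd_entry(vtype: int, name: str, raw: bytes) -> bytes:
    return bytes([vtype]) + struct.pack("<I", len(name)) + name.encode() + struct.pack("<I", len(raw)) + raw


SAMPLE_KDF_PARAMS = (
    struct.pack("<H", 0x0100)
    + _vd_entry(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    + _vd_entry(0x42, "S", b"\x11" * 32)                          # salt (made up)
    + _vd_entry(0x04, "P", struct.pack("<I", 2))                  # parallelism
    + _vd_entry(0x05, "M", struct.pack("<Q", 64 * 1024 * 1024))   # memory in bytes
    + _vd_entry(0x05, "I", struct.pack("<Q", 2))                  # iterations
    + _vd_entry(0x04, "V", struct.pack("<I", 0x13))               # Argon2 version
    + b"\x00"
)
SAMPLE_KDBX4 = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 0, 4)
    + _field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
    + _field(3, struct.pack("<I", 1))
    + _field(4, b"\x22" * 32)
    + _field(7, b"\x33" * 16)
    + _field(11, SAMPLE_KDF_PARAMS)
    + _field(0, b"\r\n\r\n")
)
SAMPLE_KDBX3 = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes, 3)
    + _field(3, struct.pack("<I", 0), 3)
    + _field(4, b"\x22" * 32, 3)
    + _field(5, b"\x44" * 32, 3)
    + _field(6, struct.pack("<Q", 60000), 3)
    + _field(7, b"\x33" * 16, 3)
    + _field(0, b"\r\n\r\n", 3)
)

if __name__ == "__main__":
    for blob in (SAMPLE_KDBX4, SAMPLE_KDBX3):
        print(parse_kdbx_header(blob))
```

What leaks is exactly the "how it is encrypted" metadata the comment above guesses at: that the blob is a KeePass database at all, the format version, cipher, compression, and the KDF with its cost parameters. Nothing about the entries is readable, but a backup that also wraps the file in an opaque container hides even that much.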

        • 80386SX
          1
          2 years ago

          The Dropbox is just a remote backup container. The backup is automated: it gathers files from a few locations, dumps them in an encrypted box and pushes them to Dropbox once a day. The encryption bit is just for some other files which are not encrypted in their natural state.

  • @[email protected]
    8
    2 years ago

    While I find a discussion about password managers great, I found the article to be underwhelming.