Which password manager to use?
-
I haven't seen it mentioned here so I'll throw it out there - 1Password. It's just a very smooth experience that I really appreciate.
Got a free family subscription through my work. Before that I was paying for it.
1Password is just great. Wonderful Linux support (desktop app, cli client, identity agent for SSH).
The major update to version 8 was rolled out to Linux first, actually.
One of the few pieces of software where you feel that the developers care about their product.
-
Which one? Or both?
Actually keepassdx, and sounding syncthing
-
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
I like to use SyncThing for my keepass vault. Imo it's about as simple and elegant as it can get without involving third party services.
-
Bitwarden.
My recommendation: Don't use Vaultwarden (self hostable server side of bitwarden. Really easy to run and use).
Why? You're not a security personal, and securing your vault isn't your job. You might do a slight mistake that'll lead to the compromise of your vault.The people at Bitwarden have their work dedicated to securing the vaults and all they do is security. And they'll probably do it better then you.
When it comes to serious matter, I prefer to trust the professionals.Just to play devils advocate. Bitwarden.com is a much more valuable target. My instance is behind a VPN. I think its actually far more likely Bitwarden will have a breach similar to LastPass then I will. But I agree with you mostly.
-
Bitwarden.
My recommendation: Don't use Vaultwarden (self hostable server side of bitwarden. Really easy to run and use).
Why? You're not a security personal, and securing your vault isn't your job. You might do a slight mistake that'll lead to the compromise of your vault.The people at Bitwarden have their work dedicated to securing the vaults and all they do is security. And they'll probably do it better then you.
When it comes to serious matter, I prefer to trust the professionals.Ignoring the security aspect of it Bitwarden is responsible for hosting a fault tolerant, highly available web app.
They have redundant networking, redundant servers, load balancers, redundant databases.
While you could host this yourself to these tolerances it's work and it's not free.
If you're using your password manager to the fullest you have a different password for every resource out there. It's more than a minor inconvenience if you get locked out of your passwords.
Their service is dirt cheap and it's absolutely worth every penny.
-
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
Vaultwarden is perfect imo
-
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
If you can't self host --> KeePass
If you can self host --> Vaultwarden -
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
I use KeepassXC on desktop, KeepassDX on my phone and keep it all synced with Syncthing. Works great
-
If you can't self host --> KeePass
If you can self host --> VaultwardenIs VW audited in the same way that BW is?
-
If you can't self host --> KeePass
If you can self host --> VaultwardenI hear good thing about Vaultwarden, but the web UI is horrible.
Vaultwarden's web UI is very confusing, especially the search feature. And it's difficult to move items between folders/collection. The desktop app is available as DEB/RPM package but without auto-update, which isn't great.
Fon now I'm sticking to KeepassXC because the app my distribution has a package for it and allows auto-update. The UI works well, and it has decent browser integration.
-
Just to play devils advocate. Bitwarden.com is a much more valuable target. My instance is behind a VPN. I think its actually far more likely Bitwarden will have a breach similar to LastPass then I will. But I agree with you mostly.
The data stored on Bitwarden's servers is completely encrypted though, which means a breach will not yield useful data, unlike the plain text storage for LastPass.
-
I hear good thing about Vaultwarden, but the web UI is horrible.
Vaultwarden's web UI is very confusing, especially the search feature. And it's difficult to move items between folders/collection. The desktop app is available as DEB/RPM package but without auto-update, which isn't great.
Fon now I'm sticking to KeepassXC because the app my distribution has a package for it and allows auto-update. The UI works well, and it has decent browser integration.
Vaultwarden is not to be used in itself you can for example use the bitwarden app but with your vaultwarden server
-
Is VW audited in the same way that BW is?
Really I don't know, surely a bit less but in my opinion, not that much
-
The data stored on Bitwarden's servers is completely encrypted though, which means a breach will not yield useful data, unlike the plain text storage for LastPass.
Yes I agree. I was just offering a counter to the statement that Vaultwarden isnt as safe as Bitwarden. They both are encrypted but my vaultwarden instance is a lot less likely to experience a breach than Bitwarden. The guys with real skill are going after Bitwarden not me.
-
Vaultwarden is not to be used in itself you can for example use the bitwarden app but with your vaultwarden server
You're right. I was referring to the bitwarden app above. See https://github.com/bitwarden/desktop
It's an electron app, and there's no auto-update solution for DEB packages (ie no DEB repo for apt auto update).
Some people are probably happy with it, but I prefer KeepassXC which is more lightweight (ie not electron based) and can auto update via APT.
-
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
Hackers have increased their focus on cracking password managers by extracting data from RAM and registry, compromising local and cloud storage.
-
Is VW audited in the same way that BW is?
I'm not completely sure, but doesn't Bitwarden encrypt all data before it reaches the server? That means the server implementation is a bit less important. I guess you probably don't want to be leaking even encrypted databases though since there is a chance they could be cracked.
-
2nding the Bitwarden, absolutely love it. I moved from LastPass years ago and never looked back.
3rded moving from LastPass to Bitwarden and never looking back. I got out when LogMeIn got in.
-
I also use Unix pass and self host a git repo over Tailscale to keep it synced across devices. Works like a charm so long as I remember to push whenever I edit a password somewhere.
One of the big flaws of snapshot-based VCSs like get is the patch order mattering—which causes conflicts. I would love to see an alternative built on Darcs or Pijul with their Patch Theory-based VCS system that does not have the flaws Git does.
-
One of the big flaws of snapshot-based VCSs like get is the patch order mattering—which causes conflicts. I would love to see an alternative built on Darcs or Pijul with their Patch Theory-based VCS system that does not have the flaws Git does.
Yeah agreed. I borked my repo a couple times and needed to rollback changes, re-sync everything, and resubmit changes. It was a bit scary, but that’s also kind of the beauty of the system, is it’s just files in a folder. I could move the conflicting files out, do a push/pull and then move the files back in and push. The biggest part is getting in the habit of doing a pull before I make any local changes on a device.
I haven’t heard of the tools you mentioned, but you’ve got me curious, so I’ll definitely be looking into them and a potential fix. I’m sure I could automate things with some simple scripting, but until I make my final move off iOS I’m sort of stuck with the clunky Unix Pass app on that OS which causes most of my issues.
Presumably you could just target the passwordstore folder with any version control, Unix Pass just has some git interaction built in.
