Password Manager Recommendations
from SomeAmateur@sh.itjust.works to privacy@lemmy.ml on 15 Oct 01:35
https://sh.itjust.works/post/47935445

Hello everyone, what is your go-to password manager? What would you suggest for friends and family that aren’t very tech savvy?

#privacy


SnotFlickerman@lemmy.blahaj.zone on 15 Oct 01:38

Hello everyone, what is your go-to password manager?

KeePassXC for something hosted locally on your home network. Best aspect of KeePassXC is the support for OTP codes built-in, in my opinion. For mobile OTP codes, I personally use Aegis.

What would you suggest for friends and family that aren’t very tech savvy?

Bitwarden for non-tech-savvy family and friends.

HairyHarry@lemmy.world on 15 Oct 01:50

You could actually host your KeePass DB online, if you secured it well enough (and on a server you control). That way you’d have a solution working for every device you have, wherever you are.

jeena@piefed.jeena.net on 15 Oct 01:59

I’m using Syncthing for sharing it, so as long as one other device is online it shares the newest version of the database.

AChiTenshi@sh.itjust.works on 15 Oct 02:17

If you do this, I would recommend having a two-part key: password and file. Then you can have the file on specific devices but share the database through the cloud.

bad_news@lemmy.billiam.net on 15 Oct 01:39

ProtonPass is probably the least untrustworthy normie solution in 2025…

crank0271@lemmy.world on 15 Oct 04:27

Less untrustworthy than Bitwarden? I’m not saying that you’re wrong, but could you justify that?

bad_news@lemmy.billiam.net on 15 Oct 15:21

I wouldn’t consider Bitwarden normie since it’s a freemium self-hostable open source thing, not a single company’s service you just sign up for and then it has apps and extensions with no possible confusion if you google something about it.

crank0271@lemmy.world on 15 Oct 15:30

While Bitwarden does offer a self-hosted option, their main(?) product is a hosted option, complete with apps, extensions, and vault hosting.

irmadlad@lemmy.world on 15 Oct 01:41

Bitwarden. There are also self host options, and other free/freemium offerings as well. Personally, I feel like Bitwarden built all this infrastructure to keep my passwords encrypted and secure, and since my db contains not only personal data, but also business data, I’ll leave it to Bitwarden who has a fantastic record as far as breaches.

cupcakezealot@piefed.blahaj.zone on 15 Oct 01:44

i’ve used 1password forever and have the family plan for my mum and dad and they’re fine with it. plus it’s canadian not american.

No_Eponym@lemmy.ca on 15 Oct 08:30

SnokenKeekaGuard@lemmy.dbzer0.com on 15 Oct 01:45

Bitwarden

zipsglacier@lemmy.world on 15 Oct 03:46

Bitwarden is great!

orbituary@lemmy.dbzer0.com on 15 Oct 03:57

Bitwarden with self-hosted Vaultwarden.

felbane@lemmy.world on 15 Oct 04:30

Bitwarden with self-hosted Vaultwarden is great!

hobata@lemmy.ml on 15 Oct 02:25

Firefox

irmadlad@lemmy.world on 15 Oct 04:52

Can’t tell if serious.

manuallybreathing@lemmy.ml on 15 Oct 06:16

Give me reasons to not use firefox’s pw manager and I’ll jump back to bitwarden

SwooshBakery624@programming.dev on 15 Oct 06:39

Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features that standalone offerings have.

For example, the password manager in Microsoft Edge doesn’t offer end-to-end encryption at all. Google’s password manager has optional E2EE, and Apple’s offers E2EE by default.

www.privacyguides.org/en/passwords/


Why is the built-in password manager disabled?

Use an external password manager, it’s more secure.

mullvad.net/en/help/tag/mullvad-browser#102

irmadlad@lemmy.world on 15 Oct 16:10

As a general rule, browser based password storage is less secure than a standalone offering. While convenient, Firefox loads the cipher into memory, and stores passwords in a local file (logins.json) encrypted with 3DES (older versions) or AES (newer), using a key derived from an optional primary password. Without a primary password, Firefox uses a blank key, making it trivially decryptable. Even with one, decryption occurs locally but lacks the layered, zero-knowledge design of something like Bitwarden. This makes Firefox stored passwords more vulnerable to something like a virus outbreak on your computer, which can access your Firefox stored passwords.

This is how I understand it. If someone has better intel, or if I need schooled up, do share.

dubyakay@lemmy.ca on 16 Oct 09:50

Even if all the rest were true, what virus outbreak would affect me on Linux?

irmadlad@lemmy.world on 16 Oct 15:15

I am basically relaying conventional wisdom I have gleaned over the years of ‘best practice’. I also forget that a lot of people in the privacy sphere run Linux solely, whereas I run Windows, Linux, and Mac. I hold no high ground in privacy, security, or anonymity. You are certainly within spec to run your network as your requirements deem necessary. I’m just a lot more comfortable not using a browser to store my passwords. If you’ve got it all down to a note, then rock on my brother and don’t let them give you shit about your ponytail either.

dubyakay@lemmy.ca on 16 Oct 15:29

You seem to be much more knowledgeable on the topic, and while I would call myself privacy conscious, I would hardly consider myself within the privacy sphere. How would using something like Bitwarden or KeePassXC work with entering passwords on websites? Firefox just retrieves it from its vault (as bad as it may be from what I’m reading) and then inserts it into the u/p fields. I’ve seen LastPass in action plenty, because corporations seem to love it, and I find it anything but seamless. So how do those two aforementioned compare?

irmadlad@lemmy.world on 16 Oct 16:42

You seem to be much more knowledgeable on the topic,

Well, the first thing you need to know about me is that I am an expert at nothing. I’ve just been screwing up enough computers since the mid 70s to learn a couple things. LOL

Some thoughts and opinions:

Firefox: As mentioned earlier, Firefox stores its logins in a file called logins.json, which is encrypted. It stores the encryption keys in a separate file called key4.db. They are encrypted with 3DES in CBC mode for the passwords themselves. When you save a password, Firefox encrypts it before writing it to disk. If you don’t create a master password in Firefox, the browser uses a basic form of encryption based on your operating system credentials or a default key. This allows Firefox to automatically decrypt your passwords for autofill purposes without requiring any extra authentication, as long as you’re logged into your device. The master password is key, because with the master password Firefox adds a stronger cipher in the form of PBKDF2-SHA256. Without the master password, anyone using your browser can fill in login information.

Bitwarden: Bitwarden is a dedicated, separate, password manager that stores your vault data in the cloud on Microsoft Azure in the US or EU regions iirc. Bitwarden has zero-knowledge of your passwords or encrypted data. You start with a master password, much like you would with Firefox. That master password is never sent to Bitwarden. Here’s where my eyes start to glaze over. LOL It undergoes key stretching using PBKDF2-SHA-256 with 600,000 iterations. This derives a 256-bit master key, which is then expanded via HKDF to a 512-bit stretched master key. A separate 512-bit symmetric key, generated by a CSPRNG, is encrypted with this stretched key and stored on the servers as your ‘protected symmetric key’. Your passwords are individually encrypted using AES-256-CBC with HMAC-SHA256 for integrity, each with its own unique cipher key that’s further protected by your symmetric key. When you log in, the master password re-derives the keys client-side to decrypt the protected symmetric key fetched from the server, and decryption happens only in memory and is never written to disk. I’m not going to even pretend to thoroughly understand the process. That’s going to take someone way more intelligent than I. LOL

Firefox password system is browser based. Firefox does not mandate a master password like Bitwarden, or at least in the past has not. Firefox stored passwords, as mentioned earlier, are susceptible to Firefox based exploits. Those exploits are not relegated to just Windows platforms, and can happen on Linux and Mac just by visiting a laced up website. Bitwarden is device agnostic and invokes more encrypted protections than its Firefox counterpart.

To boil the ox down to the bullion cube, Bitwarden, in my humble opinion, gives you more layers of protection than your standard Firefox browser. I like layers. They do add complexity to the situation, but at times, complex layers are just what is required. At the end of the day, it gets down to what you feel comfortable with based on your threat model. Both options offer encryption and security features. Both options are reasonably secure, with Bitwarden being, in my mind, far more secure because it offers more robust layers of complexity. Bitwarden has a fabulous track record of security, and tho there have been previous breaches, none to my knowledge ever revealed any user data.

It has been quite a while since I have used LastPass briefly, so I cannot speak with intelligence about its operation. I do know that Bitwarden is super easy (for me) to use and in the browser, works like any other password storage option. You can set it to automatically fill in passwords and user names which is a feature I think appeals to those who use Firefox or other browser based password storage systems. However, as I stated, at the end of the day, it all gets down to what aligns with your threat model, and how comfortable you feel using the options you have chosen. For me, Bitwarden offers more layers of protection, and I am a green ogre who likes layers.

manuallybreathing@lemmy.ml on 17 Oct 02:22

Thank you for taking the time to write this

irmadlad@lemmy.world on 18 Oct 02:40

You are welcome. Anytime. I’m not the sharpest knife in the drawer but I do like to help.

orochi02@feddit.org on 15 Oct 11:51

Used it for years before switching to Bitwarden (because I needed more? I don’t remember).

Absolutely usable and maybe the best browser pw manager.

Also using one is better than none

mistermodal@lemmy.ml on 15 Oct 02:27

Keepass and Bitwarden respectively. Keepass has a lot of fringe advantages but most important to me is automation and offline consistency. Bitwarden will let you stay logged in offline depending on the options but it’s a bit different and they offer some kind of premium service. They both have good Android apps and Firefox addons

shortwavesurfer@lemmy.zip on 15 Oct 02:31

Keepass or bust

PeachMan@lemmy.world on 15 Oct 02:35

Bitwarden is great, has lots of free features, and a pretty cheap premium family plan. I’ve been trying to onboard my old people to my family plan so that I can help them if they forget their passwords. 1Password is more expensive, but more polished, and a better choice for newbies IMO.

SapphironZA@sh.itjust.works on 15 Oct 03:17

Bitwarden got a nice polish update about 2 months ago, it’s a lot better now.

CountVlad47@feddit.org on 15 Oct 02:36

I used Bitwarden for a long time and it was easy and convenient. I’ve since switched to KeePassXC which is less convenient, but it’s more private and secure because it’s offline. I wouldn’t recommend it to someone less tech savvy unless they are just going to need access to their passwords on one device as setting it up reliably with a cloud solution isn’t always simple.

paequ2@lemmy.today on 15 Oct 05:28

I recently moved my family from 1Password to Bitwarden. They’re not tech savvy at all and haven’t really noticed a difference aside from that “the password vault looks different”.

Again, they’re not tech savvy so they don’t really use any specific 1Password features. They’re also not constantly adding or removing logins, so Bitwarden has been pretty easy for them.

orochi02@feddit.org on 15 Oct 11:49

When is recently? Would be good to know how long they used it

paequ2@lemmy.today on 16 Oct 00:13

When is recently?

I checked my email just to be sure. So looks like I migrated my family in August 2024. Ah. Actually, further back than I thought.

So my mom, dad, wife, and me have been using Bitwarden for a little over a year without any issues.

My wife is a macOS user (for now…) and she’s totally fine with Bitwarden. She doesn’t care about password managers. It’s just some random app that saves passwords to her. She probably wouldn’t remember if she’s using 1Password or Bitwarden. My wife occasionally will add logins to Bitwarden.

My parents were macOS users—now they’re on Fedora Silverblue for 2 months!—but they’re even less technical than my wife. They don’t know what OS they’re running or what a password manager app is. They just know wolf icon = internet, shield icon = passwords. They don’t add or remove passwords. I added their 5 website logins and that’s all they need.

hellfire103@lemmy.ca on 15 Oct 05:30

Bitwarden.

Hawke@lemmy.world on 15 Oct 06:20

Keeper, myself. Work gives me a free/subsidized family plan so sure I’ll take it.

Definitely better than Lastpass.

kylian0087@lemmy.dbzer0.com on 15 Oct 06:44

Keepassxc and self hosted vaultwarden.

onlooker@lemmy.ml on 15 Oct 08:39

I thought Vaultwarden was a server for Bitwarden? I didn’t know it could interact with KeePassXC.

kylian0087@lemmy.dbzer0.com on 15 Oct 12:50

It is. I just happen to use both keepassxc and bitwarden with my own vaultwarden instance.

onlooker@lemmy.ml on 15 Oct 13:58

Ah, fair enough.

Mikelius@lemmy.ml on 15 Oct 06:56

If you use nextcloud, especially for your friends and family, the passwords app is really good there. Plenty of apps and plugins available to use it everywhere.

azureskypirate@lemmy.zip on 15 Oct 07:43

Authpass. Store offline or in their cloud. Works on multiple types of devices. Has autofill

Adderbox76@lemmy.ca on 15 Oct 07:56

Bitwarden. Second place isn’t even close.

Eirikr70@jlai.lu on 15 Oct 08:08

You’re not tech savvy… Don’t self-host a password manager!

nis@feddit.dk on 15 Oct 08:37

This.

I am quite tech savvy, and I have been using 1password for years.

smiletolerantly@awful.systems on 15 Oct 09:34

Actually… From a data-loss POV, it’s actually pretty much fine; since the server only serves an e2ee file anyways, each end device’s data is sufficient to recover everything.

I.e. if you host Vaultwarden, log into it on your mobile device, save all your logins; then fuck up the server, it doesn’t matter, because your mobile device not only still has everything, but also does not need a server connection to export everything in a way that can then be imported again on a new server installation.

TwiddleTwaddle@lemmy.blahaj.zone on 15 Oct 08:21

Nobody else here is using Keepass with syncthing for cross-device syncing? I don’t know of an easier, more reliable and secure method.

hagelslager@feddit.nl on 15 Oct 08:33

Same here, KeePass with SyncThing with a weekly copy of the database-file to a VPS I rent. Besides a password the database requires a key-file, which is copied between the various devices over a USB memory stick.

Why would I keep my passwords with an external company?

But yeah, this is a somewhat tech-savvy solution.

oong3Eepa1ae1tahJozoosuu@lemmy.world on 15 Oct 10:59

Same here, KeePassXC via Syncthing, has been working like a charm for many years and I love it.

edgyspazkid@lemmy.wtf on 15 Oct 11:23

Yup, KeePassXC is amazing, especially with the add-on in your browser (with LibreWolf I think you need to do something to get it to work). I don’t use my phone much for logging into things, but you can probably sync it on Android (I don’t know how it works on iOS). I love it because you can download icons from websites, and it’s very simple once you get used to it!

AmanitaCaesarea@slrpnk.net on 15 Oct 09:30

Proton Pass, I use the full suite so it’s just convenient. It also has a few nice functions like e-mail aliases and secure password share links.

Let the proton haters come👀.

QuazarOmega@lemy.lol on 20 Oct 18:34

secure password share links.

That is one of the things that I really wish were on bitwarden

Unlearned9545@lemmy.world on 15 Oct 11:10

BitWarden. All day everyday. Every human

AshKaashh@lemmy.zip on 15 Oct 12:32

bitwarden imo however, explore other options here

mazzilius_marsti@lemmy.world on 15 Oct 15:18

Keepass. I need to figure out a way to securely sync between Android <-> PC.

GNUpass should be very secure too but I need a way to view it on Android.

tlmcleod@lemmy.ml on 15 Oct 16:39

securely sync between Android <-> PC

Syncthing does the job pretty great for me. Local sync, rather than cloud. As long as your network is secure, you’re good

electric_nan@lemmy.ml on 15 Oct 16:52

I use self-hosted Nextcloud to sync mine. Other people like Syncthing. I’m going to drop an unpopular opinion here: if you use a sufficiently strong master passphrase, you can sync your file with even gdrive or Dropbox if those are more convenient for you.

PearOfJudes@lemmy.ml on 15 Oct 15:30

Bitwarden if you share accounts between two devices, keepass if just one.

surph_ninja@lemmy.world on 15 Oct 17:50

Not just between devices. Between people, too. Super handy to coordinate shared passwords. I use it with my wife for utilities and stuff.

You can also designate other Bitwarden accounts to have the ability to reset your master password, in case of emergency. So my wife has a password she can use to get in there, in case something happens to me. But people can’t do it on the sly, because it’ll notify the account holder of its use.

JustVik@lemmy.ml on 15 Oct 16:28

Pass or qtpass if you need gui. Simple and efficient.

DieserTypMatthias@lemmy.ml on 15 Oct 16:48

KeePassXC for sus stuff and Bitwarden for everything else.

AstroLightz@lemmy.world on 15 Oct 18:20

KeePassXC (Desktop) and KeePassDX (mobile). Offline, local-only password manager. There’s also a Firefox browser extension for it too.

If you need it to sync between devices, Syncthing gets the job done by syncing the DB file.

I don’t trust any cloud solutions. You’re trusting some random company with your passwords. Data breach is inevitable.

HotChickenFeet@sopuli.xyz on 16 Oct 00:38

This one for me too! I’ve been very happy.

I try to minimize use of browser extensions, but I have the phone & desktop application. Nextcloud/whatever you run for syncing. I also back up those files through rsync to an encrypted volume in a cloud provider (so double encrypted), so that if the worst should happen, I can still access the last version.

It’s worth noting that you can manage OTP through it. When you add to your phone’s OTP manager, you can also add it to Keepass, so you won’t be up shit creek if your phone dies. Personally I would make a separate volume for your OTP, so you retain dual verification, even if someone should gain access to one of the two.

AtariDump@lemmy.world on 16 Oct 01:18

Bitwarden, DON’T self host.

robador51@lemmy.ml on 16 Oct 18:40

Why not self host?

AtariDump@lemmy.world on 17 Oct 21:28

Because if it’s something that’s vital, you should just pay to have someone else host it. ESPECIALLY if it’s a nominal cost per year.

robador51@lemmy.ml on 17 Oct 21:36

Thanks for answering. I don’t self host it but am interested. It’s still a company that I entrust with highly sensitive data, hence my interest in self hosting. Usually folks promote self hosting, so I was curious about your comment to not. Agree, that’s not something to consider lightly.

syzygy@lemmy.ml on 18 Oct 02:36

Why not both?

Revan343@lemmy.ca on 16 Oct 01:40

Bitwarden, 100%. You can self-host later if you feel like it, but don’t have to

mymisc@lemmy.zip on 16 Oct 17:54

ProtonPass

HubertManne@piefed.social on 17 Oct 02:26

You don’t have to be very tech savvy to use a password manager. I use a KeePass variant for local ones and keep important ones there and Bitwarden online with stuff that if it got taken over would not matter.

quantumcrop@lemmy.today on 17 Oct 03:14

Bitwarden has always worked great for me on android.