Password managers in 2024 - which ones are the best?

sakete

Ars Scholae Palatinae
826
Subscriptor++
I've been using 1password for years now. Recently started working at a new company and they use Keeper as the company password manager. I asked if I could install 1password on my work computer for personal use and they said Keeper is more secure and thus I'm not allowed to install 1password (I think they misinterpreted my request as me asking to use 1password for company passwords, so I sent a clarifying email).

But anyway, that answer got me to thinking, should I re-evaluate my use of 1password and perhaps switch to something else? I use it across Windows, MacOS, iOS and Android, and as browser plugins.

Which ones are the best these days? And by best I mean first and foremost, the most secure (e.g. Keeper claims to encrypt each individual record in addition to the entire vault, whereas 1password apparently only encrypts the vault - not sure it matters though), and then also the most user friendly with the best QOL features.

Cost no object, I take my security seriously.
 

Demento

Ars Legatus Legionis
13,754
Subscriptor
sakete said:
Keeper claims to encrypt each individual record in addition to the entire vault, whereas 1password apparently only encrypts the vault - not sure it matters though
It doesn't. Unless the original encryption is very weak or something and you use a better one per record. But assuming it's the same sort of encryption, no, there's no benefit. Cryptography doesn't work like that. (I mean, it can be better, but it's not guaranteed to be so unless you've worked out all the maths around it. E.g. 3DES was engineered specifically to work that way.)

I tend to go with any password manager being so much better than not using one that I just stuck with Lastpass because it's what I'm used to. That's going to be an unpopular option, and I certainly wouldn't recommend that anyone move to LP, but it's what I have, it's what I'm used to, and I'm confident in the complexity of my keyphrase.
 

Ardax

Ars Legatus Legionis
19,076
Subscriptor
As for the OP's question: 1Password and BitWarden are my top two recommendations for personal/family password managers. Hard to go wrong with either one. BitWarden is Open Source if that makes you feel better, and you can host your own server if you don't trust anyone's cloud but your own.

I recently migrated from KeePass to 1Password and it's taken some getting used to. Not saying it's "better" or "worse", just more "I'm not used to doing things this way and who moved my cheese?" I switched partially because it came "free" with my Eero Plus sub, partially so I could see what the hype was all about, partially so that I could finally kick to using a family plan, maybe getting my wife on it so we could securely share passwords that needed shared.

Encrypting each record independently as well as the vault doesn't really make a lot of sense. Once the master password is cracked, so is the entire vault. Secure handling of vault authentication is the single most important piece of any password manager.

All that said, I keep my personal shit off of my work computers. The only personal bits I have on my work laptop are being logged into Ars on my browser, Discord, and using my personal JetBrains sub to install Rider. Certainly not enough for me to want to access my passwords from my work system.

Demento said:
That's going to be an unpopular option

You don't say? :) It was fine until they were bought by LogMeIn. That was pretty much the death knell for me and many others. Yes, it's better than nothing at all, but you know you're using a system that's run by a terrible company by now. I also understand that we can only be outraged about so many things, so this might not hit your personal radar.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
++ for Keepass. I like it as it's open source and there is no central hosting. It's just a DB file you can store locally. I store mine on OneDrive and access it on my iPhone through OneDrive sync, but you can use iCloud or Dropbox as well and I'm sure there is an Android equivalent. Either way, there is no 3rd party involved where your data could be part of a breach. I don't use the browser integrations, but copying from the DB is simple for me and I like how much information and what types you can store in it.
 

ColinABQ

Ars Tribunus Angusticlavius
6,256
Subscriptor++
I had been using Bitwarden, which works well enough, but am now favoring Proton Pass. It's also open source, and I've trusted Proton with my email and calendaring for several years now, on a paid plan. There is a free tier, though, if you're not already using Proton products. Proton Pass works well in Firefox and on Android. There don't appear to be desktop apps yet, but they keep adding those to their products. One benefit: encrypted notes, alongside your passwords.
 

sakete

Ars Scholae Palatinae
826
Subscriptor++
Ardax said:
As for the OP's question: 1Password and BitWarden are my top two recommendations for personal/family password managers. Hard to go wrong with either one. BitWarden is Open Source if that makes you feel better, and you can host your own server if you don't trust anyone's cloud but your own.

I recently migrated from KeePass to 1Password and it's taken some getting used to. Not saying it's "better" or "worse", just more "I'm not used to doing things this way and who moved my cheese?" I switched partially because it came "free" with my Eero Plus sub, partially so I could see what the hype was all about, partially so that I could finally kick to using a family plan, maybe getting my wife on it so we could securely share passwords that needed shared.

Encrypting each record independently as well as the vault doesn't really make a lot of sense. Once the master password is cracked, so is the entire vault. Secure handling of vault authentication is the single most important piece of any password manager.

All that said, I keep my personal shit off of my work computers. The only personal bits I have on my work laptop are being logged into Ars on my browser, Discord, and using my personal JetBrains sub to install Rider. Certainly not enough for me to want to access my passwords from my work system.

You don't say? :) It was fine until they were bought by LogMeIn. That was pretty much the death knell for me and many others. Yes, it's better than nothing at all, but you know you're using a system that's run by a terrible company by now. I also understand that we can only be outraged about so many things, so this might not hit your personal radar.

Well that's why I wanted to install 1Password on my work computer, so I can log in to Ars. I have no idea what my Ars password is otherwise, just some randomly generated one by 1Password. I otherwise try to avoid logging into personal email / banking / etc. on my work computer as I know all the traffic is monitored.

Anyway, sounds like I don't need to bother switching to something else. 1Password has been working great for me all these years and I'm happy with the product. I'm not paranoid about hosting my password database on my own server and in fact I'd rather not, as that would require a lot more work to keep that server secure and I'm not at all confident that I have all the know-how to keep it secure. I'll trust that 1Password has competent engineers who are heavily focused on keeping their systems secure (though I realize it'll never be 100% perfect).
 

koala

Ars Tribunus Angusticlavius
7,579
Note that Bitwarden has a web vault. Never used it (I run a self-hosted Vaultwarden and I'm too lazy to set it up), but in theory you could access your passwords without installing anything, by navigating to the Bitwarden website using your browser.

Probably all similar services have a similar feature.

I like Bitwarden and I like that it's OSS. I used to use Keepass, and I liked it, but when I wanted to share a vault between multiple devices, I was too lazy to do it. Of course, the option I chose was to self-host Vaultwarden, which of course was more work. But it made sense in my head.
 

bigjoec

Smack-Fu Master, in training
73
Does anyone else shy away from password managers because they just seem too ripe a target? Don't you think that one of these days one of the big guys in the space is going to get hacked?

Of course, the smart way to hack it would be to get inside and then not make a big splash, just drip-drip-drip an unauthorized access here and there. Find the couple thousand extremely high-volume credit card users who won't notice a $90 charge here and there, and squeeze them all just a little each month. The old "pigs get fat, hogs get slaughtered".

I don't have any visibility into their controls or their tech. There's a lot of faith involved in giving them the keys to every account I hold.
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
That also means the liability is enormous. If one got hacked and the customer data was actually that effectively exposed, the company would be instantly destroyed from the liability, regardless of EULA or whatever. They all (or at least they all should) store the actual password and other critical data in encrypted format that cannot be reversed without the customer's unique input like a decryption password or whatever.

That way, even if, say, a big password management service gets hacked and all the customer data is exfiltrated, the biggest issue is the hacker getting your sign up info (name, email, and possibly billing info) which is bad enough but relatively manageable. You get a new credit card number and refund any fraudulent charges and lock your credit in case anyone tries to use your name and address or whatever. If they try to access your actual stored password data, the encryption of that data should be so good as to be effectively impossible to access as long as you have a highly complex master password to access it.

This is especially true if you use a 2 factor login system like many of them support (which I use with Bitwarden).

Of course, if you choose not to use the 2 factor login feature and you use a trivial master password, then there is a chance your stuff may be easily accessed and you're horribly hosed. But that's no different than doing that without a password manager, which is what most people who don't use a password manager do.


Now, ideally, the company will use effective encryption and meaningful access controls for the customer data, regardless of type, so if the company is hacked it will be very difficult for the hackers to get anything more than maybe some internal employee data, chats, maybe some old code repo data or something, etc. Everything related to customer data will be segmented, encrypted and have access restriction so it can only be accessed by specific employees who also require a 2 factor system or more complex controls.
 

Ardax

Ars Legatus Legionis
19,076
Subscriptor
oikjn said:
Either way, there is no 3rd party involved where your data could be part of a breach.
You mean, except for the cloud provider that would be hosting the file if you threw it on OneDrive/iCloud/Dropbox/GDrive...

sakete said:
Well that's why I wanted to install 1Password on my work computer, so I can log in to Ars. I have no idea what my Ars password is otherwise, just some randomly generated one by 1Password.
I just read the few passwords I needed off of my phone and typed them in by hand, the old fashioned way. Sure, it's tedious, but that way I'm not entering my master passphrase into my work system.

sakete said:
I'll trust that 1Password has competent engineers who are heavily focused on keeping their systems secure (though I realize it'll never be 100% perfect).
The important bit is how they react in the event of a compromise. That's where LastPass has fallen down hard on this since being bought by LogMeIn. Having regular pentests and audits of your code and business processes is important too -- 1Password and BitWarden regularly post the results of all these.

bigjoec said:
then not make a big splash, just drip-drip-drip an unauthorized access here and there.
You think they won't notice, or don't have processes in place to prevent and detect exactly that kind of thing?
 

bigjoec

Smack-Fu Master, in training
73
Ardax said:
You think they won't notice, or don't have processes in place to prevent and detect exactly that kind of thing?

You think every password manager company has unbeatable processes that will foil every high-access employee who wants to do a little skimming?

Just as a general proposition, employee theft is one of if not the most common causes of loss that businesses face, especially in smaller companies. Do we really think these little mom-and-pop password keeper operations are that advanced in their internal corporate security?
 

koala

Ars Tribunus Angusticlavius
7,579
The question is: what's the better alternative to a password manager?

With Bitwarden, the clients are OSS, and I assume you can demonstrate that the central servers only hold a copy of your vault which is "as safe as your password". You are exposed either if you have a weak password, or if bad guys manage to sniff your password. The first one is under your control. The second one... is hard. Other non-OSS services are similar, thanks to audits.

(Not sure how 2FA works in Bitwarden to add security.)

Alternatives:

a) Not syncing your vault to the cloud. I believe the increase of security is mostly if you use a weak password, otherwise you do not gain much IMHO. Plus, you lose some convenience, but that's a common tradeoff to increase security. However, sometimes using inconvenient systems nudges towards doing unsafe stuff. Also, is there an easy way to set up?

b) Using something more niche. I believe using a cloud file sync service + password manager is really equivalent to using something like Bitwarden. However, I guess truly Bitwarden is a big juicy target, and using something less popular might get you some security through obscurity. But are there so many good options? E.g. OneDrive/Google Drive are juicy targets too.

c) Physical storage of passwords. I'm not joking, this does offer some advantages.

d) Passkeys and all that. For the moment, I don't see good options out there.

I manage my own Vaultwarden because I'm very good at making bad decisions. I suspect I may be safer than other Bitwarden users, but definitely, this is an option for a negligible amount of the population. (Also, I don't feel comfortable offering others to use my service. I think it's technically sound, but...)

There should be Bitwarden franchises. Banks could offer a similar service, I guess. But for the moment, I think using the Bitwarden service is a good tradeoff. I would frame any discussion as pros/cons of other methods vs. using the Bitwarden service.
 

Demento

Ars Legatus Legionis
13,754
Subscriptor
You honestly shouldn't be too concerned about the inevitable hacks that will occur, so long as your passphrase is 16+ characters and complex. Perhaps in 10 years' time it will be doable, but right now there aren't any bad actors with the computational power to brute force the encryption used. It's weak master passwords that are the problem when data leaks. None of these providers store anything more dangerous than your name and address where it can be "easily" obtained. By the time that much computational power is commonly available, I hope to god we're not using passwords for security any more.

I don't mean "oh, it doesn't matter at all" but there are quite seriously more important things to worry about. That's assuming you're a good person and change all passwords at least biennially. (I mean, I try for annual but it doesn't happen)
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
Ardax said:
You mean, except for the cloud provider that would be hosting the file if you threw it on OneDrive/iCloud/Dropbox/GDrive...
That all depends on how you choose to encrypt that file. If the cloud provider is compromised and they get access to the raw file, it shouldn't give them access to anything without being able to decrypt that file, which the cloud provider has no part in. Read up on the encryption options you can do with Keepass. I would feel perfectly comfortable passing anyone my keepass DB file as it won't do anyone any good without my key.

*edit: The difference with that vs. a total hosted solution is 1: the hosted solutions are major targets worth hackers spending their time on. 2: if they are compromised, there is a chance that compromise could include a path that would allow them access to your key and the stored data. There are many more avenues to compromise with a cloud central storage program than there are in a simple encrypted file with an open source client program. You lose some of the nice features like native browser integrations, and backing up the DB file is your responsibility.
 

koala

Ars Tribunus Angusticlavius
7,579
Well, the hack is a problem if they manage to inject code into any software you run where you type in your password. I think 2FA will not be much of a protection there. And in theory, the same could happen if someone slipped malicious code into Keepass.

The cloud providers really are in a very similar position. You can verify that the Bitwarden clients never send unencrypted vaults to the cloud. So if they root Bitwarden, the hackers will get the same thing: an encrypted vault. Which they might be able to decode if there's a flaw in the encryption or you use weak keys (same as Keepass).

And yes, password cloud providers are a juicy target, but OneDrive/Google Drive have additional juicy data to get hold of :)

I think the status quo is good enough, no matter what you use. Even if it is a physical notebook.
 

ramases

Ars Tribunus Angusticlavius
7,569
Subscriptor++
Whatever offers purely local storage and floats your goat.

Keepass is an acceptable solution and while it too has viable threat models (like a theoretical supply chain attack slipping it a malicious library), by foregoing cloud storage of your password vault you can exclude entire categories of attack vectors, and can mitigate many others.

It of course isn't perfect, but the important part to understand is that for every attack scenario that allows a compromise of a local-only store there's an equivalent attack for a remote-only store; but not every threat to a remote-only store has a local-only store equivalent.

From that perspective local+remote stores are actually the worst of both worlds, because they offer the largest attack surface, and have the highest system complexity.
 

Xelas

Ars Praefectus
5,444
Subscriptor++
Bitwarden's hosted platform is used ONLY to store passwords, so a hacker knows exactly what they'll get. A massive data leak containing user data is certain to contain 99% password info. Syncing a Keepass file via a cloud provider is different. Onedrive, for example, is going to be 99.999% everything BUT Keepass files (documents, photos, videos, etc). If you also use a common file extension (such as *.jpg or *.mkv) for your Keepass file, the hacker really has to go out of their way to find it and they'll have to dredge through terabytes/petabytes of other stuff to find the few Keepass files that might be in there. Yes, they can probably scan the file headers but it's still much more effort, and they still only end up with an encrypted lump. I use a combo of cert, password, AND keyfile, so they will have to break the encryption to gain access. Since I'm not a VIP, I don't consider that to be a viable threat.
 

koala

Ars Tribunus Angusticlavius
7,579
Xelas said:
Bitwarden's hosted platform is used ONLY to store passwords, so a hacker knows exactly what they'll get. A massive data leak containing user data is certain to contain 99% password info. Syncing a Keepass file via a cloud provider is different. Onedrive, for example, is going to be 99.999% everything BUT Keepass files (documents, photos, videos, etc). If you also use a common file extension (such as *.jpg or *.mkv) for your Keepass file, the hacker really has to go out of their way to find it and they'll have to dredge through terabytes/petabytes of other stuff to find the few Keepass files that might be in there. Yes, they can probably scan the file headers but it's still much more effort, and they still only end up with an encrypted lump. I use a combo of cert, password, AND keyfile, so they will have to break the encryption to gain access. Since I'm not a VIP, I don't consider that to be a viable threat.
OTOH, cloud storage is a juicy target because it contains a ton of other interesting information, with likely less encryption to go through.

In my case, I switched to Vaultwarden from Keepass for convenience, and I see both approaches as roughly equivalent (or rather, the differences seem negligible to me).

Is there a benefit to keeping the last few digits of all your passwords in your head, using the password manager to paste in the bulk of your password and then typing in the last few digits manually?
This is a bit of a reduced version of 2FA.

As long as you have your passwords stored in an encrypted file, that's good enough for me. There's further ways to increase security, but if they sacrifice convenience, I wouldn't do them.
 

Drizzt321

Ars Legatus Legionis
28,408
Subscriptor++
I'm switching away from Dashlane (started to go downhill when they went to "Web App" extension only) to KeePassXC, synced by SyncThing.

I looked at BitWarden, but since switching to linux (stock Debian), I'm finding far, FAR too many companies aren't publishing standard packages (mostly meaning deb and rpm), instead they're doing Snaps or Docker or what not. BitWarden doesn't even run their own Flatpak, which I'd be open to using. It was started by someone else, and mostly abandoned (I think), and they're just taking their sweet time with taking over the Flathub entry for their own damn product.

So if you're on Linux, evaluate if you want to use it. And I'm ignoring hosting it yourself.
 

Xelas

Ars Praefectus
5,444
Subscriptor++
So - now that Twilio is retiring their desktop clients, any suggestions? I use KeePass, and could, in theory, use it for TFA with an additional plug-in and have that sync across my devices (PC, phone, tablet) but I've intentionally kept the two separate as a (admittedly weak) separation of factors. I have to use TFA all the time, and the desktop version was also a backup for my phone, and this has saved my bacon a couple times when my phone battery died or the one time I was without a phone for a day due to a hardware failure.
I get that security adds some friction, but it's so damned tiring to have to reengineer my apps and workflow every time some app changes or someone drops support for something.
 

Ardax

Ars Legatus Legionis
19,076
Subscriptor
I mean, if your 2FA store is going to be sitting alongside your password store, I'm not sure how much actual extra security you really gain by having it in a separate program. Not to mention KeePass probably has a more secure data at rest encryption than anything else you'd use.

I'd just shove it into KeePass and be done with it.

(I say this as someone who didn't do this for the longest time...)
 

KingKrayola

Ars Scholae Palatinae
1,077
Subscriptor
I've set up Bitwarden at my small company with Duo 2FA, with vaults synced over the cloud. Pretty smooth, better than having a shared spreadsheet of logins for accounts that several of us use (suppliers whose eCommerce isn't multi-user).

I figure there's more direct ways to attack us financially or IP-wise than trying to break their encryption if/when someone gets hold of a pile of vaults.

We do though try to insist on 2FA for any critical systems.
 

Burn24

Smack-Fu Master, in training
53
I've used bitwarden self-hosted for a couple years, but due to recent issues I'm moving off it.

It's not a very well-behaved server, and I've had multiple upgrade failures, and inexplicable crashes after kernel upgrades (fedora, ubuntu 22.04 & 20.04 LTS hosts). My 2vCPU 2GB t3a.small instance in AWS started just falling over, seems to be due to memory exhaustion, probably by the Microsoft SQL server it runs on an Ubuntu container image. It's not a heavily used server either, 2 accounts with 4 clients. Their support & forums seem to have a dearth of practical hosting, service management information or help. It seems pretty clear self-hosted is not a priority, and is not well behaved, so many people have moved off to homebrew vaultwarden to host if they insist on self-hosting. It seems bitwarden figured this out, because they have a completely new self-hosted software product in beta. A reason I was attracted to their self-hosting product was I was convinced it had reasonable security audits, was production quality, and had a useful support path, but after getting the usual non-responses from support in my latest round of troubleshooting, I've lost confidence in the company. More to the point, since it looks like I will need to give the smallest bitwarden server 4GB of RAM so it doesn't choke itself off after a few hours of uptime, costing hundreds of dollars a year more in hosting fees, I think I'm de-camping for KeepassXC and will figure vault sync on my own. Perhaps the self-hosted product is really meant for enterprise customers buying large contracts who don't have to penny-pinch resources as much as a hobbyist, and who will pay premium for support on top of the license.

It's a shame, because when it worked, it worked great, with OS clients, web vaults, firefox integration, yubikeys...
 

koala

Ars Tribunus Angusticlavius
7,579
To the previous message: Vaultwarden is great, I've been running it for a good while with no issues. And you can use the existing clients.

...

Related question: anything that rivals Bitwarden (paid service) for a Microsoft 365 org? I really like Bitwarden, but $4/user/month for just secret sharing... seems like there should be something competing with that. However, we have mostly Linux users (and some macOS users).

I'm leaning towards encrypted passwords on OneDrive (using something like KeePass or whatever), but having some secret sharing would be nice.
 

Drizzt321

Ars Legatus Legionis
28,408
Subscriptor++
koala said:
To the previous message: Vaultwarden is great, I've been running it for a good while with no issues. And you can use the existing clients.

...

Related question: anything that rivals Bitwarden (paid service) for a Microsoft 365 org? I really like Bitwarden, but $4/user/month for just secret sharing... seems like there should be something competing with that. However, we have mostly Linux users (and some macOS users).

I'm leaning towards encrypted passwords on OneDrive (using something like KeePass or whatever), but having some secret sharing would be nice.
I'm using KeePassXC with SyncThing. There's a KeePassXC setting to help it save and monitor and reload when a file gets synced around by something like SyncThing/OneDrive/etc.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
I use KeePass for my desktop which is saved to OneDrive and KeePassium on my iPhone to access it on my phone. I feel that gives me the security balance I desire, which is open-source and self-hosted. If I close KeePassium, it needs to re-download the DB each time from OneDrive which is a little annoying, but on the whole, I'm happy.
 

Burn24

Smack-Fu Master, in training
53
koala said:
Related question: anything that rivals Bitwarden (paid service) for a Microsoft 365 org? I really like Bitwarden, but $4/user/month for just secret sharing... seems like there should be something competing with that. However, we have mostly Linux users (and some macOS users).
Secrets in general seem to be pretty expensive for enterprise, like identity providers and backups. I was looking into using AWS Secrets for personal infra use, but they charge US$0.40/month/secret! 10 secrets and it's the same price as a single user sub for bitwarden, heh.
 

Drizzt321

Ars Legatus Legionis
28,408
Subscriptor++
Burn24 said:
Secrets in general seem to be pretty expensive for enterprise, like identity providers and backups. I was looking into using AWS Secrets for personal infra use, but they charge US$0.40/month/secret! 10 secrets and it's the same price as a single user sub for bitwarden, heh.
Because security has to be expensive, right?