It's just a cobbling together of GPG and git with shell scripts, but it works like a normal git repository, so you get all your synchronization from that and your security from GPG, which are all things I know and trust, without introducing other components that I don't know / understand.
For me the combination of features in pass is just perfect! But it's from the same person that created Wireguard so it's no surprise...
I have recently submitted a bug; be careful when saving a password with a duplicate name (it replaces the old password without warning). Not sure if it has been fixed.[1]
[1]: https://github.com/zeapo/Android-Password-Store/issues/451
Edit: it turns out OTP is one time password, that's neat!
I'm only familiar with that through Erlang and consider it an architectural pattern for supervision trees, would you be willing to expound a teeny bit more on what you mean?
Currently have over 250+ passwords in it, and it's great.
I like it because of its multi-line ability too, which makes it useful for storing blobs of text (such as API keys).
I wrote a bit about that at https://nickjanetakis.com/blog/managing-your-passwords-on-th....
They were not evaluating password managers from the point of view of a personal user but as a company. You don't want to share one file with all passwords with the whole company.
KeePassXC having such features (and apparently the old network protocol was vulnerable lol) is for me a strike against it.
Given macOS's security track record - especially with High Sierra - and how particularly verbose Mach-O binaries tend to be, I'd be kinda worried about something relying so heavily on proprietary APIs (and potentially the system keystore?) Though I'm sure using Keepass with Mono (that the Macpass site lightly implies is the only Keepass macOS alternative) isn't exactly an impenetrable fortress either haha
Got that Hopper license around here somewhere...
...Huh? 1Password supports all of those platforms (including Linux) https://1password.com/downloads/linux/
I used to use "pass" like others here, but did not like the Android experience.
*edited to add: and we use the 1Password team account at my day job -- and are satisfied customers. I'm sure other products work well too -- just my one data point.
LastPass, on the other hand, is in a different category. It _claims_ to have full Linux support, and for a long time they did, but more recently -- as you point out -- copy/paste in their browser plugins stopped working properly when the binary component of the plugin is enabled on Linux. Since the binary plugin component is required to work with attachments, Linux users have been forced to choose between working copy/paste and the ability to manipulate attachments. They've known about this bug for many months and have not fixed it. In fact, this is one of the unfixed bugs which drove us to finally evaluate alternatives to LastPass.
> full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows.
The existence of 1Password X means that full functionality is not _dependent_ on a MacOS/Windows app. The argument that there should be a graphical (because there _is_ a multi-platform CLI), native app for Linux, which does not depend on any browser, is a perfectly valid one -- but it is also an argument that I don't believe they've made.
I think the article would be a bit more accurate to say there's no native client support for Linux.
> ...at one point during our evaluation we submitted a bug report about Bitwarden through its Github project; one of the product’s maintainers committed a bug fix seventeen minutes later, and just a few days after that the fix was released to the public.
It should ideally take from a few seconds to a few minutes. That's not extremely excellent, it's just good practice.
More than that and it hints towards heavy reliance on manual testing, and that's something I'd be worried about.
EDIT: Despite the parent comment's misguided logic, it seems his/her fears are actually in the right place.
An issue was opened about 6 weeks ago asking where the tests are and it received zero responses from the maintainers: https://github.com/bitwarden/core/issues/399
https://github.com/bitwarden/web/issues/303
Edit: Never mind, I can't find anything opened and fixed in ~17m.
A few requests aren't exactly answered.
https://github.com/bitwarden/website/issues/12
https://community.bitwarden.com/t/who-is-hosting-bitwarden/1...
My impression is that Kyle cares more about spending time writing software than about hyping his company. ;-)
It's an unfortunate flaw in a founder, but not a fatal one if he hires people to do the communication that he doesn't want to be doing. It feels to me like he's moving in that direction.
Apps used for Mac, Linux, Windows; browser integration also works fine. All boxes are checked; don't know why it isn't popular among the masses or the nerd community.
There was never any chance that we would use a product which required every user to set up their own cross-device synchronization. Turnkey synchronization across devices as a first-class feature is a hard requirement for us.
Also, as far as I can tell, Enpass doesn't support sharing credentials between users, another hard requirement for us.
The family of password managers like KeePass and Enpass have their place, but they aren't good solutions to password management for businesses.
But do note that backing up to the cloud means one password combination, and you'll be exposing your encrypted files to unlimited local cracking attempts.
That's a thorough comparison. I just wanted to make an attempt at explaining why someone should consider using Zoho Vault for password management.
Zoho Vault is an online password manager for teams, used by more than 20,000 small and medium sized companies across the globe. We offer client-side encryption, multi-platform support, auto-fill, auto login websites and cloud apps, fine-grained password sharing, bulk folder sharing with user groups, audit, reports, two-factor & multi-factor authentication, US/EU data centers, browser extensions (Chrome, Firefox, Safari), and mobile apps (iOS, Android, Windows), option to maintain personal vault.
Integrations: G Suite, Microsoft Office 365, Zoho Mail, Zoho Desk, OKTA, OneLogin, Single Sign-On for 90+ Cloud Apps, Windows Active Directory/LDAP, Azure Active Directory
Disclaimer: I work for Zoho Vault. If you need a comparison document of Zoho Vault with any product, drop an email to support@zohovault.com.
Huh? I use my YubiKey in the Bitwarden browser extension.
Otherwise, a very extensive collection of comparison data. Not surprised to see Bitwarden come out on top.
Bitwarden supports 2FA with Yubico OTP - although there's a bug so it works only for QWERTY layouts. Or you can use Yubikey's static password feature for your master password, I guess.
There's also OpenPGP Card and PIV, which, to my knowledge, is not used/supported by any password manager software except for `pass` and some compatible implementations.
I'm using Windows and Linux and these improvements have come in the past week or so for me. Perhaps they recently updated, I haven't checked.
Worth taking another look if you can.
^^^Yes, this.
In 2018, we reported nine different substantive security holes to LastPass. At least two of them were security issues. All of them took far too long to fix; some of them still aren't fixed.
There's a tenth bug which impacts many of our users on a regular basis which we haven't bothered to report to them because by the time we started running into it, our users were like, "Meh, whatever, that's just LastPass being LastPass." It's not good when you stop reporting bugs to a vendor because you've become convinced that they just don't care.
They've had 12 outages of varying severities and lengths in the past six months.
Pretty much every time I reported a bug to them -- and believe me, most of my bug reports were extremely detailed and often included videos or screenshots demonstrating them -- their first response was, "Try uninstalling and reinstalling your plugin." I hate that. HATE, HATE, HATE it.
https://discussions.agilebits.com/discussion/80105/cant-disa...
BitWarden just famously had one.
I don't understand how this information is actionable. It would be worth knowing whether something has _ever_ been audited (again: most of the major password managers have been), but just knowing an audit has been done isn't sufficient to know whether it's secure.
Our company went through an audit and did quite well, and we fixed most of the findings. However, I know for a fact that there are things we can do to improve that weren't covered.
Not all audits are created equal, no audit will catch everything, and there's no guarantee that findings were patched sufficiently. However, I feel much better knowing that an audit was done, which means the author cares at least somewhat about security.
https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...
The latest appears to be a private bug bounty program, where 9 high priority issues were discovered. Who knows what they were, or whether any of the low priority issues should have been classified differently.
Without transparency, we just trust an empty attestation.
Also in the comments here someone said there are no tests. Does anyone have any info about that? I am interested in the software but no tests would be worrying. (Had no time to browse the code yet.)
It is an Android password manager based on PasswdSafe with USB HID keyboard support to enter passwords automatically on any device. Also stores TOTP/HOTP.
The idea is to have a completely offline device (hardened Android without network stack / always flight mode on, baseband overwritten, ...).
It's likely that these services have already been zerodayed, and we're just waiting for the shell to drop on an upswing.
Personally I am also not going to use a cloud based solution.
Breaking into fifty PHP forum sites running buggy old versions is easy. Figuring out how to get anything from (picking at random since I use pass personally) Lastpass is hard work, and you're more likely to get caught, not worth it.
[1] https://blog.bitwarden.com/bitwarden-completes-third-party-s...
[2] https://github.com/bitwarden/
I realize this is becoming an increasingly minor problem in the modern world, but it still bothers me. I don't know what future situations I'll find myself in, and I don't want to be locked out of all my accounts.
• What if a new browser comes out that's actually better than Chrome? (I don't want to admit to myself how unlikely this actually is.)
• What happens if I'm using a Windows 10 S device, or a locked-down library computer, or a Wii U, or some other weird gadget with a non-Chrome browser?
Chrome has a feature to export passwords to a CSV file, but I had to enable it via a chrome:flag, so who knows if/when support for this will disappear. This created a bit of a sense of urgency for me, as Google aggressively removes features that they don't want to support.
My employer MITMs all web traffic, so I would never log into my Google account from work. They also have a ridiculously strict password change policy (every 3 months). But having a password manager on my phone lets me store passwords for my various work-related accounts somewhere, which makes each password change fairly easy, and also lets me log into certain work-related apps/sites (e.g. Slack) from home.
If you have multiple accounts on a single website, it's a bit easier to do in a password manager (at least Keepass or Bitwarden).
Chrome is a web browser, so it only remembers passwords to websites. If you have passwords that don't map to a website - e.g. hard drive encryption password, a pgp/ssh key, a wifi password), it's a bit easier to do in a password manager.
Some password managers have OTP generators built-in, which can be convenient.
Firefox has a nifty feature where it doesn't send ALL your data to Google, you could try that.
(1) This is the same old argument as "there are more copies of Windows installed than Mac" [semantics aside, there is some truth to it]
(2) Don't shit where you eat. You don't use the same tool to protect that you use. [e.g. Windows Defender vs external gateway/firewall]
(3) Between compliance with the government [in contrast to Apple fighting the government over encryption on iPhones], and YOU being the product, not Chrome; I don't trust Google to keep my secrets 'secret'.
So, I'd say the point stands! You'd potentially be using a worse web browser in exchange for access to your passwords!
The freedom to do this is important to me regardless of whether I ever actually use it.
Reason? I have too much code to look at / trust already to add more, and I do not stay logged in anywhere during my day; I do my best to avoid web (cr)apps as much as I can and try to live asynchronously, connecting via Emacs and being able to operate as much as I can offline...
This silly thing alone would preclude me ever buying an iOS device! (My wife ran into it when I tried to get her up and running with Keepass, she gave up...)
I love keepass's simplicity, no browser plugins with pop up dialog boxes or UIs that conflict with the browser's own password management, just, a list of accounts and passwords.
In fact, iOS's own Files app can be used to access different cloud providers (I have iCloud, Dropbox and Google drive set up).
Do you have any good references pointing to Apple limiting Keepass in that regard?
I will start switching to a replacement shortly. I wish I'd known sooner.
https://www.enpass.io/docs/desktop-windows/import_export.htm...
Also it has no automated tests, which makes me somewhat wary.
The main selling points for me were that it's open source and they allow you to host it yourself.
Apart from these, I really enjoy the browser addons which don't require any jumping through hoops[1] and that they provide their own Android client and you don't have to play Play Store Columbus to find a decent one. It can also be used as an autofill service which allows it to interact with other apps which is incredibly useful.
But because nothing in this world is perfect, the downsides so far are:
1. Lack of shortcuts to copy only the username or only the password and forcing me to reach for the mouse. That's really annoying.
2. With KeePassXC you could have a keyfile that was necessary to unlock your database, while Bitwarden doesn't have that option. They do provide 2FA[2] but only TOTP and email for the free version (although $10/year for the premium subscription, arguably, is not much).
1: https://keepassxc.org/docs/keepassxc-browser-migration/
2: https://help.bitwarden.com/article/setup-two-step-login/
KeepassXC is open source too. And it does not require hosting. You can simply store your db onto a synced folder between devices and that's about the same anyway.
As for your comment regarding browser addons, I am not sure what "hoops" you are referring to. I installed the browser addons for KeePassXC and it took 5 minutes to setup and I have had no issue since. And the link you refer to is pretty self explanatory. Maybe Bitwarden makes that even more simple, but it's not that KeePassXC is utterly complex in the first place either.
On Android, KeePassDX is a good client that works with KeePassXC databases.
Thanks for the recommendation for KeePassDX, I will take a look.
This is better than a hosted version in that you don't reveal the URL of your login screen, but letting anyone open up the entire vault with one password combination is a deal breaker for me.
Why don't online services provide a unique login URL for each user, so that no lucky breach happens?
(Like https://unique-id.service.domain)
I'd rather stick with an offline one.
The general consensus of security experts seems to be that they're a bad idea.
I think my setup using `password-store` works great, and arguably is more secure since I rotate my passwords regularly as well.
The main reason I argue my system is more secure is that it has a physical gpg yubikey token to decrypt my password database.
In the 'deterministic password managers', there's no easy way to require that you have physical access to my yubikey in order to decrypt the passwords. You could keylog the master phrase in the case of deterministic ones and have a persistent pwn... heck, just typing the master password into a public slack by accident pwns most deterministic password managers (as pointed out in the above article)
On the other hand, even if someone keylogs my yubikey's user pin, well, they still need to either have the yubikey or to trick me into unlocking the yubikey again for their malicious attacking software. If I accidentally type my user pin into slack, I really don't have to worry all that much.
What if you need to change your password for a site to a different one?
What if the site changes its URL?
This does mean that you need to remember what the version is. Fortunately this information doesn't need to be kept secret. I also have a system that generates emojis based on your settings, so as long as you remember the emoji that goes with the site, you can just increment it until you get the right one, so it's down to you whether you store the version number somewhere or remember the emoji.
I use URLs by default, but you can enter anything you want into the 'purpose' field. It's still pretty raw, but it's at https://github.com/kybernetikos/sinkless
Most of the complaints people have about deterministic systems don't really hold up in practice for me. Protecting them by 2fa would be better of course, which deterministic can't do and lots of the good password managers do, but I really dislike having to worry about syncing state beyond just emailing it to myself.
One thing that would be awesome would be if someone came up with a standard machine readable way of describing the limitations on passwords for sites (allowable characters, number of characters, any restrictions on previous values / sequences etc), and all good sites could embed that information, and poor sites could be looked up in a third-party service.
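A sketch of the versioned derivation discussed above, written as an added example that is not code from sinkless or from any commenter: master phrase, 'purpose' (normally the URL) and a non-secret version counter go through a slow KDF, the key is mapped onto a fixed alphabet, and a tiny hint tag lets you walk the version up until it matches. The KDF, round count, alphabet and emoji table are all assumptions made for the illustration.

```python
import hashlib
import hmac
import string

# Constructed parameters for this illustration only; a real tool would fix these once, forever.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PBKDF2_ROUNDS = 100_000
EMOJI = ["🍎", "🚀", "🐙", "🔑", "🌵", "🎲", "🦊", "🧭"]  # 8 entries = 3 bits of hint


def _key(master: str, purpose: str, version: int) -> bytes:
    """Slow KDF over (master, purpose, version). The purpose is length-prefixed so
    that two different (purpose, version) pairs can never produce the same salt."""
    p = purpose.encode()
    salt = b"det-pm-example\0" + len(p).to_bytes(2, "big") + p + version.to_bytes(4, "big")
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def derive_password(master: str, purpose: str, version: int = 1, length: int = 20) -> str:
    """Map the derived key onto ALPHABET; bumping version yields an unrelated password."""
    if version < 1 or length < 8:
        raise ValueError("version must be >= 1 and length >= 8")
    key = _key(master, purpose, version)
    limit = 256 - (256 % len(ALPHABET))  # rejection sampling: avoid modulo bias
    out, counter = [], 0
    while len(out) < length:
        # Expand the key into as many pseudorandom blocks as sampling needs.
        block = hmac.new(key, b"pw" + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


def version_hint(master: str, purpose: str, version: int) -> str:
    """Tag for remembering which version is current. It lets an offline attacker
    reject 7/8 of master-phrase guesses, which is why it is kept to 3 bits."""
    tag = hmac.new(_key(master, purpose, version), b"hint", "sha256").digest()[0]
    return EMOJI[tag % len(EMOJI)]


def find_version(master: str, purpose: str, remembered: str, max_version: int = 64) -> int:
    """Increment the version until the hint matches, as described in the thread."""
    for v in range(1, max_version + 1):
        if version_hint(master, purpose, v) == remembered:
            return v
    raise LookupError("no version up to max_version produced that hint")


if __name__ == "__main__":
    m, site = "correct horse battery staple", "https://example.com"  # constructed input
    for v in (1, 2):
        print(v, version_hint(m, site, v), derive_password(m, site, v))
```

Because the whole scheme is a pure function of the master phrase, a single keylogged or pasted master phrase reproduces every password for every version, which is the weakness the thread keeps returning to.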
They also have settings depending on password requirements (no special characters, etc.).
I'm unsure what the URL really has to do with it, you could just generate a new password for the new URL and change it.
Too bad the article is quite thin.
On macOS every time I opened Safari it launched a dashlane.com page reminding me to install the plugin. I did not want the plugin, and after much googling I never was able to prevent this behavior. I had to uninstall it.
Switched to KeePassXC, it's good.
Interested to know your experience, good/bad/etc... I am considering installing on a VM at home to use for family.
whois lastpass.com
LogMeIn, Inc.
whois bitwarden.com
WhoisGuard, Inc.
It's at the bottom of the page.
So why the discrepancy?
Bitwarden is open source and self-hosted. This is a better trust model than any of the other offerings by a mile.