I trust Mozilla more than any random app that advertises on random podcasts. I like that it warns me when sites I use have been compromised, and that it is generally easy to use. That said, I am not a security expert, so I am interested to see if anybody has any concerns about this setup.
In practice I use https://www.passwordstore.org/ to fill the gaps.
I just use BitWarden and it's close to perfect.
I did a write up on it for anyone interested.
I recently picked up my adult daughter’s phone and tried the password I knew she used as a teenager, and it is still the one she uses. I’ve tried to get her and other family members to use password managers and better security practices. It’s like talking to a brick wall. They all think it is too much work. Of course, these are the same people that post their entire lives on social media.
- KeePassXC: tried this when I was looking for a self-hosted, open-source alternative to LastPass years ago. Was surprised at how well it worked, but syncing was too much of a hassle so I gave up fairly quickly.
- 1Password: my favorite of the bunch so far, great UI and UX, works seamlessly across all my devices with all the stuff I want and need: credit card info, logins, 2FA, automatic hidden email generation via Fastmail, easy sharing and family accounts work really well, CLI for use in scripts and now built-in SSH-key management. Not a huge fan of the subscription model, but probably the service I am most happy to pay for.
- LastPass: was forced to use this at my previous job, absolutely hated it. The UI and UX feels ten years behind 1Pass and Bitwarden, it's slow and not nearly as featureful as the alternatives. I switched from them when they were bought out by LogMeIn, but it doesn't look like the product has meaningfully changed since then.
- BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with fewer features and polish.
Personally, I would recommend 1Pass for an "it just works" experience, and self-hosted Bitwarden if you want the same but on your own premises via https://github.com/dani-garcia/vaultwarden.
Weird, I can't stand the 1Password UI/UX. I've used it at work for two years now, so I can get around ok at this point, but for a long time I struggled to find even basic functionality. Also the keyboard navigability is garbage.
> BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with fewer features and polish.
The SaaS Bitwarden offering is less expensive than 1Password at all tiers, plus there's a (functional) free tier.
I will say, 1Password does seem to be the most secure of the SaaS options. But this is just my vague impression -- I haven't looked into it closely, nor am I qualified to.
Why can't you use Dropbox or Google Drive to sync? Seems fairly easy.
Unless you mean subscription pricing which you could side-step before with one-time licenses, but those are gone now too.
This alone makes me doubt the reliability of your assessment.
A quick Google search:
1password free: nope.
1password personal: 36 usd yearly
1password family: 60 usd yearly
Bitwarden free: almost every important feature available.
Bitwarden personal: 10 usd yearly
Bitwarden family: 40 usd yearly
Yeah, not even close.
AFAICT, 1Password encrypts all metadata, their key derivation is stronger, and they use more rounds. Their security whitepaper [0] goes into a ton of detail. I'm more comfortable with my choice in 1Password (I previously used LastPass years ago, and need to rotate some old passwords that were still in LastPass).
[0]: https://1passwordstatic.com/files/security/1password-white-p...
Finding the info regarding where to place your trust is tricky. I happen to have been personally recommended 1Password by a genuine security expert who uses it for his family, and that's about the best I can do. I know Agilebits pays for regular 3rd party security audits / pen tests. I guess you could look further into those. I know they're financially sustainable so can afford the expertise they need (which is part of why I think subscription is a good model for software like this - I want Agilebits to be on a long-term secure footing). As far as we know publicly, they also have an excellent security record (which LastPass didn't even before the recent breach).
[edit - there's more info here https://support.1password.com/security-assessments/]
I use 1pass. I don’t know if they’re actually better. I wouldn’t recommend rolling your own here, however, even if you can’t think of why your solution would have flaws.
It takes a special kind of mind to accept the limitations of your perspective, and this is a field ripe with that exact kind of bias.
If you want “seamless sync of your secrets” by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of LastPass (though they also encrypt URLs, and might have better KDF, and operational security).
In particular, you should assume that 3-letter agencies snapshot data in cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.
I sync the DB with Nextcloud and encrypt with a combination of password and keyfile. The keyfile is a few KB of /dev/random and I only transfer it "offline" between devices (mostly over USB to/from my phone).
Also, /dev/urandom instead of /dev/random (as seed to diceware).
Easy, end to end encrypted, always up to date, free.
https://open.substack.com/pub/magoop/p/how-to-manage-500-pas...
First, they encrypt with the secret key AND the master password. This is the most important thing, and I was shocked to learn Lastpass doesn't do it.
Second, the master password runs through PBKDF2 with 100000 rounds, but a cursory Google search suggests the very earliest versions used around 10000. LastPass's problem was a low 5000 rounds, and it did not update the number of rounds. I don't know if 1password updates the number of rounds.
Third, they use a zero-knowledge proof protocol called "secure remote password". When I was sharp in cryptography, this is what made me choose 1password over the others. I don't understand all the details anymore, and I don't know if it is "post-quantum secure."
Fourth, the UX is nice and I can recommend it to anybody who is literate. (This is not a cynical take -- I don't know how good the UX is for someone who is not fluent in a language 1password uses.) (Also, 1password recently released "1password 8", a new UI. I have not tried it and cannot speak to it.)
Fifth, 1password's biggest (only?) controversy was moving to a subscription model. I actually prefer this. (I want devs to be paid in perpetuity to keep this secure! I assume 1password has security holes somewhere, and I want 1password to pay their folks to find them first.)
Unfortunately, the monthly price "billed annually" is $3/month, but it seems the true monthly price is hidden behind a signup wall. I feel comfortable assuming the price is less than $10 per month.
Sixth, and most importantly: If your payment lapses, you can still access all your passwords, but you no longer get sync. (But I have not tried this in practice.)
---
1password security whitepaper: https://1passwordstatic.com/files/security/1password-white-p...
1password security overview: https://support.1password.com/1password-security/
Secure Remote Password (SRP) overview: https://blog.1password.com/developers-how-we-use-srp-and-you...
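The "secret key AND master password" point above (and the password-plus-keyfile setup mentioned earlier in the thread) comes down to mixing a high-entropy secret the server never sees into the key derived from the user's password. The sketch below is an added example, not 1Password's or KeePass's own code: it combines a PBKDF2 output of the password with an HKDF output of an assumed 1Password-style secret key (a simplified model of the two-secret scheme in the whitepaper, with constructed sample values), so that a vault copy plus the correct password is still useless without the secret key.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # the PBKDF2 round count quoted in the comment above
# Constructed sample values; a real secret key is generated by the client
# and stored only on the user's devices, never on the server.
SAMPLE_SECRET_KEY = "A3-CONSTRUCTED-EXAMPLE-KEY-NOT-REAL"
SAMPLE_SALT = b"constructed-16-byte-salt"

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal RFC 5869 HKDF (extract then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(master_password: str, secret_key: str,
                      salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Two-secret key derivation (simplified assumption about 1Password's scheme):
    the slow PBKDF2 result from the password is XORed with a fast HKDF
    expansion of the secret key, so both secrets are needed to reproduce it."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    sk_part = hkdf_sha256(secret_key.encode("utf-8"), salt, b"2SKD-secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def unlock(master_password: str, secret_key: str, salt: bytes,
           stored_key: bytes, iterations: int = ITERATIONS) -> bool:
    """Check a password/secret-key pair against the key the vault was sealed with.
    Constant-time comparison avoids leaking how many bytes matched."""
    candidate = derive_unlock_key(master_password, secret_key, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)

if __name__ == "__main__":
    sealed = derive_unlock_key("correct horse battery staple", SAMPLE_SECRET_KEY, SAMPLE_SALT)
    # Right password, missing secret key: the vault stays closed.
    print("password only:", unlock("correct horse battery staple", "", SAMPLE_SALT, sealed))
    print("both secrets: ", unlock("correct horse battery staple", SAMPLE_SECRET_KEY, SAMPLE_SALT, sealed))
```

The iteration count only slows each guess; the secret key is what turns an offline attack on a leaked vault from "guess the password" into "guess 128+ bits of randomness".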
The UX is simple enough so every person in my family from wife to kids can use it. Because ensuring your family's cybersec is important as well. Teach your kids good cyber hygiene from day one.
1Password deals with the infra and software stack which is a time saver for me.
I previously stored everything in Firefox, transferred it easily to Bitwarden. Linux app seems to work fine, tested in Firefox, Chrome, Android phone, smooth transition.
The only thing that I've noticed is that you have to change existing passwords manually by editing records in the vault; the Firefox extension does not prompt you to update the password once it detects a successful login with another one.
The LastPass exporter IME is very unreliable.
https://chriszarate.github.io/supergenpass/mobile/
It combines an easily recalled password with domain to generate a longer password. I feel quite safe using this as no data is stored anywhere.
Rumor was Apple uses 1pass internally???
https://support.apple.com/guide/iphone/automatically-fill-in...
I’m a little unclear on what the authentication is here. You need the iCloud password — if I lose my phone will I need my old PIN as well? I remember going through a bunch of “reset keychain” instances at one point because I somehow changed my PIN and misremembered it.