Ask HN: LastPass Alternatives
As I change passwords and research migrating from LastPass, what are the current HN recommendations? Linux, Firefox, iOS please.

KeePassXC can be synchronized to/from any public or private cloud platform using your existing sync tools specific to each platform. [1] The benefit being cloud-agnostic and avoiding vendor lock-in.

I do that but with Syncthing.

Good point. Edited to include public or private clouds.

I didn't mean to say what you said was inaccurate. I clicked the link because I thought it was some KeePassXC option for cloud sync, but it was just an FAQ saying you can save your vault file on various cloud platforms. Just an addition, since even KeePassXC didn't mention it.

I just use Firefox Sync. It integrates with iOS and Android. You just install the app and use the system settings to set Firefox as the default password store for the system. It works in all apps, as far as I can tell. I wish it integrated with Linux & GNOME a bit better, but I just work around that by bookmarking the browser link to the password page in Firefox. I trust Mozilla more than any random app that advertises on random podcasts. I like that it warns me when sites I use have been compromised, and that it is generally easy to use. That said, I am not a security expert, so I am interested to see if anybody has any concerns about this setup.

I mostly use Firefox Sync as well. The main downside is that it is super basic. It can only store basically URL, username, password. There is no option to store TOTP secrets, backup codes, binary data or arbitrary information. If it's text you can cheat and make "fake" entries, but it isn't good UX. In practice I use https://www.passwordstore.org/ to fill the gaps.

There's also the possibility of self-hosting the sync server. Though it won't necessarily mean more secure, someone may sleep better at night.

Bitwarden. Very straightforward and open source.

Absolutely BitWarden, unless you want to do KeePass+SyncThing and can do your own research and keep track of the app-specific issues in how they handle sync conflicts.

I just use BitWarden and it's close to perfect.

Self-hosted vaultwarden is my choice. I did a write-up on it for anyone interested.

Second Bitwarden. Pretty cheap, good customer service. You can self-host if you prefer that route. The source code is on GitHub. I have been using it for years. Love it.

I'm thinking of self-hosting, but can I keep using the iOS and desktop apps?

Yes, as far as I remember, you can enter the host you want to connect to in the settings. EDIT: docs: https://bitwarden.com/help/change-client-environment/

Yes, just click on settings and type in a new URL.

I've been so satisfied with it that I showed it to my manager, he started using it as a private customer, and we adopted it as the company-wide password manager some months later.

Self-hosted Bitwarden plus Tailscale is something I've been considering, to avoid exposing the server to the internet.

I was shocked at how many people still used LastPass when Bitwarden is out there, being better in pretty much every way.

Are you also shocked at how many people don't use a password manager at all and reuse the same password? I recently picked up my adult daughter's phone and tried the password I knew she used as a teenager; it is still the one she uses. I've tried to get her and other family members to use password managers and better security practices. It's like talking to a brick wall. They all think it is too much work. Of course, these are the same people that post their entire lives on social media.

Throughout the years I've tried most of the more popular ones on the market, sometimes forced via work and other times because I was curious.

- KeePassXC: tried this when I was looking for a self-hosted, open-source alternative to LastPass years ago. Was surprised at how well it worked, but syncing was too much of a hassle so I gave up fairly quickly.

- 1Password: my favorite of the bunch so far, great UI and UX, works seamlessly across all my devices with all the stuff I want and need: credit card info, logins, 2FA, automatic hidden email generation via Fastmail, easy sharing, and family accounts work really well, CLI for use in scripts and now built-in SSH key management. Not a huge fan of the subscription model, but probably the service I am most happy to pay for.

- LastPass: was forced to use this at my previous job, absolutely hated it. The UI and UX feel ten years behind 1Pass and Bitwarden, it's slow and not nearly as featureful as the alternatives. I switched from them when they were bought out by LogMeIn, but it doesn't look like the product has meaningfully changed since then.

- BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.

Personally, I would recommend 1Pass for an "it just works" experience, and Bitwarden hosted yourself if you want the same but on your own premises via https://github.com/dani-garcia/vaultwarden.

> 1Password: my favorite of the bunch so far, great UI and UX

Weird, I can't stand the 1Password UI/UX. I've used it at work for two years now, so I can get around OK at this point, but for a long time I struggled to find even basic functionality. Also the keyboard navigability is garbage.

> BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.

The SaaS Bitwarden offering is less expensive than 1Password at all tiers, plus there's a (functional) free tier. I will say, 1Password does seem to be the most secure of the SaaS options. But this is just my vague impression -- I haven't looked into it closely, nor am I qualified to.

> syncing was too much of a hassle so I gave up fairly quickly.

Why can't you use Dropbox or Google Drive to sync? Seems fairly easy.

You can, and it's trivial. I've never had a problem after a decade of constant use. My KeePassXC DB is synced between my phone, tablet, desktop, and laptop, and they all stay perfectly in sync. I've been scratching my head for this whole decade about why people want some SaaS for this.

The only use case I found (though still quite possible) is if I have NO access at all to any of my devices, and I only have access to the internet, and precisely: web only. I could go to the 1Password website (for example, in an internet cafe or via someone's tablet), get into my vaults with the master key and the password, and start recovering other passwords, details etc. Without SaaS, it would be barely possible.

Bitwarden has a free service that I've been using fine for a few years.

I really like 1Password, but the only thing that keeps me away right now, and I would love to hear that it's changed, is that the only way to use 1Password outside of macOS/iOS requires the subscription service.

You used to have Dropbox/folder sync until 1Password 7 (I've used it that way on Windows since 1P4), but 1P8 dropped that. You can still use 1P7 and it'll receive security updates IIRC, but it's gone from app stores unless you already downloaded it (which is annoying in other ways too: 1P8 is missing some languages that 1P7 had). Unless you mean subscription pricing, which you could side-step before with one-time licenses, but those are gone now too.

I sync KeePassXC with Google Drive across all my devices, no problem.

Same (well, different file sync but same idea). Love this approach. 4 devices and counting. Zero problems. Maybe because I don't use this service a lot.

What's the easiest way to use Google Drive to sync across Linux, macOS and iOS?

> - BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.

This alone makes me doubt the reliability of your assessment. A quick Google:

1Password free: nope.
1Password personal: 36 USD yearly
1Password family: 60 USD yearly
Bitwarden free: almost every important feature available.
Bitwarden personal: 10 USD yearly
Bitwarden family: 40 USD yearly

Yeah, not even close.

1Password for me. Not overly happy that they moved over to subscription-based pricing, but I've been using it for years now and it works well across all of my devices.

Is 1Password any less vulnerable, architecturally, to a massive hack akin to what happened recently to LastPass? I'm in the same boat as the OP and wary of putting all my stuff somewhere else that will result in a similar breach a few months from now.

I'm not a security expert or cryptographer so take this with a grain of salt, but I've been trying to understand what flawed architectural decisions LastPass made, and based on the critiques I've seen by some security/cryptographer folks (on Twitter, mostly) it does seem that 1Password is less vulnerable. It seems the key derivation, number of rounds, and unencrypted metadata (e.g. the website associated with the credential) are factors that made LastPass more vulnerable. AFAICT, 1Password encrypts all metadata, their key derivation is stronger, and they use more rounds. Their security whitepaper [0] goes into a ton of detail. I'm more comfortable with my choice in 1Password (I previously used LastPass years ago, and need to rotate some old passwords that were still in LastPass).

[0]: https://1passwordstatic.com/files/security/1password-white-p...

Yes, it is. LastPass is uniquely poor amongst the most commonly used password managers. 1Password at least has the architectural benefit that your vault key isn't just your passphrase, but also an "account key" (both are merged to form the actual key). So at the very least it's dramatically harder to crack, compared to running dictionary attacks on passphrases with LastPass. That's one reason I finally switched from 1Password.com + Dropbox to 1Password.com a year ago.

Architecturally, no. Operationally, based on folks I know who have worked there in the past (or continue to), they are much less likely to be popped. Something about having higher-calibre security folk seems to make major breaches much less common. See Google and Apple, which apart from some social engineering vulns in iCloud have remained mostly untouched for a decade+ whilst being the juiciest of juicy targets.

I don't know if I would say it is based purely on syncing with 1Password.com like you do with LastPass, but I would on the fact (AFAIK they still offer these options) that you can choose where to sync your vault: 1Password.com, iCloud, Dropbox, FTP, locally between devices. So, from an attacker's viewpoint, going after 1Password.com wouldn't necessarily get all the 1Password users.

I just don't have the security expertise to make the judgement, and, let's face it, that's true of most of us. Which is of course why you're asking, but you're not guaranteed to get answers from people you know to be any more knowledgeable than you. Somewhere you have to rely on good old human trust. Finding the info re where to place your trust is tricky. I happen to have been personally recommended 1Password by a genuine security expert who uses it for his family, and that's about the best I can do. I know AgileBits pays for regular 3rd party security audits / pen tests. I guess you could look further into those. I know they're financially sustainable so can afford the expertise they need (which is part of why I think subscription is a good model for software like this: I want AgileBits to be on a long-term secure footing). As far as we know publicly, they also have an excellent security record (which LastPass didn't, even before the recent breach). [edit: there's more info here https://support.1password.com/security-assessments/]

As someone historically adjacent to the security industry, and having worked with some of the best, all I can say for sure is that questions like these really bring out some of the worst, most bespoke, and operationally insecure password management strategies that fail miserably to understand the problem. I use 1Pass. I don't know if they're actually better. I wouldn't recommend rolling your own here, however, even if you can't think of why your solution would have flaws. It takes a special kind of mind to accept the limitations of your perspective, and this is a field ripe with that exact kind of bias.

KeePassXC is a thick-client password manager. Password Store might be even more secure. If you want "seamless sync of your secrets" by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of LastPass (though they also encrypt URLs, and might have a better KDF, and operational security). In particular, you should assume that 3-letter agencies snapshot data in the cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.

I use KeePass(XC) across all my devices: Windows, Linux and Android. I sync the DB with Nextcloud and encrypt with a combination of password and keyfile. The keyfile is a few KB of /dev/random and I only transfer it "offline" between devices (mostly over USB to/from my phone).

I could suggest a small improvement: a diceware password instead of directly taking the output of /dev/urandom. That would allow you to easily and securely exchange the symmetric key by typing it. Also, /dev/urandom instead of /dev/random (as seed to diceware).

Oooh, smart. Yeah, moving my keyfile when I get a new phone or device every few years via a USB cable hasn't been much of a hassle, but your plan is even better.

Isn't the solution obvious? Just don't store the entire password in the manager. Add a memorized manual prefix or suffix to the randomly generated/filled-in password when you log in. Trust nobody. It's not too much extra work and protects against anything like this in the future.

The KeePass family (I use KeePassXC on Linux, macOS and Android) or Bitwarden self-hosted (never used) are probably going to be the top comments.

What do you use for sync?

I use KeePass and just save the encrypted file in iCloud. Easy, end-to-end encrypted, always up to date, free. https://open.substack.com/pub/magoop/p/how-to-manage-500-pas...

Does KeePass support OTP? That's one of the reasons I have stuck with 1Password.

Depends on which type you mean. In its security settings you can have a password, a key file and then a challenge-response via a YubiKey or OnlyKey for HMAC-SHA1 Challenge-Response, which is sort of OTP but potentially not the type you are considering? It doesn't do a fallback to email or mobile for a second factor, but it can use the hardware keys. You can store TOTP info in it for sites if that's what you mean.

I use and generally recommend 1Password. I've used it on every major mobile and desktop OS browser. (I've had some issues on Android, but it was not a standard Android OS.) The UX is generally nice.

First, they encrypt with the secret key AND the master password. This is the most important thing, and I was shocked to learn LastPass doesn't do it.

Second, the master password runs through PBKDF2 with 100000 rounds, but a cursory Google search suggests the very earliest versions used around 10000. LastPass's problem was a low 5000 rounds, and it did not update the number of rounds. I don't know if 1Password updates the number of rounds.

Third, they use a zero-knowledge proof protocol called "Secure Remote Password". When I was sharp in cryptography, this is what made me choose 1Password over the others. I don't understand all the details anymore, and I don't know if it is "post-quantum secure."

Fourth, the UX is nice and I can recommend it to anybody who is literate. (This is not a cynical take; I don't know how good the UX is for someone who is not fluent in a language 1Password uses.) (Also, 1Password recently released "1Password 8", a new UI. I have not tried it and cannot speak to it.)

Fifth, 1Password's biggest (only?) controversy was moving to a subscription model. I actually prefer this. (I want devs to be paid in perpetuity to keep this secure! I assume 1Password has security holes somewhere, and I want 1Password to pay their folks to find them first.) Unfortunately, the monthly price "billed annually" is $3/month, but it seems the true monthly price is hidden behind a signup wall. I feel comfortable assuming the price is less than $10 per month.

Sixth, and most importantly: if your payment lapses, you can still access all your passwords, but you no longer get sync. (But I have not tried this in practice.)

---
1Password security whitepaper: https://1passwordstatic.com/files/security/1password-white-p...
1Password security overview: https://support.1password.com/1password-security/
Secure Remote Password (SRP) overview: https://blog.1password.com/developers-how-we-use-srp-and-you...

I use a KeePass database stored on iCloud, with the KeePassium client on iOS, and the KeePass client on Windows. Works like a charm.

1Password. The UX is simple enough that every person in my family, from wife to kids, can use it. Because ensuring your family's cybersec is important as well. Teach your kids good cyber hygiene from day one. 1Password deals with the infra and software stack, which is a time saver for me.

I just switched to Bitwarden after seeing it recommended on HN a bunch of times. Bought a subscription right away. I previously stored everything in Firefox, transferred it easily to Bitwarden. The Linux app seems to work fine, tested in Firefox, Chrome, Android phone, smooth transition. The only thing that I've noticed is that you have to change existing passwords manually by editing records in the vault; the Firefox extension does not prompt you to update the password once it detects a successful login with another one.

The extension on Chromium browsers does offer to update passwords if your vault has been unlocked recently.

Does anyone know of an open source tool that will reliably export LastPass entries to the other formats or even a CSV? The LastPass exporter IME is very unreliable.

I had no trouble with the built-in CSV exporter, but had to do some manual fixes in the text editor before it could be satisfactorily imported into Bitwarden.

Used to use Password Safe early on before switching to KeePassXC. Have the KDBX file synced across my phone and desktop with Syncthing.

For a while I used an encrypted Excel spreadsheet (AES-256 but no idea about other tuning) stored in OneDrive. Could open it just about anywhere since Office is everywhere and OneDrive pretty ubiquitous (I'm guessing no Linux though, except Wine?). I have moved to BitWarden now because with so many passwords a spreadsheet is cumbersome and prone to fat fingers.

I use a locally saved version of supergenpass https://chriszarate.github.io/supergenpass/mobile/ It combines an easily recalled password with the domain to generate a longer password. I feel quite safe using this as no data is stored anywhere.

Doesn't this mean that you can never change your password for a given site? E.g. if some retailer leaks a bunch of data and is storing passwords in plain text or something, I want to be able to rotate my password for that website.

No. You can change/rotate your own password whenever you want.

Wouldn't that change all of the passwords?

I've tried Bitwarden, and it's great (and free), but the best option is 1Password if you ask me.

Enpass, an offline password manager with the option of syncing the vault to third-party apps like Dropbox or Google Drive. https://www.enpass.io/

I will add another voice in favour of Bitwarden. It even has some nice visual polish after many years. I pay the $10 per year because that's basically free and the value prop is obvious (to me). YMMV.

BitWarden as a Home Assistant add-on. Make sure to also run the 'Google Backup' add-on for HA to have a backup for your passwords. Running it for 2+ years now (Raspberry Pi 3). Works like a charm.

I would love to use iCloud Keychain, but it doesn't have extra fields, support OTP, or even really have a proper GUI. Rumor was Apple uses 1Pass internally???

Keychain on iOS does support OATH TOTP out of the box. https://support.apple.com/guide/iphone/automatically-fill-in... And it has a notes field.

Has it always had that and I just never clicked through somehow! I'm a little unclear on what is authentication here. You need the iCloud password — if I lose my phone will I need my old PIN as well? I remember going through a bunch of "reset keychain" instances at one point because I somehow changed my PIN and misremembered it.

Been using KeePassXC for the last five years.

Look at https://spectre.app/

KeePass with the DB stored on OneDrive.

I've been very happy with the built-in Chrome/Google password manager.

Passwords for Nextcloud.

+1 for Bitwarden.

vim ~/docs/passwords.gpg

Does that work at all on mobile?

I'd imagine it works with Termux.

Bitwarden is the obvious choice.
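Added illustration (not code from any commenter, 1Password or LastPass) of the two key-derivation points argued over in the thread: the PBKDF2 iteration count sets the per-guess cost of an offline attack on a stolen vault, and mixing a random device-held secret key into the derivation means a stolen vault cannot be verified against a wordlist at all. The scheme and the round counts are simplified placeholders taken from the discussion, not either vendor's actual design.

```python
"""Why iteration count and a device-held secret key matter for a stolen vault.
Simplified model for illustration; NOT 1Password's or LastPass's real scheme."""
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional

# Round counts as quoted in the thread (assumed representative, not verified).
LEGACY_ROUNDS = 5_000
MODERN_ROUNDS = 100_000


def derive_vault_key(master_password: str, salt: bytes, rounds: int,
                     secret_key: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password, optionally bound to a
    high-entropy secret key that lives only on the user's enrolled devices."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, rounds, dklen=32)
    if secret_key is None:
        return pw_key
    # Binding step: HMAC the password-derived key under the secret key. Whoever
    # holds the vault but not the secret key cannot tell a right guess from a
    # wrong one, so a wordlist attack has nothing to check against.
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def wordlist_recovers_key(wordlist: Iterable[str], salt: bytes, rounds: int,
                          target: bytes,
                          known_secret_key: Optional[bytes] = None) -> Optional[str]:
    """Model of what a thief holding the vault blob (salt + key check value)
    can do offline: derive a key for each candidate password and compare.
    Returns the matching password, or None if the wordlist cannot reproduce it."""
    for candidate in wordlist:
        guess = derive_vault_key(candidate, salt, rounds, known_secret_key)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Rough cost of one PBKDF2 guess on this machine for a given round count;
    the attacker's cost scales linearly with rounds in the same way."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"timing-salt", rounds, dklen=32)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)          # 128 bits, never leaves the device
    master = "correct horse battery staple"       # constructed sample, in the wordlist
    wordlist = ["password123", "letmein", master, "qwerty"]  # constructed sample

    pw_only = derive_vault_key(master, salt, LEGACY_ROUNDS)
    bound = derive_vault_key(master, salt, LEGACY_ROUNDS, secret_key)
    print("password-only vault recovered:", wordlist_recovers_key(wordlist, salt, LEGACY_ROUNDS, pw_only))
    print("secret-key-bound vault recovered:", wordlist_recovers_key(wordlist, salt, LEGACY_ROUNDS, bound))
    for rounds in (LEGACY_ROUNDS, MODERN_ROUNDS):
        print(f"{rounds:>7} rounds: ~{seconds_per_guess(rounds) * 1e3:.1f} ms per guess on this CPU")
```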