Password management: which one of these options would you choose?

captain_obvious@lemmy.wtf to Selfhosted@lemmy.world – 79 points –

Objective: Secure & private password management, prevent anyone from stealing your passwords.

Option 1: Store the KeePass PW file in a personal cloud service like OneDrive/GoogleDrive/etc., download the file, use KeePassXC to open it

Option 2: Use ProtonPass or similar solution like Bitwarden

Option 3: Host a solution like Vaultwarden

Which would you choose? Are there more options? Assume a strong master password and strong technical skills.


Keepass on phone, desktop and tablet. Sync serverless via Syncthing.

  • completely private
  • always available when needed
  • no dependency on services which may go away
  • all open source software
  • maximum security

Same here. Home server to which desktop and phone connect with OpenVPN.

Check out tailscale (or headscale)

It lets you connect those devices without necessarily sending all data through your home network when you are remote. (Though that is an option along with many other great features like ssh authentication)

It also uses WireGuard for the backend which is more secure and efficient than openvpn.

Keepass + syncthing.

Don't let your vault go unencrypted through the cloud.

Your vault is always encrypted very securely except when in RAM. There is no security concern with uploading it directly to the cloud.

It's encrypted at rest with a passphrase. Syncthing encrypts it in transit with a random key.

There is a huge difference on the security of those.

Keepass allows you to use a passphrase in combination with a randomly generated keyfile. You only need to copy the keyfiles to your devices once (not via cloud services, obviously). Your actual database can then be synchronized via any cloud provider of your choice (hell, you could even upload it publicly for everyone to see) and it would still be secure.

Keepass file in my own Nextcloud instances, synced to my phone so I can also use Keepass2Android. This way if something happens I at least have another copy of it, beyond my backup system.

That's actually exactly how I have my setup. I just use Syncthing to keep everything dynamically backed up as I add passwords. My main login password is memorized and not written down anywhere, so I think I'm good.

I do the same, but synced to Dropbox from computers and phone.

I have the Proton password manager as well but not sure yet if I'll do a full swap over.

Vaultwarden behind mutual tls and reverse proxy and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged

But honestly all services you mentioned are worthy.

Anything that fits your needs imao

That PR might be a while....
https://github.com/bitwarden/mobile/pull/2629#issuecomment-1731457466

Considering that Android is going to prevent users from importing a CA

Edit:

Wait, I think I have my wires crossed.
I think Android is removing the ability for apps to install certs.
The user has to manually install a cert, and then select it in the app.

Edit again:
Yeh, this is what I was thinking of:
https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/

But, thinking about it now, I doubt it will actually affect the feature

"But, thinking about it now, I doubt it will actually affect the feature"

It will not

We don't need to import a custom CA authority here just to install a client cert.

Using Let's Encrypt is a lot easier to deal with on the client side than modifying CAs, although the initial set up of the server can be a pain in the ass if you're new to it.

I've used Option 1 with my Nextcloud and it works perfectly. Other options seem more appropriate when you need scale, many users each with their own vault.

Stupid me, didn't even remember using Nextcloud instead of commercial clouds. I like it.

I used to self host Bitwarden, but didn't want the hassle of securing it and updating it properly and consistently. So I just pay $10 for bitwarden premium and I get to support the company.

Option 1, KeePassXC plus SyncThing, done. Works amazing on all my devices.

I've never heard of Syncthing, I use Keepass on Windows and my Android, syncing to Dropbox. If I change to Syncthing is it an easy swap, anything I should watch out for?

Option 2. It's the most robust. You'll never lose it (provided you have the redundancy), you can use it offline, you can transfer it using a USB pen, it's available in all platforms, including web. I've been using this for 8+ years, on my phone, desktop, laptop, company computer, etc. I store it on a personal cloud (and on each machine, of course, by syncing).

I use and prefer option one, but take it a step further in that I host my own cloud service. I used to use Dropbox for years, but we got divorced.

Option 4: leverage existing tools such as gpg and git using something like pass. That way, you are keeping things simple, but it requires more technical knowledge. Depending on your threat model, you may want to invest in a hardware security key such as a YubiKey, which works well with both gpg and ssh.

Why use tools not meant for password management, when alternative tools explicitly meant for password management, which have similar levels of security, work just fine?

You’re essentially saying “instead of driving down the road, I like to ride my bike with rollerblades.”

I have a set up like this (age, passage, & git). Bitwarden's browser integration works just fine, for the most part. The thing is, some of my passwords are not browser-based, and I spend large amounts of time in the terminal. Using a CLI-tool in this case lets me save a bit of time

Bitwarden has a cli tool which I find pretty useful. Together with jq you can even pipe the password or store it to a variable.

Ah I didn't know that! Thanks, will be checking it out for sure

It is just how I prefer to do my computing. I tend to live on the command line and pipe programs together to get complex behavior. If you don't like that, then my approach is not for you and that's fine. As for your analogy, I see it more as "instead of driving down the road in a car, I like to put my own car together using prefabs".

I used option 1 (KeePass synced to Google Drive) for years. It's nice that you know you have control of your passwords at all times, and as long as you can access your cloud storage account and can download a KeePass app, you can get your passwords. It works reasonably well most of the time, but I was consistently running into edge cases that weren't as smooth as I'd have liked (mostly apps on Android)

I switched to Vaultwarden (option 3), and immediately fell in love with things mostly just working. However, since I was hosting it out of my house, I had a bit of a disaster recovery problem. If I had, say, a fire, I could easily lose all copies of my vault, which would be... suboptimal.

After reviewing the options, I switched to straight bitwarden. I've been happy with the experience, and once I have disposable income, I plan to get pro long enough to have emergency contacts available so my family can still get important passwords in case of the worst.

All options have their pros and cons, but IMO password storage is something that deserves to be given proper consideration.

Vaultwarden. And take regular backups. I don't trust my passwords to be safe anywhere other than my own servers. The chances of my server being hacked are very low.

I do KeePassXC and Syncthing. It’s cross platform with only a couple bucks needed for lifetime access to all necessary features depending on platform. Besides, I use Syncthing for a bunch of other stuff as well, so it fits right into my flow. I’m considering moving to a command line tool simply called pass, and still syncing with Syncthing, but I’ve yet to pull the trigger on that switch.

I also do keepassxc, dx on Android, and syncthing to keep them updated. What is it you paid for?

I’m both an iOS and Android user for various reasons. There is a free KeePass front end for iOS, but I paid a one time lifetime license for one that was a little more feature rich. That and the only version of Syncthing for iOS requires a like $4 purchase to allow you to sync folders outside of its default location, which was a pretty necessary feature for me.

Bitwarden+Vaultwarden, harden the chosen VPS, set SSH to use keys only, then set up fail2ban for the web server and SSH. Also consider putting ffsync on it as well for extra browser benefits.

Remember to back that up, and test the backups at intervals to make sure they work.

Not watertight of course, but I love that the Bitwarden clients keep a local copy, so if the server ever goes down you've still got access, just no sync.

Option 3: Vaultwarden + Wireguard.

I don't have to worry about attacks from the internet. And a single wireguard connection on my phone sometimes doesn't even appear on the battery stats.

Edit: Browser addons need valid ssl certificates, which I get by dns challenge.

Could you expand a bit on your edit? So Bitwarden extensions need a valid SSL certificate for the domain where the server is hosted? How do you get that for (I assume) a local domain? Thank you for your time!

Not the one who wrote initially, but I have the same setup (mostly).
I went with a self-signed certificate. So the server is running with a certificate I have signed with my own certification authority certificate (CA cert).
That means I have to install the CA cert on all devices to get Vaultwarden to accept it.

The alternative is a Let's Encrypt certificate, which is free, but you need to open port 80 (and another one if I remember correctly) for it to work (at least every 3 months).

If you own a domain name you can use the DNS-01 challenge instead of hosting a web server to serve the challenge response.

With DNS-01 it will add a TXT record to your DNS zones and check if the record exists to verify that you own the domain and then issue the certificate.

Depending on which tool you use, they usually support DuckDNS and some other free DDNS providers. If you have your domain on a registrar, chances are that it's also supported.

Yep, that would be a good alternative... I don't have an official domain for it, so I went the self-signed way,

which enables me to provide TLS/HTTPS for all my local services. And it was a fun experience to learn.

DNS-01 challenge allows for domain ownership verification without open ports and instead looks for a txt record. Using a tool like lego[1] with the respective dns provider's API automatically creates and deletes the txt record after generating a certificate.

Because ownership is verified by dns txt entry, the (sub-)domain doesn't have to point to a publicly routable host. This allows for using any IP, so I'm using a local ip only available through wireguard or my local network (E.g. bitwarden.example.com points to 192.168.1.123).

The disadvantage is that the provider has to be supported and you have to store an API key for your domain on the server.

[1] https://github.com/go-acme/lego

That's genius. I have never even considered that you could use a (sub)domain with a local IP like that to get a certificate from a trusted CA. I'm not sure I understand the necessity for API access to your DNS service. Is the TXT record for LE different every time you have to pass a challenge? Otherwise I imagine you could just set and forget the record.

thank you for the explanation, well appreciated!

Yes, it's awesome. I never even considered that it's possible to add not publicly routable IPs to a public DNS server, until I recently read a post about the DNS-01 challenge.

I believe the txt record is different every time.
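Why the TXT record changes on every renewal, and what the DNS-provider API access is for, can be seen by computing the record value the way an ACME client such as lego does. This is an added example (not from the thread and not lego's code); it follows RFC 8555 section 8.4 and the RFC 7638 thumbprint, and the token and key coordinates are constructed placeholders, not real ACME data.

```python
"""Compute the TXT record an ACME DNS-01 challenge expects.

Added example (not from the thread or from lego). The record value is
derived from a per-challenge token the CA issues together with the
account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638), so every
renewal needs a fresh record; that is why the ACME client needs API access
to the DNS zone. Token and key values below are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    # ACME uses base64url without padding for every encoded value.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash the canonical JSON of only the required public members,
    # keys sorted lexicographically, no whitespace; other members are ignored.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """Return (record name, TXT value) for a DNS-01 challenge on `domain`."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # The record lives under _acme-challenge. The CA only queries DNS and
    # never connects to the host, so the name may resolve to a LAN/VPN IP.
    return f"_acme-challenge.{domain}", value


# Constructed account key: the coordinates are placeholders of the right
# shape, not a real P-256 public key. "use" must not affect the thumbprint.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder_x_coordinate_base64url_Q",
    "y": "placeholder_y_coordinate_base64url_R",
    "use": "sig",
}


def record_changes_between_orders(domain: str, jwk: dict) -> bool:
    """Two constructed tokens, as two successive renewals would receive."""
    _, first = dns01_record(domain, "constructed-token-order-1", jwk)
    _, second = dns01_record(domain, "constructed-token-order-2", jwk)
    return first != second


if __name__ == "__main__":
    name, value = dns01_record("bitwarden.example.com",
                               "constructed-token-order-1", ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
    print("value differs per order:",
          record_changes_between_orders("bitwarden.example.com", ACCOUNT_JWK))
```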

Bitwarden for me. My password manager is not just for me, it's also a crucial component of my family life so if something happened to me I want my next of kin to be able to access it

For that it needs to be an easy to access solution.

Same, I'm all for complicated things that only I know how to use but the keys to the kingdom shouldn't be one of those when there are laypeople relying on me.

I still have to figure out how to let those people in when needed, I'm thinking writing the master password and the backup code on a paper that lives in a drawer, maybe in a "break in case of emergency" box, etc.

Curious what's the best way to mitigate the wrong person getting that, but I think if you have to worry about someone breaking in your house who is also looking for that info, then you have a different threat profile to consider, and the above calculus doesn't apply.

Bitwarden offers the option to set up an emergency contact.

You choose someone to be an emergency contact, it means that if they want they can request access to view your passwords.

When they send a request you receive several emails to warn you and after X (you can choose the amount) days if you don't do anything they get access to your account.

If you work for a company that uses a reasonably good manager such as BitWarden, you should look into whether or not you get it for free or reduced. For the moment, at least, I use Bitwarden because I get it for free (and a families sub to boot!). I know 1password does the same; others might too. Do make sure you’re okay with paying the full price for a period of time in case you get laid off and have to migrate. Also make sure you’re okay with any compromises you make for the price tag. There is no price tag that makes LastPass acceptable, for example.

I use option 1, I host my keepass db file on a free secure nextcloud storage account, and use nextcloud client to keep it synced to all my devices. It's available offline on all of my devices too, in case the server goes down. I use KeepassXC on my PCs and KeepassDX on Android, to open the files.

I use keepassXC and sync across my devices with nextcloud and VPN to my home network with wire guard and this setup has never failed me.

I've toyed around with passbolt, and I really want to try because it just looks cool to me, but I keep having trouble with it playing nice with my reverse proxy.

My personal preference is hosting it myself on my own server and using a VPN to get to it. It gives me peace of mind because I'm not a big enough target for someone to try that hard to get my passwords and I'm not exposed to bitwarden or dashlane getting breached.

KeePassXC + Syncthing to phone in read-only mode and to another machine. So 3 copies on different machines, while one of them is on me.

Personally I'm running option 2 with self hosted Bitwarden. Sure, it's a bit more effort to make it work, and while it's not perfect that's what I've ended up with. The most convenient thing with that is that I can access my passwords whenever I have internet access with a browser, without any need to install any software on the thing I'm using. Obviously that doesn't mean that I'll happily access the vault with whatever free-to-use endpoint I happen to encounter, but it also gives an option to access whatever even if I'm borrowing a computer from a (trusted) friend, and once I close the private window I used it's gone. And even more often, when I'm accessing my credentials from a family shared computer, I can just log out and I don't need to do any cleanup on the host, which might get infected by our kids browsing something malicious or some other breach of security.

With keepassxc I'd need to worry about the database file, which is a bit different than logging out and closing browser. Your usage patterns might be different, but web-based hosting solution works for me.

I've been happy with Keeper

Same. Zero knowledge is good enough for me tho I may eat them words.

Realistically, I only see 3 risks using Keeper: my device has malware which lets them grab my passwords from my clipboard as I copy them, malware that lets them take control of my device after I've unlocked my password manager, or if the cloud storage is completely wiped out in some freak accident.

1 and 2 are risks for anyone using any password manager. And 3 is extremely unlikely since they use AWS for storage with multi-zone and multi-region redundancy, and certainly much more reliable than self hosting.

The risk of actually having your passwords cracked, even if the cloud data is leaked, is practically 0 as long as you have a decent complexity and length master password and 2FA enabled. And the risk is just as low with a MITM attack or other network based interceptors because of the ZK architecture (as you mentioned) and high encryption used.

Anyone promoting other password managers as more secure either aren't considering the risks to data loss due to self hosting or are buying too much into their password manager's marketing. I think it's totally reasonable to prefer other options due to feature support or subscription price though. A couple of features that Keeper had that made me choose it were:

  • Ability to create Records which allows me to store anything including files. This allows me to upload sensitive records like tax returns or other documents you'd traditionally keep in a safe or filing cabinet.
  • Family plan that makes it easy for me to share passwords with people on my plan (great for things like streaming services). This brought the price to a reasonable level.

There might be other password managers now that support these features, as I haven't kept up with them. I subscribed to Keeper about 6 years ago and haven't had a reason to switch. I'm open to suggestions if people know of other managers with better features.

Option 2 would be your best bet. Great balance between security and convenience. Bitwarden is my go-to because afaik it stores every detail encrypted (unlike mainstream PWs), and when you open your vault, the database gets transferred to your PC and is decrypted locally. It's essentially the same as option 1, just 1000x more convenient.

I'd only self-host Vaultwarden if you want Bitwarden's premium features; if you don't, then you're maintaining a service which you wouldn't really need. Not to mention if you self-host on a machine on your network, you have to deal with exposing that machine to the internet, not really worth it imo.

I use option #1. Each instance of KeePass maintains a local file, but updates them automatically whenever it opens or closes. I also back up the file to my personal server automatically, so I have a copy even if the cloud service fails for some reason.

This setup has been serving me well for a long time.

I'm currently hosting vaultwarden on my rack, mostly just because I can really. It's easy enough and I have plenty of resources.

Why not Keepass on a webdav server? Both Keepass on the computer and Keepass2Android can open the file directly. If you save it on one it will merge the changes in any other copies you have open.

I've been using option 1 for many many years. It lets me keep control of the encryption, and it's accessible just about anywhere.

To improve security of option 1 you could use a keyfile, that is either only transferred manually to devices or stored at a second cloud provider.
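The keyfile point made here and earlier in the thread (a database protected by password plus keyfile can sit on any cloud, because the keyfile never travels with it) comes down to how the two factors are combined. This is an added example, not code from the thread or from KeePass; it models the composite-key construction as I understand it from KeePass (each factor reduced to 32 bytes, concatenated, hashed once more before the KDF) and handles only the raw 32-byte and 64-hex-character keyfile forms, treating any other content as hashed whole; the XML keyfile format is not modelled.

```python
"""Model of how a KeePass composite key combines a password with a keyfile.

Added example, not KeePass code. Assumptions: the password contributes
SHA-256 of its UTF-8 bytes; a 32-byte keyfile is used raw, a 64-hex-char
keyfile is hex-decoded, anything else is hashed whole; the concatenation
of all factors is hashed once more to give the composite key that feeds
the KDF. The XML keyfile format is not handled here.
"""
import hashlib
import secrets
from typing import Optional


def key_file_data(contents: bytes) -> bytes:
    """Reduce a keyfile to the 32 bytes that enter the composite key."""
    if len(contents) == 32:
        return contents                               # raw 32-byte keyfile
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))  # 64 hex chars
        except (UnicodeDecodeError, ValueError):
            pass                                      # not hex: fall through
    return hashlib.sha256(contents).digest()          # any other file: hash it


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine the configured factors; at least one must be present."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_data(key_file)
    if not parts:
        raise ValueError("a password, a keyfile, or both is required")
    return hashlib.sha256(parts).digest()


def new_key_file() -> bytes:
    """Generate a random 32-byte keyfile; copy it to devices out of band."""
    return secrets.token_bytes(32)


def password_alone_reproduces_key(password: str, key_file: bytes) -> bool:
    """Does the password alone yield the key the vault was locked with?

    This is the situation of someone who obtains the synced .kdbx file
    (and even the password) but never received the keyfile.
    """
    locked_with = composite_key(password, key_file)
    return composite_key(password, None) == locked_with


if __name__ == "__main__":
    kf = new_key_file()
    print("composite key:", composite_key("correct horse battery staple", kf).hex())
    print("password alone reproduces it:",
          password_alone_reproduces_key("correct horse battery staple", kf))
```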

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
Git Popular version control system, primarily for code
IP Internet Protocol
NAS Network-Attached Storage
SSH Secure Shell for remote terminal access
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

7 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.

[Thread #173 for this sub, first seen 28th Sep 2023, 18:45]

I went from Keepass synced via NextCloud (self hosted) for years... to trying out Bitwarden (their servers) and found the experience much better... then I switched to Vaultwarden via Docker going through Cloudflare Tunnel (with zero trust email authentication required) and fail2ban added. I'm content with the last option.

Option 1, with manual copying to mobile. I tried syncthing in the past but had problems with corrupted files

Option 1, except for the cloud bit. My KeePass file is stored in a restricted shared folder on my home file server, and auto-syncs to my phone on the rare occasion I update it from my desktop.

I switched to proton pass after using bitwarden for a couple years

I do 3 and have encrypted backups to Dropbox so I can easily restore/spin up a cloud server if I need to.

Yep but use Microsoft.

Been using option 3 but with Bitwarden for almost 5 years at this point. First started out on a VM in a cloud provider. Now it's in a VM on unraid behind a local HAProxy or Cloudflare tunnel for remote access.

Bitwarden's full docker stack provides great daily backups, which I've had to restore on occasion, or go back to one from months ago to dig out a password for my wife.

Been testing and hoping to move to the unified-container from them soon, assuming I can replicate encrypted backups like their solution.

I'm currently using KeePassXC. The setup that I created below gives me 3-backups of my passwords, but it's a bit to manage.

Computer

On my computer, I have my keepassxc database and key file stored in a veracrypt container. Next to my computer, I have a piece of paper that has the password for my keepassxc database and the password for my veracrypt container.

computer -> veracrypt container -> keepassxc database AND keepassxc key file

paper -> keepassxc database pw AND veracrypt pw

KeePassXC Export File (text file that contains all of my login information)

I store this file inside of a veracrypt container, on my USB LUKS. Next to my USB LUKS, I have a piece of paper that has the associated veracrypt password.

usb luks -> veracrypt container -> keepassxc export file

paper -> veracrypt pw

Cloud

I store my database in cloud service a.

I store my key file in a veracrypt container, in cloud service b.

On a piece of paper, I have the login information to both of these cloud accounts and the password for the veracrypt container.

I like Enpass. $25 lifetime sub via Stack social. Does the trick. If they ever pull the rug out on lifetime folks, I would go to Bitwarden.

I ended up scoring a free lifetime membership years ago, but is their stuff open source? I never fully trusted it, so I didn't end up using it for anything

Enpass uses the open source library SQLCipher (which is an SQLite fork with encryption). So while Enpass as a whole is not fully open source, you can still exfiltrate your passwords with open source tools, should they ever vanish or radically change their business model. You can then use, for example, enpass-cli.

That gives me enough confidence to trust in Enpass, since they can't easily hold my data hostage.

It's not open source, so that's an easy deal breaker for some. Considering the vaults are encrypted and Enpass itself stores nothing on their servers, I've been okay with it. The vaults just exist on my phone and wherever I've chosen to back it up (OneDrive, GDrive, Nextcloud, NAS, etc).

Option 2, because once you start thinking about the ways your stuff could be stolen ("threat modelling") you'll see that realistically it's the easiest option.

I did option 1 for a number of years but now I'm doing option 3 off a proxmox container and some cloud scripted backup. So far so good.

We just started doing option 3 at work and just keep it behind the firewall. It is going well so far.

I like LessPass: essentially you choose one password and then it generates secure passwords for each website. Since it uses a predefined generation algorithm it's completely offline and doesn't need syncing, so it's very secure. However it has the inconvenience of needing to remember the way you spelled the website, but if you stick to something like all lowercase it's fine.
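The two properties described here, no vault to sync and sensitivity to how the site is spelled, can be shown with a small stateless derivation. This is an added example, not LessPass's code, and is deliberately simplified (different rendering, no per-class guarantees), so its output will not match LessPass; the `normalise_site` step and the PBKDF2 iteration count are my own choices for the example.

```python
"""Stateless password derivation in the style of LessPass (added example).

Every site password is recomputed from master password + site + login +
counter, so nothing needs syncing. The flip side shown here: "Example.com"
and "example.com" derive different passwords unless the site is normalised
first, which is the "stick to all lowercase" advice made mechanical.
"""
import hashlib
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()_+-=?"
ITERATIONS = 100_000  # PBKDF2 work factor; assumption chosen for the example


def normalise_site(site: str) -> str:
    """Canonicalise the site so that spelling variants collapse to one key."""
    host = urlsplit(site if "://" in site else f"//{site}").hostname or site
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, site: str, login: str, counter: int = 1,
                    length: int = 16, normalise: bool = True) -> str:
    """Derive a site password; identical inputs always give identical output."""
    if normalise:
        site = normalise_site(site)
    # Salt binds the output to this site/login/counter; the counter lets a
    # single site password be rotated without changing the master password.
    salt = f"{site}{login}{counter:x}".encode("utf-8")
    # Two bytes of entropy per output character keeps the divmod below from
    # running out of entropy for any sensible length.
    entropy = int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                            ITERATIONS, 2 * length), "big")
    chars = []
    for _ in range(length):
        entropy, index = divmod(entropy, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


if __name__ == "__main__":
    for spelling in ("example.com", "Example.com", "https://www.example.com/login"):
        print(f"{spelling:32} normalised -> {derive_password('m', spelling, 'alice')}"
              f"   raw -> {derive_password('m', spelling, 'alice', normalise=False)}")
```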

Having gone through all of these options I have thoughts.

Option 1 sounds awesome but will almost always leave you in a situation where you can’t get your logins when you need them in an emergency. You’re always depending on a chain of things. Depending on your situation it may not be a big deal. But this option sucks, imho.

Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.

So that leaves option 2. It’s great but you’re depending on someone else. This is the option that most people should choose too, imo. However it lacks some of the control and trust that options 1 and 3 have.

Sooooo, that leaves us with option 4, the onion option. Breaking up your data into layers and using different tools for them.

So first and foremost I want my password storage to always be available. For me that means Bitwarden (though I’m evaluating Proton Pass currently). This is the outer layer. Things that can and should be stored here are stored here. I use it to manage web logins and 2FA tokens for those sites. I also use it for storing autofill data, e.g. credit cards. I don’t use it to hold things like my gpg keys.

Next layer is pass. This layer is mostly things that I need to have logins or other information on headless/remote servers. Think self hosted lab services like a mariadb/postgres or backups. This is easily kept in sync with git. This is the layer where I’ll store things like gpg keys and other VERY sensitive data that I need to sync around.

For other things on this layer I use Ansible Vault. This is mostly used for anything where I need automation and/or I don’t want to or can’t easily use my YubiKey for gpg. This is kept in sync with git as well.

Lastly the inner layer I use AGE or PGP. This is for anything else I can’t use the above for. So my Bitwarden export/backups are in this level too. I also use this layer for things that I need to use to bootstrap a system. Think sensitive dotfiles. This can be kept in sync with git as well.

Git is the best sync solution imo because you can store it anywhere and use anything to sync that repo. Just throw that raw repo on Dropbox, use ssh with it on a vps, rsync it, etc. you’ll always have it somewhere and on something.

My workflow goes like this: Bitwarden -> Apple/Google/Firefox -> Pass -> Ansible -> AGE/PGP

This allows for syncing things as needed and how needed. It also gives you the option of having an encrypted text file if/when everything fails.

Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.

I currently host Vaultwarden and use the Bitwarden Android app and browser plugin. What does this have to do with a mail server? I don't host a mail server and it works fine for me (tried to host a mail server, but got blocked by ISP and would need a business account to request them to unblock it, which costs double what I currently pay for the same speeds).

It wasn’t meant to be taken literally. What I mean by that is if you’re the type of person who enjoys the upkeep of something as critical (though maybe not so much these days) as email, then go ahead and host your own password vault service. I’m not saying it shouldn’t be done and couldn’t be done.

My point is that there’s going to be times where you NEED your password vault and having it be down because something happened at home or your VPS had a problem is a really shitty situation to be in.

Of course there are workarounds and edge cases to everything too. For me, planning and building for those possibilities came down to what I can do that is the most reliable, simple, and boring. Because that’s what most people need with anything that is critical.

IMHO much like backup, password storage should be reliable, simple, and boring. Kinda like flushing a toilet or flipping a light switch.

Oh, got it. That makes sense. Though if I remember correctly, Bitwarden makes a local copy for you, so even if your device doesn't have internet or your backend is down, you should still be able to enter your passwords, just not create new passwords or sync new passwords from other devices.

I have only been using Vaultwarden/Bitwarden for a short time, but I haven't had any issues thus far. My house is pretty resistant to power outages (solar + 12 hour battery backup for whole house with no sun), but if something happened with my ISP, obviously there's nothing I could do. I haven't tested that case yet. I probably should, though.

Agree 100%. I self-host a lot of services but access to my passwords needs at least 3-nines uptime and the cost of providing that via Azure/AWS isn't really worth it to me.

That said, I trust Bitwarden way more than I ever trusted Lastpass and I still use option 1 for highly sensitive accounts along with redundant Yubikeys (FIDO2, PIV, and GPG in that order) for anything that supports it.

Apple keychain. Supposedly secure, extremely convenient, may be in the Cloud but not centralized - can’t lose everyone’s credentials at once.

The plug-in for Windows works pretty well too, although I wonder if that puts my confidential data at more risk

I keep my passwords in Google. Unencrypted of course

For highest security don't store in the cloud or in multiple places. Memorize them or keep a separate device that has no internet access and keep them on that device encrypted/locked.

Memorizing passwords just leads to passwords that are easy to attack with dictionary attacks and to password reuse.

I memorize the randomly generated ones; you type it in enough, it becomes muscle memory.

My password database contains a few hundred entries. Good luck memorizing that.

That's why my second suggestion was a secondary device with no internet access. And a hardware key for additional security is a good idea.

I'd never store my passwords in the cloud.

I never understood how storing your password in a unified storage is better than just remembering it yourself.

Because humans are generally unable to remember passwords varied enough to be secure.