Password management


Don’t re-use passwords; that would be stupid. Don’t try to remember passwords; that would be hard. Use a password manager which does all that nonsense for you.

Does that not make sense? To avoid password embarrassments, read this helpful intro to password managers from Mozilla.

See? The solution is easy because we’re in the future and there are many options to synchronise passwords across your various computing platforms… A difficulty is in fact the excess of options.

Built-in password management in your OS.

Works fine, but syncing across devices usually means entrusting your vault to the vendor's cloud, and it usually doesn't sync across platforms, e.g. from Windows to Linux to macOS to Android and back. So if you only ever use, say, Windows, this might be advisable. This doesn't work for me.

Bitwarden

I had not heard of Bitwarden but it looks interesting. It seems to support every known platform, browser, desktop and mobile, plus it is open source, the hosted service is cheap and the server can be self-hosted. It also provides encrypted file sync, in which regard it resembles keybase, and has many team-sharing options.

Here is a review of unscrutinised bias.

sudo snap install bitwarden
brew install --cask bitwarden   # the older `brew cask install` form has been removed from Homebrew
# etc

Lockbox

Mozilla’s Lockbox is a recent entrant. Syncs between mobile and desktop Firefox browsers. Open source. Open SDK. Sadly it doesn’t have strong import/export abilities, which makes it hard for me to actually try.

1password

1password: (Mac/Windows/iOS/Android) Closed source, so who knows if it works? It's Canadian, which is an awful jurisdiction. Shiny. Has smartarse features such as not disclosing your secrets under duress in the airport, a.k.a. “Travel mode”, a.k.a. rubber-hose resistance for normal people. Has a CLI.

Dashlane

dashlane: seems to be more or less the same as 1password, but French (?). I am not expert enough to know if this is legally more or less suspect.

Lastpass

lastpass runs on every platform: browsers, phones, Linux, Windows, Mac. The product is closed-source and inscrutable and they have headquarters in the USA, so they have limited ability to resist pressure from casual data harvesting by the American spook apparatus. Also I don't really trust this company, since their other high-profile product, Xmarks, is so horrible. They claim to be host-proof (the server never sees your vault in the clear), though, and this may be true. Their security process seems flaky.

pass

pass (aka zx2c4 pass) is the unixiest thing here; it keeps each secret in its own GPG-encrypted text file. Its open format has plugins for various browsers.

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

It’s disconcertingly freeform, but allows for integration, if you don’t mind using various less-scrutinized bits of code. Also it leaves various metadata in plain sight: only the file contents are encrypted, so the entry names (typically site, URL and username, and the directory layout around them) are readable by anyone who can see the store or its git history, which may or may not be what you expect from a confidential data manager.
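Because everything in a pass store is just files, the metadata point above is easy to check for yourself. The following is an added example, not part of pass or its ecosystem: it walks a store in the ~/.password-store layout, lists the entry names that sit unencrypted on disk, and checks that each .gpg file actually begins with an OpenPGP encrypted-session-key packet (RFC 4880 sections 4.2 and 4.3), which catches a plaintext file accidentally saved into the store. The demo store it builds in a temporary directory, its key id and its file contents are all constructed for illustration.

```python
"""Added example: audit a pass-style store without decrypting anything.

Everything pass stores is a plain file, so the one thing a user should
verify is what is, and what is not, actually encrypted in the tree.
The OpenPGP packet header rules come from RFC 4880 section 4.2; the
demo store is constructed inline for illustration (hypothetical data).
"""
import tempfile
from pathlib import Path

# OpenPGP packet tags (RFC 4880 section 4.3) that begin an encrypted message
TAG_PKESK = 1  # Public-Key Encrypted Session Key: what `pass` produces via gpg -e
TAG_SKESK = 3  # Symmetric-Key Encrypted Session Key: gpg -c output


def openpgp_packet_tag(first_byte: int):
    """Decode the packet tag from the first octet of an OpenPGP packet.

    Bit 7 is always set; bit 6 selects the new-format header, where the
    tag is the low 6 bits, versus the old format, where it is bits 2..5.
    Returns None if the byte cannot be a packet header at all.
    """
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F


def looks_encrypted(data: bytes) -> bool:
    """True if data starts like a gpg-encrypted message (binary or armored)."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    return bool(data) and openpgp_packet_tag(data[0]) in (TAG_PKESK, TAG_SKESK)


def audit_store(store: Path) -> dict:
    """Walk a pass store and report what is visible without the private key."""
    entries, plaintext, stray = [], [], []
    for path in sorted(store.rglob("*")):
        if path.is_dir() or ".git" in path.parts or path.name == ".gpg-id":
            continue
        rel = path.relative_to(store)
        if path.suffix == ".gpg":
            # The entry name itself is the unencrypted metadata pass leaks.
            entries.append(rel.with_suffix("").as_posix())
            if not looks_encrypted(path.read_bytes()):
                plaintext.append(rel.as_posix())
        else:
            stray.append(rel.as_posix())  # not something pass created
    return {
        "entries": entries,      # account names readable by anyone with the files
        "plaintext": plaintext,  # .gpg files that are not actually OpenPGP data
        "stray": stray,          # non-.gpg files living in the store
        "has_gpg_id": (store / ".gpg-id").is_file(),
    }


def build_demo_store() -> Path:
    """Constructed demo store (hypothetical content) in a temp directory."""
    store = Path(tempfile.mkdtemp(prefix="pass-audit-"))
    (store / ".gpg-id").write_text("0123456789ABCDEF\n")  # placeholder key id
    files = {
        # old-format PKESK header (0x85) followed by filler bytes
        "web/example.com/alice.gpg": b"\x85\x01\x0c\x03" + b"\x00" * 12,
        # new-format PKESK header (0xc1) followed by filler bytes
        "bank/acme.gpg": b"\xc1\xc0\x03" + b"\x00" * 12,
        # someone saved a secret without encrypting it: must be flagged
        "notes/todo.gpg": b"wifi password is hunter2\n",
        "README.txt": b"not a pass entry\n",
    }
    for name, content in files.items():
        target = store / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return store


if __name__ == "__main__":
    report = audit_store(build_demo_store())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at a real store with `audit_store(Path.home() / ".password-store")`; the "entries" list is exactly what a thief of the directory (or of the git remote) learns without your key.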

Keepass

Keepass/keepassx is the open source in-principle cross-platform one. Pronounced “Key-pass” or “Keep-ass” depending on whether it compiles successfully. Free, but makes up for it by being clunky and confusing, which is bad for something like password management. Also it was never so very cross-platform, and the ports to different platforms are balkanised and confusing. It doesn’t seem to have a scheme for smoothly syncing passwords across devices, so you’ll end up with 50 different password files in various stages of updatedness. Moreover, one gets the feeling that although the various Keepass forks are somewhat interoperable, they kind of hate each other.

You can choose from, e.g.

  • keepassc, a terminal-based keepass client written in python, which means you can access it cross-platform on your desktop, but good luck integrating it into your phone
  • rust-keepass rewrites keepass in rust, which is a language designed to be more secure. More secure still would be if it ran on all your devices so that you actually used it.
  • macpass is a Mac version. But is it the best mac version, or are there fork wars? Guess.
  • etc

etc

There are now many others.

  • encryptr, the spideroak one. Open source, runs everywhere as a javascript app
  • keeper also offers a Linux client for their encrypted cloud password whodangle
  • roboform is the oldest one here I think, (1999!), and does Linux and everything else.
  • password safe (open source) has Bruce Schneier branding. It has many ports to every conceivable platform. It doesn’t seem to have a strategy for synchronising between devices, which they regard as a feature, but that may be a problem if you have both a phone and a laptop.
  • passopolis is an open source client/server browser-extension-based password thing.

Generating passwords

passwordsgenerator.
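If you would rather not trust a web page to generate your secrets, the following is an added example (not code from the generator linked above, nor from any of the managers discussed) of how a password manager ought to do it: uniform draws from a CSPRNG via Python's `secrets` module, never `random`, with the entropy each choice of length and alphabet buys computed alongside. The eight-word list is a constructed stand-in; a real passphrase generator needs a large list such as the EFF's 7776-word one.

```python
"""Added example: generate passwords and passphrases the way a manager should.

Uses the `secrets` module (CSPRNG), never `random`, and reports how many
bits of entropy a choice of length and alphabet actually buys. The word
list below is a constructed stand-in; a real passphrase generator needs a
large list such as the EFF's (7776 words).
"""
import math
import secrets
import string

CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
FULL_ALPHABET = "".join(CHARSETS.values())  # 94 distinct printable ASCII characters


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET,
                      require_all_classes: bool = False) -> str:
    """Uniformly random password; optionally require one char from each class.

    Rejection sampling keeps every accepted password equally likely among
    those that satisfy the policy; the cost is a small entropy loss and,
    for very short lengths, many retries, so the length is bounded below.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate characters")
    if require_all_classes:
        if length < len(CHARSETS):
            raise ValueError("too short to contain every character class")
        if any(not set(cs) & set(alphabet) for cs in CHARSETS.values()):
            raise ValueError("alphabet lacks a required class; would never terminate")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes:
            return password
        if all(any(c in cs for c in password) for cs in CHARSETS.values()):
            return password


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` uniform picks from `words`."""
    if count < 1 or not words:
        raise ValueError("need at least one word and one pick")
    return sep.join(secrets.choice(words) for _ in range(count))


# Constructed demo list; far too small for real use (3 bits per word).
DEMO_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "helix"]


if __name__ == "__main__":
    pw = generate_password(20, require_all_classes=True)
    print(pw, f"{entropy_bits(20, len(FULL_ALPHABET)):.1f} bits")
    print(generate_passphrase(DEMO_WORDS), f"{entropy_bits(6, len(DEMO_WORDS)):.1f} bits")
    print(f"6 words from an EFF-size list: {entropy_bits(6, 7776):.1f} bits")
```

Twenty characters over the full 94-symbol alphabet is about 131 bits; six words from a 7776-word list is about 78 bits, which is plenty for anything rate-limited and much easier to type into a phone. The "must contain a digit and a symbol" option exists only because sites demand it; it makes the password slightly less random, not more.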