Password management

July 20, 2016 — January 5, 2023

computers are awful
computers are awful together
Figure 1

Don’t re-use passwords for different services; that would be foolish. Don’t try to remember many passwords; that would be hard. Use a password manager, which remembers many passwords for you. Now you only need one password, for the password manager.

Is it not clear how that would work? Here, read a helpful intro to password managers from Mozilla.

See? The solution is easy because we’re in the future and there are many options, free ones even, to synchronise passwords across your computing platforms… The main difficulty is choosing which option, because there are annoyingly many.

Also how to sync passwords. Some people regard syncing passwords over the internet as a bug not a feature, because it is more secure than keeping all your passwords on one computer and using that for everything. Maybe if I were a secret agent I would keep one computer with special ultra-secret passwords on it alone, and would live with the awkward problem of how to back up that computer while still satisfying my paranoia. But I am a normal person operating in the 21st century. I need to use many different computers and OSes to get through the day, and 1/3 of my computers are broken most of the time, hard drives are constantly dying and I lose things. I am prepared to pay a cost in security to use a password manager that syncs across the computers, for the 90% of my passwords that are low-security ones that I do not care about, so that I actually use it.

1 Built-in password management in your OS.

Works fine but syncing across devices usually involves entrusting yourself to their cloud infrastructure, and usually doesn’t work across platforms, e.g from Windows to Linux to macOS to android and back. So if you are stuck to just e.g. Windows or whatever this might be advisable. This doesn’t work for me.

2 Bitwarden

Bitwarden is open source, It seems to support every known platform, browser, desktop and mobile, plus is open source for the client and hosting is available cheaply.

A review of unscrutinised bias suggests it is an OK option..

It supports importing from other password managers but will tend to produce duplicates.

It seems to be online-only, so is the opposite of your tinfoil-hat offline-only options. You might regard this as a red flag.

sudo snap install bitwarden
brew install --cask bitwarden
# etc

3 Myki

MYKI is a shiny and cross-platform option. It is closed-source, which you might regard as a red flag, but also claims to be offline-only.

4 1password

1password: (Mac/Windows/iOS/Android) Closed source, so who knows if it works? It’s Canadian, which is an awful jurisdiction. OTOH, it is shiny and easy. Has clever features such as not disclosing your secrets under duress in the airport, a.k.a. “Travel mode”, a.k.a rubber hose for normal people. Has a CLI. It has been around and functional for many years, and in that time they have buffed down all the usability frictions that plague their newer competitors. A luxurious option that I cannot wholeheartedly endorse because they are closed source option hosted by a suspect collaborationist jurisdiction, poor folks, but seems to be a pretty good option.

5 Enpass

Enpass seems to support every known platform, browser, desktop and mobile, plus is open source. It shares passwords, if at all, by file syncing. The upsell is on mobile apps which only handle a small number of passwords without a paid account. (AUD35/year) Note that its import function from 1Password is unreliable at present. It is closed source. Jurisdiction seem to be India (?). I am not sure of the implications of that.

6 Dashlane

dashlane: seems to be more or less the same as 1password, but French (?). I am not expert enough to know if this is jurisdictionally more, or less, suspect than the American and Canadian and Indian options. However the software looks functional and good and so forth.

7 Lastpass

lastpass runs on every platform, browsers, phones, Linux, Windows, Mac. The product is closed-source and inscrutable and they have headquarters in the USA, so they have limited ability to resist pressure from casual data harvesting from the American spook apparatus. Also I don’t really trust this company, since their other high-profile product, Xmarks, is so horrible. They claim to be host-safe, though, and this may be true. Their security process seems flaky.

Update (12-2022): Recently they had lots of data stolen in a particularly messy and dangerous way.

They have borked it so bad that I would also be asking about whether they were even still commercially viable.

8 pass

pass (aka zx2c4 pass) is the unixiest thing here; it GPG-encrypts everything in text files. There are plugins for its friendly open format for various browsers.

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

It’s disconcertingly freeform, but allows for integration via plugins and such, although the plugins are less scritinised and bug-tested. Also it leaves various metadata (website URLs) in plain sight, which may or may not be what you expect from a confidential data manager. Suggestion: Think of this as a construction kit for a DIY password manager and ask yourself if that is what you wish to do with your time.

9 Keepass

Keepass (.NET) a.k.a. keepassx (Qt), is a cult open source in-principle cross-platform ecology of database standards and contending implementations thereof. Pronounced “Key-pass” or “Keep-ass” depending on whether it compiles successfully. Free, but makes up for it by being clunky and confusing, which is bad for something like password management. Also it was never so very cross-platform, and the ports to different platforms are balkanised and confusing. Doesn’t seem to have scheme for smoothly syncing passwords across devices, so you’ll have 50 different password files that you have in various stages of updatedness, unless you happen to only ever use one computer to log in to things because you are a time traveller from 1994.

Within a single platform you can still have multiple different front- and backends to the keepass database, officiated by different implementations and forks of the keepass foramt. One gets the feeling that although the various Keepass forks are somewhat interoperable, they kind of hate each other.

You can choose from, e.g.

  • keepassc terminal-based keepass client written in python, which means you can access it cross-platform on your desktop but good luck with integrating into your phone
  • Lester Hightower’s kpcli is command line interface to work with KeePass 1.x or 2.x database files, written in Perl Seems, FWIW, to have a thoughtful interface philosophy, and feels like pass, above.
  • rust-keepass rewrites keepass in rust, which is a language designed to be more secure and useful for things like password managers. More secure still would be if it ran on all your devices so that you actually used it, or if it was actively developed.
  • macpass is a Mac keepass. But is it the uncontroversially best mac version, or are there fork wars? Guess.
  • etc

10 Lockbox

Mozilla’s Lockbox is a recent entrant. Syncs between mobile and desktop Firefox browsers. Open source. Open SDK. Sadly it doesn’t have strong import/export abilities, which makes it hard for me to actually try.

11 Password safe

password safe (open source) has Bruce Schneier branding. It has many ports to every conceivable platform. It doesn’t seem to have a strategy for synchronising between devices, which they regard as a feature, but that may be a problem if you have both a phone and a laptop that log in to the same account. Since we are deep into the internet age, this describes me and presumably you also. Probably password safe is most useful to you if you have the discipline to support only using one computers with ultra secret passwords on it for high security things (spying, banking…), or if you are a time traveller from 1994 who has only one computer.

12 etc

There are now many others.

  • encryptr, the spideroak one. Open source, runs everywhere as a javascript app
  • keeper also offers a Linux client for their encrypted cloud password whodangle
  • roboform is the oldest one here I think, (1999!), and does Linux and everything else.
  • passopolis is an open source client/server browser-extension-based password thing.

13 Generating passwords