
Ask HN: How do you manage password security? - donohoe
I'm a huge fan of _1Password_ but I'm balking at the idea that I will need to pay nearly $4000 ($60 a year by remaining life expectancy) over the course of my remaining lifetime for a password security subscription. Can anyone recommend a free or paid alternative?
======
tomtompl
I recently switched from LastPass to a locally kept KeePass password database
and I am using the [https://keepassxc.org/](https://keepassxc.org/) client as it
supports many operating systems.

It's not as comfortable as LastPass but it gives me control of where I
store that data, how I keep backups, etc. I can't really recommend that
setup; I keep experimenting myself.

~~~
donohoe
I hadn't seen this before and this might be what I need. I'll also give it a
go and see how the experiment goes. Thank you.

------
ascar
I want to second KeePass 2 here. I've been using it for years and the database
format is decoupled from the client. There are many different clients (I use
the official one for Windows and Keepass2Android, but there are also Linux and
macOS clients available) and add-ons that make it better. E.g. "Kee" (previously
"KeeFox") automatically fills in passwords on web pages and saves new logins, if
you want it to and you use Firefox (which is definitely worth a try after the big
upgrade last year if you are currently on Chrome).

The database file is strongly encrypted and you can lock it with a keyfile and
a password. It's easily synced with Google Drive or Dropbox. Keepass2Android
even provides a direct connection to a Dropbox or Google Drive database file.
Conflicts are easily resolvable in case an update didn't get pushed before you
change something on another device. I sync the 1024-bit keyfile using USB
sticks (only needed when setting up new devices) and a long password (the only
one I have to remember).

You can even import passwords from your local Firefox password manager and
from 1Password (though import from 1Password seems to run through unencrypted
CSV files).

And you get all that for free.

------
aosaigh
Another person happily paying $60 for a subscription. Software needs to be
maintained and improved; it's never finished. I'm happy to pay for the
continued security of my passwords, as well as new features and the ability to
seamlessly sync everything across all my devices.

------
harianus
I'm happy I can pay for my password manager. It's also great that it's a
subscription. You know why? I want people to have money to improve the
security of my personal data. I'm using the service every day, so it makes
sense to pay for it via a subscription.

I would never want to use a free password manager, because it's likely they
have different intentions with your data or can shut it down any time.

------
amorphous
Bitwarden is free and works better.

------
retzoh
I'm using KeePass 2 / KeePassX with Google Drive to sync the database; it works
like a charm on any device. For devices where I cannot install the Drive
syncing utility, such as my work computer, I use this Python script:
[https://github.com/Retzoh/keypass_google_drive_sync](https://github.com/Retzoh/keypass_google_drive_sync)

------
swah
I've been letting Chrome/Google generate and save passwords for me for the last
few months; it's incredibly convenient. (Only for throwaway kinds of sites.)

~~~
davchana
+1 I am using Chrome's password manager with a Chrome Sync passphrase. The passphrase makes
it impossible for passwords to leave my device, and thus makes
passwords.google.com also unusable, but no complaints. I use a bookmarklet to
reveal a password in case I need to see it.

I use keepass2 for various serious passwords.

------
java-man
wrote Passwørd Safe

[https://github.com/andy-goryachev/PasswordSafe](https://github.com/andy-goryachev/PasswordSafe)

------
sotojuan
I only pay $48 a year for 1Password, but even if it was $60 it wouldn't bother
me. If that means thousands of dollars by the time I die, it's fine. I like the
service.

$4,000 over 40-60 years is insignificant. If it's useful and doesn't mess with
your monthly budget, why not keep paying?

Not trying to change your mind, but I don't see the problem, and you could say
that about anything you pay monthly for.

~~~
donohoe
Yeah, I kinda noted it's a small amount, but it seems odd to have it as a
subscription service.

I feel I'm paying for almost everything as a "subscription" and I own zero.

      $60 1Password
      $156 Netflix
      $120 Amazon Prime
      $1200 AT&T (estimated, Family Plan)
      $720 Internet
      $260 NYTimes
      $168 Spotify

So that's $2684.00 for services and content per year, with nothing to show for
it if I cancel. Fine for most people, but part of it gnaws at me. To each
their own.

~~~
muzani
When you compare it, it's still pretty cheap. I considered buying all the
movies and songs I used to pirate and it adds up to a whole lot more than
registering for Netflix and Spotify.

It's more suited to things that we consume once and then throw away. We only
watch a movie or episode a few times; we do play songs often but get bored of
them in 40 years.

Password managers are another category, but even then I'd rather pay $4000
over 60 years than $1000 today.

~~~
donohoe
Prices will go up... :)

I do take your point. The point is, if you cancel your subscription you are
left with nothing.

------
donohoe
While I can't update my original post here, it's worth noting that _1Password_
got in touch and said there is a standalone plan with a license purchase, and
you do not need a monthly/annual subscription.

[https://support.1password.com/upgrade-mac/](https://support.1password.com/upgrade-mac/)

~~~
mattmanser
Not for Windows though.

------
CM30
I use KeePass 2. Works pretty well for me, and the fact it's self-hosted means
neither having to subscribe to anything nor trust any rich people/companies.

The database file is then stored on a removable piece of media that can be
plugged into any other machine I use, then accessed via KeePass on that one.

------
limpkin
I designed www.themooltipass.com, a hardware-based password keeper, fully open
hardware / firmware / software.

~~~
donohoe
I need to know if the name is a reference from _The Fifth Element_?

~~~
limpkin
it is!

------
rmurri
Check out Enpass. Small, one-time payment per platform. (Free for certain
usage.) It is a native client that supports sync. It also works well
cross-platform, including Linux. The mobile clients are also good.

[https://www.enpass.io/](https://www.enpass.io/)

~~~
Nadya
I wasn't happy with how shady they were around their security audit or the
fact they redesigned their entire program, which made it super clunky and broke
my workflow. I had been using Enpass since 2014, maybe 2013. I had even
purchased a lifetime license. I didn't like the idea of a closed-source
password manager but never found anything better than Enpass. I wouldn't
personally recommend it to anyone, even when I was using it, because of it
being closed-source.

I've since moved to a self-hosted Bitwarden [0]. Open source and free, and they
weren't shady with their security audit.

[0] [https://bitwarden.com/](https://bitwarden.com/)

[1] [https://blog.bitwarden.com/bitwarden-completes-third-party-s...](https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33)

~~~
rmurri
What exactly is shady about the security audit? Are you referring to the audit
linked below?

[https://dl.enpass.io/docs/EnpassSecurityAssessmentReport.pdf](https://dl.enpass.io/docs/EnpassSecurityAssessmentReport.pdf)

~~~
Nadya
It was everything leading up to the audit really, and some issues with the
audit itself as pointed out by a user in a long-running forum thread about the
need for an audit [0]. I share most of the concerns in the 3rd paragraph with
regard to the audit: it seemed focused on restoring or capturing the master
password and made no mention of countless other attack vectors that may or may
not be problems.

Compare their security audit with the one provided for Bitwarden [1].

[0] [https://discussion.enpass.io/index.php?/topic/404-security-a...](https://discussion.enpass.io/index.php?/topic/404-security-audit/&do=findComment&comment=14415)

[1] [https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf)

------
deanmoriarty
LastPass all the way, perfect (for me) Chrome and iOS integration. On top of
that, I enable 2FA whenever possible, and every couple of months I export my
LastPass data to a couple of USB keys (they offer CSV export).

~~~
muzani
I second LastPass and the free tier is very functional.

------
phakding
I keep passwords in a text file encrypted using GPG. I also don't write the
entire password in the file, just enough digits/letters to remind me what
the password would be.

------
zunzun
My passwords are all in the form of "salt + 4 digits", where the salt is only
known to me. I keep lists of the useless-without-the-salt 4 digit numbers in
several places.

~~~
muzani
I used to do this, but there are always a few leaked passwords: shared with
colleagues, the password for my PC shared with my wife, companies that store
plaintext passwords, things like the Adobe leak.

It's quite easy to guess once they do have the salt. I just do this as a
minimum-security alternative to calling my password "password".
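
The point muzani makes about the "salt + 4 digits" scheme, as an added illustration that is not part of either comment: once the shared part (the "salt") is exposed by a single leak, every other password built on it is protected only by the four digits, which a defender can model as roughly 13 bits of entropy. The salt, the suffix, and the assumption that a site stores an unsalted SHA-256 of the password are all constructed for the example.

```python
import hashlib
import math
from typing import Optional

# Constructed example values (not from the thread): the private part shared
# across all of the user's passwords, and one per-site 4-digit suffix.
SECRET_SALT = "maple-tree-42"
SITE_SUFFIX = "7391"


def scheme_entropy_bits(salt_known: bool,
                        salt_len: int = len(SECRET_SALT),
                        suffix_digits: int = 4) -> float:
    """Entropy of a 'salt + N digits' password from an attacker's viewpoint.

    While the salt is secret, optimistically treat each of its characters as
    one of ~72 printable symbols. Once the salt has leaked (muzani's case),
    only the digit suffix is unknown.
    """
    suffix_bits = suffix_digits * math.log2(10)
    if salt_known:
        return suffix_bits
    return salt_len * math.log2(72) + suffix_bits


def random_password_entropy_bits(length: int = 20, alphabet: int = 72) -> float:
    """For comparison: a manager-generated password of independent symbols."""
    return length * math.log2(alphabet)


def site_password_hash(salt: str, suffix: str) -> str:
    """What a site that stores a bare SHA-256 of the password would hold.

    Assumption for the example: the site does no per-user salting or
    slow hashing, which is the kind of weak storage the thread refers to.
    """
    return hashlib.sha256((salt + suffix).encode()).hexdigest()


def recover_suffix(leaked_hash: str, known_salt: str,
                   suffix_digits: int = 4) -> Optional[str]:
    """Show how small the remaining search space is once the salt is known.

    Enumerates all 10**suffix_digits candidate suffixes against one leaked
    hash; returns the matching suffix, or None if the hash was not built
    from this salt. This is the defender's estimate of residual strength,
    not a recommendation for the scheme.
    """
    for n in range(10 ** suffix_digits):
        candidate = f"{n:0{suffix_digits}d}"
        if site_password_hash(known_salt, candidate) == leaked_hash:
            return candidate
    return None


if __name__ == "__main__":
    print(f"salt secret : {scheme_entropy_bits(salt_known=False):.1f} bits")
    print(f"salt leaked : {scheme_entropy_bits(salt_known=True):.1f} bits")
    print(f"random 20ch : {random_password_entropy_bits():.1f} bits")
    leaked = site_password_hash(SECRET_SALT, SITE_SUFFIX)
    print("suffix recovered from one leaked hash:",
          recover_suffix(leaked, SECRET_SALT))
```

The takeaway for a defender is the gap between the two entropy figures: the scheme is only as strong as the secrecy of the shared part, and one plaintext leak (or one reused password shown to a colleague) collapses every other account to a 10,000-guess problem, which is why the thread's other answers converge on a manager that generates independent passwords per site.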

------
stevenwliao
Do Chrome's or Apple's saved passwords work as a workflow for you? I find
Apple's integration quite nice.

------
mijndert
I rely on 1Password for my password management. You can also sync 1Password
through other means.

~~~
donohoe
Right, but it seems they have switched to a subscription-only service for any
new users.

------
codegeek
Locally used KeePassX and synced with a cloud provider like Dropbox, S3, etc.

