
Ask HN: Password manager with best experience on Linux? - asdkhadsj
I've been really happy with 1Password, but it seems 1Password does not have a Linux client. They have what seems to be a browser extension *(1PasswordX)*, but so far I've hated the 1Password browser extension on OSX, so I can't imagine using that full time on Linux.

With that said, I'm super happy with 1Password's UX on OSX. It sits in the tray, can be activated with a toggle, allows me to search a password name, and then keeps that site/etc active while you toggle back and forth between the app and 1Password Mini. Copying in this manner is quick and easy. This, plus excellent support for Windows/OSX/Mobile makes 1Password a joy.

What are you using on Linux and do you enjoy it? Any problems with it?
======
imran3740
I use pass[0], which is essentially just a wrapper on top of Git and GPG. All
your secrets are stored in text files that are then encrypted by your GPG key,
which is then tracked in a Git repo that you can store anywhere. I use the
PassFF extension[1] for Firefox, and Password Store for Android[2]. There are
plenty of pass-compatible clients for all platforms and extensions for pass on
the first site.

If I need to get my password for e.g. GitHub outside of Firefox, I just type
`$ pass -c dev/github`, decrypt, and it's in my clipboard for 45 seconds.

[0]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

[1]: [https://addons.mozilla.org/en-US/firefox/addon/passff/](https://addons.mozilla.org/en-US/firefox/addon/passff/)

[2]: [https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

~~~
unfunco
I originally used pass too and it's excellent, there's gopass too which is an
improvement on pass and works well for teams.

[https://www.gopass.pw](https://www.gopass.pw)

~~~
Hamuko
What makes it better for teams than just pass?

~~~
0lpbm
Pass has no out of the box multi user support. Gopass allows encryption for
multiple keys, hence better for teams.

I use it for the same reason to encrypt different folders with different keys
(work vs. private).

------
dmacvicar
KeepassXC ([https://keepassxc.org](https://keepassxc.org)) combined with:

* Its browser plugin ([https://addons.mozilla.org/firefox/addon/keepassxc-browser/](https://addons.mozilla.org/firefox/addon/keepassxc-browser/))

* Syncthing ([https://syncthing.net/](https://syncthing.net/)) to synchronize across devices and mobile

* Keepass2Android Offline for Mobile access ([https://play.google.com/store/apps/details?id=keepass2androi...](https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet))

Then the experience is close to Lastpass but only using opensource components.

~~~
nerdponx
Another vote for this setup. It works on all of my devices, it's FOSS, and my
passwords are stored in a regular file that I can synchronize however I want.
I also like the user interface.

The one downside is that the iOS client is unmaintained. I know nothing about
crypto so I'm unfortunately not in a good position to contribute.

------
yingw787
I use Bitwarden on Linux, macOS, and iOS. It works fine; you may need to sync
by clicking a button, and I use AppImages on Linux and I think I need to
manually download updated images, but otherwise it's free and open source, the
pricing reflects hosting and development costs. I think Bitwarden also
supports 2FA.

I tried 1Password and switched halfway to Bitwarden; I think there's a quant
firm that reviewed password managers and recommended Bitwarden, which I
trusted more than those consumer-grade sites.

~~~
wtmt
Bitwarden has a free tier in its hosted version. And even the hosted version
with a paid subscription is very cheap compared to 1Password. Like 1/5th the
cost or lower, depending on the plan.

------
swozey
1passwordx nowadays is actually better than my 1password OSX experience. You
should try it. I'm slowly moving myself off of OSX over to manjaro and I was
shocked at how good 1px worked. It's more "the full app" than it is a "mini
mini" like I assumed it'd be, but admittedly I haven't used it for a full 8
hour work day yet so maybe I'll have complaints in a few months.

I cannot wait to finally get off of 1password completely, though. Their latest
mini update is an absolute joke. They break app functionality or they shove a
detour in my workflow several times a year. Usually connectivity between the
miniapp and full app break and when you're someone who enters passwords all
day long you really start to notice how much slower you are when your workflow
changes. I've had to reinstall the app multiple times this year because some
$bug broke connectivity between the browser and the full app.

1pass's android app STILL does not have a password generator built in so you'll
never want to create accounts using it but the rest of its functionality is
pretty good. This is a huge annoyance of mine. I shouldn't have to go grab my
laptop to make an account just to make sure I'm not using one of my in-memory
passwords. Whatever password manager I pick would need full android
integration.

~~~
CraftThatBlock
1Password's Android app definitely has the password generator, it's the little
gear next to the password field.

~~~
swozey
I mean in the context of creating a new account, when the 1p app pops up in a
password field, AFAIK there's no way from that to create a password. So you
have to go into the app, generate one, then back out of the app and back to
the app you're creating the password for.

Unless I'm just missing a part of the UX, which is totally possible.

~~~
CraftThatBlock
Ah yes you are totally right. My bad!

------
igorstellar
Bitwarden on Amazon Lightsail server. It costs $3.50/mo to self-host which is
very competitive comparing to paid password managers.

I use the bitwarden_rs[0] server, written in Rust, which is a much lighter
implementation you can run on the cheapest 512mb instance. The official
bitwarden[1] server uses docker and mssql, which requires a lot of RAM.

You can run it on Linux through Firefox extension as well as on any operating
system, including iOS and Android (native app). iOS and Android apps have
system Password Manager integration which allows you to skip running app
manually in most cases.

[0]: [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)

[1]: [https://github.com/bitwarden/server](https://github.com/bitwarden/server)

~~~
wtmt
Have you tracked or checked how well bitwarden_rs keeps up with mainline
Bitwarden on changes and fixes?

I’m usually concerned about these forks getting way behind or getting
abandoned after some time. At least mainline Bitwarden has paid subscription
tiers to support ongoing development and maintenance, which may provide some
predictable income for that.

~~~
igorstellar
Their Github page has activity, and the last merged PR commit was 7 days ago.
Running this for 3 months now after I've migrated from 1password, I can say
that everything that extension has (password generation, notes, file upload
etc.) is supported by the server as well as nice web UI.

Security-wise, I used nginx over my custom domain to enforce HTTPS and put
bitwarden app itself behind a firewall.

As a bonus, bitwarden_rs also enables all premium features for you ("You are a
premium member!" label is by default in every client).

------
Blackstone4
Why not use Bitwarden through their Browser add-ons (Firefox, Chrome etc.)?
I’ve only used the desktop app on OSX but I tend to default back to the in-
browser experience since it’s more integrated.

~~~
Wowfunhappy
I use both. When I need to login to a desktop application (iTunes, Steam,
etc), opening up my web browser just to copy out my password is a little
awkward.

------
awill
I used to use KeePassX. Then KeePass switched to C# and Mono, and I wasn't
interested in running that on Linux. Then I found enpass. The Linux app is
high quality, it syncs with my cloud of choice, and has Win/Mac and
Android/iOS apps for a seamless cross platform experience. I can't recommend
them enough. Plus it's $10 per app with no other fees and no fee to upgrade to
new versions. Much better than paying subscription fees, or a fee for each new
major version.

------
alfalfasprout
I use lastpass. It's very reliable, I can use Duo 2FA with it, works perfectly
on OSX/Windows as well, AND they have an open source
[CLI](https://github.com/lastpass/lastpass-cli) for linux that's blazing fast
to use. Wasn't super popular here b/c of the parent company, but their
security seems to be great and it "just works".

------
fimdomeio
I use Pass[1]. Before, I had some magic ways to invoke it via keyboard
shortcuts on Mac with keyboard maestro but now since I always have a terminal
window one key away (f12), I just use that.

[1] [https://www.passwordstore.org/](https://www.passwordstore.org/)

------
highhedgehog
Bitwarden

~~~
rochacon
This! I’ve moved from LastPass to BitWarden and I like the clients way better.
Browser extensions, Desktop, Mobile (iOS), CLI all work pretty great.

Its core is open source and you can run your own server if you want.

For my less critical accounts even the 2FA token is stored in it.

~~~
Wowfunhappy
I was actually under the impression the whole thing was open source. Out of
curiosity, what is closed?

~~~
highhedgehog
I think all of it is open source

------
entropyworks
For all-around use I like [https://keeweb.info/](https://keeweb.info/) It uses
Keepass formats. Save your DB to WebDAV, Dropbox, Google Drive, and One Drive.
You can download an app and run it or run it in your browser. I run the app
version and use KeePassHttp-Connector and auto-type (works in other apps
beyond a browser) to fill in username and password. You can also store Google
Auth TOTP (HMAC-based OTP) as a backup too. I would store it in a separate DB.

------
siphon22
[http://www.masterpasswordapp.com/](http://www.masterpasswordapp.com/)

I use this. Check it out to see if it meets your requirements.

------
beilabs
I quite like keepassx. Syncs with a Dropbox file and I can use it across all
my devices. It's not that fancy but has done the job for years on my systems.

~~~
SteveArmstrong
I've used KeePassX + Dropbox for 5 years across Windows, Linux, OSX, iPhone
and Android. With Dropbox's restriction to 3 devices, and since this is the
only thing I use Dropbox for, I'm currently looking at LastPass instead.

~~~
anotherevan
I would recommend BitWarden over LastPass any day of the week and twice on
Sundays.

I originally used LastPass for a long time, but it went downhill fast with its
sale to LogMeIn and the retirement of the old Firefox extension.

Switching to BitWarden was a delightful experience and I haven't been
disappointed with it yet.

------
stunt
I stumbled upon Buttercup a while ago.
[https://buttercup.pw/](https://buttercup.pw/)

It's cross-platform with a decent user experience. The only thing that bothered
me was using a lot of NPM packages from random vendors. It is a minor thing. I
assume they do NPM audit and everything. Worth taking a look.

------
towb
I used Enpass for a long time but it's just not good. It was, got a big update
that made it worse, I waited a long while for it to get better but nothing
happened so I decided to move on. This is when I found out that there was no
way to export passwords from Enpass in the latest version, so I had to do it
manually. Not cool.

------
jfreier
pass is simple and kind of neat.
[https://www.passwordstore.org/](https://www.passwordstore.org/)

or passit looks kind of cool, but I haven't used it.
[https://gitlab.com/passit](https://gitlab.com/passit)

------
jpalmer
I've used Linux as my daily driver for over 10 years. While not popular with
some I've had zero issues with Lastpass. Browser plugin, Android App, supports
MFA, just works.

Most importantly, I can share select passwords with my wife who uses
Windows/IOS.

------
benologist
I'm using Keeweb with Dropbox, it's nice enough and accessible on my other
devices.

[https://github.com/keeweb/keeweb/](https://github.com/keeweb/keeweb/)

------
asdkhadsj
To amend that, it seems Lastpass has a CLI! While this may not be the best UX,
I can likely make it good enough. Even writing a client myself might be
possible with a CLI backing it. So at least that is promising.

------
Nasreddin_Hodja
I use my own tool written in bash:
[https://github.com/rekcufniarb/pswrd#readme](https://github.com/rekcufniarb/pswrd#readme)

------
sqrt17
KeepassXC - it's not as comfortable as Keepass on MacOSX but it does the job.
And it's open source with no one in danger of running away with your
passwords.

------
mruts
Honest question: why doesn’t everyone just use hash functions for passwords.
Generating a Base64 string from a secret salt + the website name sounds ideal.
This is what I do, and it works very well.

~~~
ben509
Standard issues with these derived password schemes:

* Are you sure your algorithm can't be reversed?

* What do you do if your normal username is taken?

* What do you do when the site's name changes?

* How do you handle forbidden and mandatory characters?

* How do you handle forced rotation?

* What about extraneous crap like security questions, phone PINs, emails, related sites, &c.?

* How do you access it on other devices?

* How can you track down old accounts to close them down?

If you go on listing the issues, you wind up writing the requirements document
for a password manager.

~~~
tzs
> If you go on listing the issues, you wind up writing the requirements
> document for a password manager.

One difference, though, is that most of the issues can be addressed by some
sort of persistent data store that does not need high security. Once you've
taken the passwords themselves out of what your password manager stores, I
think this is the only thing on your list that requires storing highly
sensitive data:

> What about extraneous crap like security questions, phone PINs, emails,
> related sites, &c.?

For the rest, such as some sort of per site version serial number to handle
password rotation, or a map from current site name to original site name for
sites whose names have changed, it is also sensitive data, but it is on a
level of sensitivity like a contact list or browser bookmarks for which your
ordinary OS security mechanisms for file protection should be sufficient.
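
Added example, not part of any commenter's post: a sketch of the derived-password scheme discussed in this sub-thread, with the rotation counter, rename map and character policy kept in a non-secret metadata store. The names `SITES` and `derive`, the PBKDF2 iteration count and the sample sites are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from itertools import count

# Constructed sample of the low-sensitivity metadata store described above:
# rotation counter, password policy, and a rename map ("origin").
SITES = {
    "example.com": {"version": 1, "length": 20, "symbols": "!@#-_"},
    "newname.example": {"origin": "oldname.example", "version": 3,
                        "length": 16, "symbols": ""},
}

def _stream(key, attempt):
    """Deterministic byte stream: HMAC-SHA256(key, "attempt:block") blocks."""
    for block in count():
        yield from hmac.new(key, f"{attempt}:{block}".encode(),
                            hashlib.sha256).digest()

def derive(master, site, sites=SITES):
    entry = sites[site]
    origin = entry.get("origin", site)      # a renamed site keeps its old label
    label = f"{origin}\x00{entry['version']}".encode()  # bump version to rotate
    # Slow KDF so one leaked site password does not allow cheap master guessing.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), label, 200_000)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if entry["symbols"]:
        classes.append(entry["symbols"])    # only symbols the site permits
    alphabet = "".join(classes)
    limit = 256 - 256 % len(alphabet)       # reject bytes >= limit: no modulo bias
    for attempt in count():
        chars = []
        for b in _stream(key, attempt):
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
            if len(chars) == entry["length"]:
                break
        password = "".join(chars)
        # Retry with the next stream until every mandatory class is present.
        if all(any(c in cls for c in password) for cls in classes):
            return password

if __name__ == "__main__":
    print(derive("constructed master secret", "example.com"))
```

Security-question answers, PINs and similar free-form secrets cannot be derived this way and still need encrypted storage.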

------
rootshelled
I'm lazy so I use FF's built-in for anything web.

Then gnome keyring with PAM auth upon user login. (Again, lazy.)

~~~
auscompgeek
I'm curious; how do you generate your passwords?

~~~
rootshelled
Google chrome has a nice feature for that. Yeah I know it isn't an efficient
workflow but too lazy to change at the moment.

