
Ask HN: What is your password management solution? - ericb
I'm a bit unhappy with 1Password. I don't want a subscription service, I want something that keeps an encrypted file that I can put in dropbox.

What is everyone else using these days?
======
benjaminjosephw
`pass` is a nice command line tool that stores gpg2 encrypted password files.
It's simple, super handy and doesn't require you to trust any third party with
what you're storing. website:
[https://www.passwordstore.org/](https://www.passwordstore.org/) man page:
[https://git.zx2c4.com/password-store/about/](https://git.zx2c4.com/password-store/about/)

~~~
raamdev
+1 for `pass`. I wrote a handy Bash script [1] that lets me easily search my
passwords without having an exact match (e.g., `fpass fin cap one` quickly
finds my password info for "Financial/CapitalOne.gpg"). It makes pulling up
passwords so much easier as I only need to remember fragments of how I stored
it instead of trying to remember exact folders and names using auto-complete
to find the password.

I also use iTerm2's system-wide hotkey [2] to quickly show/hide a dedicated
terminal window that I use for retrieving passwords.

I've been using this setup for years now and I absolutely love it. The only
downside is no access from my phone, but I always have my laptop with me and I
memorize passwords that I frequently use.

1\.
[https://github.com/raamdev/bin/blob/master/fpass](https://github.com/raamdev/bin/blob/master/fpass)

2\.
[https://apple.stackexchange.com/a/48805](https://apple.stackexchange.com/a/48805)
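
As an added illustration of the fragment search raamdev describes (my own code, not raamdev's fpass script, which lives at the link above), here is the same idea in Python: every whitespace-separated fragment of the query must appear, in order and case-insensitively, somewhere in the entry's path, so `fin cap one` finds `Financial/CapitalOne.gpg`. The store listing embedded below is constructed; `list_store` assumes the default `~/.password-store` location and only reads file names, so nothing is decrypted until you run `pass show` on the entry you pick.

```python
import re
import sys
from pathlib import Path
from typing import Iterable, List

# Constructed sample of what `pass ls` would show (the .gpg files under the
# store root); not anyone's real data.
SAMPLE_STORE = [
    "Financial/CapitalOne.gpg",
    "Financial/Chase.gpg",
    "Email/gmail.gpg",
    "Work/capital-projects/jira.gpg",
    "Shopping/amazon.gpg",
]


def fragments_match(entry: str, query: str) -> bool:
    """True when every fragment of `query` occurs in `entry`, case-insensitively
    and in the order given.  'fin cap one' matches 'Financial/CapitalOne.gpg'
    but 'one fin' does not, because 'one' has to come first."""
    pattern = ".*".join(re.escape(frag) for frag in query.split())
    return re.search(pattern, entry, re.IGNORECASE) is not None


def search_store(entries: Iterable[str], query: str) -> List[str]:
    """All entries matching the fragment query, in store order."""
    return [e for e in entries if fragments_match(e, query)]


def list_store(root: Path = Path.home() / ".password-store") -> List[str]:
    """Entry names as `pass ls` shows them (relative paths, .gpg kept), read
    from file names only; nothing is decrypted.  Empty list if no store."""
    if not root.is_dir():
        return []
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.gpg"))


def pass_show_command(entry: str) -> List[str]:
    """The real `pass show` invocation for an entry (pass takes the name
    without the .gpg suffix)."""
    name = entry[:-4] if entry.endswith(".gpg") else entry
    return ["pass", "show", name]


if __name__ == "__main__":
    query = " ".join(sys.argv[1:]) or "fin cap one"
    entries = list_store() or SAMPLE_STORE      # fall back to the constructed sample
    for hit in search_store(entries, query):
        print(hit, "->", " ".join(pass_show_command(hit)))
```

Only the matched names are printed; decryption stays with `pass show`, so the search adds no new path to the plaintext.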

~~~
nikital
> The only downside is no access from my phone.

On Android, I use Password Store to sync my `pass` directory and use it from
the phone. It's a very high quality app, I had no issues after years of usage.

[https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

~~~
JoshuaRLi
Keepass user here wanting to switch over to pass, this is exactly the missing
piece of the puzzle I needed - thank you!

~~~
pigpigs
I'm looking into using pass / keepass, any particular reason you are switching
over to pass?

~~~
JoshuaRLi
I think I'm currently in a minimalist phase; the KeePassX UI is too feature
rich and cluttered and makes me want to configure everything but I don't want
to manage that.

If that's not a problem for you, KeePassX is definitely a solid password
manager!

------
dannysu
I use KeePassXC [1], which is open-source, and I sync it across my iPhone,
Windows laptop, and Linux desktop via Tresorit [2] (like Dropbox but end-to-
end encrypted). It's secured with a password that I know, and a keyfile that I
have. I don't sync the keyfile and always manually transfer to new computers.

I also use Arq [3] to automatically backup to S3 every hour, and I also do
manual backup to my external backup drives once in a while.

[1]: https://keepassxc.org

[2]: https://tresorit.com

[3]: https://www.arqbackup.com

~~~
Jedd
Agreed on use of keepassxc - fantastic utility.

I don't, and wouldn't, use dropbox or any other non-free non-self-hosted
system to manage the storage or synchronisation of my secure data, so it's
unison(rsync) and/or ssh'd between desktop and laptop.

~~~
dannysu
If only there's a way to do that with my iPhone :(

~~~
ZenoArrow
There are file sync apps that work with iOS devices that work with self-hosted
file sync solutions.

~~~
dannysu
do you have a particular one you recommend?

~~~
ZenoArrow
I don't use one, but to give an example, Google for "nextcloud iphone".

------
dheera
This is my password manager.

    
    
        import hashlib                    # pbkdf2_hmac
        from base64 import b64encode
    
        # master_password, domain and n are as described below
        password = b64encode(hashlib.pbkdf2_hmac(
            'sha256',                                    # PRF: HMAC-SHA256
            (master_password + '/' + domain).encode(),   # master and domain joined as the KDF input
            b'',                                         # empty salt: output depends only on the inputs above
            100000 + n                                   # iteration count doubles as the rotation counter
        )).decode()[0:16] + 'Aa$1'                       # 16 base64 chars plus a fixed suffix for composition rules
    

master_password = some master password that you never write or store anywhere

domain = domain name for the service in question, e.g. 'facebook.com'

n = the nth password being generated for the domain (typically 0)

The 'Aa$1' is to ensure satisfaction of stupid password rules on various
websites.

Advantages:

\- Open source. You don't have to use some random person's password manager
software that you have no clue how or where the passwords are being stored or
the trustability of the people who wrote the software.

\- Portability. You can run this on any OS including a phone with a Python
implementation, and it's pretty easy to port the above to any other language
with a hash library.

\- No files to lose. You don't need to worry about losing a password manager's
database, you don't need to worry about syncing the database across machines,
and you can compute the above on any machine that you own and trust. Kernel
panics while you're on vacation? No worries! Reformat your PC with a fresh
Ubuntu install and compute the above to get access to your bank account, plane
tickets, and e-mail again.

~~~
weinzierl
The problem with this solution is that it is only as strong as your master
password. Because you suggest to 'never write or store [it] anywhere' it can't
be strong enough. To say it in Bruce Schneier's words: "Pretty much anything
that can be remembered can be cracked."[1]

[1] [https://boingboing.net/2014/02/25/choosing-a-secure-password...](https://boingboing.net/2014/02/25/choosing-a-secure-password.html)

~~~
dheera
I memorized 1024 digits of pi in high school. I can deal with a strong
password.

Keep in mind that most password managers also encrypt your password database
with your master password, so my solution isn't any worse than those.

Memorizing even a 16-character (upper/lower + symbols) random string as your
master password would be 16*6 = 96 bits of entropy, which is more than enough.

Dealing with memorizing ONE good 16-character random string is within the
abilities of most people. Dealing with multiple ones is what is hard.

~~~
weinzierl
I don't question your memory, that is not my point. How long do you think it
takes to crack a password that consists of digits of Pi or anything derived
from it? And it's not about Pi either, it's just that you can't beat a
computer in that regard.

For me, playing around with hashcat, was an eye opening experience and I truly
believe in the Schneier quote from above.

~~~
tuxxy
I agree with Schneier's quote, but you're also forgetting about password
hashing. If it takes 10 seconds to derive the key (assuming the use of a
strong hash function), anything with a good enough amount of entropy (60-90
bits) should be fine.

When an attacker acquires a leaked database, they're not cracking high
entropic passwords.

~~~
weinzierl
Yes, what speaks for dheera's method is the use of a strong KDF and especially
(a point that I missed initially) that they use a truly random master
password.
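
An added example (my code, not dheera's snippet or anything else from this thread) that reimplements the scheme above as a function and then puts numbers on the weinzierl/tuxxy exchange: it times one PBKDF2 derivation on the local machine, contrasts that with a single unstretched hash, and turns a master password's entropy into the expected cost of exhausting it at that per-guess rate. Because the scheme uses no secret salt, anyone holding one leaked site password can test master-password guesses offline at exactly this cost, so the iteration count and the master's entropy are the whole story. The master password, the "1000 cores" figure and the entropy cases are constructed inputs for illustration.

```python
import hashlib
import math
import time
from base64 import b64encode

PBKDF2_ITERATIONS = 100_000          # dheera's base iteration count
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_site_password(master_password: str, domain: str, n: int = 0) -> str:
    """dheera's scheme, reimplemented: PBKDF2-HMAC-SHA256 over master + '/' + domain,
    empty salt, 100000 + n iterations; first 16 base64 chars plus a fixed 'Aa$1'."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        (master_password + "/" + domain).encode(),
        b"",                          # no salt: the output is a pure function of master, domain, n
        PBKDF2_ITERATIONS + n,
    )
    return b64encode(digest).decode()[:16] + "Aa$1"


def random_string_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    A 64-symbol alphabet gives exactly 6 bits per character; the full 94
    printable ASCII symbols give about 6.55."""
    return length * math.log2(alphabet_size)


def seconds_per_guess(kdf, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine, single core."""
    start = time.perf_counter()
    for _ in range(samples):
        kdf()
    return (time.perf_counter() - start) / samples


def expected_search_seconds(entropy_bits: float, secs_per_guess: float,
                            parallel_guessers: int = 1) -> float:
    """Expected time to hit a password of the given entropy by exhaustive search:
    on average half of the 2**bits space is tried, split across the guessers."""
    return (2 ** (entropy_bits - 1)) * secs_per_guess / parallel_guessers


if __name__ == "__main__":
    master = "constructed-example-master"         # constructed; never a real one
    for domain in ("facebook.com", "bank.example"):
        print(f"{domain:14} n=0 {derive_site_password(master, domain)}"
              f"  n=1 {derive_site_password(master, domain, 1)}")

    slow = seconds_per_guess(lambda: derive_site_password(master, "facebook.com"))
    fast = seconds_per_guess(lambda: hashlib.sha256(master.encode()).digest(), samples=20_000)
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {slow * 1e3:.1f} ms/guess; "
          f"single SHA-256: {fast * 1e9:.0f} ns/guess")

    cases = [
        ("single dictionary word (~16 bits)", 16),
        ("four words from a 2048-word list", 44),
        ("tuxxy's lower bound", 60),
        ("16 random chars, 64-symbol set", random_string_entropy_bits(64, 16)),
    ]
    cores = 1000                                     # constructed attacker budget
    for label, bits in cases:
        yrs_slow = expected_search_seconds(bits, slow, cores) / SECONDS_PER_YEAR
        yrs_fast = expected_search_seconds(bits, fast, cores) / SECONDS_PER_YEAR
        print(f"{label:36} {bits:6.1f} bits  {cores} cores: "
              f"{yrs_slow:.3g} yrs (PBKDF2) vs {yrs_fast:.3g} yrs (single hash)")
```

The gap between the two columns is the whole value of a slow KDF: at the low-entropy end it buys nothing a determined attacker cannot pay, while at 60 bits and above it pushes the search out of reach, which is the point tuxxy makes.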

------
jzast2
[https://www.lastpass.com](https://www.lastpass.com)

Free to use, auto password generation, has an iOS app with thumb print unlock
(saves you from typing in a long master password).

I personally really enjoy it.

~~~
6ak74rfy
I don't understand the hate against Lastpass. Why would I trade its awfully
simple features (autofill on Android, automatically save/update passwords from
website forms in browser, cheap etc.) for something like Keepass, even if the
latter is purportedly a bit more secure? Some people also say that Lastpass's
UI isn't great, but who cares about a password manager's UI as long as it does
the job?

~~~
ktta
>purportedly a bit more secure?

The worst bugs in LastPass are:

1\. Four months ago a bug was discovered by project zero[1] about how all of
your passwords can be stolen just by making a user visit a webpage. Moreover,
any code can be executed remotely, compromising your entire computer.
Discussion[2]

2\. Later on the day vulnerability (1) was published, another was found.
Project zero bug report. [3]

3\. Last year a software engineer who wasn't a security researcher found a
bug[4], which again, gives all your passwords.

4\. The bug in (3) wasn't fixed properly, which led to this [5]

Other bugs, but not as terrible as the ones I listed above

Jul 27 2016 [6]

Mar 25 2017 [7]

Jun 17, 2015 [8]

Nov 17, 2015 [9]

You are also forgetting a whole other class of attacks - phishing [10]

[1]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1209)

[2]: [https://news.ycombinator.com/item?id=13924737](https://news.ycombinator.com/item?id=13924737)

[3]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1217)

[4]: [https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...](https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/)

[5]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=11...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1188&desc=2)

[6]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=88...](https://bugs.chromium.org/p/project-zero/issues/detail?id=884)

[7]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6)

[8]: [http://www.businessinsider.com/security-expert-describes-las...](http://www.businessinsider.com/security-expert-describes-lastpass-vulnerabilities-posted-to-pastebin-in-2013-2015-6)

[9]: [http://www.martinvigo.com/even-the-lastpass-will-be-stolen-d...](http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/)

[10]: [https://www.seancassidy.me/lostpass.html](https://www.seancassidy.me/lostpass.html)

~~~
6ak74rfy
Oh my. Thanks for taking the time to list these down. Will work right away to
get off Lastpass. No, seriously!

~~~
ktta
Whatever password manager you move to, choose something that will stay far
away from your browser. And don't use anything that autofills your passwords.
This includes KeePassHTTP.

------
linopolus
1Password. Don't know what they're about on Windows, as I'm happy to not use
this shit anymore. On Mac and iPhone, I can happily use the newest version
without any subscription or anything (which I didn't even know about).

~~~
copperx
The OP stated "I'm a bit unhappy with 1Password".

~~~
eddieroger
OP also asked what people are using. They're not mutually exclusive
statements.

I use 1Password and I don't pay a subscription. I pay them outright, per
platform, and call it a day until they give me a reason to do something else.
I've also set up others recently in similar patterns. If OP's only issue is the
subscription, they may now be aware that there are non-subscription options.

~~~
linopolus
Also, they're the only ones with relatively widespread support in Apps (on
iOS). In many apps, I can just tap 1P like I do in the browser to log in. And
they have a decent user interface.

------
onetom
Subscription to 1Password is not mandatory. Or at least it was not in the
past. Without a subscription, you can create local vaults which can be synced
via Dropbox, iCloud or over WiFi within the same subnet (which means over VPN
too).

Here is some documentation on the Dropbox sync for example:
[https://support.1password.com/sync-with-dropbox/](https://support.1password.com/sync-with-dropbox/)

~~~
curun1r
The subscription isn't really mandatory, but I've been quite disappointed at
the transparency with which they've been pushing people towards that...even
those of us that purchased the full version somewhat recently. For instance,
the complete lack of a Windows version that isn't subscription based is a huge
pain since I got a cheap Kodi box recently and my keyboard is a remote control
that sucks for typing passwords.

I get that they want to transition people to that revenue model for their own
benefit, but they haven't made a convincing argument that it's in our
interests and they've definitely made those of us "offline" customers feel
like second-class citizens. Normally, I'm all for subscription services, but
password management is one area that I want complete control over and if they
keep pushing me towards a model that requires their online presence, I'll end
up switching.

~~~
latkin
[https://1password.com/downloads/](https://1password.com/downloads/) still
links to the 1Password v4 version for Windows, which supports local vaults.

And shameless plug for my own cross-platform powershell-based 1Password
client, which can read both formats of local vaults:
[https://github.com/latkin/1poshword](https://github.com/latkin/1poshword)

~~~
curun1r
I tried the v4, but it wouldn't accept my v6 license key :(

My workaround was to write a small utility that I run on both my Mac and
Windows boxes that sits in the background and keeps the two clipboards
synchronized. So I just copy from Mac 1p and paste in Windows. Not ideal,
since it makes the browser extension useless, but it works well enough for the
few times that I need to enter passwords on that box. But on the plus side, I
can also use it for entering commands in cmd.exe and Powershell too.

------
mhw
PasswordSafe - [https://pwsafe.org](https://pwsafe.org)

I use the open source version on Linux and Windows, and
[https://pwsafe.info](https://pwsafe.info) on Mac and iOS, all syncing through
Dropbox.

~~~
antisthenes
Was expecting more mentions of this wonderful utility. It seems to work well
in conjunction with a sync service (use Gdrive personally).

------
temporaneous
I memorize my passwords and reuse them to a large extent. Strength of the
password is actually a lot less important than the website's security and the
value of the account.

* relatively weak/old passwords for sites I don't care about and would lose nothing if they were compromised (vast majority)

* a couple relatively strong passwords for the 5-6 sites I don't want compromised, but wouldn't have huge consequences and could be email recoverable.

* unique strong passwords for a couple vital services such as email account.

The re-use depends somewhat on how much I trust the site's security. Also I
cycle occasionally by introducing new passwords at the "top" and moving those
passwords "down" to less important sites.

~~~
atacama
I used to do exactly the same and even the moving passwords to less important
sites. Now I use iCloud generated pwds for all but vital services.

------
zachrose
1) Make up a unique password on the spot. 2) Log in and forget it. 3) Reset
password.

Works every time.

~~~
oAlbe
Not when resetting your password requires physically going to the bank to sign
a document and get it mailed to you after a week...

But yeah, it works in most cases.

~~~
kintalo
Seems like a reason to switch banks.

~~~
codefined
Don't all banks do this? Here in the UK it basically seems mandatory. Try to
change your password/phone/email, they'll send you an actual letter which has
a passcode you need to enter into the website. Although mine took only a day
to arrive.

~~~
OJFord
No, (I'm also in the UK) I've changed a few recently-ish and in each case had
only to answer some security questions and then receive a phone call/text
message with a code to enter.

------
dewey
1Password & gopass
([https://www.justwatch.com/gopass/](https://www.justwatch.com/gopass/), it's
"pass" compatible if you are using that already). I don't really mind the
subscription service as it works fine across all platforms I use.

~~~
m1keil
Do you sync 1password and gopass? or one for home and other for work?

I love 1Password but the lack of linux support is irritating. (I know about
the web client)

~~~
dewey
1Password for all my private stuff and I also have a vault for work
credentials (websites, external services, third party APIs etc where autofill
in the browser comes in handy)

I use gopass for everything that's company internal.

------
jobvandervoort
> I want something that keeps an encrypted file that I can put in dropbox

FWIW You can do this with 1Password. Preferences > Sync > Sync with Dropbox

~~~
falcolas
This, IIRC, requires an older version of 1Password. Version 4, from the "Who
moved my cheese" discussion of 1Password's most recent subscription changes.

~~~
dvcc
I can confirm this option still exists in 1Password 6 (I'm using the iCloud
sync but I see the option for dropbox as well). I'm not sure how to get the
license though. I only see the upgrade path that I took - not the outright
purchase.

~~~
jonnytran
[https://agilebits.com/store](https://agilebits.com/store)

You can still purchase a Mac license there. I don't see a Windows option, but
I'm viewing this from a Mac, so not sure if they're just hiding it. (Some
people in this thread have said that there's no longer a non-subscription
version for Windows.)

------
joshuahutt
I used KeePass on Windows, and I use KeeWeb on Mac. KeeWeb is fast to search,
allows for the inclusion of arbitrary data and tags, has a password generator,
and it does autotype, which is nice. Also, it's open source.

[http://keepass.info/](http://keepass.info/)
[https://keeweb.info/](https://keeweb.info/)

------
richardpetersen
Enpass all the way. Free and works with dropbox

~~~
bsilvereagle
I would be much more eager to use Enpass if they made the code available to
people who pay.

~~~
stefanve
They use SQLCipher which is OSS. I understand they don't release the UI code
as it is what they use to make money. If you are afraid that they secretly
copy your passwords you can easily check this. As you keep the file on your
device or place it at a third party service it is more secure than a service
like LastPass. Also don't use browser plugins but copy and paste the password

------
stirner
I use iCloud Keychain on macOS and iOS. Both operating systems include a
rudimentary interface for managing passwords, and automatically store
passwords entered in Safari. Keychain Access on macOS also allows to create
secure notes on iCloud Keychain.

~~~
khn1
iCloud Keychain works great for me. Although, if I could change one thing, it
would be to add a dedicated iOS app, instead of having to go to Settings >
Safari > Passwords.

~~~
markwhiting
It's somewhat easier in iOS 11, there's a more dedicated area in settings.
Also, in iOS 11, it provides usernames and passwords within apps, which is
super convenient.

~~~
stirner
What do you mean by a "more dedicated area"? I don't have a spare device to
test the beta on.

~~~
khn1
On iOS 11 beta, to get passwords you will go to Settings > Accounts & Passwords > App & Website Passwords [0]

[0]
[https://www.youtube.com/watch?v=Yy1JEyxRzIc&t=23m42s](https://www.youtube.com/watch?v=Yy1JEyxRzIc&t=23m42s)
(@ 23 minutes and 42 seconds)

------
odammit
All of my passwords are kitt3nZ!PIzZA837591&#! Which I simply copy and paste
out of an iCloud Note.

I use HashiCorp's Vault running on a micro EC2 with a small API written around
it. Then I access it using a CLI I built and a key pair.

Pros:

\- I don't pay for a service (the ec2 instance was already running)

\- I don't use someone else's software that is hopefully secure

\- I got to play with Vault for an afternoon

Cons:

\- I've probably done something wrong and I'll end up paying for it the hard
way eventually

\- I had to spend about an hour building something

------
FfejL
Enpass, all the way. Free (Gratis) on Mac, Windows & Linux, US$10 for iPhone
or Android.

100% local storage, or sync the encrypted file via Dropbox.

~~~
conorcleary
My favourite, and I'm happy to support financially.

------
ameister14
I just use lines of poetry for my passwords. They're long enough, complex
enough, but extremely easy for humans to memorize.

~~~
Luc
If it were me I'd add a bit of salt (some random string) to those...

~~~
ryanSrich
This is what I do. Music lyrics with characters mixed in. I have the
alternates memorized so it's fairly easy to remember. Ex: 5, S, and $ are all
interchangeable.

------
wazoox
I'm using KeepassX with Dropbox. I store the database on Dropbox, so that it's
available on my computers running different OSes (Ubuntu, Slackware, MacOS)
and my phone at all times. I'll probably get rid of Dropbox at some point, but
I'll keep the same method, which gives me complete satisfaction.

------
duebbert
Oh I gotta show off my Keepass ([http://keepass.info](http://keepass.info))
with Ubuntu on Win10 setup which I just sorted out this week. The Keepass DB
is saved on Dropbox.

I use it for all my passwords but crucially also as a SSH Agent for Bash, Git,
Pycharm and WinSCP. My SSH keys are in Keepass and it gets used by Git,
Pycharm and WinSCP. So all I need to do is unlock the database and it just
works when using SSH in Bash or Pycharm or WinSCP or Git.

Anyway, the setup was a bit tricky to find out but it works very well (for me)
now. I have documented it here because it might be useful to others:
[https://gist.github.com/duebbert/6a152ad2030e8dcb6d860802758...](https://gist.github.com/duebbert/6a152ad2030e8dcb6d8608027588e4a8)

------
retor
Google passwords. I trust their engineering, it's free, passwords are
accessible as long as I have a browser and it comes with Chrome.

Negatives: I can't do backups, easily migrate to another supplier and it won't
work automatically with other browsers. And it's Google (feels privacy
invasive)

~~~
beckler
This isn't a really great solution, in my opinion. Anyone with access to your
google account, or anyone with physical access to any of your synced devices
could lift your passwords easily.

~~~
retor
Wouldn't anyone with access to my two factor authenticated Google/gmail
account be able to reset most of my passwords anyway? The biggest risk is
perhaps a rogue Chrome extensions scraping the password page when I visit it.

------
danieldk
If the problem is storing data in the cloud, you can still store data locally
(outside the 1Password cloud) with the subscription version. Go to
_"Preferences" -> "Advanced" -> "Allow creation of vaults outside of 1Password accounts"_.

------
SirLJ
My best solution is to not discuss password management on public forums...

------
wodenokoto
I use a system where I mix a counter, a master password and website URL.

I don't hash it via a software algorithm, it is a system simple enough to do
in my head.

I basically only have to keep track of the counter for the few websites that
have forced me to change password.

The counter exists both as a number and spelled out, ensuring that changes in
password differ enough for websites that require new passwords to not be
similar to old passwords.

It is as secure as any 8-10 character password, except if a person is
targeting me, and manages to get 2 or more passwords, there is a chance that
they'll notice the system.

But if I am targeted by someone who can crack multiple of my online passwords,
then I have pretty much given up hope for my safety.

------
lazard
I used pwclip [1] for several years but I no longer believe that hash-based
password managers are the best plan. Now I'm using Seal [2], which is like
pass but doesn't depend on gpg.

[1]
[https://github.com/davidlazar/pwclip](https://github.com/davidlazar/pwclip)

[2] [https://github.com/davidlazar/seal](https://github.com/davidlazar/seal)

------
grigory
I use passpack to generate/store passwords, remember them in Firefox, and let
Firefox Sync get them onto my different devices. Works pretty well!

My host of devices includes multiple laptops (Linux, OS X) and many different
phones - both Android and iOS. Since Firefox runs everywhere, this works
nicely. Firefox Sync has end-to-end encryption, but data stored at-rest on
devices is guarded purely by physical access, which is fine for my use cases.

------
makmanalp
Of the open source password wallet solutions, which ones have actually been
audited?

------
rdl
I currently use 1Password (local) on iOS and OSX, and use 2FA wherever
possible as well.

I'm unhappy with support for windows/linux/chromeos, so I was already looking
for alternatives.

I manage certain passwords (PGP keys, some very high privilege accounts, etc.)
separately (primarily offline, and some split).

Considering building/paying to have built something that truly meets my needs,
since my needs are fairly general.

------
0xTJ
I use Keepass 2. With a plugin, it's synced to Dropbox, where I can access it
on my Android device with one of the compatible apps.

------
skinnymuch
I use 1Password and have used it for 5+ years now and love it. I used to pay
one time fees. They were doing a sale for their pricey subscription service
when my business partner got interested in using a password manager. So he
bought an annual subscription for the both of us at a sale price. I think it
ends up being $60 a year for the both of us.

Being able to use different shared password vaults has helped us a lot. As our
business entails going through lots of quick sites before moving on to new
ones, along with working with different partners.

Sure it still isn't "cheap", but I get a good app and browser plugins on all
major platforms.

I highly prefer 1PW to Lastpass because it is much easier to get a lot of
different form fields saved into 1PW along with easily adding any number of
your own. Lastpass plugins also aren't the greatest.

I'd move to KeePass if I had to stop using 1PW. But I doubt I'll switch
while doing business. Shared repos integrated tightly into the UX is too
helpful.

------
jchw
Interestingly enough, I immediately moved from LastPass to 1password when I
heard about the subscription service. Why? Because I trust AgileBits but last
time I wanted to run 1password I was going to need to pay a shit ton of money
just to get it on most of my platforms. Now, overall I'll pay more money, but
I don't have to worry about how many platforms I use or upgrading
periodically.

Plus, syncing is done right automatically. Sure, AgileBits could go out of
business and I'd not be able to use 1password anymore. That's fine. It took
one day to switch from LastPass. The lock-in is minimal. I'd rather not
continue using a piece of security software without updates being released.

(Even if they did, I have a gut feeling they are classy enough to open source
the server, though. It looks like the app already is built with the
possibility of connecting to 3rd party sync servers.)

And it looks like a real solution is in the works for Linux finally, so
there's that.

------
leemck
I have been managing passwords for more than 12 years with an encrypted vi
file. Inside the file, every login uses a unique password. I generate unique
passwords in batches of 100 or so using a script that I list below.

This scheme has the obvious single point of entry weakness and a further
keystroke logger vulnerability. I have never had any of the 360+ accounts and
logins compromised.

It is very important to not use the browser for secure activity if one has
been browsing Internet junk recently. I have no doubt that all kinds of
keystroke logging scripts do get started. I occasionally run rkhunter and top
looking for intrusions and compromises.

Script for making big batches of passwords:

    
    
          File of passwords. First 99 are letters usable for names, next 100 are password strings. 1-6-2008
    
          Here is the command line:
    
          # apg -a 1: random (non-pronounceable) mode; -n: how many; -m/-x: min/max length;
          # -M: character classes (C capitals, L lowercase, N numerals); cat -n numbers the lines
          (/usr/bin/apg -a 1 -n 99 -m 11 -x 13 -M CL; /usr/bin/apg -a 1 -n 100 -m 17 -x 23 -M NCL ) | cat -n
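
An added Python equivalent of the two apg invocations above (my code, not leemck's; apg itself is a separate C program): one batch of 99 letter-only strings of 11 to 13 characters and one of 100 mixed strings of 17 to 23, numbered the way `cat -n` would. It draws from `secrets`, never `random`, and, following my understanding of apg's `-M` convention that an upper-case mode letter means the class must appear, rejects candidates missing a class. The symbol set under `S` and the per-entry entropy bound are my additions and not from the thread.

```python
import math
import secrets
import string
from typing import List

# Character classes in apg's -M letters as used in leemck's command:
# C = capitals, L = lowercase, N = numerals.  S (symbols) is my addition.
CLASSES = {
    "C": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "N": string.digits,
    "S": "!#$%&*+-=?@^_",
}


def alphabet_for(modes: str) -> str:
    """Union of the requested classes; unknown mode letters are an error."""
    try:
        return "".join(CLASSES[m] for m in modes)
    except KeyError as exc:
        raise ValueError(f"unknown apg mode letter {exc}") from None


def generate_password(modes: str, min_len: int, max_len: int) -> str:
    """One password of uniformly chosen length in [min_len, max_len] over the
    requested classes, from the OS CSPRNG.  Every requested class must appear,
    enforced by rejection sampling so the per-character draw stays uniform."""
    alphabet = alphabet_for(modes)
    required = [CLASSES[m] for m in modes]
    if not (1 <= min_len <= max_len):
        raise ValueError("need 1 <= min_len <= max_len")
    if len(required) > min_len:
        raise ValueError("min_len too short to contain every required class")
    while True:
        length = min_len + secrets.randbelow(max_len - min_len + 1)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def generate_batch(count: int, modes: str, min_len: int, max_len: int) -> List[str]:
    return [generate_password(modes, min_len, max_len) for _ in range(count)]


def entropy_upper_bound_bits(modes: str, length: int) -> float:
    """length * log2(alphabet) for a string of that length; an upper bound,
    since requiring every class to appear removes a few candidates."""
    return length * math.log2(len(alphabet_for(modes)))


def numbered(batch: List[str], start: int = 1) -> List[str]:
    """Format like `cat -n` so an entry can be referred to by its number."""
    return [f"{i:6d}\t{pw}" for i, pw in enumerate(batch, start)]


if __name__ == "__main__":
    names = generate_batch(99, "CL", 11, 13)          # apg -a 1 -n 99 -m 11 -x 13 -M CL
    passwords = generate_batch(100, "NCL", 17, 23)    # apg -a 1 -n 100 -m 17 -x 23 -M NCL
    for line in numbered(names + passwords):
        print(line)
    print(f"# shortest name entry <= {entropy_upper_bound_bits('CL', 11):.1f} bits; "
          f"shortest password entry <= {entropy_upper_bound_bits('NCL', 17):.1f} bits")
```

The printed bound is what matters when judging the batch: the 17-character mixed strings sit near 100 bits, well past anything a leaked site hash makes worth attacking.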

------
miguelrochefort
> I want something that keeps an encrypted file that I can put in dropbox.

KeePass.

------
JesseAldridge
I have one simple master password. I modify it slightly based on the url of
each website. I have a text file backed up on Dropbox with any special rules
for the password on each website (e.g. "turbotax: capitalized + bang").

Works great as long as you can resist the urge to tell other people about your
system!

------
bgschiller
I wrote about my (mac-specific) pass setup at
[https://brianschiller.com/blog/2016/08/31/gnu-pass-alfred](https://brianschiller.com/blog/2016/08/31/gnu-pass-alfred)

It uses Alfred to get fast, autocompleted access to passwords.

------
jvehent
I wrote [https://github.com/mozilla/sops](https://github.com/mozilla/sops) to
manage secrets in our deployments, and also use it as my personal password
store, to encrypt a file stored in a private git repo.

~~~
TokenDiversity
That is so cool! Just what I (and so many others) are looking for. Can it
handle typesafe's config too?
[https://github.com/typesafehub/config/](https://github.com/typesafehub/config/)

------
jasonincanada
I rolled my own solution a couple years ago:
[https://gridpass.io/](https://gridpass.io/)

Your master password is remembered _visually_, instead of as an arbitrary
string. My contention is that you're less likely to forget specific spots on
distinct images than an arbitrary sequence of characters. The method has
worked perfectly for me since I began using it, but only one other person I
know uses it, and it has NOT been audited or scrutinized by an expert in the
field. Nonetheless, check it out. It's free, being more of an idea than a
technology. Besides, I can't charge you for something you've stored in your
own visual cortex!

~~~
chippy
I like this idea. Giving it a go, I found generating the passwords time
consuming - as in sometimes I would be okay to get a simple 2 image throwaway
password without having to go through all 6 images. However I suspect that my
impatience was just curiosity in wanting to find out how it worked, and what I
would see when I finished :-)

I also didn't feel much attachment to the image - which could be addressed and
has got me more interested about. Memory palaces. Genius loci - ancient way of
remembering things using space, places. This works in a similar way, images
exist on 2D space - the genius loci work best when the mental image is
something you know well, that you remember well.

Thanks for sparking some ideas in my head!

------
Leftium
I use [https://pwdhash.com](https://pwdhash.com) algorithmic password
generator. It is the sweet spot of more security without too much added
frustration.

Usually I use the Chrome extension, but when that fails I built a more user
friendly web interface: [https://ph.leftium.com](https://ph.leftium.com)

To avoid having to change all my passwords at once when one password must be
changed, I suffix my master password with a sequential suffix. In the worst
case, the last few suffixes don't work and I use the service's password reset
feature to update the password to the latest suffix.

~~~
dannysu
Note that the algorithm used by pwdhash is very weak. It uses just one round
of HMAC-MD5. Not even a slow hash function.

See [https://github.com/dannysu/hash0](https://github.com/dannysu/hash0) for
comparison of other similar sites that all have the same flaw and the reason I
coded hash0 (no longer maintained though).

~~~
Leftium
I've considered making a version of PwdHash that uses a stronger hash function
(and I think my brother did make one)...

But to be honest, if a hacker specifically targets you, you _will_ probably be
compromised, no matter how strong a hash function you use. (They will probably
just use one of the many other attack vectors.)

And there's that joke about two guys running from a bear. "I don't have to
outrun the bear; I just have to outrun _you_"

PwdHash lets me have unique, non-trivial passwords for every site with minimal
fuss. There will be probably lots of lower hanging fruit before hackers start
targeting PwdHash-generated passwords.

------
marvelous
I use Firefox sync for my web needs and a plain text file (on my encrypted
laptop) for everything else that doesn't fit into that. The more sensitive
stuff (credit card, computer unlock) is in my brain with a hidden paper
backup.

------
standalone1p
MacOS version still able to buy standalone license here without signing up for
an account:

[https://agilebits.com/store](https://agilebits.com/store)

------
cmcginty
I use MacPass (KeePass OS X client) and sync the DB with a (2FA enabled) Box
Sync account.

I use the Chrome ChromIPass plugin for user/passwords autofill. There is also
a FF plugin, but I usually stick with Chrome these days.

I tried to switch to Lastpass but I found that a) the plugin was a terrible
resource hog and b) would make some sites unusable due to ridiculous page load
times. Obviously it works for some people, but the attack surface of sites like
LastPass is so large, I was never comfortable following the masses.

------
latkin
1Password synced w/ Dropbox. Using Windows, MacOS + Android support. Very
unhappy about the recent push toward subscription-based model, though, so I'm
starting to look around for something new. Lots of good options in this
thread.

For those in need of a cross-platform (Windows, Mac, Linux), open source
1Password CLI client, check out
[https://github.com/latkin/1poshword](https://github.com/latkin/1poshword)
(disclaimer: my project)

------
fgcbs
I have used for years a KISS (Keep it simple) solution: I have a directory
encrypted with encfs where I keep all sensitive data. The directory is shared
through Dropbox by all my devices. In this directory I keep a plain text file
with all passwords, domain, used email.... It is actually a YAML file cause I
also have a simple Groovy script that pastes the password (given domain or
key) in my clipboard, but any text file would do the job. As simple as that.

------
ruanmartinelli
Enpass is what you are looking for!

~~~
jordz
I too use enpass. Syncs your password vault to OneDrive, Dropbox. (It's just
an encrypted file)

------
TazeTSchnitzel
I use an encrypted disk image (in this case a macOS .dmg, but it could be any
similar format) filled with text files that I edit in vim.

I don't use random passwords, I use (mostly) memorable ones. I mount the disk
image only when I forget one. It's an aid to help me memorise passwords and
keep track of important information (reference numbers etc), not a single
point of failure without which I can't get into anything.

------
jlft
Secrets is a good alternative (Mac + iOS only):
[https://outercorner.com/secrets-mac/](https://outercorner.com/secrets-mac/)

Details on how Secrets store data:
[https://outercorner.com/2016/08/01/storage_format.html](https://outercorner.com/2016/08/01/storage_format.html)

------
free_everybody
I use keeweb as a desktop app, and I save the file locally, backing up to
gdrive and cold storage hard drive weekly.

My laptop is my primary device so I'm not too concerned with logging into
accounts on mobile, but if I really needed to get my passwords without my
laptop, I could use the keeweb web app with my gdrive backup.

[https://keeweb.info/](https://keeweb.info/)

------
nzealand
I use firefox bookmarks synced using Xmarks.

Each account has a unique email address, and important accounts have a unique
password element added.

I use firefox bookmarks to note down in a cryptic manner any variations to the
common themes I use. The bookmarks are synced across computers.

The upshot is I always use firefox bookmarks to log in to a site, which means
I am not clicking links from emails and I am always in an extension free
browser.

------
peterwwillis
I memorize multiple passwords.

------
bantunes
I use a Mooltipass Mini
[https://www.themooltipass.com](https://www.themooltipass.com)

------
bgrohman
I switched from LastPass to KeePassXC a few months ago after reading about
some LastPass security problems. I really like KeePassXC.

~~~
rekshaw
As I am currently a LastPass user, could you fill me in on the security
problems?

~~~
bgrohman
Sure, take a look on Google's Project Zero and search for "LastPass":

[https://bugs.chromium.org/p/project-zero/issues/list?can=1&q...](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=LastPass&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=ids)

Or search the news for LastPass security issues:

[https://duckduckgo.com/?q=lastpass+security+issues&t=iphone&...](https://duckduckgo.com/?q=lastpass+security+issues&t=iphone&iax=1&ia=news)

~~~
rekshaw
thanks, but all I see is 5 issues, all of which were fixed (and rather quickly).

~~~
bgrohman
Yep, it's good that LastPass seems to respond quickly to reported
vulnerabilities. Who knows how long those issues existed before getting
discovered, though. And some of them were quite serious.

------
rnentjes
A while back I was looking for an online password manager that you can host
yourself (I don't trust my passwords with anyone else).

I couldn't find one that matched my requirements so I built one myself:

[https://github.com/rnentjes/simple-password-manager](https://github.com/rnentjes/simple-password-manager)

------
paulrd
I use Universal Password Manager (UPM). It runs everywhere, syncs to dropbox
(or wherever), pretty fast start time even though it's java. Github link:
[https://github.com/adrian/upm-swing](https://github.com/adrian/upm-swing)

------
rntksi
[https://spideroak.com/personal/encryptr](https://spideroak.com/personal/encryptr)

You can have this on MacOS, Windows, your smartphone.

Great when you only have your phone with you and you need to login somewhere
to do stuff.

------
madhadron
I still use a GPG encrypted org-mode file. Emacs/org-mode opens it seamlessly.

I feel like I should move to Keepass at some point, but it's one of those
cases where if I'm apathetic long enough, Keepass will be gone and I'll still
have my Emacs setup.

~~~
gkya
I use pass nowadays but used to use org for passwords; in my setup I only
encrypted the contents of entries, i.e. headings were in plain text. Then I
used the function below to decrypt them. It made it easier to browse the
file.

    ;; Needs cl-lib (cl-defun), org (org-mark-element, org-get-heading)
    ;; and epa (epa-decrypt-region); only the entry body is encrypted,
    ;; the heading stays in plain text.
    (require 'cl-lib)
    (require 'org)
    (require 'epa)
    
    (cl-defun gk-org-decrypt-element ()
      "Decrypt the element under point, show in a new buffer."
      (interactive)
      (save-excursion
        (let ((transient-mark-mode t))
          (org-mark-element)
          ;; The third argument is epa's MAKE-BUFFER-FUNCTION: it must
          ;; return the buffer that receives the decrypted text.
          (epa-decrypt-region
           (region-beginning) (region-end)
           (lambda ()
             ;; Grab heading and file name while the org buffer is current.
             (let ((decrypted-elem (org-get-heading t t))
                   (bufnam (buffer-name)))
               (prog1
                   (switch-to-buffer (get-buffer-create "*Org Secret*"))
                 (read-only-mode -1)
                 (fundamental-mode)
                 (erase-buffer)
                 (insert ">>> " decrypted-elem " (" bufnam ")")
                 (newline)
                 (insert ">>> Hit `Q' in order to *kill* this buffer.")
                 (newline 2)
                 (special-mode)
                 (local-set-key [?Q] 'kill-this-buffer))))))))

------
cagey
Password Safe[1] (almost entirely on Windows clients) and version control on
home server via ssh. And most of my passwords are memorized by my Google
account.

[1] [https://pwsafe.org/](https://pwsafe.org/)

------
3pt14159
I use this ruby script:

    # A number below one billion, then ten distinct lowercase letters, ten
    # distinct uppercase letters and a trailing underscore. Kernel#rand and
    # Array#sample use Ruby's default PRNG, not SecureRandom.
    print ((rand * 1_000_000_000).to_i.to_s + \
           ("a".."z").to_a.sample(10).join + \
           ("A".."Z").to_a.sample(10).join + "_")

It solves a number of annoyances. First, it's easy to type on mobile if you
need to for some dumb website that clears your input field when you alt-tab,
since it sticks to numbers, letters, then capitalised letters. It contains a
non-alphanumeric character, but at the end for stupid forms that don't allow
them.

As for keeping the passwords around, you can do one of a couple things, but I
generally just forget the password after logging in with it everywhere. I'm
signed into chrome, so what's the point in remembering the password myself?
Unless it's something sensitive I don't bother. It's easier to generate a new
one than to dig it up.

------
diimdeep
I have made a plugin for the original KeePass to import from 1Password 1pif
[https://github.com/diimdeep/1P2KeePass](https://github.com/diimdeep/1P2KeePass)

------
hampo
> I'm a bit unhappy with 1Password. I don't want a subscription service, I
> want something that keeps an encrypted file that I can put in dropbox.

> What is everyone else using these days?

I use a self made password matrix on paper.

~~~
copperx
How does that work?

------
traeblain
Surprised no one has mentioned BitWarden.

[https://bitwarden.com/](https://bitwarden.com/)

Open-source, multi-platform, etc.

I haven't switched from Lastpass yet, but I'm seriously considering.

------
jokoon
Sheet of paper and pen.

Change it every 3 years or so.

Reset my passwords often, have to use my email often.

------
SRR0712
It seems from all the comments, that there is no consensus. I use LastPass,
and I don't trust any expert. Even the LastPass guys claim expertise. I don't
believe them.

------
mosodede
KeePass and KeeWeb are both great interfaces that can read KDBX format. I sync
with Dropbox and encrypt with a private key that I carry with me or keep on my
main machines.

------
raverbashing
gpg -c / gpg -d with master passwords for different things

also one .sh to save the data to a tmp file, open it in your editor then
override it (the tmp file) with random data upon exit

------
tarp
[https://keeweb.info/](https://keeweb.info/)

You can self host the webapp, or run the desktop app. You can store your file
on Dropbox

------
justifier
What are the hidden requirements of your question?

As asked you can just use gpg [https://www.gnupg.org](https://www.gnupg.org)

------
erikpukinskis
Answering this question publicly is a very bad idea.

~~~
skinnymuch
Lie! Now any would-be culprits, if you are actually targeted, will go after the
wrong thing.

I answered publicly because I don't put my few most important info into my
password manager I have mentioned here (or do I?) - 2 main emails, FB, main
bank accounts, main brokerages. Few most important SSH keys and pws. Anything
else getting taken would suck, but I don't think too much harm can be done as
long as the above are safe. Maybe I'm being myopic.

------
joshbaptiste
[https://github.com/ejcx/passgo](https://github.com/ejcx/passgo)

------
paulpauper
write it down and put piece of paper in pocket

~~~
tentaTherapist
Congratulations for having the patience to write out long strings of
characters on paper and type them out repeatedly, but that doesn't sound very
safe.

~~~
sgt101
You can make it safe by using a secret key in conjunction with the keys. For
example: all passwords are as written, but the third character must be # instead
of what's written. This renders the book useless if stolen or copied.

If you keep the book in a locked drawer and use some tell-tales to ensure that
you will know if it's been opened you have a strong chance of being able to
know if you have been physically compromised.

Any online key store is vulnerable in a number of ways, end to end security is
hard. The biggest issue is that your provider might be placed under
significant physical pressure relieved only when your account is compromised.

And you will be unaware.

~~~
leipert
Well "safe". Once your written down password is compromised (e.g. with a photo
of a page), the entropy for cracking the password is tremendously minimized.
In combination with dumped hashes of the site in question even more.

Maybe a password card is a better solution? [1]

[1]: [https://www.passwordcard.org/en](https://www.passwordcard.org/en)

------
sakawa
Just a follow up: what do you use for secrets files, like ssh keys?

Every time I find myself in some mess with too many keys to manage. :\

~~~
politelemon
For SSH, KeePass + KeeAgent with the private/public keys as attachments to the
KeePass entries. For other files, like a GPG export, again KeePass with its
file attachment feature.

------
mnm1
Enpass. Does exactly what you describe.

------
mongol
I think PasswordSafe is good. Combined with storage in OneDrive and the
Android app it solves my needs.

------
louismerlin
[http://lesspass.com](http://lesspass.com)

No database, no problem.

------
GlassOuroboros
KeePass inside of a Qubes OS qube.

------
SAI_Peregrinus
KeePass2 is my preferred password manager. KeePass2Android is a good Android
app version.

------
Havoc
Lastpass. Not super convinced their security is bullet proof, but meh close
enough

------
krapp
Simple. I only use one password for everything: "Melody Nelson"

------
Piccollo
Dashlane

~~~
skinnymuch
I wonder how successful Dashlane is. HN is not the best place to gauge how
something is doing, but barely any mentions of Dashlane. Enpass the other
known password manager got a number of mentions besides the "big 3" (Lastpass,
1PW, KeePass).

------
petraeus
You can use 1 password stand alone with dropbox as the storage.

------
josteink
Firefox + Firefox sync + ssh keys.

That's all I need and that works for me.

------
srinathkrishna
vim has a command line switch to encrypt files when they are written. I use my
password file on mac, linux and windows and vim works on all these platforms.

------
narak
Password Safe + pwSafe ios and mac clients + Dropbox

------
maxxxxx
I use passpack.com.

~~~
skinnymuch
Do you know people who run it? Doesn't seem very popular. The prices are
pretty expensive with their in my opinion bad limitations on their plans.
Limiting by number of passwords seems lame. Their allowance of a lot of shared
users might be good but I'm not completely sure what that means.

Not sure why anyone would use them over Lastpass or 1Password.

~~~
maxxxxx
I chose them a long time ago for reasons I don't remember. It seems to be
working well so I don't see a reason for changing. I would probably go with
something open source now.

~~~
skinnymuch
Yep same here for sticking with 1PW. If anything goes too badly with it, I'll
probably go open source.

------
Geee
1Password is still available without subscription.

------
tavish1
pass - passwordstore, syncthing on laptop and phone, and password manager and
openkeychain on phone

------
jedisct1
Enpass.

------
carlmungz
Enpass is a good solution.

------
proactivesvcs
KeePass with a Yubikey for TOTP. Database and metadata is synced between
devices via Syncthing.

------
Adam89
1password

------
teddyqwerty
Roboform

~~~
tim333
Ah. I used to love Roboform and bought it for $20 for life but then they
changed their minds about honouring that so I went elsewhere. Lastpass
currently.

~~~
skinnymuch
Same happened to me. 1PW for me now.

------
X86BSD
I use Vault from HashiCorp for everything.

------
hungerstrike
I use KeePass on my desktop and KeePass Touch on my phone. It does exactly
what you want.

