
Evaluation of five password managers - jik
https://medium.com/@QuantopianCyber/head-to-head-evaluation-of-five-password-managers-8faa4851c767
======
zmmmmm
In the end I've just been using the Unix pass password manager [1].

It's just a cobbling together of GPG and git with shell scripts, but it works
like a normal git repository, so you get all your synchronization from that and
your security from GPG, which are all things I know and trust, without
introducing other components that I don't know / understand.

[1] [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
zeveb
My one concern with pass is that it doesn't encrypt filenames; it's a real
pity, as that's an information leak itself.

~~~
tanderson92
Have you tried to use pass-tomb?

~~~
ufo
I'm not the parent poster but the added friction and configuring for pass-tomb
made me choose to just use keepassxc instead. IMO, this kind of feature should
be the default.

------
zmix
I wonder, why not a single word has been spoken about Keepass/X, which is
available on all platforms (not sure about iOS, though), can work with
YubiKeys, afaik, has huge im- and export support and is free from any corporate
interests.

~~~
abrowne
If you want the Qt one, make sure to use KeePassX _C_, the active fork of
KeePassX.

[https://keepassxc.org/](https://keepassxc.org/)

~~~
stcredzero
I use keepassxc on MacOS, Windows, Linux, along with MiniKeePass on iOS. It's
synced through my free Dropbox account. I just make sure to set the
preferences so that every change to the key database results in a file save.

~~~
faitswulff
> synced through my free Dropbox account

I was always a bit paranoid about this, even though I did it myself.

~~~
n4r9
The decentralised alternative is to use something like SyncThing[0]. It's what
I use and is only slightly more involved.

[0] [https://syncthing.net](https://syncthing.net)

~~~
otachack
What about Resilio Sync? They have a discount for one-time license. And it was
formerly BitTorrent Sync. I'll have to check out Sync Thing.

~~~
n4r9
Well, SyncThing is open source as well as being free.

------
mithr
> Mac OS, Windows, Linux, Android, and iOS ... full functionality can’t be
> dependent on an app which is only available on Mac OS and/or Windows. In
> other words, lack of full Linux support is a show-stopper for us. This ruled
> out 1Password...

...Huh? 1Password supports all of those platforms (including Linux)
[https://1password.com/downloads/linux/](https://1password.com/downloads/linux/)

~~~
vhost-
It really doesn't. I'm a full time linux user and I can tell you the support
from both lastpass and 1password is abysmal. I have to copy and paste my
passwords from both of those platforms using their half-baked browser plugins
that rarely work with linux clipboards.

~~~
tyingq
Interesting. Browser plugins, by nature, include source code. I wonder if
there's an easy fix. Can you describe the issue in a little more detail?

~~~
paul167
I took a shot at building a browser plugin for 1pass [1] a little while back.

Turns out, the hardest thing is not the crypto or the browser to app
communication, but parsing the HTML to accurately find the login forms. If I
remember correctly, the browser plugin on Mac actually sends the entire HTML
to the app for parsing. The parser is probably quite complicated and they
avoid reimplementing it in extensions that way.

[1] [https://medium.com/@paulsc/making-a-1password-client-15dd39a...](https://medium.com/@paulsc/making-a-1password-client-15dd39ac1642)

~~~
tyingq
Of course that also protects the IP :)

Also, great post. I love reading reverse engineering stories.

------
faitswulff
Just idle curiosity, but I'd be curious to see BitWarden's commit on GitHub:

> ...at one point during our evaluation we submitted a bug report about
> Bitwarden through its Github project; one of the product’s maintainers
> committed a bug fix _seventeen minutes later_ , and just a few days after
> that the fix was released to the public.

~~~
callalex
That tells me that their testing is either extremely excellent, or extremely
nonexistent. Rumors seem to point towards the latter, which is concerning for
security software.

~~~
cassianoleal
I don't know about the rumours, but "a few days" is a long time to test a bug
fix.

It should ideally take from a few seconds to a few minutes. That's not
extremely excellent, it's just good practice.

More than that and it hints towards heavy reliance on manual testing, and
that's something I'd be worried about.

EDIT: Despite the parent comment's misguided logic, it seems his/her fears are
actually in the right place.

An issue was opened about 6 weeks ago asking where the tests are and it
received zero responses from the maintainers:
[https://github.com/bitwarden/core/issues/399](https://github.com/bitwarden/core/issues/399)

~~~
jik
It was a cosmetic, not a security-critical bug, so there's really no reason
why it needed to be released right away.

Also "a few days" was just a guess. I noticed that it was a problem, then I
noticed a few days later that the fix had been released. I don't actually know
exactly how long it took to release the fix after it was committed.

------
vbezhenar
For me an important selling point of 1Password was that their software looks
like native Windows software and native iOS software while Bitwarden is just
a Chrome wrapper or something like that for desktop and C# for mobile and I
don't want to support that kind of cross-platform software.

~~~
amanzi
1Password felt like Mac/iOS software ported to other platforms.

~~~
dawnerd
Their windows app definitely needs some love. Actually kinda wish it was a
direct port, UI and all.

------
amanzi
Glad to see Bitwarden up on top. They tick all the boxes for me - open source,
transparent security (including recently published audit), feature-rich,
optional self-hosted, and easy to use.

~~~
h1d
Except there isn't much info on who 8 bit solutions is. It seems like a 1 man
effort and apparently he doesn't want to reveal much.

A few requests aren't exactly answered.

[https://github.com/bitwarden/website/issues/12](https://github.com/bitwarden/website/issues/12)

[https://community.bitwarden.com/t/who-is-hosting-bitwarden/1...](https://community.bitwarden.com/t/who-is-hosting-bitwarden/1614/12)

~~~
jik
This is informative: [https://opensource.com/article/18/3/behind-scenes-bitwarden](https://opensource.com/article/18/3/behind-scenes-bitwarden)

My impression is that Kyle cares more about spending time writing software
than about hyping his company. ;-)

It's an unfortunate flaw in a founder, but not a fatal one if he hires people
to do the communication that he doesn't want to be doing. It feels to me like
he's moving in that direction.

~~~
h1d
It's not about hyping.

Just a general "About" page of where it's located, who's behind and a photo of
CEO with added bonus if there's a photo of their office.

It's a very security oriented product. Not showing who they are can be taken as
hiding.

~~~
jik
In this day and age it is common for a two-year-old SaaS startup not to have an
office. I mean, I suppose it's possible that they have one, but my assumption
is that the entire company is remote.

I don't see why their location is particularly important, but if you care, you
can look on Kyle's LinkedIn profile, which I was able to browse my way to in
about 45 seconds from a standing start from their web site.

The article I just linked to makes it perfectly clear "who's behind"
Bitwarden, and you can find it out easily with a few seconds of Googling like
what I just did. They're not trying to hide anything from anyone who cares to
spend 30 seconds trying to find out.

I care a lot more about the fact that hundreds of vulnerabilities have been
submitted to LastPass's bug bounty program and they haven't chosen to disclose
any of them, whereas a much smaller number have been submitted to Bitwarden's
program and they've disclosed several. P.S. I, personally, have reported three
different security issues to LastPass, none of which have been fixed
([https://medium.com/@QuantopianCyber/hi-george-a16d88a37355](https://medium.com/@QuantopianCyber/hi-george-a16d88a37355)).

It's clear to me that LogMeIn, which owns LastPass and has a big-deal, flashy
"About" page, is much less security-focused than Bitwarden. What you're asking
for feels more like security theater than anything that's actually relevant to
security.

------
yinyang_in
No mention of enpass.io, I found their method to be completely safe. Encrypted
sqlite files, shared across Dropbox/onedrive/Google-drive.

Apps used for Mac, Linux, windows, browser integration also works fine. All
boxes are checked, don't know why it isn't popular among masses or nerd
community.

~~~
jik
We did not set out to evaluate every single password management product. We
set out to evaluate the products which were enough "in the ballpark" of what
our company needed that there was a chance we would end up using them.

There was never any chance that we would use a product which required every
user to set up their own cross-device synchronization. Turnkey synchronization
across devices as a first-class feature is a hard requirement for us.

Also, as far as I can tell, Enpass doesn't support sharing credentials between
users, another hard requirement for us.

The family of password managers like KeePass and Enpass have their place, but
they aren't good solutions to password management for businesses.

------
moulidorai
Hi folks,

That's a thorough comparison. I just wanted to make an attempt on why someone
should consider using Zoho Vault for password management.

Zoho Vault is an online password manager for teams, used by more than 20,000
small and medium sized companies across the globe. We offer client-side
encryption, multi-platform support, auto-fill, auto login websites and cloud
apps, fine-grained password sharing, bulk folder sharing with user groups,
audit, reports, two-factor & multi-factor authentication, US/EU data centers,
browser extensions (Chrome, Firefox, Safari), and mobile apps (iOS, Android,
Windows), option to maintain personal vault.

Integrations: G Suite, Microsoft Office 365, Zoho Mail, Zoho Desk, OKTA,
OneLogin, Single Sign-On for 90+ Cloud Apps, Windows Active Directory/LDAP,
Azure Active Directory

Disclaimer: I work for Zoho Vault. If you need a comparison document of Zoho
Vault with any product, drop an email to support@zohovault.com.

~~~
jik
I've added Zoho Vault to the comparison grid.

------
redwards510
> Yubikey support in browser (Personal) BitWarden: no

huh? I use my yubikey in the Bitwarden browser extension.

Otherwise, a very extensive collection of comparison data. Not surprised to
see Bitwarden come out on top.

~~~
drdaeman
"Yubikey support" is a meaningless phrase, anyway.

Bitwarden supports 2FA with Yubico OTP - although there's a bug so it works
only for QWERTY layouts. Or you can use Yubikey's static password feature for
your master password, I guess.

There's also OpenPGP Card and PIV, which, to my knowledge, is not
used/supported by any password manager software except for `pass` and some
compatible implementations.

~~~
dmoy
No u2f support? :(

~~~
village-idiot
U2f support is badly hampered by half-assed browser support. Only chrome
enables it by default, Firefox disables it by default, and no love from
safari. Even LastPass in the browser uses yubico’s proprietary otp algorithm
rather than u2f.

~~~
danieldk
It seems that Apple is working to add support for hardware tokens. It is all a
bit vague, but the latest Safari Preview notes state [1]:

 _Added support for CTAP HID authenticators on macOS_

It also gives me "Web Authentication" under "Experimental features" in the
Develop menu.

[https://developer.apple.com/safari/technology-preview/releas...](https://developer.apple.com/safari/technology-preview/release-notes/)

~~~
sebazzz
Isn't that WebAuthn support? That is different from U2F.

~~~
tialaramex
Yes and no. U2F is basically the MVP of WebAuthn. If you're doing this today
you should ignore U2F and just implement WebAuthn.

Firefox has WebAuthn out of the box, and there's a hack behind a pref to half-
arse U2F if you still need that.

~~~
StavrosK
It doesn't, though. I've been trying to implement WebAuthn and, as far as I
know, CTAP 2 doesn't work on any browser yet.

------
notatoad
What did you find changed in lastpass after the logmein acquisition? We've
been using lastpass since before the acquisition, and i can't say i've noticed
any substantial changes (either positive or negative)

~~~
humantiy
Not sure if it's related to the acquisition, but if you're a firefox user the
app has gotten very slow in past few years. I think the issue is related to
the move to chrome extensions but really that shouldn't be an excuse. Lots of
add-ons have done this move and haven't had a problem.

~~~
PuffinBlue
In the last few days it's had a good improvement. Copy username/password
directly from the window is back (had to previously edit and view password,
then copy) and speed is just as good as I see on chrome.

I'm using Windows and Linux and these improvements have come in the past week
or so for me. Perhaps they recently updated, I haven't checked.

Worth taking another look if you can.

------
thedanbob
I rarely see it mentioned, but when 1Password changed to a subscription model
I switched to Enpass ([https://www.enpass.io](https://www.enpass.io)) and I've
been very happy with it.

~~~
clairity
they don't make it very obvious, but note that 1password doesn't _require_ a
subscription. i use it with vaults shared and kept in sync via dropbox for
example.

~~~
rrdharan
Same. I recently purchased an upgrade and consider it well worth the price,
although I'm considering switching to the subscription model / family plan to
make it easier to support my parents and in-laws. However my main concern is
that you can't _disable_ browser access when using any of the subscription
plans:

[https://discussions.agilebits.com/discussion/80105/cant-disa...](https://discussions.agilebits.com/discussion/80105/cant-disable-web-browser-access-from-1password-com-to-unencrypted-passwords)

~~~
eridius
I'm confused as to what the security issue is here.

> _Limiting the access of unencrypted passwords to only properly setup 1PW
> applications would seem to eliminate the possible (probable?) web based
> attack vector to a 1password.com account._

This doesn't make sense. What's a "properly setup 1PW application"? Presumably
that's an instance of 1Password that has been given both the master password
and account key for the account. But when you use the web-based portal, you
have to give it, yep, the master password and account key.

Anyone who is able to access the passwords using the web portal _can already_
set up a local instance of the 1PW application that syncs with the same
account.

Ultimately, asking to "disable browser access" is basically the same thing as
asking to "disable the syncing API", which would obviously defeat the entire
point of having the family account.

~~~
rrdharan
Right - I don't want 1Password to handle syncing and I don't want Dropbox
handling / offering decryption of the encrypted store.

I trust the local 1Password apps enough to supply them my master password to
unlock vaults locally.

I trust Dropbox enough to not sync the encrypted store somewhere I don't want
it ending up.

It's a separation of concerns argument. I likely won't hold up to any targeted
attack on my personal property given how careless I am with local devices but
I should be somewhat protected against your typical dragnet / mass attack
against either service remotely.

------
CiPHPerCoder
I'm surprised there was no mention of recent security audits.

BitWarden just famously had one.

~~~
tptacek
Many of these have had audits, not just this Bitwarden audit. There are some
disquieting things in that audit, for what it's worth.

I don't understand how this information is actionable. It would be worth
knowing whether something has _ever_ been audited (again: most of the major
password managers have been), but just knowing an audit has been done isn't
sufficient to know whether it's secure.

~~~
beatgammit
Sure, but if it has been audited, it's more likely that security issues were
found and resolved than if it hasn't gone through one.

Our company went through an audit and did quite well, and we fixed most of the
findings. However, I know for a fact that there are things we can do to
improve that weren't covered.

Not all audits are created equal, no audit will catch everything, and there's
no guarantee that findings were patched sufficiently. However, I feel much
better knowing that an audit was done, which means the author cares at least
somewhat about security.

~~~
tptacek
I think Scott knows that most of these other password managers have been
audited, and I _know_ he knows audits are of varying quality and are virtually
never conclusive, so I'm not sure what he's trying to say by pointing
Bitwarden's audit out.

~~~
CiPHPerCoder
I thought the checklist was aiming to be _comprehensive_ and that the omission
of the audits was an oversight.

The one for bitwarden being, as you said, disquieting, makes its omission a
little suspicious.

~~~
jik
We didn't use the word "comprehensive", "complete", or "thorough", and
obviously we didn't include every password manager in our evaluation, so I'm
not sure what reason you have to believe that we were aiming to be
"comprehensive."

We were aiming to evaluate the features / issues we care about against the
password managers we were most likely to want to use. We published the results
of our evaluation because we thought it might be useful to some people, not
because we thought or intended for it to be all things to all people.

We didn't include security audits in our evaluation because we are skeptical
of their value and do not consider them a significant differentiator.

For example, in our experience trying to keep our own application secure, our
HackerOne bug-bounty program has identified far more issues than the white-box
security audits we've commissioned, at far lower cost.

------
codesuki
Question about bitwarden: I found this issue saying there are no tests.
[https://github.com/bitwarden/core/issues/399](https://github.com/bitwarden/core/issues/399)

Also in the comments here someone said there are no tests. Does anyone have
any info about that? I am interested in the software but no tests would be
worrying. (Had no time to browse the code yet.)

------
tejado
As I want to protect all my passwords offline at one place but have them also
available mobile, I developed Authorizer.

It is an Android password manager based on PasswdSafe with USB HID keyboard
support to enter passwords automatically on any device. Also stores TOTP/HOTP.

The idea is to have a complete offline device (hardened android without
network stack/always flight mode on, baseband overwritten, ...).

[https://github.com/tejado/Authorizer](https://github.com/tejado/Authorizer)

------
scndthe2nd
This SAAS bias is untenable. "Use a big target" they say. "Store them with a
big company" they say. "Give your data to someone, let them worry about it"
they say. Meanwhile, breach after breach tells us that regardless of security,
the likelihood of successful attack comes closer and closer to 1 as the size
and exposure increases.

It's likely that these services have already been zerodayed, and we're just
waiting for the shell to drop on an upswing.

~~~
ozim
Keep in mind the whole evaluation was from a company perspective. What those
services are solving is company employees slacking passwords around, sending
those via emails and using generic passwords like 'CompanyName123' or
'CompanyName!!!'.

Personally I am also not going to use cloud based solution.

------
VectorLock
I like the functionality comparison but I'm really curious how they stack up
to each other security wise.

~~~
tmikaeld
Bitwarden recently completed a 3rd party Audit[1] and Bitwarden is the only
one to be completely open source[2] (server and client).

[1] [https://blog.bitwarden.com/bitwarden-completes-third-party-s...](https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33)
[2] [https://github.com/bitwarden/](https://github.com/bitwarden/)

~~~
woolvalley
It also has pretty much zero automated (unit, integration, etc) tests as of a
few weeks ago.

~~~
jopsen
But you only know that because you can see the source.

------
Kiro
I'm using Chrome's built-in password manager. What are the drawbacks besides
it being Google?

~~~
Wowfunhappy
You're forever locked into Google Chrome!

I realize this is becoming an increasingly minor problem in the modern world,
but it still bothers me. I don't know what future situations I'll find myself
in, and I don't want to be locked out of all my accounts.

• What if a new browser comes out that's actually better than Chrome? (I don't
want to admit to myself how unlikely this actually is.)

• What happens if I'm using a Windows 10 S device, or a locked-down library
computer, or a Wii U, or some other weird gadget with a non-Chrome browser?

~~~
quicklime
I recently started using Firefox again, and getting my passwords out of
Chrome was by far the most difficult part of the process for me. A few things
I learned:

Chrome has a feature to export passwords to a CSV file, but I had to enable it
via a chrome:flag, so who knows if/when support for this will disappear. This
created a bit of a sense of urgency for me, as Google aggressively removes
features that they don't want to support.

My employer MITMs all web traffic, so I would never log into my Google account
from work. They also have a ridiculously strict password change policy (every
3 months). But having a password manager on my phone lets me store passwords
for my various work-related accounts somewhere, which makes each password
change fairly easy, and also lets me log into certain work-related apps/sites
(e.g. Slack) from home.

If you have multiple accounts on a single website, it's a bit easier to do in
a password manager (at least Keepass or Bitwarden).

Chrome is a web browser, so it only remembers passwords to websites. If you
have passwords that don't map to a website (e.g. hard drive encryption
password, a pgp/ssh key, a wifi password), it's a bit easier to do in a
password manager.

Some password managers have OTP generators built-in, which can be convenient.

~~~
yoklov
Does firefox not import passwords from chrome as part of the profile import?
It's... certainly supposed to.

EDIT: Oh, you probably didn't mean getting them out and into firefox, you
probably wanted to use something different to avoid the same issue (but with
firefox) if you switch browsers again in the future.

~~~
quicklime
Actually, at the time, I would've been perfectly happy to have just imported
the passwords into Firefox!

But I don't think it is able to import them, at least not on my machine. I'm
using the latest Chromium/Firefox on the latest Ubuntu, and I just had another
look. When I select the option to import data from another browser, I get a
dialog that says:

Import Preferences, Bookmarks, History, Passwords and other data from:
Chromium

When I select Chromium, I see a list of things I can import:

Select which items to import: [x] Cookies [x] Browsing History

For some reason, "Passwords" does not appear in the list, and when I browse to
a site in Firefox, it doesn't use the password that Chromium had stored.

Maybe this is an OS-dependent thing?

------
Wowfunhappy
One feature I didn't see mentioned—LastPass has a Bookmarklet that can be used
in lieu of a proper extension. This means that if I ever decide to start using
a random niche web browser, I won't have to start copying and pasting from a
web vault in order to log in to sites.

The freedom to do this is important to me regardless of whether I ever
actually use it.

------
xte
My personal password manager: GNUPG-encrypted text file (org-mode). No extra
fuss.

Reason? I have too much code to look/trust to add more and I do not keep log-
in anywhere during my day, I do my best to avoid web-(cr)app as much as I can
and try to live asynchronously connected via Emacs, being capable of operating as
much as I can offline...

------
Avery3R
No keepass? Disappointed.

~~~
com2kid
The one issue I had with Keepass is that on iOS (and this is Apple's fault!)
it is not possible to choose different cloud storage providers to keep the
password database file on.

This silly thing alone would preclude me ever buying an iOS device! (My wife
ran into it when I tried to get her up and running with Keepass, she gave
up...)

I love keepass's simplicity, no browser plugins with pop up dialog boxes or
UIs that conflict with the browser's own password management, just, a list of
accounts and passwords.

~~~
asutekku
It’s not Apple’s fault as it’s possible to change the cloud storage to store
your password with 1Password for iOS.

------
beat
Has anyone gone through the process of switching? I use Keeper for personal
stuff, and I suppose there's always the chance to switch if one turns out to
be technically or politically much superior, but there are dozens and dozens
of passwords in there to transfer...

~~~
Reedx
I switched from LastPass to 1Password. It was a quick and simple export ->
import process.

~~~
fokinsean
As a current LastPass user, what prompted you to switch?

~~~
CharlesW
Not the person you asked, but I also switched from LastPass to 1Password. The
reasons were (1) 1Password's more integrated/more convenient 2FA support, and
(2) AgileBits seems to care more about design.

------
sakisv
I only found out about Bitwarden a few weeks ago and it got me to change from
KeepassXC and I'm overall very happy with the change.

The main selling points for me were that it's open source and they allow you
to host it yourself.

Apart from these, I really enjoy the browser addons which don't require any
jumping through hoops[1] and that they provide their own Android client and
you don't have to play Play Store Columbus to find a decent one. It can also
be used as an autofill service which allows it to interact with other apps
which is incredibly useful.

But because nothing in this world is perfect, the downsides so far are:

1. Lack of shortcuts to copy only the username or only the password and
forcing me to reach for the mouse. That's really annoying.

2. With KeepassXC you could have a keyfile that was necessary to unlock
your database while Bitwarden doesn't have that option. They do provide 2FA[2]
but only TOTP and email for the free version (although $10/year for the
premium subscription, arguably, is not much).

1: [https://keepassxc.org/docs/keepassxc-browser-migration/](https://keepassxc.org/docs/keepassxc-browser-migration/)
2: [https://help.bitwarden.com/article/setup-two-step-login/](https://help.bitwarden.com/article/setup-two-step-login/)

~~~
ekianjo
> The main selling points for me were that it's open source and they allow you
> to host it yourself.

KeepassXC is open source too. And it does not require hosting. You can simply
store your db onto a synced folder between devices and that's about the same
anyway.

As for your comment regarding browser addons, I am not sure what "hoops" you
are referring to. I installed the browser addons for KeePassXC and it took 5
minutes to setup and I have had no issue since. And the link you refer to is
pretty self explanatory. Maybe Bitwarden makes that even more simple, but it's
not that KeePassXC is utterly complex in the first place either.

On Android, KeePassDX is a good client that works with KeePassXC databases.

~~~
sakisv
You are right about the synced folder, and that's pretty much the approach
that I was using. But I was keeping my DB in one provider and my keyfile in
another, which means that I had to remember (or have otherwise access to) a
total of 3 passwords to unlock my db. It worked, but when I recently had to
change phones two times in a period of a few days it was increasingly
annoying. Of course I could have kept my keyfile and the DB in the same
provider, but still that's one password too many for me.

Thanks for the recommendation for KeePassDX, I will take a look.

------
rollinDyno
I've been using masterpassword [1] which is stateless and requires no sync. I
wonder what the HN crowd thinks of its features. Another option with the same
paradigm is lesspass [2].

1. [https://masterpassword.app/](https://masterpassword.app/)
2. [https://lesspass.com/#/](https://lesspass.com/#/)

~~~
sdfjkl
There's a few issues with the master password derived password system,
including:

What if you need to change your password for a site to a different one?

What if the site changes its URL?

~~~
bdibs
There's a counter on Master Password, so if the password expires or you need
to change it, you just +1 and it's new.

They also have settings depending on password requirements (no special
characters, etc.).

I'm unsure what the URL really has to do with it, you could just generate a
new password for the new URL and change it.

~~~
loeg
Sometimes different URLs share credentials (LDAP). Changing isn't necessarily
an option?

~~~
bdibs
I guess in a situation like that you'd just choose the base URL you'd remember
best.
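
The stateless scheme discussed in this sub-thread (a site password derived from a master secret, a site name, a counter and a character template), as an added sketch that is not part of any comment and is not Master Password's or LessPass's actual algorithm. The KDF parameters, templates, function names and sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Character classes a template letter stands for (constructed for this example).
CLASSES = {
    "A": string.ascii_uppercase,
    "a": string.ascii_lowercase,
    "n": string.digits,
    "s": "!#$%&*+-=?@_",
}
DEFAULT_TEMPLATE = "Aaaanaaaasaaaan"     # 15 characters, all four classes
NO_SYMBOLS_TEMPLATE = "Aaaanaaaanaaaan"  # for sites that reject special characters


def master_key(master_password: str, identity: str) -> bytes:
    """Stretch the master password once; the identity (e.g. a user name) is the salt."""
    return hashlib.scrypt(
        master_password.encode(), salt=identity.encode(),
        n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32,
    )


def _byte_stream(key: bytes, message: bytes):
    """Endless pseudo-random bytes: HMAC-SHA256 in counter mode over the message."""
    block = 0
    while True:
        yield from hmac.new(key, message + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def site_password(key: bytes, site: str, counter: int = 1,
                  template: str = DEFAULT_TEMPLATE) -> str:
    """Derive a password from (key, site, counter); nothing is stored anywhere."""
    site = site.strip().lower()
    # Length-prefix the site name so ("a", 11) and ("a:1", 1) cannot collide.
    message = f"{len(site)}:{site}:{counter}".encode()
    stream = _byte_stream(key, message)
    out = []
    for letter in template:
        alphabet = CLASSES[letter]
        limit = 256 - 256 % len(alphabet)  # rejection sampling avoids modulo bias
        for byte in stream:
            if byte < limit:
                out.append(alphabet[byte % len(alphabet)])
                break
    return "".join(out)


def demo() -> dict:
    key = master_key("correct horse battery staple", "alice")  # constructed inputs
    return {
        # Same inputs always give the same password, so there is nothing to sync.
        "initial": site_password(key, "example.com"),
        # Forced password change: bump the counter.
        "rotated": site_password(key, "example.com", counter=2),
        # A changed or different host name is a different input, hence a new password.
        "renamed": site_password(key, "login.example.com"),
        # Site policy without special characters: switch template.
        "no_symbols": site_password(key, "example.com", template=NO_SYMBOLS_TEMPLATE),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>10}: {value}")
```

The counter and template chosen per site are themselves state that has to be remembered or kept somewhere, and services that share one credential across several URLs need one agreed site name.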

------
jiveturkey
i find it hilarious, hilarious i tell you, that he felt the need to put a
quasi-legal disclaimer at the bottom of his _medium post_. i suppose it is
demanded by the field he is in (investment banking) but it just strikes me as
nonsense.

too bad the article is quite thin.

------
JJseiko
If someone is still looking for a good one, I use Keepass and can very much
recommend it.

------
banku_brougham
I was using dashlane for a while. The features were great, but one thing
really bothered me:

On macOS every time I opened safari it launched a dashlane.com page reminding
me to install the plugin. I did not want the plugin, and after much googling
never was able to prevent this behavior. I had to uninstall it.

Switched to KeepassXC, it's good.

------
w8rbt
Here's a plug for DPG (zero storage password manager). I wrote it years ago
and it meets my needs well.

[https://github.com/w8rbt/dpg](https://github.com/w8rbt/dpg)

------
ape4
[https://pwsafe.org/](https://pwsafe.org/) by Bruce Schneier

------
fosco
anyone use passbolt[0]?

interested to know your experience good/bad/etc...I am considering installing
on a vm at home to use for family.

[0] [https://www.passbolt.com/](https://www.passbolt.com/)

------
the_duke
A comparison matrix would help.

~~~
VectorLock
Does the one further down on the page hosted on JSFiddle count?

------
CompuHacker
_we decided that Bitwarden is the best choice for our company, and we’ve begun
the process of migrating from LastPass to Bitwarden._

    
    
      whois lastpass.com
      LogMeIn, Inc.
      whois bitwarden.com
      WhoisGuard, Inc.

~~~
gregmac
What is your point?

~~~
CompuHacker
WHOIS Privacy on the website wasn't a consideration on the table the company
used. Maybe it's not important in 2018, or is enabled by default, or an
oversight, or they're using the spam filtering. But:

 _It’s at the bottom of the page._

So why the discrepancy?

