
Any password manager recommendations such that people don't need to deal with 1Password's cloud-based storage?

I use KeePass to store my passwords plus other sensible data. It's multiplatform and I can have access to my passwords file on macOS using MacPass, on Linux and Windows using KeePassX, and on Android using KeePass2Android.

I use Dropbox to sync the file through multiple computers including my Android phone. I don't fully trust Dropbox for sensible stuff, but since the passwords file is encrypted by KeePass, I consider that if Dropbox ever gets compromised, they won't be able to access the contents of the file right away without a lot of work.

The passwords file uses a long password, one of the few passwords I still have to remember, plus I use a keyfile for encrypting the file. That file is not allowed to be uploaded to the cloud. I have a copy of the keyfile in my laptop, another one on my Android phone, and another one on a Veracrypt partition in my thumb drive.

It is not a perfect setup, because I still have a few issues that I haven't considered, such as how should I proceed if my phone or laptop bag ever get lost or stolen; but it's convenient for me at this moment.
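Why the key file matters in the setup above: KeePass 2.x folds the master password and the key file into one composite key, so someone who only obtains the synced .kdbx file still lacks 256 bits of key material. The following is an added illustration of that derivation, not code from KeePass or from the poster; it omits KeePass's XML key-file variants and the later AES-KDF/Argon2 transform.

```python
import hashlib
import re
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """32-byte contribution of a KeePass 2.x key file to the composite key.

    KeePass rules: exactly 32 bytes -> used verbatim; exactly 64 hex characters
    -> decoded; any other content -> SHA-256 of the whole file. The XML key-file
    formats KeePass also accepts are deliberately left out of this example.
    """
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """KeePass 2.x composite key: SHA-256 over the concatenated per-source keys.

    The password source contributes SHA-256(UTF-8 password); the key file
    contributes keyfile_key(). KeePass then runs the database's key transform
    (AES-KDF or Argon2) on this value, which is not reproduced here.
    """
    raw = b""
    if password is not None:
        raw += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        raw += keyfile_key(keyfile)
    return hashlib.sha256(raw).digest()


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    sample_keyfile = bytes(range(32))  # a raw 32-byte key file
    print("with key file:   ", composite_key(master, sample_keyfile).hex())
    print("without key file:", composite_key(master, None).hex())
```

A copy of the database without the key file therefore gives an attacker nothing to brute-force but a 256-bit unknown on top of the password, which is the property the poster relies on when syncing through Dropbox.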

This is exactly what I've done for years. The only difference is that I'm so paranoid about losing my keyfile (and with it all my passwords) that I also put it on the cloud -- just not on the same cloud provider as the KeePass database.

Copy it to thumb drive and put in a bank deposit box as a backup. You can then do away with having your key in the cloud.


command-line, encrypts passwords with gpg, synchronises using git and by default only copies the password to the clipboard and automatically wipes the clipboard after a minute

This is what I've used for quite a while. It's not the fanciest, but it is simple and easy to use.

For backup, I use duplicity to encrypt my .password-store and all other private files. I have it spit the output to my dropbox folder so it syncs automatically.

This keeps what sites I have passwords for hidden from the outside world.

I've looked a little into keeping the entire .password-store folder encrypted locally until I try to use it, but I guess I'm not paranoid enough for the hassle.

Last time I checked this it would store metadata about the passwords in plain text (file and directory names). Did that get fixed yet?

This "issue" has been fixed with the pass extension 'pass-tomb', which keeps the whole tree of passwords encrypted inside a tomb.

See https://github.com/roddhjav/pass-tomb

I really enjoy LastPass -- haven't used any others though. Your passwords are encrypted locally so even if their servers are compromised your data is safe.

I recall seeing some domain-hashing solution on hackernews some months back, and built https://gist.githubusercontent.com/bradbeattie/c688e567e8564... in response. It's been working pretty well for me.

    $ ./pgen.py foobar.com foobar.net foobar.org
                    foobar.com: Aa0$d8~04h4W}Oj-MWA5  Aa0$eaxxF4XzaDaOnx5o
                    foobar.net: Aa0$q;7uc=@(4nSS5PIF  Aa0$pG5+6ekXTONYJXrE
                    foobar.org: Aa0$%YY$Dle*&(egUuL1  Aa0$y4AhSpO64xF+Aa/l
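The gist itself is not reproduced here. As an added example of the domain-hashing idea (my code, not the gist's), the derivation below binds a master secret to a canonical domain through scrypt, so a single leaked site password does not cheaply reveal the master secret, and prefixes a fixed "Aa0$" to satisfy common complexity rules; the second column is simply the same derivation with counter 1, which is how a single site's password can be rotated. The canonicalisation rules and the counter are this example's own choices.

```python
import base64
import hashlib

# Fixed prefix so the result always has an upper, a lower, a digit and a symbol.
PREFIX = "Aa0$"


def canonical_domain(host: str) -> str:
    """Normalise the site label so 'WWW.Foobar.com.' and 'foobar.com' agree."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master: str, host: str, counter: int = 0, length: int = 16) -> str:
    """Derive a per-site password from the master secret and the canonical domain.

    scrypt (memory-hard, about 16 MiB with these parameters) instead of a plain
    hash: if one site password leaks, guessing the master secret from it stays
    expensive. The counter lets one site be rotated without touching the others.
    """
    domain = canonical_domain(host)
    salt = f"{domain}\x00{counter}".encode("utf-8")  # domain and counter bound into the salt
    key = hashlib.scrypt(master.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    body = base64.b64encode(key).decode("ascii").rstrip("=")[:length]
    return PREFIX + body


if __name__ == "__main__":
    # Constructed sample master secret; never use a real one in a demo.
    master = "correct horse battery staple"
    for host in ("foobar.com", "foobar.net", "foobar.org"):
        print(f"{host:>20}: {site_password(master, host)}  {site_password(master, host, counter=1)}")
```

The trade-off such schemes share: every derived password is a function of one secret, so the master secret must itself be long, and a site that forbids the prefix characters or needs a different length has to be special-cased.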

I recently switched from 1password to Enpass and have been very happy. If you want to use more than 20 passwords on their mobile app it will cost you a one time fee of $9.99 per platform. Very reasonable in my opinion. https://www.enpass.io

Enpass works the best for me as well.

I use Mac for work and Windows/Ubuntu at home. Enpass is the only solution I found that works for all three OS perfectly.

After evaluating pretty much all free and non-free alternatives to 1Password, I eventually switched to Enpass as well.

I'm happy with PasswordSafe. It's very oldskool, you'll have to run it under Wine on MacOS and Linux, and you'll have to do your own syncing (I just use Dropbox, but want to switch to Owncloud some time).


Just curious, is there a reason why you decided to design your own storage format instead of reusing kdbx4?

Thanks for the question. Frankly, at the time, I was under the impression that KeePass was a quite powerful and thus complex beast. I wanted something simple with just the data I needed saved (i.e. app name, username and password, nothing more), so I went ahead and created the new format.

It was actually interesting to work on a new file format. The version 1 was not formally versioned. I realised that for the version 2, I would need to add a version number to the file format. Of course, the world doesn't care about any of that, but I learned something doing it and am happy about that.

I can definitely understand the simplicity argument; it is a much lower barrier to just throw something together than to start reading some spec that has a lot more stuff than what you need.

Designing things yourself is enjoyable and educational, so that is also a good reason.

The flipside here is that the KeePass format has passed quite a lot of scrutiny over time, so the design should be pretty decent at this point (especially from a security perspective). All that complexity that might feel overwhelming at the beginning also gives you room to grow over time.

As long as your code is well architected and your feature set somewhat conservative, switching out the storage layer shouldn't be too difficult if you ever change your mind. So from that perspective it makes sense to keep going with your own format as long as you feel like it, and focus on more important things.

I really wish folks would just use kdbx4 as a standard. Or any other format, I just want portability.

I think there are better ways to have portability. Pass [1] handles this nicely with import-scripts. Unfortunately, it seems like it can import into pass, not into any other password managers.

[1] https://www.passwordstore.org/
