Also, AgileBits has 80 employees now!? Wow, I guess that subscription model really is paying off for them. :/
Off-topic: The author, "jcs", is also an OpenBSD developer and the guy behind "Pushover" ("receive unlimited push notifications on all of your devices") which is an awesome service some HN'ers might be interested in.
(No affiliation, just a very happy user.)
Edit: Somewhat related... for the LastPass users who are terminal junkies, like me, you might like "lastpass-cli". I actually use it in place of the LastPass browser extension, along with several shell aliases:
alias lpl='lpass login firstname.lastname@example.org'
alias lpls='lpass ls'
alias lppw='lpass show -G --password --clip'
alias lpsh='lpass show -G'
alias lpst='lpass status'
I use it on both Windows and Linux, synced via Dropbox.
Personally I use Keepass2Android on Android. It's quick and has a nice interface.
It uses git for storage so you can host a private instance as easily as you can host a git repo.
Also the reference got re-used and overwritten for lastpass-cli. The corrected reference is below.
It's a cheap and easy service that you'd use anywhere where "then send an SMS" would be your reaction - it's like an SMS but without the cost and/or length restrictions.
Personally it's a perfect combination of security and convenience. The design is incredibly simple, if all these apps fail I can just use gpg to decrypt secrets.
The only downside is that filenames are stored unencrypted in the git repository, so Bitbucket can see what sites I use but can't see usernames or passwords (obviously).
There's an extension to fix that:
I was wondering if anyone has more details about how setting up and using a hardware key like the Yubikey in conjunction with Pass works?
edit: removed a redundant part that parent already mentioned
Find a guide on using Yubikey with gpg (such as this one) and if you configure it, it will work seamlessly.
Enabling touch-to-decrypt can also reduce the risk of decrypting stuff without you noticing.
When I've looked, Bitwarden had an official (beta/experimental) self-hosted option, but it required MS SQL Server, whose memory and architecture requirements made me uncomfortable. Now there's an alternative implementation, I guess I'll need to take a look. Client software looked nice (well, or maybe I just want some changes, huh) so it makes sense to try.
> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at bitwarden can read your data, even if we wanted to.
I wish all these password manager companies would stop telling this lie. Your passwords may be encrypted on their servers, but since they provide the clients, an attacker only needs to slip in a single commit to any of the clients' source code repositories. In less than 10 lines of code, one could decrypt every single password locally on the device and then ship the payload out to an external API.
All it takes is a single disgruntled employee. Or one of these companies to be coerced by government to backdoor the clients. Or a third party attacker to social engineer their way to having write access to the source code repositories.
Unlike the popular proprietary options, at least bitwarden has an open source option. This means you could audit it yourself, and compile the software for your personal use. Of course, you have to audit every update to make sure you're not pulling compromised changes.
tldr; No password manager provided by a 3rd party company is ever completely safe to use. You're trusting that company to never betray you. Do they monitor their source code to the point where every single write operation is explicitly approved by world-class security experts? Probably not.
I use an alias like this to easily copy a password onto the clipboard:
alias lclip='lpass show --password --clip'
(I'm a happy user of the Firefox extension although I'm considering moving to bitwarden.)
FWIW, I'm pretty happy with my personal passwords being managed by the 1Password for Mac desktop client.
I'd love to see an easily self hosted version of this.
Apple really should just make their own and be done with it. Few apps really cry out for Apple, but this is one of them.
A few things about bitwarden I would love to see improved:
- A stand-alone Windows desktop app. Somewhat annoying to have to open up Firefox every time I want a password. Also, I would love to have a persistent window to Bitwarden.
- iOS app is not polished. Browser extension works flawlessly, however.
- I would love to be able to search item entries that are not of that specific domain on the iOS extension. Sometimes, I have other info in secured notes or password entries without a domain that I want to get to from the extension. In these cases, I've had to leave the browser and open the actual app to get access to them.
If your computer were a city, the web browser would be the high crime area. I may have my valuables in a locked safe, but it's a little bit self-defeating to carry that safe with me in the places where I'm most likely to be mugged.
On the other hand a website should not be able to get at any password stored in (or pasted into) the browser except its own.
Edit: Spent 30 seconds to troubleshoot. If I disable uBlock Origin and then login to LastPass (extension), it works fine. So just a small conflict somewhere. YMMV.
It's flexible and there are many storage options so just don't use Dropbox, if you don't trust it as well. Install Syncthing. Or just use any SFTP-capable SSH server you have and can trust to hold the encrypted data. Or enable password-protected WebDAV under some path on any of your nginx or Apache servers. Or set up Nextcloud.
If you use KeepassXC, it would be a little noisy about the lock files. I heard the plan is to just remove those (and always merge on save) as they don't serve their purpose well. Same as with Dropbox, though.
It could also be certificate-protected, but software support may vary.
1) They can't read your data.
2) They can see your favicons, but users like this feature. In Bitwarden, you can disable it.
3) Furthermore, Bitwarden is completely open source and you can decide on which cloud or server you want to host. Although using a good password is much more important.
Because in principle the files on Dropbox could just be dumped on the open internet -- Dropbox never sees anything unencrypted. There is a lot more trust in a single tool.
LastPass says the same thing
EDIT: No, I'm wrong. I was thinking in terms of login credentials (which neither are able to see); but LastPass does look at the URLs associated with your credentials so they can pull favicons.
This is open source, has browser plugins, and supports 2FA. And it’s less than 1/3 the price of the 1PW subscription.
Thanks for sharing.
The only complaint I have is it appears the FIDO support is limited in Firefox, but I believe that's a Firefox issue based on what I've seen in other applications.
I'm grandfathered in to their one time pay use and I have an Agilekeychain so my perspective is only of that, however, I like 1Password because I only have to sync it with dropbox. The iOS 1Password allows me to store TOTP secrets and generate them on the fly /and/ I can access my vault from inside python which allows me to access my secrets and generate one time keys from a basic python script. (either via subshell substitution for commandline things or a 10 second clipboard replacement)
I looked for an alternative before, lastpass was one of the options but it felt janky and did not support TOTP.
I've not tried bitwarden, but from what I can see it's basically doing the same thing in terms of 1Password and its lockin.
If anyone is interested in mucking around with my python scripts that interact with my vault, I am happy to give them out- they're quite ugly though.
I recently swapped from LastPass to Bitwarden because the LastPass subscription went from 12 USD/year to 24 USD/year (a 100% price increase) without reason or benefits. Or well, the only reason is that Marvasol got acquired by LogMeIn. However compared to 1Password that's still cheaper; they cost 3 USD/month (36 USD/year).
Bitwarden is completely open source and free, unless you'd like to use premium features such as YubiKey (single use license cost 10 USD/year). Which I happen to use. Furthermore, there are more 2FA options available, and you can self-host.
> I'm grandfathered in to their one time pay use
Yeah, that explains your post. You bought a lifetime subscription and therefore don't feel the need to switch. Likewise, I got a lifetime subscription for Emby, so why would I care for Plex?
Ah, I'd missed that price increase since my renewal was a couple months before it, but I saw that "jack the price" from Logmein in 2015 and I'm pretty sure it wasn't a one time jump. Cost them a bunch of users in a community I'm on where people were seeing their prices go from $300/year to several thousand for no improvements because they wanted to focus more on the more profitable enterprise area.
Guess I should start looking at options now so I'm not doing so with a looming deadline (and probably another price increase to at least match the 1Password subscription price).
Bitwarden is programmed by a "Microsoftie" (that used to be more of a problem back in the 00s and 90s than it is in the 10s). It's programmed in .NET, they host at Azure, and they use MS-SQL for data storage. But that's about the only negative thing I got against it. Because you don't have to store in the cloud (and you can even run the Ruby code native on *NIX now).
Ideally I'd prefer to have, say, GPGed databases of my passwords and my calendar on one or two clouds (like say Google Drive; 15 GB should be enough) and have seamless integration with Android, iOS, macOS, Linux, Windows, but that isn't feasible. You'll end up with a browser extension because it is practical.
I could be wrong of course, but there are quite a few of us I think. With my version of 1Password I feel quite in control though. (Even if the business is moving away from freedom)
Even offline software needs to be maintained. The author is preemptively moving away from 1Password since they're actively pushing their subscription business, and he's unsure how long his lifetime app purchase will remain working. The author is involved in Pushover (a Pushbullet alternative) which uses the (traditional) lifetime app model as well. So he understands the disadvantages of the model.
A few months ago I moved preemptively away from LastPass because my sub was running out end of Nov 2017 and as announced the price was going up by 100%, which I found unreasonable. Also a preemptive decision since I had to pay for two services for a few months, but I didn't know if my transition to Bitwarden would be flawless. Turns out it was pretty much flawless (partly because of the open data format from LastPass, CSV), but I didn't go with self-hosting. The author did go with self-hosting but didn't wanna self-host .NET and MS-SQL, which is fair enough. So they wrote their own server in Ruby.
Browser plugins can have issues, but they also improve security by only allowing you to enter the password when the legitimate domain is requesting it. With the copy-paste approach you might enter the password into some phishing site (obviously browser plugins can introduce their own security issues, so this is a trade-off).
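The domain check the comment above credits browser plugins with is worth seeing in code, because the naive version of it is exactly what a hand-rolled clipboard workflow (or a careless extension) gets wrong. The following is an added example, not code from any password manager discussed here: it compares a substring-style host check against a check on the registrable domain plus the scheme. The PUBLIC_SUFFIXES set is a deliberately tiny constructed stand-in for the real Public Suffix List, and the URLs are constructed sample values.

```python
from typing import Optional, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# A real client must load the full list; this is only enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of a hostname (e.g. 'accounts.example.com' -> 'example.com'),
    or None when the host is itself a public suffix or has no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the last label so the longest
    # listed suffix wins ('co.uk' is found before 'uk' would be).
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host IS a public suffix; no registrable part
            return ".".join(labels[i - 1:])
    return None


def naive_matches(stored_url: str, page_url: str) -> bool:
    """The check a quick script tends to make: is the stored host a substring
    of the page URL?  'accounts.example.com.evil.test' passes this test."""
    host = urlsplit(stored_url).hostname or ""
    return host in page_url


def autofill_allowed(stored_url: str, page_url: str) -> bool:
    """The check a careful client makes: same registrable domain AND the page
    is served over HTTPS, so a look-alike host or a downgraded page gets nothing."""
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    if page.scheme != "https":
        return False
    stored_domain = registrable_domain(stored.hostname or "")
    page_domain = registrable_domain(page.hostname or "")
    return stored_domain is not None and stored_domain == page_domain


# Constructed sample: one saved credential and a few pages that ask for it.
STORED_ENTRY = "https://accounts.example.com/login"
CANDIDATE_PAGES = [
    "https://accounts.example.com/login",          # the real site
    "https://www.example.com/signin",              # sibling host, same domain
    "https://accounts.example.com.evil.test/login",  # look-alike host
    "http://accounts.example.com/login",           # right host, plaintext page
]


def compare_checks(stored_url: str = STORED_ENTRY,
                   pages: List[str] = CANDIDATE_PAGES) -> List[Tuple[str, bool, bool]]:
    """Return (page, naive verdict, strict verdict) for each candidate page."""
    return [(p, naive_matches(stored_url, p), autofill_allowed(stored_url, p))
            for p in pages]


if __name__ == "__main__":
    for page, naive, strict in compare_checks():
        print(f"{page:50s} naive={naive!s:5s} strict={strict}")
```

The two verdicts disagree on exactly the cases that matter: the look-alike host passes the substring check and fails the registrable-domain check, and the plaintext page is refused outright even though the host is right.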
Dedicated applications may take steps to protect the sensitive information in memory, while a normal text editor probably does not do that. With an AES-encrypted file you would need to think through the workflow to make sure the unencrypted contents are not exposed, for example via temporary files. A dedicated application can also automatically lock the contents after some timeout; with text files you need to take care of this manually.
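To make the "auto-lock after a timeout" and "scrub memory" points concrete, here is an added example (not code from any of the password managers in this thread) of the behaviour a dedicated client implements and an editor-plus-gpg workflow does not: decrypted material lives in a mutable buffer, every access refreshes an idle timer, and once the timer expires the buffer is overwritten before the handle reports itself locked. The clock is injectable so the timeout can be exercised without sleeping; the secret and timeout values are constructed for the demo.

```python
import time
from typing import Callable, Optional


class UnlockedVault:
    """Holds decrypted secrets only in a bytearray, which (unlike bytes or str)
    can be overwritten in place when the vault locks."""

    def __init__(self, plaintext: bytes, idle_timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._buf = bytearray(plaintext)   # mutable so lock() can zero it
        self._timeout = idle_timeout       # seconds of inactivity before auto-lock
        self._clock = clock                # injectable for deterministic tests
        self._last_used = clock()
        self._locked = False

    def _idle_expired(self) -> bool:
        return self._clock() - self._last_used >= self._timeout

    def get(self) -> Optional[bytes]:
        """Return the secret, or None (and lock) if the idle timeout has passed.
        Caveat: the returned bytes object is immutable and cannot be scrubbed by
        this code; a native client would hand out a view and wipe it too."""
        if self._locked or self._idle_expired():
            self.lock()
            return None
        self._last_used = self._clock()
        return bytes(self._buf)

    def lock(self) -> None:
        """Overwrite the plaintext buffer, then mark the vault locked."""
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self._locked = True

    def is_locked(self) -> bool:
        return self._locked

    def buffer_is_zeroed(self) -> bool:
        """Lets a test confirm the scrub actually happened."""
        return all(b == 0 for b in self._buf)


def demo_timeout() -> list:
    """Drive the vault with a fake clock: two reads inside the window succeed,
    a read after 30s of inactivity locks the vault and yields nothing."""
    now = [0.0]
    vault = UnlockedVault(b"constructed-demo-secret", idle_timeout=30.0,
                          clock=lambda: now[0])
    events = []
    for t in (0.0, 10.0, 50.0):
        now[0] = t
        events.append((t, vault.get(), vault.is_locked()))
    return events


if __name__ == "__main__":
    for t, secret, locked in demo_timeout():
        print(f"t={t:5.1f}s secret={secret!r} locked={locked}")
```

The last read happens 40 seconds after the previous one, so the vault locks itself and the buffer reads back as zeros; a text file left open in an editor has no equivalent of this and keeps the plaintext on screen and in the editor's buffers (and possibly its swap or backup files) until you close it.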
But there should be no essential differences between the two. In fact since GPG's code is more battle tested than most password managers it might even be more secure, other factors disregarded as you mention.
I would be willing to pay (even subscription) for a nice set of UI clients (Android, iOS, Mac, Linux, Windows), plugins (Chrome, Firefox) that can just work with an encrypted file on ANY cloud or p2p file sync solution (i.e. Resilio Sync).
Unfortunately there seems not to be such a thing that is open source and does not want to lock you in to their infrastructure and services.
I suppose that is what OP meant by 'reliant on microsoft'.
> ... such as pass which stores PGP-encrypted files in a Git repo, but that doesn't improve my situation over 1Password. I would still have to manually look up passwords and copy them to the clipboard. These command-line packages also lack mobile apps and syncing.
This is misleading as there are plenty of clients and extensions for pass (which is also open source)
Part of what works great about it is the TouchID/FaceID integration on both iOS and OSX.
Having broad UI and plugin support with good usability will likely be the key to success.
Truth is, most people are shockingly poor when it comes to security. I'd bet that 80% of computer users just store their password in the built-in browser password managers (without even a Master password set) and be done with it. Even worse, I've come across folks storing their passwords on a plain text file.
For the minority who do want secure password management, there are a plethora of solutions, but nothing is completely integrated and seamless. It's all a mish-mash of standalone desktop programs, browser plugins & extensions, web services, cloud storage and so on, all stitched together ad hoc.
This is doable for those who're familiar with security/encryption and can set it all up, maintain and update it, but utterly a non-starter for an average user or smartphone consumer.
If not, then it seems you need physical access; for most people, once you access their home then you can access enough info to fraudulently use their identity. So being more secure makes little sense for them, which seems logical. Sure, it's increasing the ways an intruder can attack, making a broader attack surface. Once someone has had access to your home, from a security perspective you'd need to consider all that info compromised, unless you carefully use a home safe, I guess.
I use a plaintext file for some credentials. It seems to me less likely to be recovered than using a widespread service. Would you seek out my house on the promise of pocket change (protected only by my doorlocks and one passphrase) or attack a bank?
On the other hand, passwords stored in the browser are vulnerable to a compromise of the browser as well as a system compromise, so that is one additional weakness. I agree that a local system compromise is almost always game over. The same as physical access.
To answer your question, I'm not sure, but IIRC the Lastpass client was compromised more than once. There were also weaknesses in the way Chrome stored passwords, and of course the Firefox credentials file is easily readable without a Master password set.
Is that true without local access, presumably Moz use a key of some sort to encrypt the passwords before uploading and distributing to your other browsers rather than doing all that in the clear?
The misconception here is that setting a master password provides any real security. It isn't much different if you use a master password or not, once you have autofill, you're already compromised in that threat model.
From the point of view of cracking the password file I'd assume that Mozilla use an encryption key for passing the password file around, just that the key is available to anyone who has access to any of your browsers?
- Mainstream GNU/Linux DEs: Gnome Keyring and KDE KWallet (both implement common XDG API)
- Android: Smart Lock Passwords
Neither is interoperable with the other, at least not without external tools (I'm unaware if those exist). I wrote a comment about it the other day: https://news.ycombinator.com/item?id=15697011 (it was about syncing passwords across browsers)
If my interpretation is correct, then I think I need to be the cliche bearer for the XKCD reference: https://xkcd.com/927/
If your interpretation is correct then yeah, Apple has Keychain.
Also, I think I recently got an OS-level 'save password' prompt for something recently on my machine running Win10 Pro v1709... Can anyone confirm or refute this? No clue if this is just a new skin for the existing Credential Manager, something new entirely, or just confusion on my part.
I just now tried Googling for information about this, but I nearly drowned in the sea of links about IE password saving and Edge support for password manager plugins.
For local keychains there is /usr/bin/security, but it does not see iCloud keychains.
- Password export (button) in Chrome (62) is not available
- Importing passwords from Chrome to Firefox works
- Exporting password from Firefox Quantum (57) is not available
Also, what are the disadvantages of the hosted version?
Choose a random static site generator, use/build a lightweight style. Done.