Switching from 1Password to Bitwarden (jcs.org)
298 points by signa11 on Nov 19, 2017 | 124 comments

This is very cool. After going from KeePassX to LastPass to 1Password, I'm back to using (mostly) KeePassX (and occasionally LastPass since $work has LastPass Enterprise). I would very much love to be able to host a private instance that everyone at $work can use and a private one that myself and my family (for example) can use.

Also, AgileBits has 80 employees now!? Wow, I guess that subscription model really is paying off for them. :/

Off-topic: The author, "jcs", is also an OpenBSD developer and the guy behind "Pushover" [0] ("receive unlimited push notifications on all of your devices") which is an awesome service some HN'ers might be interested in.

(No affiliation, just a very happy user.)

Edit: Somewhat related... for the LastPass users who are terminal junkies, like me, you might like "lastpass-cli" [0]. I actually use it in place of the LastPass browser extension, along with several shell aliases:

  alias lp='lpass'
  alias lpl='lpass login user@example.com'
  alias lpls='lpass ls'
  alias lppw='lpass show -G --password --clip'
  alias lpsh='lpass show -G'
  alias lpst='lpass status'
[0]: https://github.com/lastpass/lastpass-cli

You may also want to try KeePassXC. An actively maintained port of KeePassX with some nice quality of life changes.

I use it on both Windows and Linux, synced via Dropbox.


I am an active XC user, been one for about a year, give or take. I like using it and I love that it's FLOSS; just waiting for the browser extension to be usable. It'd be nice to have some way of easily syncing to my phone as well. Outside of that, great app.

It's the same database format, so regular KeePass mobile apps will work just as well if synced through Dropbox or similar.

Personally I use Keepass2Android on Android. It's quick and has a nice interface.


I switched from LastPass to KeePassXC, and I like that I don't have a browser extension anymore. It seems like many of the security vulnerabilities discovered in LastPass were in the browser extension. Plus, the stand-alone app is nice.

You might like pass: https://www.passwordstore.org/

It uses git for storage so you can host a private instance as easily as you can host a git repo.

I'm a big fan ... you can sync between devices by encrypting everything with two or more keys and stashing the file in keybase.io.

Yes, I've seen it (every time we have a related thread here on HN) -- and about every other password manager out there. I like pass and the idea, but it just doesn't fit my use case. Thanks, though.

Thanks for the mention of Pushover [0]. I've been looking for a general notification API. I was going to use Slack but this is even better.

Also the reference got re-used and overwritten for lastpass-cli. The corrected reference is below.

[0]: https://pushover.net/

Oops, sorry! Thanks for posting the correct link.

What are some uses of Pushover? I've been looking for a solution to "sync" my notifications between Linux, iOS, and macOS. Is this it?

Pushover is great for events that are delayed or infrequent - say you have a job running on an AWS server and want to be notified when there is a result, or you want some alert when your traffic reaches (say) 80% of the possible load.

It's a cheap and easy service that you'd use anywhere where "then send an SMS" would be your reaction - it's like an SMS but without the cost and/or length restrictions

I found pass [0] to be extremely useful, especially if one is using OpenPGP (e.g. GPG) already. For desktop there is QTPass [1], for Android Password Store [2]. There is pass-otp [3] for storing TOTP secrets. There is the browserpass extension [4] for Chrome and Firefox. Coupling this with a hardware token such as a Yubikey, one can require PIN and touch input to decode a password. At the same time the password repository can be stored in a private Bitbucket git repository.

Personally it's a perfect combination of security and convenience. The design is incredibly simple, if all these apps fail I can just use gpg to decrypt secrets.

The only downside is that filenames are stored unencrypted in the git repository, so Bitbucket can see what sites I use but can't see usernames or passwords (obviously).

[0]: https://www.fossmint.com/pass-commandline-password-manager-f...

[1]: https://qtpass.org/

[2]: https://play.google.com/store/apps/details?id=com.zeapo.pwds...

[3]: https://github.com/tadfisher/pass-otp

[4]: https://github.com/dannyvankooten/browserpass

+1 for pass. I've been using it on Linux and iOS without a flaw. Using a private git repo to automatically sync between devices. It all works flawlessly.

>The only downside is that filenames are stored unencrypted in git repository so Bitbucket can see what sites do I use but can't see usernames or passwords (obviously).

there's an extension to fix that:


But then won’t compatibility with implementations of pass on other platforms suffer?

Keybase provides free encrypted git repos that even they can't access.

Can't be used on Android (Password Store app uses jgit which doesn't support remote helpers[1]; libgit2 is also not an option at the moment[1][2])

[1] https://github.com/zeapo/Android-Password-Store/issues/344

[2] https://github.com/keybase/client/issues/9458

interesting. First time I heard about pass! Maybe it's a good thing to combine this with encfs (reverse for backup only) or encrypted git from Keybase https://news.ycombinator.com/item?id=15401211

I have been using pass for months now and love it. I use a private git repo to synchronize my passwords to multiple computers of mine (Chromebook and two Macs) plus my iPhone without any major issues and it is completely free.

I was wondering if anyone has more details about setting up and using a hardware key like the Yubikey in conjunction with Pass?

edit: removed a redundant part that parent already mentioned

> I was wondering if anyone has more details about setting up and using a hardware key like the Yubikey in conjunction with Pass?

Find a guide on using Yubikey with gpg (such as this one [0]) and if you configure it it will work seamlessly.

Enabling touch-to-decrypt [1] can also reduce risk of decrypting stuff without you noticing.

[0]: https://www.yubico.com/support/knowledge-base/categories/art...

[1]: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_...

Which one do you use on a Chromebook (I assume on ChromeOS)? Because I've seen only extensions that require installing regular pass so probably on a Linux machine.

That's a good article! The important take here is that Bitwarden Server was re-implemented in Ruby/Sinatra: https://github.com/jcs/bitwarden-ruby with SQLite3 as the database.

When I've looked, Bitwarden had an official (beta/experimental) self-hosted option, but it required MS SQL Server, whose memory and architecture requirements made me uncomfortable. Now that there's an alternative implementation, I guess I'll need to take a look. Client software looked nice (well, or maybe I just want some changes, huh) so it makes sense to try.


From bitwarden's home page[1]:

> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at bitwarden can read your data, even if we wanted to.

I wish all these password manager companies would stop telling this lie. Your passwords may be encrypted on their servers, but since they provide the clients, an attacker only needs to slip in a single commit to any of the clients' source code repositories. In less than 10 lines of code, one could decrypt every single password locally on the device and then ship the payload out to an external API.

All it takes is a single disgruntled employee. Or one of these companies to be coerced by government to backdoor the clients. Or a third party attacker to social engineer their way to having write access to the source code repositories.

bitwarden, like their competition, offers a web-based UI for managing your passwords. If done properly, the decryption of your stored items is performed directly in the browser with javascript - not on the server side. And yet, this web client is another target for attackers to attempt to compromise.

Unlike the popular proprietary options, at least bitwarden has an open source option. This means you could audit it yourself, and compile the software for your personal use. Of course, you have to audit every update to make sure you're not pulling compromised changes.

tldr; No password manager provided by a 3rd party company is ever completely safe to use. You're trusting that company to never betray you. Do they monitor their source code to the point where every single write operation is explicitly approved by world-class security experts? Probably not.

[1] https://bitwarden.com/

LastPass have open-sourced their client, IIRC

I am using 1Password. I used KeePass before and looked into other solutions, like Bitwarden. I am fine with the lock-in, because I don't want to manage the infrastructure to keep my secrets available and secret. Reliably and securely running a solution like Bitwarden is not something I want to spend time on.

IIRC Bitwarden can also host your secrets for you. Self-hosting is just an advanced option you needn't go for.

My approach: Use keepass mainly (here KeepassXC) and do not care about the plugins. For the browser, use the built-in password management in addition for accounts you need frequently (Chrome, Firefox, Safari all have this). With this approach you have a sync to all of your other browsers, e.g. on your smartphone, and the browser vendor takes care of the security of this system.

Using LastPass Enterprise for work, I try to keep its plugin only installed in my fallback browser. I really wish they would make a desktop client... Though, now that LogMeIn owns them I'm more fearful than optimistic with regards to what their next move will be.

Lastpass has a nice official commandline client:


I use an alias like this to easily copy a password onto the clipboard:

alias lclip='lpass show --password --clip'

Lastpass has a Windows desktop client. It's the single most amazingly slow commercial software I have used lately. (It locks itself entirely between each keypress.)

(I'm a happy user of the Firefox extension although I'm considering moving to bitwarden.)

Wow, I feel like a dumb-dumb. I have no clue how I've missed this. Though, from what you say, it sounds like I'm not missing much at all...

FWIW, I'm pretty happy with my personal passwords being managed by the 1Password for Mac desktop client.

Lastpass has a Windows 10 Desktop app.

I agree that Keepass isn't optimal, but what I find to be its main advantage is that you're fully self reliant.

I'd love to see an easily self hosted version of this.

Agreed single machine is exactly why I chose it. I don’t want my key storage app making network calls. Simple export to email would be good enough for backup.

Apple really should just make their own and be done with it. Few apps really cry out for Apple, but this is one of them.

Pretty sure Apple would just point to iCloud Keychain as a solution here, and any deficiency in the security model a facet of the UX

Apple did make their own - iCloud Keychain does most of what most people need from a password manager, and is built into their OSs.

Pleasant Password Server is a Self-Hostable Solution, just expensive and not open source.

My biggest issue with this seems that it only is a password manager. I use 1Password A LOT. And I use it for more than just passwords. I have my banking info in there as well. 1 Click credit card filling is awesome, wish it would work the same for my checking info. Also all of my software keys are stored in there. Until someone adds support for all that I won't consider switching away. I have however upgraded to AgileBits new subscription version it seems. Might not either as I don't wanna pay for it every year.

Bitwarden has secure notes format for this kind of stuff. Although of course, it's nowhere as polished as 1Password.

I was a very happy user of the old pre-subscription 1Password on both macOS and iOS until I upgraded my MBP to a Dell XPS 15. 1Password for Windows was not available unless I signed up for the subscription. I've been using Bitwarden since this past summer and have been very happy with it.

A few things about bitwarden I would love to see improved:

- A stand-alone Windows desktop app. Somewhat annoying to have to open up Firefox every time I want a password. Also, I would love to have a persistent window to Bitwarden.

- iOS app is not polished. Browser extension works flawlessly, however.

- I would love to be able to search item entries that are not of that specific domain on the iOS extension. Sometimes, I have other info in secured notes or password entries without a domain that I want to get to from the extension. In these cases, I've had to leave the browser and open the actual app to get access to them.

I switched to bitwarden when I started using firefox 57 beta and lastpass didn't yet have a webextension version. Now that lastpass does have a webextension version, I haven't bothered switching back.

I use password manager browser extensions... but honestly they make me a little uncomfortable, and I'm slowly migrating away from them.

If your computer were a city, the web browser would be the high crime area. I may have my valuables in a locked safe, but it's a little bit self-defeating to carry that safe with me in the places where I'm most likely to be mugged.

If you have a malicious extension, then under XUL I think it is game over. WebEx probably offers more isolation and/or protection. Also note that a malicious addon can possibly also record passwords that are pasted in manually from a password manager, or auto-typed.

On the other hand a website should not be able to get at any password stored in (or pasted into) the browser except its own.

Exactly the same for me, Bitwarden works great, even on mobile.

Probably just a conflict w/ other extensions or something but, for me, LastPass's "beta" WebExtension quit working after upgrading from FF57 (developer edition) to FF58 (developer edition) on Arch Linux. It worked fine until then, though. It just throws an error saying my list of sites/passwords/whatever can't be downloaded and to try again. Likewise, the newer "non-beta" extension does the same thing.

Edit: Spent 30 seconds to troubleshoot. If I disable uBlock Origin and then login to LastPass (extension), it works fine. So just a small conflict somewhere. YMMV.

Same boat here, happy with the switch to BitWarden. I'm happy to have a mobile app that isn't subscription based and developers that are willing to go after the new (unlike lastpass' disinterest).

this is exactly what happened to me also. now, i have fully migrated to bitwarden on all my browsers.

Why is it a deal-breaker security concern for him to have his passwords stored on 1password servers or LastPass servers but not with Dropbox servers?

I can only speak for myself - I consider it more safe to trust different parties for encryption and storage of data. Keepass doesn't know how to get to my dropbox, dropbox doesn't know how to unlock my keepass file.

Can't speak for OP, but I maintain my standalone 1password app and have resisted upgrading to the subscription version because I already have enough subscriptions in my life and this is not a problem that needs a dedicated service. With the standalone version I am in control of when and how my passwords are synced over the net. The sub service adds little value for me and introduces costs and complications I am not really interested in.

Well, guess because he trusts Dropbox but not 1Password or LastPass. Makes sense as they stand out "passwords are here".

It's flexible and there are many storage options so just don't use Dropbox, if you don't trust it as well. Install Syncthing[1]. Or just use any SFTP-capable SSH server you have and can trust to hold the encrypted data. Or enable password-protected[2] WebDAV under some path on any of your nginx or Apache servers. Or set up Nextcloud.


[1] If you use KeepassXC, it would be a little noisy about the lock files. I heard the plan is to just remove those (and always merge on save) as they don't serve their purpose well. Same as with Dropbox, though.

[2] It could be also certificate-protected, but software support may vary.

For me: Dropbox treats my data as dead text, mostly. The password people want to track what accounts I have, add favicons, all sorts of parsing and storage with expectations—and so opportunity for error.

> The password people want to track what accounts I have, add favicons, all sorts of parsing and storage with expectations—and so opportunity for error.

1) They can't read your data.

2) They can see your favicons, but users like this feature. In Bitwarden, you can disable it.

3) Furthermore, Bitwarden is completely open source and you can decide on which cloud or server you want to host. Although using a good password is much more important.

I do a similar thing.

Because in principle the files on Dropbox could just be dumped on the open internet -- Dropbox never sees anything unencrypted. There is a lot more trust in a single tool.

> Dropbox never sees anything unencrypted

LastPass says the same thing[1]


EDIT: No, I'm wrong. I was thinking in terms of login credentials (which neither are able to see); but LastPass does look at the URLs associated with your credentials so they can pull favicons

A random DropBox isn’t a tempting target to break into, but a security flaw with 1Password might open up the data of tens (hundreds?) of thousands of accounts.

I'm not saying it's a bad idea but this is basically the oft decried security by obscurity (something I often rely on tbh).

I use Password Safe as the manager and OneDrive to share to my other devices.

Wow this actually looks really promising. I’ve used KeePass off and on over the years but always defaulted back to 1Password because of the browser plugins and mobile experience. I even tried Pass but it was just too painful to setup and maintain and I don’t have the know how to get my data out of it if I really commit.

This is open source, has browser plugins, and supports 2FA. And it’s less than 1/3 the price of the 1PW subscription.

Thanks for sharing.

I went ahead and paid the 10 bucks for a subscription and was able to get everything setup with a FIDO U2F YubiKey in under 10 minutes. The 1PIF import was flawless.

The only complaint I have is it appears the FIDO support is limited in Firefox, but I believe that's a Firefox issue based on what I've seen in other applications.

Every site I've tried with U2F in Firefox works great (after enabling it in about:config on FF54)...as long as I spoof the UserAgent to say that it's Chrome.

Interesting. I've seen it work natively on Fastmail, and recently even Google, but the add-on itself wouldn't work in FF57. Maybe it will soon.

Firefox acquired a proper native implementation in 57 and 58, enabled via security.webauth.u2f and security.webauth.webauthn in about:config; I think it might be enabled by default from 58 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=1065729.

The trouble with support for this across services is that Chrome implemented the u2f API in an utterly ridiculous way (via an extension, and you have to hardcode the extension ID and use weird APIs to access it), and then provided as the basis for other services to support it (in a supposedly-compatible way) u2f.js, extracted from a demo. And it is terrible code, clobbering the u2f global in its very first line in a way that indicates that the writer didn’t understand how globals work in JavaScript (`var u2f = window.u2f || {};`, in the global scope), and making IE give weird prompts about chrome-extension: links in an app. At FastMail we made it behave properly, but basically anyone that wants it to work properly will have to go out of their way to figure it out, because the state of documentation of all of this stuff is appalling, and the generally extant code is only slowly getting better. (We got the `u2f-api` node package fixed up, so anything that uses its latest version should work in Firefox.)

I have look into Bitwarden twice now but I am still Dashlane user. However, I can see Bitwarden https://bitwarden.com/ has now family plan. This is great as I want my wife and kids to use password manager but it is quite expensive to buy and manage license for everyone.

10 bucks a year isn't expensive.

Sorry, I meant Dashlane is expensive since there is no family plan. Just individual licenses for everyone. Bitwarden is very appealing.

I'm an avid user of 1password. Although I'm not keen on the new vault format, or the subscription module.. But I guess they need to eat.

I'm grandfathered in to their one time pay use and I have an Agilekeychain so my perspective is only of that, however, I like 1Password because I only have to sync it with dropbox. The iOS 1Password allows me to store TOTP secrets and generate them on the fly /and/ I can access my vault from inside python which allows me to access my secrets and generate one time keys from a basic python script. (either via subshell substitution for commandline things or a 10 second clipboard replacement)

I looked for an alternative before, lastpass was one of the options but it felt janky and did not support TOTP.

I've not tried bitwarden, but from what I can see it's basically doing the same thing in terms of 1Password and its lockin.

If anyone is interested in mucking around with my python scripts that interact with my vault, I am happy to give them out- they're quite ugly though.

> I've not tried bitwarden, but from what I can see it's basically doing the same thing in terms of 1Password and its lockin.

I recently swapped from LastPass to Bitwarden because the LastPass subscription went from 12 USD/year to 24 USD/year (a 100% price increase) without reason or benefits. Or well, the only reason is that Marvasol got acquired by LogMeIn. However compared to 1Password that's still cheaper; they cost 3 USD/month (36 USD/year).

Bitwarden is completely open source and free, unless you'd like to use premium features such as YubiKey (single use license cost 10 USD/year). Which I happen to use. Furthermore, there are more 2FA options available, and you can self-host.

> I'm grandfathered in to their one time pay use

Yeah, that explains your post. You bought a lifetime subscription and therefore don't feel the need to switch. Likewise, I got a lifetime subscription for Emby, so why would I care for Plex?

> I recently swapped from LastPass to Bitwarden because LastPass subscription went from 12 USD/year to 24 USD/year (a 100% price increase) without reason or benefits

Ah, I'd missed that price increase since my renewal was a couple months before it, but I saw that "jack the price" from Logmein in 2015 and I'm pretty sure it wasn't a one time jump. Cost them a bunch of users in a community I'm on where people were seeing their prices go from $300/year to several thousand for no improvements because they wanted to focus more on the more profitable enterprise area.

Guess I should start looking at options now so I'm not doing so with a looming deadline (and probably another price increase to at least match the 1Password subscription price).

Yes, I also looked into options. The options I considered were Bitwarden and the CLI open source solutions such as pass. I don't mind paying for a service like this, but it has to be reasonable.

Bitwarden is programmed by a "Microsoftie" (that used to be more of a problem back in the 00s and 90s than it is in the 10s). It's programmed in .NET, they host at Azure, and they use MS-SQL for data storage. But that's about the only negative thing I have against it. Because you don't have to store in the cloud (and you can even run the Ruby code natively on *NIX now).

Ideally I'd prefer to have, say, GPGed databases of my passwords and my calendar on one or two clouds (like say Google Drive; 15 GB should be enough) and have seamless integration with Android, iOS, macOS, Linux, Windows, but that isn't feasible. You'll end up with a browser extension because it is practical.

One threat model they don't protect against is hostile JavaScript code. All browser extensions suffer from that problem though.

I mentioned it because the author was also using 1Password, I can only assume he had copy before they started their subscription model.

I could be wrong of course, but there are quite a few of us I think. With my version of 1Password I feel quite in control though. (Even if the business is moving away from freedom)

> I mentioned it because the author was also using 1Password, I can only assume he had copy before they started their subscription model.

> I could be wrong of course, but there are quite a few of us I think. With my version of 1Password I feel quite in control though. (Even if the business is moving away from freedom)

Even offline software needs to be maintained. The author is preemptively moving away from 1Password since they're actively pushing their subscription business, and he's unsure how long his lifetime app purchase will remain working. The author is involved in Pushover (a Pushbullet alternative) which uses the (traditional) lifetime app model as well. So he understands the disadvantages of the model.

A few months ago I moved preemptively away from LastPass because my sub was running out end of Nov 2017 and, as announced, the price was going up by 100%, which I found unreasonable. Also a preemptive decision since I had to pay for two services for a few months but I didn't know if my transition to Bitwarden would be flawless. Turns out it was pretty much flawless (partly because of the open data format from LastPass, CSV), but I didn't go with self-hosting. The author did go with self hosting but didn't wanna self-host .NET and MS-SQL, which is fair enough. So they wrote their own server in Ruby.

Question, assuming I have solved the problems of inputting the passwords and syncing and all other non-security-related items, are these password managers any more secure than an AES encrypted file?

With files and reasonably secure passwords you are probably using copy-paste to move the passwords. Keeping sensitive information on clipboard is a risk. Not just because of malware, you might also accidentally paste the information to wrong place.

Browser plugins can have issues, but they also improve security by only allowing you to enter the password when the legitimate domain is requesting it. With the copy-paste approach you might enter the password on some phishing site (obviously browser plugins can introduce their own security issues, so this is a trade-off).

Dedicated applications may take steps to protect the sensitive information in memory while a normal text editor probably does not do that. With an AES encrypted file you would need to think through the workflow to make sure the unencrypted contents are not exposed, for example via temporary files. A dedicated application can also automatically lock the contents after some timeout; with text files you need to take care of this manually.
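The domain-matching point above is the one browser plugins get right and copy-paste cannot. The following is an added example (not code from any password manager discussed in the thread) showing why the check has to be an exact host comparison rather than a substring test: the vault entries, URLs and `.test` phishing host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not a real vault): stored site URL -> entry label.
# The label stands in for the credential that would be filled.
SAMPLE_VAULT = {
    "https://accounts.example.com/login": "example-main",
    "https://bank.example.org": "bank",
    "http://legacy.example.net": "legacy-http-only",
}


def host_of(url):
    """Lowercase hostname of a URL, or None when the URL has no host."""
    parts = urlsplit(url)
    return parts.hostname.lower() if parts.hostname else None


def naive_match(stored_url, current_url):
    """The substring check a careless implementation might use. It is fooled by
    a lookalike such as accounts.example.com.evil.test, which contains the
    stored host as a prefix."""
    return host_of(stored_url) in current_url


def host_match(stored_url, current_url):
    """Strict autofill rule: the current host must equal the stored host or be
    a subdomain of it on a label boundary, and a credential saved for https://
    is never offered to a plaintext http:// page (no downgrade)."""
    stored, current = urlsplit(stored_url), urlsplit(current_url)
    stored_host, current_host = host_of(stored_url), host_of(current_url)
    if not stored_host or not current_host:
        return False
    if stored.scheme == "https" and current.scheme != "https":
        return False
    return current_host == stored_host or current_host.endswith("." + stored_host)


def candidates_for(current_url, vault=SAMPLE_VAULT):
    """Labels of vault entries a plugin would offer to fill on current_url."""
    return sorted(label for url, label in vault.items() if host_match(url, current_url))


if __name__ == "__main__":
    phish = "https://accounts.example.com.evil.test/login"
    print("naive match on phishing host:", naive_match("https://accounts.example.com/login", phish))
    print("strict match on phishing host:", host_match("https://accounts.example.com/login", phish))
    print("offered on accounts.example.com:", candidates_for("https://accounts.example.com/"))
```

The subdomain rule is the trade-off a real plugin has to make: an entry stored for `example.org` would also be offered on any host under it, which is wrong for shared-hosting domains where unrelated parties control subdomains. Production managers consult the public suffix list to decide where the registrable domain ends; that list is not embedded here.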

Would definitely not use the clipboard. Might use stdout of a quick exe run, or might use native OS keyboard messages... but that's a different concern. My question here was just about the contents themselves and less about the handling. Maybe, as the author here did, I can just run a server conforming to bitwarden's API.

I personally like deterministic ones. I recently wrote about that [1] and we’re building an app. Would love to hear what you think.

[1] https://hackernoon.com/how-i-manage-my-passwords-technical-v...

Yes, a good password manager ought to securely erase temporary files and encrypt working memory and zero released memory. You don't get these extras dealing with a GPG encrypted file in a standard text editor.

I would assume no temporary files and short-lived process which reads/writes and dies. Then, of course, the burden is on the caller not to be careless with the state. I dunno. Just more curious here about the data at rest more than its use.

I'd assume data encrypted with AES (say by GPG) to be as secure as a password manager's DB, at rest. Provided you take care to adjust the iterations of the KDF, use a good KDF (like argon or scrypt), and tweak other parameters (like using a keyfile along with your passphrase) that a password manager might automatically set for you.

But there should be no essential differences between the two. In fact since GPG's code is more battle tested than most password managers it might even be more secure, other factors disregarded as you mention.
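The parameters the comment above says you must set yourself (KDF cost, a strong KDF, a keyfile alongside the passphrase) are the whole difference between a hand-rolled encrypted file and a manager's database at rest. As an added example, not code from GPG or any manager in the thread, here is a key-derivation routine built on Python's standard-library scrypt that does those three things explicitly. The cost floor, the keyfile mixing scheme and the calibration target are assumptions chosen for illustration, not values from any standard.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32  # 256-bit key, e.g. for AES-256

# Assumed floor below which this example refuses to derive a key, so a
# tampered file header cannot quietly downgrade the work factor.
MIN_N, MIN_R, MIN_P = 2 ** 14, 8, 1
MAX_MEM = 256 * 1024 * 1024  # scrypt needs roughly 128 * N * r * p bytes


def mix_keyfile(passphrase, keyfile_bytes=b""):
    """Combine the passphrase with an optional keyfile. The keyfile is hashed
    first so its size neither slows the KDF nor leaks through the input length.
    A NUL separator keeps passphrase and keyfile hash from running together."""
    material = passphrase.encode("utf-8")
    if keyfile_bytes:
        material += b"\x00" + hashlib.sha256(keyfile_bytes).digest()
    return material


def params_acceptable(n, r, p):
    """True when the cost parameters meet the floor and N is a power of two."""
    return n >= MIN_N and r >= MIN_R and p >= MIN_P and n & (n - 1) == 0


def derive_key(passphrase, salt, keyfile_bytes=b"", n=2 ** 15, r=8, p=1):
    """scrypt key derivation with explicit, validated cost parameters."""
    if not params_acceptable(n, r, p):
        raise ValueError("scrypt parameters below floor or N not a power of two")
    return hashlib.scrypt(mix_keyfile(passphrase, keyfile_bytes), salt=salt,
                          n=n, r=r, p=p, dklen=KEY_LEN, maxmem=MAX_MEM)


def rejects_weak_params(n, r, p):
    """True when derive_key refuses the given parameters (used to check the floor)."""
    try:
        derive_key("x", b"\x00" * 16, n=n, r=r, p=p)
    except ValueError:
        return True
    return False


def new_salt():
    """Fresh random salt; store it in the clear next to the ciphertext."""
    return os.urandom(16)


def keys_equal(a, b):
    """Constant-time comparison for a stored key-check value."""
    return hmac.compare_digest(a, b)


def calibrate_n(target_seconds=0.25, r=8, p=1):
    """Double N until one derivation takes at least target_seconds on this
    machine (capped so memory stays under MAX_MEM). This is the step a manager
    does for you when it creates a new database."""
    n = MIN_N
    while True:
        start = time.perf_counter()
        derive_key("calibration", b"\x00" * 16, n=n, r=r, p=p)
        if time.perf_counter() - start >= target_seconds or n >= 2 ** 17:
            return n
        n *= 2


if __name__ == "__main__":
    salt = new_salt()
    keyfile = os.urandom(64)  # constructed keyfile; keep a real one off the synced path
    k = derive_key("correct horse battery staple", salt, keyfile, n=calibrate_n())
    print("derived", len(k), "bytes; weak N rejected:", rejects_weak_params(2 ** 10, 8, 1))
```

The point of `params_acceptable` is that the cost parameters normally travel in the file header; anything that reads them back must refuse values below a floor, otherwise an attacker who can edit the header can make the next unlock cheap to brute-force offline. Keep the keyfile out of the same sync folder as the encrypted file, or it adds nothing over the passphrase alone.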

I recently switched to BitWarden and have had zero problems. The Firefox and Chrome extensions work great as does the Android app. Overall it has been a pain free experience and I'm very glad I did it.

I wished bitwarden would not need a backend and for sure not one tied to the windows and .net ecosystem.

I would be willing to pay (even subscription) for a nice set of UI clients (android, iOs, mac, Linux, Windows), plugins (Chrome, Firefox) that can just work with an encrypted file on ANY cloud or p2p file sync solution (i.e. resilio sync).

Unfortunately there seems not to be such a thing that is open source and does not want to lock you in to their infrastructure and services.

Bitwarden backend is cross platform and can run on Linux as well.

cross platform but dependent on mysql and .net.

I suppose that is what OP meant by 'reliant on microsoft'.

The article talks about a new Ruby/SQLite backend, making it no longer reliant on .NET, MSSQL, or Bitwarden's servers at all.

Correct but then it's nothing official yet with an uncertain future? Even if it would become community backed it still is a backend that needs to be secured, maintained, updated, etc. Therefore a file only based solution is imho preferable from this point of view.

Another alternative the author neglects is to use KeePass and to sync files between devices using Resilio or some alternative. The added benefit is redundancy and no reliance on a 'third party' server for operation!

Nice implementation but

> ... such as pass which stores PGP-encrypted files in a Git repo, but that doesn't improve my situation over 1Password. I would still have to manually look up passwords and copy them to the clipboard. These command-line packages also lack mobile apps and syncing.

This is misleading as there are plenty of clients and extensions for pass (which is also open source) [1]

[1] https://www.passwordstore.org/#other

I think that for enterprises a Vault backend would be great. This way you get a great access log and compartmentalization. What do others think?

For me 1Password's client, not the backend, is the winning story. I'm sure someone could build a great client and browser plugins for Vault (or any other backend) that could compete with 1Password, but right now, I've seen nothing. (LastPass in some ways is close, in other ways, not so much)

I agree the 1password client is very good.

I'm guessing you and GP are using macOS and probably iOS? 1password lacks a Linux client and my experiments with both the Linux Chrome extension and the Windows client were not great.

Yes. I've used the Windows client, and I'll admit it's not bad, but not great. The Chrome extension (actually works on any version of Chrome; I'm running it on OSX in addition to the extension that plugs into the native version) is a bit lacking.

Part of what works great about it is the TouchID/FaceID integration on both iOS and OSX.

While the vault backend is certainly too powerful I could also imagine this as a solution for private/family use.

Having broad UI and plugin support with good usability will likely be the key to success.

Why's there no standard, so that MS, Apple, etc. can include a pw manager straight into the core OS?

I voiced this same question a few days back on HN. I presume this is just not an important enough area to bring all the big corps and orgs together to brainstorm a standard and then implement it across their devices and OS.

Truth is, most people are shockingly poor when it comes to security. I'd bet that 80% of computer users just store their passwords in the built-in browser password managers (without even a Master password set) and be done with it. Even worse, I've come across folks storing their passwords in a plain text file.

For the minority who do want secure password management, there are a plethora of solutions, but nothing is completely integrated and seamless. It's all a mish-mash of standalone desktop programs, browser plugins & extensions, web services, cloud storage and so on, all stitched together ad hoc.

This is doable for those who're familiar with security/encryption and can set it all up, maintain and update it, but utterly a non-starter for an average user or smartphone consumer.

Are there known exploits, or have there been major exploits, for remote access to browser credential stores on personal computers?

If not, then it seems you need physical access; for most people, once you access their home, you can access enough info to fraudulently use their identity. So being more secure makes little sense for them, which seems logical. Sure, it's increasing the ways an intruder can attack, making a broader attack surface. Once someone has had access to your home, from a security perspective you'd need to consider all that info compromised, unless you carefully use a home safe, I guess.

I use a plaintext file for some credentials. It seems to me less likely to be recovered than using a widespread service. Would you seek out my house on the promise of pocket change (protected only by my doorlocks and one passphrase) or attack a bank?

Well, you don't need physical access if you can successfully get your malware installed on the target's computer. At that point a text file would be easier to scrape than a password-protected file, but only a few more steps away, i.e., by logging keystrokes or impersonating a login prompt or whatever.

On the other hand, passwords stored in the browser are vulnerable to a compromise of the browser as well as a system compromise, so that is one additional weakness. I agree that a local system compromise is almost always game over. The same as physical access.

To answer your question, I'm not sure, but IIRC the Lastpass client was compromised more than once. There were also weaknesses in the way Chrome stored passwords, and of course the Firefox credentials file is easily readable without a Master password set.

> of course the Firefox credentials file is easily readable without a Master password set

Is that true without local access? Presumably Moz use a key of some sort to encrypt the passwords before uploading and distributing them to your other browsers, rather than doing all that in the clear?

Yes, local access is needed since Mozilla do encrypt the file, but the key is stored in the same profile...

> I'd bet that 80% of computer users just store their password in the built-in browser password managers (without even a Master password set) and be done with it.

The misconception here is that setting a master password provides any real security. It isn't much different if you use a master password or not, once you have autofill, you're already compromised in that threat model.

Huh? So, someone boots your computer (assuming no login password), then launches your browser to get your passwords but needs a master password -- how is that not protection?

From the point of view of cracking the password file, I'd assume that Mozilla use an encryption key for passing the password file around, it's just that the key is available to anyone who has access to any of your browsers?

Apple has this; it's called iCloud keychain.

- Microsoft: Windows Vault aka Credential Manager

- Mainstream GNU/Linux DEs: Gnome Keyring and KDE KWallet (both implement common XDG API)

- Android: Smart Lock Passwords

None of them is interoperable with the others, at least not without external tools (I'm unaware if those exist). I wrote a comment about it the other day: https://news.ycombinator.com/item?id=15697011 (it was about syncing passwords across browsers)

Idk if I'm right or you are, but I read the GP as meaning "standard _across platforms_".

If my interpretation is correct, then I think I need to be the cliche bearer for the XKCD reference: https://xkcd.com/927/

If your interpretation is correct then yeah, Apple has Keychain.

Also, I think I recently got an OS-level 'save password' prompt for something on my machine running Win10 Pro v1709... Can anyone confirm or refute this?[1] No clue if this is just a new skin for the existing Credential Manager, something new entirely, or just confusion on my part.

[1] I just now tried Googling for information about this, but I nearly drowned in the sea of links about IE password saving and Edge support for password manager plugins.

Speaking of iCloud keychain, anyone know of a command line tool for manipulating its contents?

For local keychains there is /usr/bin/security, but it does not see iCloud keychains.

I seem to have bad timing moving my passwords from Chrome to Bitwarden:

- Password export (button) in Chrome (62) is not available

- Importing passwords from Chrome to Firefox works

- Exporting passwords from Firefox Quantum (57) is not available

They all removed the ability to export. Chrome is supposed to be adding it back in 63.

Enpass [0] offers a native Linux app. However, it's not open source.

[0]: https://www.enpass.io/

FYI 1password just released an excellent Chrome extension that makes all their important functionality accessible to all platforms that Chrome runs on.

Where? https://chrome.google.com/webstore/detail/1password-beta/phi... still says it requires the separate Mac and Windows apps.

Wrong link. The new product is 1password X, see blog post here (has link to extension): https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-...

No one mentions passman.cc?

Can I use this solution on iOS?

> At this point I've been using Bitwarden's iOS app and Firefox extension exclusively.

Password safe utilities seem to be growing too complex, IMHO. Vim's blowfish encryption is a straightforward alternative, and the editor seems easy enough to install anywhere it's needed. There are other standalone command line utilities which can create random passwords, and vimscript could probably perform the task without too much trouble.

Question, if anybody gets to this: I'm taking a break from work and computers for a year. How would you guys suggest I store my kdbx data securely, in a fail-safe manner?

The site says that it can be self-hosted. But will I be able to configure my browser extension to work with the self hosted version?

Also, what are the disadvantages of the hosted version?

> "However, all of their browser extensions and phone apps support setting a custom API URL before logging in, to allow for private installations."

Slightly offtopic - Any suggestions for a lightweight site engine, to produce equally simple personal websites?

Totally offtopic...

Choose a random static site generator, use/build a lightweight style. Done.

Could you explain the part that is on-topic?

'equally simple' implies they are talking about creating a site as simple as the site that hosts the article. Maybe 'side note' might be a better phrase here than 'slightly off-topic'.
