
Tangential question: What password manager do you guys use?



Bitwarden. Works well and the integration with 2FA/TOTP is amazing. I highly recommend not relying on a single (mobile) device for 2FA. Losing or breaking it might shut you out of certain accounts forever.


Same. I used to be on LastPass, but the more I learned about them as an entity, the more I realised that they were not what they once were, and I switched to Bitwarden.

I also found this suited my devices and usage, Linux, Android, Mac, Windows... happy across the board.

Also... employers tend not to use Bitwarden, they pick 1Password or LastPass, so it means I can have both work and personal on my BYODs.


> Losing or breaking it might shut you out of certain accounts forever.

But isn't this what the backup codes are for?


Yeah, I used to keep my passwords and backup codes in two separate KeePass vaults. Now I use Bitwarden for passwords but still use KeePass for my backup codes.

I use the notes for each entry in Bitwarden to indicate what kind of 2FA I have enabled and whether I have a backup code already stored in the other vault.


Sure. But not everybody has them or they might be on that device...


I find Authy on a mobile and desktop with backup turned on seems like solid enough 2FA redundancy.


Yeah, I learnt it the hard way when I accidentally purged my Google Authenticator with all 2FA data.


1Password, https://1password.com (Personal, Family)

I'd definitely introduce and use Bitwarden for teams.


I guess answers here will be skewed towards Bitwarden, because those who already use it will likely be more interested in this thread.

I also use it at my company, and personally with my wife. Also got my mum to use it!

At my company, we also use it for server secrets, using envwarden: a simple wrapper we created and open-sourced[0] for managing server secrets with Bitwarden.

[0] https://github.com/envwarden/envwarden


Love this and currently testing it for deployment at my company. Thanks for making it, it feels 1000x more straightforward than Vault, etc.

I'd love to hear an official stance on it from Bitwarden to know their take and whether they're considering supporting this important use case in an official capacity (e.g., sponsoring or providing some kind of support for the project). Seems like it could be a big differentiator over other password managers.


Bitwarden. The integration with the OS will never be as tight as Apple's baked-in solution, but it's as good as it can get.

I also convinced my employer company to use it.


BitWarden. Used to use 1Password, and while I don't mind paying for a service, especially a 'security' related one, I couldn't see the benefit over what I was getting with BitWarden.


I use Bitwarden_rs (https://github.com/dani-garcia/bitwarden_rs) and self-host it in a Docker container on my Synology NAS. I only allow access to it from my internal home network.

The nice thing about Bitwarden_rs is that you get features which you would have to pay for with normal Bitwarden. For example 2FA with U2F. As a note Bitwarden_rs is written in Rust.


That’s not what I would call the nice thing about bitwarden_rs. What I would call the nice thing is single-user total disk usage under 20MB and memory usage under 30MB, with totally negligible CPU usage. The official server requires SQL Server and quotes 4GB of RAM and 25GB of disk space as a recommended minimum, though I imagine the true minimum it could survive with would be a good deal less. (Still, I do appreciate being able to generate TOTP codes, which is paid functionality with the official server.)


While you can use the premium features without paying, I would strongly urge you to pay for a license anyway. It doesn't cost much and the Bitwarden folks are a small team doing a great product. I really like bitwarden_rs and wish the official server would adopt it or something similar. The official server is pretty darn heavy.


I also use Bitwarden_rs so I don’t have to host a MSSQL database, but it’s worth noting that the Bitwarden_rs server hasn’t been audited. It uses the same upstream clients (including web), but that doesn’t fully cover the implementation.


BitWarden. Switching our business from LastPass at the moment.

I found LastPass painful to use and sync between local vault and server side to be broken. No thought has been given to layout, commonly used options are buried and basic things like selecting the right credentials by subdomain do not work. Their recent UI refresh has simply made things slower rather like Google's admin UIs. They have rather annoyingly decided, against NCSC advice, that I need to see a reminder to pointlessly cycle my master password every time I log in.

The final straw was when they applied a large renewal charge without authorisation to a card they were not given permission to keep and then mishandled the resulting complaint in every way you could possibly imagine.

Bitwarden is cheaper and far more usable, I can't find any single thing that LastPass does better for twice the price.


Bitwarden. I used to use LastPass but I prefer Bitwarden because the clients are open-source (including optional self-hosting and a mobile app on F-Droid), the URL matching seems to be more flexible and intuitive to configure than I found on LastPass (more than just separate subdomains), and the syncing across devices and auto-fill using standard Android APIs works perfectly with the mobile app. I also pay the $10 USD/year for the premium plan mainly for native YubiKey 2FA without using TOTP codes.

I've considered using Pass or other open-source self-hosted/synced alternatives but I don't really want to fiddle with something like this quite yet because Bitwarden meets my needs perfectly.


Bitwarden, so does my (tech savvy but doesn't work in IT) wife. I'm using it in ipad OS, Android, Firefox, and Chrome. It works great with several different second authentication factors like hardware keys and the Google authenticator app.

One fantastic feature is that you can add the second factor 6 digit generator to a given password, just like an authentication app. When you log in by filling the username/password and hitting enter, your second factor is copied to the clipboard. That lets you just paste it in, which is very convenient for those annoying sites that make you log in with 2FA every 30 to 60 minutes.
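The built-in generator described above is plain RFC 6238 TOTP: HMAC-SHA1 over a 30-second counter, dynamically truncated to six digits. The following is an added example, not code from the commenter or from Bitwarden, showing the computation a manager performs when it copies the code to the clipboard, plus the drift-tolerant check a site does on the other side. The seed is the published RFC 6238 test-vector value, embedded so the block runs offline; the 30-second step and six digits are the usual defaults and are assumptions here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226/6238 test-vector seed (ASCII "12345678901234567890").
# Embedded as constructed sample input; it is not a real credential.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for a 64-bit big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"              # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second windows since the epoch."""
    return hotp(secret, at // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Sites hand the seed out as base32 in an otpauth:// URI, often without padding
    and with spaces for readability; normalise before decoding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Relying-party side: accept codes from +/- `window` adjacent steps to absorb clock
    drift between the phone/manager and the server. Comparison is constant-time so the
    check does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def current_code(secret: bytes) -> str:
    """What the manager would put on the clipboard after filling username/password."""
    return totp(secret, int(time.time()))


if __name__ == "__main__":
    print(totp(RFC6238_SEED, 59))                                   # 287082 (RFC 6238 vector, 6 digits)
    seed = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(verify_totp(seed, "287082", 59 + 30))                    # True: one step of drift tolerated
    print(verify_totp(seed, "287082", 59 + 90))                    # False: outside the window
```

Note that once the seed lives in the same vault as the password, the second factor is only as independent as the vault is: the `window` parameter is also the knob a relying party uses to trade drift tolerance for a slightly larger guessing surface, so keep it at one step.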


Lastpass mostly because it's what I have been using and it works well across all platforms. Have been thinking about giving Bitwarden a shot though.


I used pass (unix passwordstore) before. I found it extremely comfortable when I'm working with just my system. I did find it inconvenient to set up cross-platform, since it depends on my gpg key. How do people access their gpg keys on phones or a new laptop, for example? Do you store it somewhere online? How do you make sure not to lose the gpg key? When I got my new system, I forgot to back up my key and lost my previous passwords. This is the only challenge(?) I face. Other than that I love everything about pass.

Now I'm testing the waters with bitwarden. I like the cross-platform functionality so far and the self-hosting option. I also like that I just need a master password and don't have to worry about keeping any extra keys safe. I'm not a security expert so I'm not sure whether encrypting before syncing with bitwarden servers is actually safe (this is what bitwarden does afaik). I'm yet to try out their cli option. I also wonder what would happen to my passwords if it shuts down abruptly. Do I have a backup/copy of the passwords somewhere? This is something that concerns me, where I feel pass is superior. Maybe if there was an option for pass to use a passphrase for encryption rather than gpg, that'd be really cool (maybe not good security-wise? I'm unsure on this aspect).

I also liked that when I add the URI of the website login, it gives the icon for it too. Bitwarden's user experience is top notch. I recommended my parents to try it out, except for a few basic questions they were up and running within a few minutes. That's something I really appreciate.

If anyone has self hosted bitwarden, how do you make sure that it is safe from attacks? I'm still exploring this option. Bitwarden uses azure and lets the MS team take care of managing the infra (I'm guessing this includes taking care of attacks).


Bitwarden as it's the only open source solution I could find that is both cross platform and matches other products in functionality.


I've used LastPass for years before switching to Bitwarden due to peer-pressure on HN/Reddit (posts like these, praising Bitwarden).

After a few months, I switched back to LastPass. Bitwarden never quite worked right and as far as I know doesn't provide a way to review access history (I was hacked and wanted to see if other IP addresses accessed Bitwarden).


Dashlane. Tried 1Password, LastPass and they are all not good enough. Bitwarden doesn't even come close.


In what ways do you find Bitwarden lacking? What are the advantages of Dashlane?


I'm currently using MacPass on macOS and KeePassium on iOS, and syncing both through Dropbox. But that means I need my Dropbox credentials, in addition to the KeePass file secrets, if I lose both the Mac and the iPhone (after a fire or a robbery, for example). Not sure I'm comfortable with that.

I'm considering switching to 1Password or Bitwarden. But I'm not sure about BitWarden using the same password both for encrypting the vault and accessing Bitwarden server. Chrome for example has an encryption password which is different from your usual Google Account password.


I may be a little off in my description, but I believe that the Bitwarden server never sees your password. The client sends a derived key to authorize your access to the vault and then your password is used on the client side to decrypt the vault.

It all depends on the risk you’re trying to mitigate. A MITM or a server attack won’t be able to gain access to your passwords, even if they intercept the data. A user with knowledge of your password or a keylogger on your client could. However, in either of those cases, you’re not protected all that much by having two passwords as opposed to one long one.
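The split the two comments above describe, one master password yielding both a vault-encryption key that stays on the client and a separate value the server checks at login, is easy to show concretely. This is an added example, not the commenter's code and not Bitwarden's implementation; the parameters (PBKDF2-HMAC-SHA256, the lowercased e-mail as salt, 600,000 iterations, a second one-iteration pass with key and password swapped) are assumptions chosen to illustrate the pattern. It runs on the standard library only.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration, not a claim about any product's defaults.
CLIENT_ITERATIONS = 600_000   # stretching done on the client, where the password lives
SERVER_ITERATIONS = 100_000   # extra stretching of the verifier at rest on the server


def derive_keys(master_password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> tuple[bytes, bytes]:
    """Return (master_key, auth_hash) from one master password.

    master_key never leaves the client; it is what encrypts and decrypts the vault.
    auth_hash is what the client sends to log in. It is derived FROM master_key with
    the roles swapped (key as the password input, password as the salt), so someone
    holding the auth hash, or the server's copy of it, cannot walk back to master_key.
    """
    salt = email.strip().lower().encode()          # normalise so a capitalised e-mail still logs in
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, dklen=32)
    return master_key, auth_hash


def server_register(auth_hash: bytes) -> dict:
    """Server side at signup: keep a salted, stretched verifier rather than the auth hash
    itself, so a database leak does not hand out a directly replayable login credential."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "verifier": verifier}


def server_login(record: dict, auth_hash: bytes) -> bool:
    """Server side at login: recompute the verifier and compare in constant time.
    Nothing here gives the server the master password or the vault key."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


def server_holds_vault_key(record: dict, master_key: bytes) -> bool:
    """Sanity check for the threat model in the comment above: neither stored field is,
    or trivially contains, the client's vault key."""
    return any(master_key == v or master_key in v for v in record.values())


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    mk, ah = derive_keys("correct horse battery staple", "Alice@Example.com")
    rec = server_register(ah)
    print(server_login(rec, ah))                                              # True
    print(server_login(rec, derive_keys("wrong password", "alice@example.com")[1]))  # False
    print(server_holds_vault_key(rec, mk))                                    # False
```

The practical consequence for the "same password for encryption and login" worry: the server only ever sees `auth_hash`, which is one-way from the key, so a compromised server or an on-path attacker gets a login verifier at most, not the vault key. What this does not cover is exactly what the reply says: a keylogger or someone who knows the master password gets both halves, and a second password would not change that.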


Bitwarden. Migration from lastpass took just a few minutes. I don't need fancy features and Bitwarden seems less likely to have RCEs in the client and other screwups.


1Password, and I've been happy with it, but I generally recommend Bitwarden to anyone who asks because of the free tier.

I intentionally use other things for my 2FA and TOTP so that my most important accounts are still not accessible even if you somehow get into my password manager. I use YubiKeys where I can, Google Authenticator when it has to be TOTP.



Dashlane, but I would like to move to Bitwarden. Every time I try, Bitwarden just feels wrong/unorganized in comparison.


I've been using Bitwarden for just over a year now, and I'm very happy with the experience on Windows and Android.


BitWarden for less "important" things like gaming, streaming, store, and forum logins. Things that would be more of an inconvenience if they were to be hacked.

For more important things I use KeePass and keep it all offline.


Pass and Browserpass or gopass bridge. There is also QtPass and Password Store for Android. Love having my passwords synced using Git and backed up encrypted in the cloud using GPG.


I'm another bitwarden user. I used to use lastpass but back when firefox switched to their webextensions lastpass didn't update right away so I switched.


BitWarden.

I moved from 1Password to BitWarden... 2 years ago now? (2 years 2 months) Oh the experience was SO much nicer than 1Password. And the iOS app WORKED!


1Password which I love.

Work is switching to Bitwarden due to easier ability to integrate into our environment than 1Password.


KeePass.


Surprised to not see more KeePass users on HN, I thought it'd be rather popular in a crowd where hosting it yourself isn't such a large hurdle.


I switched from KeePass to Bitwarden. KeePass worked great, but I decided it just wasn't worth it, as well as being potentially riskier, to manage it myself.

For example, if you use a third-party KeePass app on your phone, besides having to figure out a secure way to sync it, you also now have to trust the developer of the phone app as well. Larger attack surface.


This! Just sync your keepass file with your NextCloud (or Google Drive or whatever) and you're good to go. Has a mobile App and there are probably Browser Add-Ons available. Costs nothing and works like a charm.


Keychain. But this will only work if all your devices are apple.


I'm only using macOS and iOS, but I can't just use Apple Keychain because there are no Chrome and Firefox extensions as far as I know.


Last month I moved from enpass to bitwarden.


Same boat here, but about six months ago.


Apple Keychain.


Bitwarden... switched over from Dashlane


Roboform: it's ugly and old, and it works.


Text file in a VeraCrypt container (the password to which is only in my head). Authy for MFA.


The one that is in Chrome


from lastpass to bitwarden.

