+1 for Bitwarden. It is literally the best solution out there. Been trying to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.
Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.
For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults which has replaced Apple-only Notes.app.
Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.
But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.
If you have a NAS, I highly recommend you set up a VPN back to your network. It's been a bit of a game changer for me. I don't fiddle around with Dropbox or gdrive anymore, it's just on my NAS and it just works. I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline, like on an airplane. VPN has other advantages as well like no longer really having to worry about sketchy wifi networks. It felt annoying and like overkill at first, but I'm never going back to relying on any sync apps again.
> I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline- like on an airplane.
I solved this by having /home for desktops/workstations on my NAS, but laptops had their own /home (with the NAS /home mounted somewhere locally). It’s not perfect but was way easier than dealing with the offline case.
I have used this setup for 6 years or so with KeePassXC and it's fine. Just being mindful of not editing stuff on other devices before the first one has had the chance to sync has been enough to avoid pretty much all sync conflicts. I have only had to resolve those a few times so far, iirc my android client was misconfigured at the time or something.
I still recommend Bitwarden for password management for any "laypeople" since it will just work. Also worth noting that the basic functionality is free.
I do something similar with Syncthing, except I use pass and go-pass on my and my spouse's devices. Those utilities store their data in a git repo already by default, but rather than syncing those repos directly, I have set their upstream remotes to local bare repos which is what Syncthing actually syncs. This avoids contention internal to the git repos which I could see causing some problems through normal git operation and the actual sync between devices should be mostly atomic.
(go-)pass automatically does a push/pull due to several operations which keeps the password store in sync and Syncthing does its thing with the bare repos.
This has reduced my maintenance burden on my spouse's devices down to practically zero. The worst case to fix things is I need to `git pull --rebase` in the bare repo. The pass repo format uses individual encrypted files for each password entry (for better or worse) so I have yet to run into a conflict in the same entry.
Why not just push/pull git branches normally? I had previously been doing that but if you want devices to sync that may not always be online, then you must involve an always online git server (which isn't a great idea due to one of pass's weaknesses).
Even when you do get a sync conflict, Syncthing will rename one of the copies and then you can have KeePassXC merge the two files back into one. So that's still pretty much hassle-free.
Probably due to Obsidian's aggressive autosaving, I did cause a syncthing collision my first day by clicking into a note that I was editing on my other device. Kinda wish desktop Obsidian had a save system more like code editors and less like smartphone apps.
I suppose I can avoid the issue with some discipline.
This is the same setup I used for years with no issues, both KeePassXC and multiple Obsidian vaults, along with some other random files and folders. Syncthing is pretty much rock solid. Now I have the KeePassXC database stored on my NAS which is even simpler.
I use a similar setup, but with Onedrive instead of Syncthing (and, before that, Dropbox).
In the almost 10 years I've been running this setup, I think I hit a conflict one single time. I don't quite remember the details, but I think I accidentally edited something in the mobile app, and before saving, edited something else in the desktop app or vice-versa. So it was pretty much my fault.
Other than that, literally never had an issue. Password managers are by their nature mostly reads, and very occasional writes, so it's very hard to put yourself in a situation where conflicts happen, even if you don't pay attention to it. I've made an identical setup for my (fairly savvy but non-technical) fiancee, and she's never hit an issue either. I had to insist a bit for her to get on board, but years later she actually loves using KeePass. She's thanked me multiple times for how convenient it is not having to remember passwords anymore!
One consideration is that Bitwarden seems to not work fully in an offline state the same way your setup would. I constantly try to edit or add a password while offline and can't.
I think this somewhat negates the collision situation though.
That came up during my research and it's one of the reasons I couldn't choose it.
Forcing a read/write right before and after each edit probably simplifies the sync scenario for them but I don't like relying on permanent internet access in my life since it's just not the case.
Unfortunately Strongbox was sold a few months ago to a somewhat notorious app firm that has the nasty habit of buying popular apps and adding a whole bunch of telemetry. Not something I'd want in a password app.
I've switched to KeePassium. Not quite as polished UX, but works for me.
I'm using KeePassium and SyncTrain for the syncthing integration on iOS.
SyncTrain has been working well, but all the knobs in the advanced folder settings definitely remind me that I would never recommend it over Dropbox/iCloud/etc to almost anyone, heh.
But as long as I don't run into frequent problems, I like the idea of p2p device syncing over LAN. The phone in my pocket ends up passing around the latest copy since my other devices are almost never on at the same time. It's kinda cute.
No matter how you sync, a Keepass file is a file. I can't be logged out. It will still be on my phone if my house burns down. Every device it's synced to is an additional backup copy.
The Bitwarden client will sometimes log you out if something happens on the server side, which has the potential to make worst case recovery from annoying to impossible. The circular dependency of having my cloud backup password in the vault made me nervous.
Yes, you can back your vault up, but it's a manual step and likely to be forgotten.
1Password has better UI/UX and is faster, but Bitwarden is cheaper, supports prompting for the master password for specific passwords, and has better security options (such as app idle settings instead of just device idle).
I started paying for 1Password years ago when an annual family plan was $48, and to their credit, they've kept me grandfathered in to that price this whole time.
1P is closed source and has had a number of breaches in the past. Bitwarden has had none that I'm aware of, and they're FOSS. I however have been preferring ProtonPass lately (also FOSS) and really like the layout over BW.
Do you have a source for this claim of multiple past breaches? The only one I know of is the Okta breach.
For me they're still firmly in the 'one of the best options out there' category because cross-platform usability is incredibly good imho. I will admit it's been quite a while since I migrated from KeePass so maybe these other options have improved too.
This is either ignorance or throwing shade at 1Password. Outside of their Okta thing (which didn't impact vaults as far as I'm aware, and was more Okta's fault) they never had a compromise. They are definitely an excellent provider.
I might be that guy soon. I really don't like Bitwarden's extensions, they have clunky UX, are slow and often don't even respect my settings. Autofill is a crapshoot, especially on Android. And they have performance issues with the Firefox and Chrome(-based) extensions so it's not even platform specific.
I use a similar service, I always wonder what sort of risk having one point of failure has though. I know 2FA helps, but a particularly motivated person with access to you physically still may be able to get both, especially if it's for an investigation of some sort.
I switched from Bitwarden to Proton Pass (because we got Proton Family) and I find it to be equally good. I even find sharing credentials a bit easier as it does not require organizations, you can just share with individuals.
Bitwarden Families plan is $40 a year and supports up to 6 users. It has TOTP built-in, is open source[1] and has been audited multiple times[2].
The individual plan is $10 a year. I've been a happy user for many years. I converted the last business I was at to exclusively using Bitwarden for Business as well.
I don’t know the “correct” answer, but here’s my answer as someone whose TOTP are split across a YubiKey and Bitwarden: I store TOTP in Bitwarden when the 2FA is required and I just want it to shut up. My Vault is already secured with a passphrase and a YubiKey, both of which are required in sequence, and to actually use a cred once the Vault is authenticated, requires a PIN code (assuming the Vault has been unlocked during this run of the browser, otherwise it requires a master password again).
At that point, frankly, I am gaining nearly nothing from external TOTP for most services. If you have access to my Vault, and were able to fill my password from it, I am already so far beyond pwned that it’s not even worth thinking about. My primary goal is now to get the website to stop moaning at me about how badly I need to configure TOTP (and maybe won’t let me use the service until I do). If it’s truly so critical I MUST have another level of auth after my Vault, it needs to be a physical security key anyway.
I was begging every site ever to let me use TOTP a decade ago, and it was still rare. Oh the irony that I now mostly want sites to stop bugging me for multiple factors again.
My Bitwarden account is protected with YubiKey as the 2FA. I then store every other TOTP in Bitwarden right next to the password.
I get amazing convenience with this setup, and it's still technically two factor. To get into my Bitwarden account you need to know both my Bitwarden password and have my YubiKey. If you can get into my Bitwarden, then I am owned. But for most of us who are not, say, being specifically targeted by state agents, this setup provides good protection with very good user experience.
2FA most commonly thwarts server-side compromised passwords. An API can leak credentials and an attacker still can't access the account without the 2FA app, regardless of which app that is. The threat vectors it does open you up to are a) a compromised device or b) someone with access to your master password, secret key and email account. Those are both much harder to do and you're probably screwed in either case unless you use a YubiKey or similar device.
How is it possible to have a compromised password but not a compromised second factor? I don't understand the theory of leaking not enough factors. What is stopping webmasters from using 100FA?
> How is it possible to have compromised password but not compromised the second factor?
Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).
> What is stopping webmasters from using 100FA?
The users would hunt them down and beat them mercilessly?
Mostly for the sites that insist on MFA and I need to use daily. Using two separate stores would be too annoying, and the increase in security is minimal - I consider Bitwarden to be secure enough (password + yubikey), and the main scenario somebody could get to my account would be on the server side, or phishing. For that, MFA helps somewhat, but storing MFA code in a separate app doesn't do much.
I self-host through Vaultwarden but I think I miss this. Besides, I feel like paying these guys anyway just for the great product. We use 1Password at $dayjob and it's so primitive by comparison.
Here are the things that get me, and maybe it's because I haven't configured it well yet.
1. On firefox first start-up is slow after unlocking to actually find a password for a site. The interface says, "No logins for xyz.com" for maybe 5 seconds before the login loads.
2. Along those lines when I open it first thing in FF the box for its password isn't focused and I have to click it.
3. The keyboard combo to open it also only works in Chrome.
4. To add a new login I have to go to the site. I haven't figured out how to do it from within the plugin.
5. We get alerts at least once a week about service disruptions but they don't seem to actually affect me.
6. I like Bitwarden's command line tool but I bet 1Password has something at least as good that I haven't found yet.
How is 1Password primitive? It does TOTP. It integrates with TPM in Windows Hello. It does SSH keys and has its own agent which is a huge help. Its sync is nearly instantaneous. It handles multiple accounts with ease.
The moment you put TOTP in Bitwarden it is no longer a 'second factor'. Pretty bad security advice to be honest. Better to use hardware tokens or a secure phone (with enclave) instead (never SMS though).
In most cases a true second factor isn't really what any involved party cares about.
My bank (I mean, they use SMS, but pretend they use TOTP) just care about not having to spend money on support because I used "password1!" as my password for every account and lose all my money.
I just want to log in to my bank.
If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor, I'm just enabling TOTP so that I don't have to copy/paste codes from my email or phone.
> If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor
I'm not comfortable with my entire online identity being protected by a single line of defence which is a company that I'm paying a few dollars a month to. Not having to type 6 digits off a phone is a pretty minor convenience for me.
Do you then avoid syncing any passwords to your phone to avoid having your two factors in the same place? (And similarly, avoid syncing SMS to any devices where you do have passwords.)
If I only store passwords in Bitwarden, not TOTP tokens, then I don't have to pay for it. So, it's an argument for spending less money while being more secure.
I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.