Password manager: Bitwarden, KeePassXC, or something else?

Is it a good idea to use a password manager? Why/why not?

For those who use one, which password manager do you use, and why?

1 Like

If you use a good password manager, this is a good idea :)
I have been using KeePassX since 2016. Why? Convenient and secure cross-platform open source password manager. Uses a local database compatible with the KeePass database format.

3 Likes

I chose BitWarden, and have zero issues with it.

2 Likes

Three notebooks, each in different places. One in a fire safe. Use pencil so you can erase an entry when the password changes.

Some makers of little address books also make password books. Instead of name and address they use the same lines for site, username, and password. With alphabet tabs and gold trim.

1 Like

I prefer to use an offline VM on Qubes OS to store my passwords.

3 Likes

https://pwsafe.org/yubi.shtml

I use Password Safe, which is supported by Bruce Schneier. I started using it because I was looking for something that supports two-factor authentication, and I now use it together with a YubiKey.

2 Likes

As always, there’s no simple answer.

Compared to what?

Compared to remembering every password in your head? That’s the most secure option. However forgetting passwords may be a problem, particularly if not used for a while - and it could encourage sloppy habits like using weaker passwords or reusing passwords.

Writing them all down? That’s a fairly secure to very secure option, depending on your threat model. A work location is inherently less secure (more threatened) than a home location. Some home locations might be inappropriate for this. Can be inconvenient if you need a password while out and about. If your threat model includes government agencies or other criminal organisations then this is not a secure option. Poorly integrated also, so you always need to type in the password, which can be error prone and may encourage slightly weaker passwords.

Overall, yes, I would say using a password manager is a good idea.

Sub-question: Is it a good idea to use a password manager with network integration / synchronisation?

I have never been comfortable enough with that idea - so it would be local database for me.

It can’t be fully open source if you rely on an external server for network integration / synchronisation. You can of course provide your own server. Some people though really want the network / synch side of it.

The ideal answer would be one that is well integrated with the underlying system, including being able to be protected by a 'hardware' security token (like a Librem Key).

I don’t know how well seahorse stacks up against the above requirements or anyone else’s requirements.

1 Like

Allows you to have multiple password stores, for example to split passwords and OTP seeds into different git repos.

It still uses gpg, which can be complex for less experienced users.

Personally I have been using this on multiple machines/os.

I’ve been using KeePassXC and I really like it because it only does password management. You get to choose where the passwords are saved.

It creates and manages an encrypted file on your device. If you want to access your passwords on different machines, you simply share that file between machines. If you want to share certain passwords with somebody else, you can create a separate file and share it with them.

I’ve been using KeePassXC on three different machines running Windows 10, LineageOS and PureOS seamlessly. I share my password vault using Nextcloud.

For a school hackathon, a buddy and I created a program that encoded encrypted passwords into a barcode and then printed the resulting barcode onto a piece of paper. When you scanned the barcode, the program would decrypt it and insert the text into whatever text field the cursor was in. The hardware was his, but this is making me want to buy my own and write that program again…

3 Likes
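The model the post above describes, an encrypted file that the sync service (here Nextcloud) only ever stores as ciphertext, is worth seeing in working code. The following is an added example written for this thread; it is not code from the thread, from KeePassXC or from Nextcloud, and the on-disk layout, the PBKDF2-based key derivation, the iteration count, the function names and the sample entry are all assumptions made for illustration (KeePassXC's own KDBX format is different and uses its own KDF parameters). The point it makes is that anything the server holds, header included, is untrusted input: a wrong master password, a flipped bit anywhere in the file, or a header that asks for an absurd amount of KDF work must all be rejected by the client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed on-disk layout for this example (NOT KeePassXC's KDBX format):
//   salt[16] || iterations[4, big-endian] || nonce[12] || AES-256-GCM ciphertext || tag
// The salt and iteration count are bound into the GCM tag as associated data.
const (
	saltLen, iterLen, nonceLen = 16, 4, 12
	hdrLen                     = saltLen + iterLen + nonceLen
	maxIter                    = 10_000_000 // bound on KDF work demanded by an untrusted file
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA-256 (RFC 8018) using only the standard library.
func pbkdf2SHA256(password, salt []byte, iter uint32, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var out []byte
	var idx [4]byte
	for i := uint32(1); len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(idx[:], i)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor ... xor U_c
		for n := uint32(1); n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_n = PRF(password, U_{n-1})
			for k := 0; k < hLen; k++ {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// gcmFor derives a 256-bit key from the master password and returns an AES-GCM AEAD for it.
func gcmFor(master string, salt []byte, iter uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault encrypts plaintext under the master password and returns the bytes to sync.
func sealVault(master string, plaintext []byte, iter uint32) ([]byte, error) {
	if iter == 0 || iter > maxIter {
		return nil, errors.New("iteration count out of range")
	}
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil { // fresh salt per write: same data never encrypts the same way twice
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var iterBytes [iterLen]byte
	binary.BigEndian.PutUint32(iterBytes[:], iter)
	aead, err := gcmFor(master, salt, iter)
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte(nil), salt...), iterBytes[:]...) // header fields are authenticated
	out := make([]byte, 0, hdrLen+len(plaintext)+aead.Overhead())
	out = append(append(append(out, salt...), iterBytes[:]...), nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// openVault decrypts a synced file; every failure mode collapses into a single error.
func openVault(master string, file []byte) ([]byte, error) {
	if len(file) < hdrLen+16 { // 16 = GCM tag size
		return nil, errors.New("vault file truncated")
	}
	salt := file[:saltLen]
	iter := binary.BigEndian.Uint32(file[saltLen : saltLen+iterLen])
	// Checked BEFORE the KDF runs: at this point the header is still unauthenticated,
	// so a tampered iteration count must not be able to pin the client in the KDF.
	if iter == 0 || iter > maxIter {
		return nil, errors.New("unreasonable iteration count in header")
	}
	nonce := file[saltLen+iterLen : hdrLen]
	aead, err := gcmFor(master, salt, iter)
	if err != nil {
		return nil, err
	}
	// Wrong master password, or any bit flip in header or body, fails the tag check here.
	return aead.Open(nil, nonce, file[hdrLen:], file[:saltLen+iterLen])
}

func main() {
	entry := []byte("site: example.com\nuser: alice\npass: correct horse battery staple\n") // constructed sample entry
	file, err := sealVault("my master passphrase", entry, 600_000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the sync server stores (%d bytes), header: %s\n", len(file), hex.EncodeToString(file[:hdrLen]))
	if _, err := openVault("guess", file); err != nil {
		fmt.Println("wrong password:", err)
	}
	plain, err := openVault("my master passphrase", file)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(plain))
}
```

Run it with `go run .` and you get the header in hex (random salt, the iteration count, random nonce), a refusal for the wrong password, and the entry back for the right one. Sharing the file through Nextcloud, as the post describes, means the server sees only that header and ciphertext; the master password and the derived key never leave the client, which is the property a local-database manager relies on when you add a sync layer on top of it.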

If you use Nextcloud for sharing your files between your devices (and with other people), you can use the Passwords app. It's not the best, but it is good enough if you are already using Nextcloud (note that, as far as I know, the browser plugins do not encrypt the passwords locally unless the Nextcloud E2EE app is activated, which brings a whole lot of different issues).