Bit of Background on Password Managers
The key benefit of a password manager is that it lets humans use passwords that are hard for machines (usually directed by other humans) to crack.
It means we can use unique, long, non-memorable passwords across the various online accounts we use.
That reduces two of the key security risks of password-based authentication:
- password re-use - it's easy to use the same password for many accounts (less to remember), so many people do it. The trouble is that if any one of those accounts is compromised, the leaked credentials can be replayed against all the others, so every account is potentially pwned (check your accounts on haveIbeenpwned.com).
- simple passwords - vulnerable to brute-force and dictionary attacks. The simpler the password, the easier it is to remember, but the more trivial it is for a machine to guess.
The more online accounts we have, the harder it is to maintain strong unique passwords as a human, so we need a hand from the machines in the form of a password manager (hardware keys are another option for some accounts).
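To make those two risks concrete, here is an added example (my own code, not from any of the tools mentioned below): it generates a password from the OS CSPRNG, computes the entropy of a uniformly random password, estimates the expected time to brute-force it at an assumed guess rate, and flags reused passwords across a small constructed vault. The guess rate of 10^10 per second is an assumption standing in for an offline attack against a fast, unsalted hash; the sample vault entries are made up.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords (assumption: printable ASCII minus whitespace).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guess rate (guesses/second) for a fast, unsalted hash on GPU hardware.
ASSUMED_GUESS_RATE = 1e10


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, choices_per_position: int) -> float:
    """Entropy of a password chosen uniformly: length * log2(choices per position).

    A single word picked from a 100,000-word dictionary is entropy_bits(1, 100_000),
    i.e. about 16.6 bits, however long the word is.
    """
    if length < 1 or choices_per_position < 2:
        raise ValueError("need at least one position and two choices")
    return length * math.log2(choices_per_position)


def expected_crack_seconds(bits: float, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Expected time to find the password: on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def find_reused_passwords(vault):
    """Return {password: [sites...]} for every password used on more than one site.

    `vault` is an iterable of (site, password) pairs, e.g. an export from a manager.
    """
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def compare_strength(dictionary_size: int = 100_000, generated_length: int = 20) -> dict:
    """Side-by-side estimate: one dictionary word vs a generated password of `generated_length`."""
    word_bits = entropy_bits(1, dictionary_size)
    gen_bits = entropy_bits(generated_length, len(ALPHABET))
    return {
        "dictionary_word_bits": word_bits,
        "dictionary_word_seconds": expected_crack_seconds(word_bits),
        "generated_bits": gen_bits,
        "generated_seconds": expected_crack_seconds(gen_bits),
    }


if __name__ == "__main__":
    report = compare_strength()
    print(f"dictionary word: {report['dictionary_word_bits']:.1f} bits, "
          f"~{report['dictionary_word_seconds']:.2e} s to crack")
    print(f"generated 20-char: {report['generated_bits']:.1f} bits, "
          f"~{report['generated_seconds']:.2e} s to crack")
    print("example generated password:", generate_password())

    # Constructed sample vault: two sites share the same weak password.
    sample_vault = [
        ("mail.example", "Summer2021!"),
        ("shop.example", "Summer2021!"),
        ("bank.example", generate_password()),
    ]
    for pw, sites in find_reused_passwords(sample_vault).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
```

The reuse check is the part a manager does for you automatically; the entropy numbers show why "long and random" beats "long and memorable": a 20-character password from a 94-symbol alphabet is about 131 bits, whereas any single dictionary word, however long, is capped at the log2 of the dictionary size.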
Since LastPass changed their policies and now includes more tracking than seems appropriate (third-party trackers bundle someone else's code into the app, which is a supply-chain risk and a potential route for malware, quite apart from the creepy factor of being tracked), Hollie mentioned the CLI tool Pass, which Mesar introduced her to and which sounds awesome for desktop use.
I've been considering self-hosting PassBolt: a pretty much fully featured, multi-user password manager (self-hosting obviously means you have to keep it patched and up to date yourself, but it looks pretty good and covers all platforms).
For free password manager options with mobile apps, I've been leaning towards BitWarden. The free version is slightly restricted (no file storage and no hardware-key support, e.g. YubiKey).
There's also Buttercup, which uses several popular cloud storage providers as a backend (Google Drive, Dropbox etc.). The encrypted password vault is stored as a file in the cloud and decrypted locally by the mobile app or browser plugin, so the storage provider only ever holds ciphertext. Not the best UI, but free, open source and effectively multi-user, so it was my choice last year as a cheapskate option to let several users share a password vault.
Any suggestions and discussions would be very welcome!