Ask HN: Password manager with best experience on Linux?
38 points by asdkhadsj on June 25, 2019 | 76 comments
I've been really happy with 1Password, but it seems 1Password does not have a Linux client. They have what seems to be a browser extension (1PasswordX), but so far I've hated the 1Password browser extension on OSX, so I can't imagine using that full time on Linux.

With that said, I'm super happy with 1Password's UX on OSX. It sits in the tray, can be activated with a toggle, allows me to search a password name, and then keeps that site/etc active while you toggle back and forth between the app and 1Password Mini. Copying in this manner is quick and easy. This, plus excellent support for Windows/OSX/Mobile makes 1Password a joy.

What are you using on Linux and do you enjoy it? Any problems with it?




I use pass[0], which is essentially just a wrapper on top of Git and GPG. All your secrets are stored in text files that are then encrypted by your GPG key, which is then tracked in a Git repo that you can store anywhere. I use the PassFF extension[1] for Firefox, and Password Store for Android[2]. There are plenty of pass-compatible clients for all platforms and extensions for pass on the first site.

If I need to get my password for e.g. GitHub outside of Firefox, I just type `$ pass -c dev/github`, decrypt, and it's in my clipboard for 45 seconds.

[0]: https://www.passwordstore.org/

[1]: https://addons.mozilla.org/en-US/firefox/addon/passff/

[2]: https://github.com/zeapo/Android-Password-Store


The passmenu script for dmenu makes it even easier - just hit a keyboard shortcut, start typing “git”, hit enter and it’s on the clipboard.


Plus, as it's based on the tried and trusted GPG, it can be secured with a hardware token like a Yubikey.


I actually do this with the subkeys I put on my Yubikey, and thanks to the NFC capability, I can use it on Android.

I've been wanting to switch to a Yubikey with USB-C, since both my laptop and phone have that port and I don't have to rely on NFC, but this has been working fine so I can't really justify the cost.


Also using pass here.

Does anyone have an opinion/solution for the problem of exposing the list of everything you use a password for? The fact that pass doesn't encrypt that makes me somewhat uncomfortable about hosting the remote git repo on an Internet-accessible machine/service. Keeping the data "offline" (if such a thing exists) makes the sync across devices more challenging...


I originally used pass too and it's excellent; there's gopass too, which is an improvement on pass and works well for teams.

https://www.gopass.pw


What makes it better for teams than just pass?


Pass has no out of the box multi user support. Gopass allows encryption for multiple keys, hence better for teams.

I use it for the same reason to encrypt different folders with different keys (work vs. private).


I use gopass a lot, but the direction in which they took the pass API is absolutely horrible. The amount of irrelevant commands they added made it a UX nightmare.


Does this store in a format that can be pushed to any git repo? It isn't clear from the docs, or maybe I missed it.


It's essentially encrypted text, which Git handles just fine.


I use pass as well, along with a dmenu/rofi script.


> along with a dmenu/rofi script.

You make it sound custom, so I wonder if you know that pass's source repository and at least Archlinux's package includes passmenu which lets you access your passwords with dmenu.


I didn't know about this one, but looks perfect.

Thank you.


KeepassXC (https://keepassxc.org) combined with:

* Its browser plugin (https://addons.mozilla.org/firefox/addon/keepassxc-browser/)

* Syncthing (https://syncthing.net/) to synchronize across devices and mobile

* Keepass2Android Offline for Mobile access (https://play.google.com/store/apps/details?id=keepass2androi...)

Then the experience is close to Lastpass but only using opensource components.


Another vote for this setup. It works on all of my devices, it's FOSS, and my passwords are stored in a regular file that I can synchronize however I want. I also like the user interface.

The one downside is that the iOS client is unmaintained. I know nothing about crypto so I'm unfortunately not in a good position to contribute.


Take a look at https://keeweb.info/ too. It has built-in support for Dropbox, Google Drive, and One Drive. I also recommend Keepass2Android and sync to Dropbox. With the addition of a secret key file as an added requirement to unlock. So, in theory, you would need that key file and your master password to unlock the Keepass DB.


I too use KeePassXC, because I've used KeePass on Windows (and Android) for years and KeePassXC distributes an AppImage[0]. I just store the DB on Dropbox though. However, I've used Syncthing for projects at work and can recommend it as an alternative.

[0]: https://github.com/keepassxreboot/keepassxc/releases/downloa...


This is pretty much what I do. I ran into issues getting the browser autofill stuff to work so I've been copying passwords manually, but it's still better than typing even if I could somehow memorize them all.


Same setup, but I use Nextcloud to synchronize across systems.


I use Bitwarden on Linux, macOS, and iOS. It works fine; you may need to sync by clicking a button, and I use AppImages on Linux and I think I need to manually download updated images, but otherwise it's free and open source, the pricing reflects hosting and development costs. I think Bitwarden also supports 2FA.

I tried 1Password and switched halfway to Bitwarden; I think there's a quant firm that reviewed password managers and recommended Bitwarden, which I trusted more than those consumer-grade sites.


Bitwarden has a free tier in its hosted version. And even the hosted version with a paid subscription is very cheap compared to 1Password. Like 1/5th the cost or lower, depending on the plan.


I'm also a big fan of Bitwarden. I use it on Linux, my wife uses it on macOS, and we both use it on iOS. It allows us to share passwords seamlessly across all platforms.

I also like the command-line app that I can integrate into dmenu and the fact that it allows self-hosting.


1PasswordX nowadays is actually better than my 1Password OSX experience. You should try it. I'm slowly moving myself off of OSX over to Manjaro and I was shocked at how well 1px worked. It's more "the full app" than it is a "mini mini" like I assumed it'd be, but admittedly I haven't used it for a full 8-hour work day yet, so maybe I'll have complaints in a few months.

I cannot wait to finally get off of 1password completely, though. Their latest mini update is an absolute joke. They break app functionality or they shove a detour in my workflow several times a year. Usually connectivity between the miniapp and full app break and when you're someone who enters passwords all day long you really start to notice how much slower you are when your workflow changes. I've had to reinstall the app multiple times this year because some $bug broke connectivity between the browser and the full app.

1Password's Android app STILL does not have a password generator built in, so you'll never want to create accounts using it, but the rest of its functionality is pretty good. This is a huge annoyance of mine. I shouldn't have to go grab my laptop to make an account just to make sure I'm not using one of my in-memory passwords. Whatever password manager I pick would need full Android integration.


Funny enough, I just saw a blog post saying that the 1px does give some nice benefits:

https://blog.1password.com/why-i-switched-to-1password-x/


Wanted to bump this. I used 1Password for years on Mac. It is truly amazing.

I now use Linux about 60% of the time, and was worried about needing to switch password managers. But I was happy to learn that I can mostly rely on 1PasswordX in firefox on Linux. It is really good.


1Password's Android app definitely has the password generator, it's the little gear next to the password field.


I mean in the context of creating a new account, when the 1p app pops up in a password field, AFAIK there's no way from that to create a password. So you have to go into the app, generate one, then back out of the app and back to the app you're creating the password for.

Unless I'm just missing a part of the UX, which is totally possible.


Ah yes you are totally right. My bad!


Bitwarden on an Amazon Lightsail server. It costs $3.50/mo to self-host, which is very competitive compared to paid password managers.

I use bitwarden_rs[0], a server written in Rust which is a much lighter implementation that you can run on the cheapest 512 MB instance. The official Bitwarden[1] server uses Docker and MSSQL, which requires a lot of RAM.

You can run it on Linux through Firefox extension as well as on any operating system, including iOS and Android (native app). iOS and Android apps have system Password Manager integration which allows you to skip running app manually in most cases.

[0]: https://github.com/dani-garcia/bitwarden_rs

[1]: https://github.com/bitwarden/server


Have you tracked or checked how well bitwarden_rs keeps up with mainline Bitwarden on changes and fixes?

I’m usually concerned about these forks getting way behind or getting abandoned after sometime. At least mainline Bitwarden has paid subscription tiers to support ongoing development and maintenance, which may provide some predictable income for that.


Their GitHub page has activity, and the last merged PR commit was 7 days ago. Running this for 3 months now after I migrated from 1Password, I can say that everything the extension has (password generation, notes, file upload, etc.) is supported by the server, as well as a nice web UI.

Security-wise, I used nginx over my custom domain to enforce HTTPS and put bitwarden app itself behind a firewall.

As a bonus, bitwarden_rs also enables all premium features for you ("You are a premium member!" label is by default in every client).


Why not use Bitwarden through their Browser add-ons (Firefox, Chrome etc.)? I’ve only used the desktop app on OSX but I tend to default back to the in-browser experience since it’s more integrated.


I use both. When I need to login to a desktop application (iTunes, Steam, etc), opening up my web browser just to copy out my password is a little awkward.


I used to use KeePassX. Then KeePass switched to C# and Mono, and I wasn't interested in running that on Linux. Then I found Enpass. The Linux app is high quality, it syncs with my cloud of choice, and it has Win/Mac and Android/iOS apps for a seamless cross-platform experience. I can't recommend them enough. Plus it's $10 per app with no other fees and no fee to upgrade to new versions. Much better than paying subscription fees, or a fee for each new major version.


I use lastpass. It's very reliable, I can use Duo 2FA with it, works perfectly on OSX/Windows as well, AND they have an open source [CLI](https://github.com/lastpass/lastpass-cli) for linux that's blazing fast to use. Wasn't super popular here b/c of the parent company, but their security seems to be great and it "just works".


I use Pass[1]. Before, I had some magic ways to invoke it via keyboard shortcuts on Mac with Keyboard Maestro, but now, since I always have a terminal window one key away (F12), I just use that.

[1] https://www.passwordstore.org/


Bitwarden


This! I've moved from LastPass to BitWarden and I like the clients way better. Browser extensions, desktop, mobile (iOS), CLI all work pretty great.

Its core is open source and you can run your own server if you want.

For my less critical accounts even the 2FA token is stored in it.


I was actually under the impression the whole thing was open source. Out of curiosity, what is closed?


I think all of it is open source


+1. I migrated to Bitwarden from LastPass last year and haven't looked back. The desktop apps and browser extensions are fantastic and the UX is wonderful.


+1 for Bitwarden.

Free for teams of 2 (perfect for my wife & me) and has a Linux app. Runs great on my ThinkPad running pop_os!


Curious, how did you come to the decision to run pop_os on non-System76 hardware? I've found pop_os and Ubuntu similar enough that they've proven interchangeable.

And how is the experience?


Actually I haven't used plain Ubuntu since 14.04, so can't credibly say how close they are now.

For 16-18 I used Lubuntu. This required a bunch of little customizations and 3rd party apps to get it close to OSX (the standard for me).

Pop_os didn't require me to write scripts to get the touchbar or brightness keys to work. Plus, since it was bundled with Nvidia drivers, it was by far the most seamless install experience. The defaults fit my workflow better than Lubuntu at a minimal cost. It's very slick without taking away functionality.


For all-around use I like https://keeweb.info/. It uses KeePass formats. Save your DB to WebDAV, Dropbox, Google Drive, or OneDrive. You can download an app and run it, or run it in your browser. I run the app version and use KeePassHttp-Connector and auto-type (works in other apps beyond a browser) to fill in username and password. You can also store Google Auth TOTP (HMAC-based OTP) as a backup too. I would store it in a separate DB.
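Two comments in this thread mention keeping TOTP seeds in the vault (one as a backup, one for less critical accounts). The following is an added example, not code from the page, from KeeWeb or from any of the managers discussed, showing what a stored seed is: it is the whole second factor, since anyone holding it can compute every future code, which is the reason for the "separate DB" advice above. It uses the reference seed published in RFC 6238, written in the base32 form that otpauth:// URIs and authenticator apps import; the `verify_code` drift window is an assumption of the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238's published reference seed (ASCII "12345678901234567890"), written in the
# base32 form that otpauth:// URIs and authenticator apps use. Not a real account seed.
EXAMPLE_BASE32_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(base32_seed: str) -> bytes:
    """Authenticator apps store the seed base32-encoded, often with spaces or lowercase."""
    cleaned = base32_seed.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(seed, counter) to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(base32_seed: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch.

    This is exactly what an authenticator app (or a vault holding the seed) computes.
    """
    now = int(time.time()) if at_time is None else at_time
    return hotp(decode_seed(base32_seed), now // step, digits)


def verify_code(submitted: str, base32_seed: str, at_time: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step or up to `window` steps either side
    to tolerate clock drift (window size is an assumption of this example).

    hmac.compare_digest keeps the comparison constant-time.
    """
    now = int(time.time()) if at_time is None else at_time
    seed = decode_seed(base32_seed)
    for drift in range(-window, window + 1):
        expected = hotp(seed, now // step + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: t=59 -> 8-digit code 94287082
    print(totp(EXAMPLE_BASE32_SEED, at_time=59, digits=8))
    print(totp(EXAMPLE_BASE32_SEED))  # the code an authenticator would show right now
```

The seed never changes while codes do, so a vault entry containing it is as sensitive as the password it is meant to back up; storing both in the same database collapses two factors into one file.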


http://www.masterpasswordapp.com/

I use this. Check it out to see if it meets your requirements.


I quite like KeePassX. Syncs with a Dropbox file and I can use it across all my devices. It's not that fancy but has done the job for years on my systems.


I've used KeePassX + Dropbox for 5 years across Windows, Linux, OSX, iPhone and Android. With Dropbox's restriction to 3 devices, and since this is the only thing I use Dropbox for, I'm currently looking at LastPass instead.


I would recommend BitWarden over LastPass any day of the week and twice on Sundays.

I originally used LastPass for a long time, but it went downhill fast with its sale to LogMeIn and the retirement of the old Firefox extension.

Switching to BitWarden was a delightful experience and I haven't been disappointed with it yet.


I stumbled upon Buttercup a while ago. https://buttercup.pw/

It's cross-platform with a decent user experience. The only thing that bothered me was its use of a lot of NPM packages from random vendors. It is a minor thing. I assume they do npm audit and everything. Worth taking a look.


I used Enpass for a long time but it's just not good. It was, then it got a big update that made it worse; I waited a long while for it to get better but nothing happened, so I decided to move on. This is when I found out that there was no way to export passwords from Enpass in the latest version, so I had to do it manually. Not cool.


pass is simple and kind of neat. https://www.passwordstore.org/

or passit looks kind of cool, but I haven't used it. https://gitlab.com/passit


I've used Linux as my daily driver for over 10 years. While not popular with some, I've had zero issues with LastPass. Browser plugin, Android app, supports MFA, just works.

Most importantly, I can share select passwords with my wife, who uses Windows/iOS.


I'm using Keeweb with Dropbox, it's nice enough and accessible on my other devices.

https://github.com/keeweb/keeweb/


To amend that, it seems Lastpass has a CLI! While this may not be the best UX, I can likely make it good enough. Even writing a client myself might be possible with a CLI backing it. So at least that is promising.


I use my own tool written in bash: https://github.com/rekcufniarb/pswrd#readme


KeepassXC - it's not as comfortable as Keepass on MacOSX but it does the job. And it's open source with no one in danger of running away with your passwords.


Honest question: why doesn't everyone just use hash functions for passwords? Generating a Base64 string from a secret salt + the website name sounds ideal. This is what I do, and it works very well.


I actually tried doing this at some point before 1Password. One obvious problem with this approach is when you’re forced to change your password. You can’t change salt, or hash function for obvious reasons, so you have to change site name.

At some point guessing the original input becomes tedious, when you're trying to remember if your GitHub password has the name "github.com2" or "github.com-3".

Edit:

Completely forgot about another huge usability issue. Some sites enforce weird rules for what symbols are allowed, or what length your password should be. Every time your function generates something that doesn’t pass validation, you’re forced to pretty much revert to your pre-password-management behavior. Obviously you won’t remember that a year later when you suddenly realize that generated password doesn’t work.


Standard issues with these derived password schemes:

* Are you sure your algorithm can't be reversed?

* What do you do if your normal username is taken?

* What do you do when the site's name changes?

* How do you handle forbidden and mandatory characters?

* How do you handle forced rotation?

* What about extraneous crap like security questions, phone PINs, emails, related sites, &c.?

* How do you access it on other devices?

* How can you track down old accounts to close them down?

If you go on listing the issues, you wind up writing the requirements document for a password manager.


> If you go on listing the issues, you wind up writing the requirements document for a password manager.

One difference, though, is that most of the issues can be addressed by some sort of persistent data store that does not need high security. Once you've taken the passwords themselves out of what your password manager stores, I think this is the only thing on your list that requires storing highly sensitive data:

> What about extraneous crap like security questions, phone PINs, emails, related sites, &c.?

For the rest, such as some sort of per site version serial number to handle password rotation, or a map from current site name to original site name for sites whose names have changed, it is also sensitive data, but it is on a level of sensitivity like a contact list or browser bookmarks for which your ordinary OS security mechanisms for file protection should be sufficient.



Passwords are not just for websites, the same service has different domains, sync is free, there's autocomplete on mobile, passwords are not the only thing I want to save, etc.


For one, you only get a single password per site, so you can't rotate them, or have multiple accounts unless you add the account name to the inputs.

Secondly, different sites have different requirements, so your generated passwords might not work everywhere.

Finally, a password manager lets you store more than just a password for each site, and it can let you store passwords and secrets for things other than websites.


> For one, you only get a single password per site, so you can't rotate them

Well, I know Lesspass[0] has a 'counter' so that if you need to change a pass you simply increment it by one and you get a new hash.

https://lesspass.com/#/


Huh? How is this a solution?

If your password gets leaked I can just: recognise that it's base64, decode it, see your salt and then all of your other passwords are essentially open to me?

Edit: Oh, is the salt different for each site? I don't get why you'd ever do this instead of generating an entirely new password though, you aren't solving the storage problem.


I think you missed the "use hash functions" part. It would be something like base64(H(salt||example.com:1)). The ":1" suffix is there for when you have to change your password: you can increment to ":2" because ':' is not valid in a domain name.

This doesn't solve all the other problems with this system, like what if there are multiple logins on the same domain? what if the site has esoteric password requirements? what if the requirements change? if your salt leaks you don't have a list of sites to know to go change your password. etc etc. Not my favorite solution for practical reasons, but it's cryptographically reasonable at least.


I've thought about a similar method but I'm not sure it would be portable for me. First, I do not always have access to a hashing function. Secondly, what happens if a website URL/name changes? For me, I can't remember all the exact details, so I use a manager.



How do you handle password rotations? I am intrigued regardless.


A new salt probably


Base64 can be decoded. A hash cannot be reversed (should not be able to be). That means if someone gets the hash, he can only guess the password by hashing all his guesses and checking the outputs. That takes a long time compared to being able to decode and read the password directly.
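The derived-password scheme debated in this sub-thread, as an added example that is not code from the page or from Lesspass: it implements the base64(H(salt||example.com:1)) construction with the ":counter" rotation suffix, contrasts it with the hash-less base64 that one reply feared, and walks through the practical failure modes the replies list (site renames, site character rules, the counter state you must now remember). HMAC-SHA256 is assumed in place of the unspecified H, and the secret and the site policy are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed secret for this demonstration only; a real one is long, random and never in source.
EXAMPLE_SECRET = b"constructed-example-secret-do-not-reuse"


def derive_password(secret: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """base64(HMAC-SHA256(secret, "site:counter")), truncated to `length` characters.

    The ":counter" suffix is the rotation trick from the thread: ':' cannot appear
    in a hostname, so "example.com:2" cannot collide with another site's label.
    HMAC is an assumption of this example, standing in for the thread's H(salt||label).
    """
    label = f"{site}:{counter}".encode()
    digest = hmac.new(secret, label, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def naive_encoding(secret: bytes, site: str) -> str:
    """The construction one reply feared: base64 of salt + site with no hash at all."""
    return base64.b64encode(secret + site.encode()).decode()


def leaks_secret(password: str, secret: bytes) -> bool:
    """Decode a leaked password as base64 and check whether the secret is in the result.

    True for naive_encoding (base64 is an encoding, not a hash); False for
    derive_password, whose decoded form is only digest bytes.
    """
    padded = password + "=" * (-len(password) % 4)
    decoded = base64.b64decode(padded)
    return secret in decoded


def meets_policy(password: str, forbidden: str = "+/", need_digit: bool = True,
                 need_upper: bool = True) -> bool:
    """Constructed example of a site rule set: no '+' or '/' (both appear in base64),
    at least one digit and at least one uppercase letter."""
    if any(ch in forbidden for ch in password):
        return False
    if need_digit and not any(ch.isdigit() for ch in password):
        return False
    if need_upper and not any(ch.isupper() for ch in password):
        return False
    return True


def first_accepted_counter(secret: bytes, site: str, max_tries: int = 64):
    """Bump the counter until the derived password satisfies the site's rules.

    The accepted counter is state the user now has to remember per site; that is
    the usability problem raised above (was it "github.com:2" or ":3"?).
    """
    for counter in range(1, max_tries + 1):
        if meets_policy(derive_password(secret, site, counter)):
            return counter
    return None


def rotation_demo(secret: bytes, site: str) -> dict:
    """Rotation (counter bump) and the rename problem side by side."""
    return {
        "current": derive_password(secret, site, 1),
        "rotated": derive_password(secret, site, 2),
        # If the site renames itself, the label changes and the old password is
        # unrecoverable unless the original name was recorded somewhere.
        "after_rename": derive_password(secret, site.replace(".com", ".io"), 1),
    }


if __name__ == "__main__":
    site = "github.com"
    print(rotation_demo(EXAMPLE_SECRET, site))
    print("naive encoding leaks secret:", leaks_secret(naive_encoding(EXAMPLE_SECRET, site), EXAMPLE_SECRET))
    print("hashed form leaks secret:  ", leaks_secret(derive_password(EXAMPLE_SECRET, site), EXAMPLE_SECRET))
    print("first counter the site policy accepts:", first_accepted_counter(EXAMPLE_SECRET, site))
```

The per-site counter, the original site name and the rule set each site enforces are exactly the persistent store the thread ends up describing; the derivation removes the need to store the passwords themselves, not the need to store that list.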


I'm lazy so I use FF's built-in for anything web.

Then gnome keyring with PAM auth upon user login (again, lazy).


I'm curious; how do you generate your passwords?


Google Chrome has a nice feature for that. Yeah, I know it isn't an efficient workflow but too lazy to change at the moment.



