If you're using a *nix system: https://www.passwordstore.org/ I switched over from LastPass a few months ago. It uses gpg for encryption and supports git for password syncing between systems. Pretty simple to set up and use. There are quite a few third party apps for it already (both desktop and mobile)
`pass` is based on a well-established cryptography implementation: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the Edward Snowden documents.
It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.
KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography. (see e.g. [0]) That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.
I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.
I tried LastPass, but didn't trust them, so I found https://www.passwordstore.org/ about a year ago. I can't emphasize enough how good it is, mainly because it is so dead simple and transparent in how it works, and also because it has great bash integration, and uses git which makes it easy to sync between your machines. There is also a Firefox plugin that integrates with it, but I don't really see that you need it: it is so easy to use at a prompt.
Don't use anything that runs in the DMZ (browser), if you care about your secrets.
I use keepassx, which requires manual search, copy, paste but it can store its vault on a cloud drive, mobile etc. and can have a key file or password.
Autotype is a bit risky because it assumes you've got the correct window/element focused. All it takes to expose your passwords is for a pop-up (e.g. instant message) to appear at the right moment.
Even if you don't hit the enter key/submit the form it is still possible for that incorrect window/app to grab your keystrokes.
I switched to 1Password after LastPass got acquired. I obviously have no special knowledge of how secure it is, but it's serving me well. OS X browser integration is excellent, iOS integration mediocre.
How easy is it to migrate from LastPass to 1Password? I've had the worst experience with their tech support (reported 2 bugs that have both been scrapped as WONT FIX) and really don't want to support them as a premium subscriber anymore.
If you encounter any trouble please write in to support at agilebits dot com and mention "Kyle" somewhere in the body of the email and I'll get notified. You should be fine though, but every once in a while we have someone encounter trouble with the import from LastPass.
I checked out the pricing model and didn't see anything that made sense to me as an individual user. Is there any plan for an affordable individual plan (in the range of $10-20/year)?
As a Mac/iOS user, I don't see myself shelling out $60 for a desktop license and then another $10 for an iOS license on top of it. I'm sure your profit margin is great, don't get me wrong, but as a buyer that is just overkill.
The individual plan is the lowest cost subscription option, and standalone is an option if you would like to try to spread the cost out between releases, but you would have to pay for any major upgrades as those are not included.
I'd say many people don't need the Pro features in the iOS version, it's possible that maybe you won't either? Depends on how you use it I guess. Probably the biggest reason to get the Pro features is multiple vault support (you can add additional vaults that were created from the desktop versions). With the free version you only get the one vault.
If you use the app like most people, you'll be using it dozens of times a day. Even if it's in small interactions, those do add up. I've been trying to convince the team to add some sort of individual statistics that were stored locally for users to see, but I suspect this would probably help you decide that regardless of price it would be worthwhile :)
In the end, the choice is yours though. We certainly want to hit the price point for all users that we can, but we do have to keep the lights on or the product disappears. We aren't priced at a point where we're trying to acquire users in bulk so we can sell to another company. AgileBits is privately owned and has never taken outside funding. Something to be aware of when you're talking pricing I suppose. At least one factor.
I put my elderly parents onto 1Password and they "got" it.
The hardest part of the migration for my parents was 1) demystifying the spaghetti mishmash my Dad had in place to manage his passwords, 2) getting Dropbox set up correctly between Mom & Dad for vault sharing, 3) training my Mom how to use it, and 4) educating Dad on how to manage website edge cases.
I would hope that 1PW has an LP migration tool, but if they don't, Dad was able to clean up his historical garbage one by one. The password capturing process in 1PW is good enough that this worked nearly seamlessly.
Finally, I've had nothing but positive results from posting questions in the 1PW forum.
Disclaimer: I work for AgileBits, makers of 1Password
Yea, we hear you there. I (and others on the team) wish we could make this happen, but priorities are a tough one. Linux in general didn't fit all that great in our standalone license model before, along with being closed source. Now with the subscription option for individuals (new today), families and teams we have made the payment side a little less of a concern but we still have the closed source nature of things making Linux a harder target to hit.
We're probably in a better position now than before though. Every time I asked a Linux user who wasn't asking for this they said they had no interest in paying for closed source software. I wanted all the positive response I could get to show to the decision makers but I fell short in getting it.
This is all to say it's simply a complicated situation. It has to either make money to pay for its development, or the others have to offset it enough that it's a win for us so we can keep the lights on.
Hope that helps a little anyway. I know it's not the answer you wanted but I hate leaving people like yourself wondering why it feels like we aren't listening.
Is there a feature comparison or reasoning you may have about why 1Password may be better than KeePass? I have been using KeePass as I use Linux, Windows, and my phone for accessing my passwords. I am wondering if 1Password has some neat helpful features that KeePass doesn't. I am considering switching to a new password manager.
We don't generally do feature comparisons. So many products operate under different sets of requirements that comparison charts can be very easily rigged to make one thing look significantly better than the other.
I can tell you one thing that is indisputably better about 1Password though.
Support.
Quite literally. We have a team of over 30 customer support personnel (in addition to myself and other developers who pitch in for a part of our day). We're here to help if you run into problems, encounter a bug, have feature requests, or generally just want questions answered about how we do things or why something is done the way it's done.
KeePass, as noble as it is to have an open source and free product, is run and improved by volunteers. I realize that not many people on Hacker News really care that much about support since we're all typically very capable people, but as someone who has been with AgileBits for nearly 5 years now, I've seen a whole lot of the weird edge cases that can exist because some webpage is doing something incredibly weird or some particular computer setup is causing problems. It can be really helpful to know that there are people who can look into these things for you instead of having to know it yourself.
1Password does have a 30 day trial (both for our standalone product and for our individual/family/team subscriptions). You can try it yourself and see how it works for you. And as always, if you have questions during this time you're welcome to get in touch (support at agilebits.com, mention my name if you want and it'll notify me) and we'll help you get things set up. We think the product speaks for itself and we're happy to fill in any gaps if you need more :)
Coincidentally, a bunch of Dropboxers are working on a version of 1Password for Linux written in Rust (it's Dropbox's "Hack Week" right now). Hopefully we can open source it soon. Looking good so far!
If you have any questions that we might be able to answer, please shoot me an email. kyle at agilebits.com, or support at agilebits.com. I work on our Mac/iOS teams and security teams. I can probably answer most of your questions and at least get them in front of people who can answer them.
I really hope you're not making this work with AgileKeychain, we've put that one out to pasture. :)
I have been using 1Password since version 3 and highly recommend it. I personally am quite happy with the iOS support, synchronization, and mobile Safari extension.
I just read the whitepaper (I am a long time Dashlane user) and they have a section on the security of their JavaScript/browser extensions. They say that their extensions all use C++ so execute entirely outside of the JavaScript context. This would not have prevented the LastPass exploit since all that was required was a malformed URL, but it is nice to see that Dashlane is thinking about this stuff. Also, had LastPass not used JS this exploit would've been harder to find (though not impossible).
Hello Julsimon, this is Simon from Dashlane's Support team. Thank you for your feedback. We have indeed run multiple checks on our end and can confirm that we are not vulnerable to this type of issue. The code used for our auto-fill functions is shared on all our platforms and has been audited multiple times.
I don't know about best practice, but it integrates closely with Git. I store the encrypted passwords in a remote git repository. That means if someone else had the same GPG key and the password for that key, they could simply clone the repo and obtain the passwords. Equally they could add passwords and push them to the repo.
So that seems like a reasonable way for people to share them. However, I only use it for myself so I may not have thought of all the gotchas.
I found this alternative when LastPass was acquired by LogMeIn. I was not happy with this. This app doesn't have a hacking or vulnerability history like LastPass.
Why not? I've been using it for about a year now (switched from LastPass) and haven't had any issues. Kind of miss the in-browser features of LastPass, but seeing as how those are what's being exploited, maybe not so much!
There are browser extensions that work with KeePass. This LastPass vulnerability makes me wonder, too. I wish the KeePass site would be 100% HTTPS, though, but the maintainer is a jerk in that regard.
My team and I have been using 1Password Teams (https://1password.com/teams/) for this. They also have a Families service if for some reason you want to do the same thing with family and friends.
That's a very bad recommendation. Very few people are capable of remembering unique 10-character passwords for each site. I have like 100 passwords and accounts for various systems and I'm certainly not able to remember each of them. So either I start reusing passwords or I use a password manager.