I moved from LastPass to KeepassX. It's not perfect, but it's pretty darn good. I use Dropbox (I know, I know) to sync my vault across devices (I also have the vault backed up externally), and I use Passlfox + KeepassHttp to autofill the browser.
It was a total pain in the ass to set up, but now that it's working it's almost totally pain free. On iOS I use MiniKeepass. I would love to use KeepassTouch, but they won't release their source code (GPL fork of MiniKeepass) to check, so I'm stuck with MiniKeepass.
I have a similar configuration, a KeePass file synced across my devices with Syncthing, and it's pain free. I never think about Syncthing ever since I configured it. My only worry is if all devices fail at once, I could lose my entire password safe, but that's highly unlikely.
We tried passpack at work for a while to be able to share passwords across a small group of people and it wasn't a great experience, mostly because we always had to manually share everything to everyone in the group.
We moved to Lastpass recently because we can have group passwords. Turns out that you cannot even copy the password without displaying it, which I'm very surprised by.
In comparison, KeePass would be worse when it comes to sharing between a group, but for a single individual, KeePass + Syncthing is amazing. I don't use any plugin, I just open up KeePass, ctrl + f to find the entry, ctrl + b to copy the username, ctrl + c to copy the password. With those shortcuts, it's quick enough for me.
I'm not overly interested in maintaining my own sync service. I'd happily pay for a hosted version of SyncThing (assuming I could verify it) that I don't have to maintain.
I try to balance convenience with security, without being too zealous about either.
Syncthing runs locally, you don't run a separate server with it (although you can, as another participant in the list of clients). When two clients see each other on a local network, or over the internet when you allow the use of the open discovery servers, they sync data. There is no cloud or central service (beyond the optional use of the global discovery servers).
You don't have to maintain anything beyond setting it up and reconfiguring the clients allowed after reinstalling the OS on a client, and occasionally checking on it and updating the software. It's pretty low maintenance.
Passwordstore¹. A single, simple back-end specification — a file and folder hierarchy where each plain text file is encrypted using GnuPG — and a number of clients for any common platform.
If you want to keep it simple, just use the command-line `pass` utility. You can verify the workings of that fairly simple script yourself.
If you want to share your database across multiple machines, you can use git, or a non-cloud synchronisation tool such as Syncthing². You can even encrypt (parts of) your password tree for multiple recipients (all using OpenPGP key-pairs).
Personally, I really like the setup I have with Syncthing and `pass`.
We tried the multiple recipients thing. For operations staff and technical users it is fine, but pass just doesn't work for non-technical users. Even with some of the GUI apps out there.
I was looking for a password manager for a long time and ended up with KeePass. There is a KeeWeb version, which looks neat, but I think the original KeePass app is better because of better plugin support.
I use a key file and a master password to access my password storage, which is hosted at Dropbox, which is behind 2FA. The key file is hosted locally. So I believe this is more secure than just using a master password.
For iOS, I use MiniKeepass; you can export the password database from Dropbox if you install the app. The need to export the password database to MiniKeepass each time you make an update on other devices is kind of annoying, though.
There is a plugin for connecting KeePass to Dropbox, and Firefox has a plugin for autocompleting and saving passwords to KeePass, so for me it works perfectly fine on desktop.
But in the end, I don't pay for a password manager, and I can control my own data.
What do you mean by powerful? I was a very happy user of 1Password, but their lack of Linux support caused me to leave.
I migrated to https://www.passwordstore.org and am perfectly happy. I always used the keyboard driven password search to retrieve passwords in 1Password. On Linux I just use dmenu. It is as good as any other password manager and I don't have to worry about problems like the ones in this article.
I still like 1Password, but I won't be going back.
I still recommend 1Password if you need cloud sync. KeePassX is a good local storage GUI alternative. Or just use Keychain on a Mac.
I meant powerful in terms of the features it offers - for example strong password generation, keyboard shortcut driven UI, browser extensions, fingerprint scanner integration, different storage engines, categories for secure non-password stuff like credit cards, OTP support, shared vaults (over third party storage providers) and even stuff like the icons for each service are useful.
1Password has so many useful features, but the push towards the subscription model feels like Agilebits might phase out all other storage engines eventually, regardless of what the official line is right now. At least maybe they'll branch into Linux support if the subscription model brings in more revenue.
`pass` is a CLI application. It has tab-autocompletion and everything. It doesn't get more efficient than that (tip: use `pass find` to search for entries).
> different storage engines
It's just OpenPGP encrypted plain text on disk, not sure what more you could want, but there is support for Tomb (https://www.dyne.org/software/tomb/) as well. Anything you expose to the filesystem works of course, including services like SFTP.
> shared vaults
Syncthing or git, and the use of multiple OpenPGP recipients. (See `.gpg-id` in the `pass` man-file.)
> categories for secure non-password stuff like credit cards,
It's plain multi-line text. The only convention is that the first line is intended for the password or secret data that clients would copy to the clipboard. You can store whatever text you want.
And because it is open and just files, it took me 30 minutes to hack up a Python+dmenu script. Combined with the speed of an SSD, an entire walk of the tree is <100ms.
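The store layout described in this thread (a directory tree of GnuPG-encrypted files, with `.gpg-id` files naming the OpenPGP recipients of a subtree) is simple enough to walk with a few lines of Python. The following is an added example, not code from the thread or from the pass project; it assumes only that layout, constructs a throwaway sample store with placeholder key IDs, and reports which entries are encrypted to more than one recipient, which is the list worth reviewing when someone's key is removed.

```python
"""Walk a pass(1)-style password store and resolve each entry's OpenPGP recipients.
Added example, not code from the thread or the pass project. Assumes the layout pass
documents: <name>.gpg files in a tree, plus .gpg-id files listing key IDs that apply
to their whole subtree unless a deeper directory has its own (nearest ancestor wins)."""
import tempfile
from pathlib import Path


def walk_store(root):
    """Return {entry: [key IDs]} for every *.gpg under root; entry is the relative
    path without .gpg, i.e. the name given to `pass show`. Dot-entries are metadata."""
    entries = {}

    def recurse(directory, inherited):
        gpg_id = directory / ".gpg-id"
        if gpg_id.is_file():
            inherited = [line.strip() for line in gpg_id.read_text().splitlines() if line.strip()]
        for child in sorted(directory.iterdir()):
            if child.name.startswith("."):
                continue                      # .gpg-id, .git, .extensions
            if child.is_dir():
                recurse(child, inherited)
            elif child.suffix == ".gpg":
                entries[child.relative_to(root).with_suffix("").as_posix()] = inherited

    recurse(Path(root), [])
    return entries


def shared_entries(entries):
    """Entries encrypted to more than one key: the set to review when a recipient
    leaves, because editing .gpg-id alone does not re-encrypt the existing files."""
    return sorted(name for name, ids in entries.items() if len(ids) > 1)


def build_sample_store():
    """Constructed sample store with placeholder key IDs (no real keys, empty files)."""
    root = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (root / ".gpg-id").write_text("ALICE-PLACEHOLDER-KEYID\n")
    (root / "personal").mkdir()
    (root / "personal" / "email.gpg").touch()
    (root / "work" / "shared").mkdir(parents=True)
    (root / "work" / "ldap.gpg").touch()          # inherits the root .gpg-id
    (root / "work" / "shared" / ".gpg-id").write_text(
        "ALICE-PLACEHOLDER-KEYID\nBOB-PLACEHOLDER-KEYID\n")
    (root / "work" / "shared" / "vpn.gpg").touch()
    return root
```

Point `walk_store` at `~/.password-store` to list a real store; the script never decrypts anything, it only reads file names and `.gpg-id` files.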
The shell interface is good. Especially `pass search`. Simple but effective.
It has gotten quite popular as well (amongst technical folks anyway). It is basically just a giant shell script. You can almost sense the author's frustration. FINE, I will just write a password manager myself. This started as a simple 30-line shell script. Then you get into hacking on it. Then you figure FINE, I will polish it and release it. :)
I changed from Lastpass to Enpass. It has clients for OS X, Windows, Linux, iOS and Android.
And it can be synced with Dropbox, Onedrive, Box, Google Drive, iCloud or Owncloud/WebDAV.
I am not necessarily recommending this, but presenting it as an option. I use a VeraCrypt (nee TrueCrypt) archive with a plaintext file in it. This has advantages (simplicity, security through obscurity) and disadvantages (no auto-form-filling, which is a good protection against phishing[1]). It's worked for me for well over a decade.
I'm using Forgotit? (http://www.peppermind.com) because I wrote it. However, it's not equivalently powerful - no syncing, no browser integration at all, etc.
It's also not open source so I don't recommend it to anyone but me. :-)
My gmail account is my password manager.
I click on the forgotten password link every time I need to log in pretty much everywhere and paste in some random thing I typed in notepad.
KeePass or KeePass X. But keep in mind that not having cloud storage also means you have to worry about syncing yourself. And if your solution is to sync the database as an amorphous blob, you can basically kiss multi-user access goodbye.
KeePass 2 has built in synchronization functions.
But I have to admit that I never tried using it because I keep my database stored on a pen drive which I take with me if I know I need my stored passwords.
> KeePass 2.x features a powerful, built-in synchronization mechanism. Changes made in multiple copies of a database file can be merged safely.
> After synchronizing two files A and B, both A and B are up-to-date (i.e. KeePass saves the merged data to both locations when performing a synchronization).