As a 1Password customer who's been pretty unhappy with how the company took my money for a full version and has, since, been pushing me towards a subscription (making the non-subscription version/features harder to find, no Windows version, etc), I'm seriously considering switching over to Enpass [1]. The UI is pretty similar to 1Password and most of the features are there. It can sync with Dropbox and a few other cloud storage services and their monetization strategy seems pretty reasonable (desktop is free, mobile costs $9.99). I'd encourage any disgruntled 1Password users to give it a test drive.
Have you put much energy into making sure that Enpass is secure? Do you know who's reviewed it, and what their review looked like?
It bothers me when people point to other password managers as alternatives to 1Password because of packaging and pricing issues. It's easy to find other commercial password managers that have attractive packaging and pricing! That's not the hard part!
I happen to like 1Password as a product, but that's not why I recommend it.
> Have you put much energy into making sure that Enpass is secure? Do you know who's reviewed it, and what their review looked like?
I'd really like to know this as well.
I'm aware that LastPass doesn't have a perfect security record, but because of its prominence it gets lots of attention from hackers and security researchers, security issues tend to be well-reported, and the responses to them seem to be reasonably transparent and proactive.
In contrast, Enpass appears to be a side-project of a small app development house in India. Did I miss a memo where Security Expert X said Enpass is better than LastPass?
Since neither of them is open source, I haven't put energy into making sure either of them is secure. Not being a security researcher or having access to either product's code, I'm not sure how I could be expected to perform that level of evaluation, but I've built systems that have passed security reviews and, from a non-privileged access point of view, I see little difference between the two. Enpass does seem to handle security incidents in a pretty responsible fashion. They post blog updates on vulnerabilities (e.g. https://www.enpass.io/blog/an-update-on-the-reported-vulnera...) after releasing fixes. It's great that you recommend 1Password based on some other criteria, but I'm not sure why your recommendation should mean anything to me unless you've been given some privileged access to their code that the rest of the world doesn't have, and if you have been given that type of access, it's irresponsible of you to denounce other products unless they've denied you similar access.
What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Running closed-source software on our own computers involves a level of trust in the authors of that software. That's just a fact of life when software isn't open source. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. This is not true of software running on the company's servers. In so much as the security of 1Password requires executing a single line of code on servers controlled by 1Password, the product is insecure and fundamentally unauditable because that line of code can be changed at any time without users being made aware.
The other point that should probably not get lost is that we're dealing with levels of security. In advocating for password managers, the interface absolutely does matter. Most computer users haven't adopted any password manager yet. When comparing a secure but difficult to use password manager, a potentially insecure password manager with an easy-to-use UI and a combination of insecure passwords, post-it notes and all the other terrible ways that users have of "managing" their passwords, the middle ground is likely to come out ahead for all but the most technically adept users. Need proof? PGP/GPG passes security reviews but has terrible UIs...what percent of emails are PGP/GPG encrypted? We shouldn't let the perfect be the enemy of the good. There can be different classes of security products for those that need protection from state-level actors and those that don't. Because people who are worried about that level of attack are generally willing to undergo a lot more pain to stay secure than your average user is.
I don't understand this mentality of getting angry that a company wants to migrate to a subscription fee so they can have sustainable income. You have a full version, so continue using it, but it's not fair to expect updates for free in perpetuity across platforms and browsers in today's churning software ecosystem.
1Password is an incredibly complex, solid and polished suite of software products that provides an essential security function. It absolutely boggles the mind that people get up in arms over the idea that they would be forced to pay $36 each year to use it.
Did I ever say that I expected "updates in perpetuity"? I said (in another comment from the one you replied to) that I expect the software to "work in perpetuity." That's a very different requirement that requires AgileBits to do absolutely nothing except not tie it to their own cloud services. But I did pay them over $60 a little over a year ago, so I think it's fair to expect a few bug fixes. And it's fair to expect them to not hide the download link for when I need to install it, since that's explicitly allowed by the license I purchased. And, since the software auto-updates, I think it's fair to expect them to not push out updates that make it harder to use the software or otherwise push me towards a subscription model that I'm never going to accept.
It boggles my mind that people are so quick to support a company that's making changes solely for their own benefit to the detriment of their customers. I want AgileBits to succeed too. That's why I bought the software despite having access to a license from work. But try this for math...if they release a major update to their software every year and charge, say, $36 to update, it costs the same exact amount to stay on the latest version. As a bonus to them, they get the money all up-front and get to collect what little interest you can get these days. The main difference is that I don't have to worry about their company imploding and taking all my passwords with it. My software will work in perpetuity without any cloud service they provide. That's peace of mind that I need when it comes to my passwords.
Keepass and its various forks are open source. Keepass itself uses dotNet so Linux guys need mono which not all people like. Those people use KeepassXC (a fork of KeepassX which is Keepass in C++ and is unmaintained).
I use Keepass. Reasonable security but ugly gui in linux due to mono. Has plugins. Completely offline.
I use KeePass on Linux via Mono (Arch and Gentoo). The UI is no worse than on Windows if you sort out your fonts. We have about 20 concurrent users of the same several DBs (one at least of which has many hundreds of entries) on a network share.
It is absolutely rock solid.
I'm not sure that KeepassXC can be considered unmaintained - their last release was in June, this year - https://keepassxc.org/blog/ . Also note the monthly tone of the updates - even the koolist of kool dev kids kant complain that is slow 8)
I've used KeePassXC, and I think it's the best KeePass variant. I don't like stock KeePass because it's horribly slow under Mono (Linux/OS X). And I like but am not as satisfied with KeePassX because it lacks some features I like. From what I recall, the maintainers of KeePassXC got frustrated with the feature set and development pace of KeePassX, so they made their own fork. And they added nice things like TOTP code generation (i.e. Google Authenticator style) and YubiKey support.
I can't yet wean myself off of LastPass though, just because it's synced everywhere and is more reliable when doing form fills on websites. For example, KeePass and its variants don't have a concept of equivalent domains. For "equivalent domains" I should be prompted with the same lists of auto-fillable credentials, such as:
LastPass gets this right, but I sadly haven't seen any other password manager that does. I think there's an open issue with KeePassXC to address this but it's not merged or production ready.
With KeePassXC you would do this by adding new entries for each alias and then reference the username and password values of the "base" entry. I believe the feature still isn't in a release, and the UX isn't there at the moment.
The problem is that they can't deviate from the official KeePass database format, so adding something like aliases requires hacks like the above.
With KeePass you create a new entry for the domain, then make it refer to the original to avoid duplication of user/password. But yes: allowing one single entry to be used for multiple domains would make much more sense.
KeepassXC does not support the latest kdbx 4 format which was recently released with Argon2 support. (which is supposed to be more secure). It will be supported in the next release 2.3.0. So for now I use Keepass until it supports kdbx 4 then I will move back. It has no plugins though compared to keepass.
Other than that it has better gui if that is your thing (Keepass is ugly). It is mostly a fork of keepassx which is still usable but KeepassXC merged all pull requests and fixed a load of bugs in keepassx after the maintainer stopped maintaining. Try it. It works. It also has multiple releases (snap, appimage etc.).
+ kpcli for TTY use, keepassdroid for android, sync to owncloud, voila.
If you are extra concerned with security after storing your file remotely, you can have it use an additional external keyfile in addition to the which you manually copy to 'authorize' devices
I wouldn't let any password manager touch my browser. Giving attackers access to your password manager's APIs via JS or DOM elements is how most (all?) of the dozens of severe LastPass bugs have happened.
pass has a variety of 3rd party browser plugins and phone apps that work with it. Admittedly, it's not a turnkey solution and so is unsuitable for a non-technical audience.
I recommend website-based password managers to my non-technical friends because they're easiest to use and therefore most likely to actually BE used, and the security vulnerabilities noted in the article are very small compared to not using a password manager at all.
Total aside here, because I know what you mean, but it's interesting that many people include open source software in their definition of "commercial" software, the DOD and other government agencies, for example. https://www.dwheeler.com/essays/commercial-floss.html
A very large number of free software projects are commercial (either because distributions sell support for them, or the project itself costs money). The license for a piece of software has nothing to do with whether you sell it or give it away for free. Richard Stallman used to sell copies of GNU Emacs back in the day.
Very true. But what's interesting and non-obvious about the way the DOD defines "commercial" is that it doesn't depend on money exchange (or lack of money exchange) at all, and that's what that article by David Wheeler is trying to say.
The DOD defines software commerce as anything available to the public and used for any non-government purposes.
So to take your comment one step further, for some organizations, the definition of commercial also has nothing to do with whether you sell it or give it away for free, even though many people reasonably assume commerce==sales.
It's not quite ready for prime time yet, but my company is working on Passit[0], which is going to do open source cloud-based password management. Feel free to check it out; we hope to do a 1.0 release soon.
I've been working on the marketing a bit, and the sense I get in this space is that, like home security, password security is a series of trade-offs. One size doesn't fit all; different situations require different needs, and everyone tries to balance the safety they want to feel with convenience that they desire.
So, in our case, there are a couple of good options. You could operate on a hosted service and get the cloud-based benefits without needing to worry about infrastructure or updates, or you could self-host and trade a bit of hassle in exchange for trusting the host and verifying that the updates will do what they say they're going to do.
[1] https://www.enpass.io/