by zmmmmm 2739 days ago
In the end I've just been using the Unix pass password manager [1].

It's just a cobbling together of GPG and git with shell scripts, but it works like a normal git repository, so you get all your synchronization from that and your security from GPG, which are all things I know and trust, without introducing other components that I don't know / understand.

[1] https://www.passwordstore.org/


For developers/tech-savvy people it is more or less perfect. I love the fact that it is based on git, giving you a history and great control over synchronization. I use it to store all kinds of things such as passwords and files containing environment variables that can be sourced directly from the output of pass (source <(pass dotenv/project)). There even exists a great open-source iOS client: https://github.com/mssun/passforios
I love the iOS app, but things like this concern me (not quite a dealbreaker though): https://github.com/mssun/passforios/issues/223
It's insane that people working on a password manager thought it was a good idea to put passwords in UserDefaults. Apple expressly states in its documentation that sensitive information should be stored in Keychain; how does someone setting out to make a password manager miss that?
What's crazy is Apple makes it super easy to use Keychain. The APIs are great and there are good examples of how to use them.
And because it's using GPG, one can easily have secrets unlocked with a Yubikey, and only when the blinking button is touched, on a PC and on Android, both using the same Yubikey token.

For me the combination of features in pass is just perfect! But it's from the same person that created WireGuard, so it's no surprise...

My one concern with pass is that it doesn't encrypt filenames; it's a real pity, as that's an information leak itself.
I mitigated this by storing the username in the gpg file itself using the 'user:' tag, while having the file named jdoe or something similar instead of a login name.
Have you tried to use pass-tomb?
I'm not the parent poster but the added friction and configuring for pass-tomb made me choose to just use keepassxc instead. IMO, this kind of feature should be the default.
When I switched to pass, one thing I felt the lack of was a keyboard-shortcut-triggered, HUD-style search interface on OS X. I've been working on a project to do this, in case anyone else is in the same boat: https://github.com/mnussbaum/PassHUD
Password store is an excellent alternative to paid applications.

I have recently submitted a bug: be careful when saving a password with a duplicate name (it replaces the old password without warning); not sure if it has been fixed. [1]

[1]: https://github.com/zeapo/Android-Password-Store/issues/451

I love this as well. It supports OTP and there is an awesome Android app for it called Password Store, and a browser extension called Browserpass.
OTP as in Open Telephony Platform?

Edit: it turns out OTP is one time password, that's neat!

I'm only familiar with that through Erlang and consider it an architectural pattern for supervision trees, would you be willing to expound a teeny bit more on what you mean?

Search for TOTP or HOTP, basically one time passwords, usually shown to end users as QR codes stored in an authenticator on a mobile phone.
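To make the TOTP/HOTP mechanism mentioned above concrete, here is an added example (not code from the thread or from the pass project) that parses an otpauth:// URI of the kind a pass OTP entry holds and computes the one-time code with only the Python standard library. The URI and secret below are constructed sample values.

```python
# Added example: otpauth:// URI -> HOTP (RFC 4226) / TOTP (RFC 6238) code.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of the URI text an OTP entry stores (not a real secret).
SAMPLE_URI = ("otpauth://totp/Example:jdoe?secret=JBSWY3DPEHPK3PXP"
              "&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return the fields needed to generate codes from an otpauth URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = parse_qs(parsed.query)
    b32 = q["secret"][0].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # QR-code secrets often omit base32 padding
    return {
        "type": parsed.netloc,
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)


def code_for_entry(uri, at=None, counter=0):
    """Generate the current code for a stored otpauth entry (HOTP uses counter)."""
    p = parse_otpauth(uri)
    if p["type"] == "totp":
        return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])
    return hotp(p["secret"], counter, p["digits"], p["algorithm"])


if __name__ == "__main__":
    print(code_for_entry(SAMPLE_URI))
```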
I've been using a similar one: https://github.com/gopasspw/gopass. The only problem is that getting non-technical people to use it is hard. And it is not super intuitive to get it working on mobile.
This is what I've been using for a long time too.

Currently have over 250+ passwords in it, and it's great.

I like it because of its multi-line ability too, which makes it useful for storing blobs of text (such as API keys).

I wrote a bit about that at https://nickjanetakis.com/blog/managing-your-passwords-on-th....

And since it's just gpg+git, you can share some passwords using a git repo. We use this with my team at work.