I think you need FDE no matter what. e.g. Hibernation will dump your passwords to disk, even if they're only kept in unmanaged, VirtualProtect'ed memory.
I unfortunately agree with the sentiment of others from this only being supported on windows. I built a CLI password manager[1] sort of as a learning exercise, but to this day I use it daily and have over 250 accounts managed in it. I temporarily back up the encrypted file to S3 in case my computer blows up, but for some reason I have a small sense of satisfaction that my passwords don’t live in a 3rd party like LastPass, even though I’m aware of the auditing and scrutiny they go through consistently to maintain credibility for what they do.
Same. And I'm surprised by how rarely it gets mentioned in these kinds of HN discussions. I would have thought given its origins (originally designed by Bruce Schneier and open-sourced in 2002 [0]), it would have a bigger following.
In the world of Windows applications, portable means that the program can be run without any installation or storing anything locally. So you could run it off a usb or other portable storage. This is a common usage.
But this can't go everywhere my passwords are needed, why would I use this?
Not to be harsh, but LastPass (and others) works across Mac, PC, iOS & Android in multiple ways. A password manager to a degree needs to make my life easier, this means being portable and compatible.
I have been using Keepassx[1] with Syncthing[2] for synchronizing the password database. It has been a great experience due to the following reasons beyond the crypto advantages:
- Open source
- Peer to peer without having to share file contents with central server like Dropbox etc.
- Full featured Android and Linux (KeepassXC) clients with nice UIs (on Android I have the option of using fingerprint auth to open my database)
- Autofill integration on Android (I haven't tried on Linux)
I use KeeWeb[1] on macOS, iOS and Windows, and KeePass2Android[2] on my Android device which has decent autofill.
They all also support cloud storage natively, so I don't have to worry about keeping them in sync.
I’ve been using Bitwarden for a little more than a month and it is by far the best password manager I've used. And being open source is a very nice bonus. I’m going for the paid option to support the company behind it.
It does have decent browser integration, OTP support, history support (last 5 passwords), support for arbitrary additional data, and icons.
Having not read the source code, or investigated the details, my understanding is the sync is entry based over file based. On multiple occasions I lost data to Keepass's insane lack of sync functionality, I've never once done the same with Bitwarden. Google drive sync is kind of moot as the sync happens on a server (which you can run yourself).
> my understanding is the sync is entry based over file based
> Google drive sync is kind of moot as the sync happens on a server
Confused, so are you saying there is a server that does entry-based syncing? With KeePass it's the KeePass client that resolves conflicts at the entry level with whatever is on Google Drive (which it connects to via plugins).
Apologies, I spoke too quickly. I'm unable to edit my original post to fix it.
The sync is client side according to [0]. I can't find specifics in any documentation on whether it works at an entry or file level, however I wonder whether that is actually important. Just because you sync at a file granularity doesn't mean you can't resolve entries individually.
My experience with Keepass was that my changes would get stuck in a conflict file that Dropbox would generate if you happened to use Keepass in 2 places at once, as they don't support syncing and force you to manually go through [1] on every device.
I was using "syncing" and "resolving" synonymously. What I was distinguishing between was keeping the most recent file (which is what happens if you use typical cloud syncing for the whole database file) vs. the most recent entry in a given file (which is what you get when KeePass itself gets a chance to actually examine both versions and figure out conflicts internally).
I can't figure out how KeePass (or the plugin you use, or whatever it is) was handling your Dropbox syncing; it sounds like it was doing a dumb file-level merge, when in fact it's capable of doing much better than that. I use the Google Sync Plugin which has never failed me, even when I'd modified databases on two clients independently before syncing. It uses the ImportUtil.Synchronize() function which I think is what handles the dirty details. See the Technical Details section here: https://keepass.info/help/v2/sync.html
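To make the file-level vs. entry-level distinction from the two comments above concrete, here is an added example that is not code from the thread, from KeePass, or from any sync plugin. It models the two strategies over two constructed copies of a vault that diverged on a laptop and a phone; the Entry and Database types and their timestamps are an assumed simplification, not the real KDBX format.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Entry is a minimal password-database record (assumed layout): an identifier,
// the payload fields, and a per-entry last-modified timestamp.
type Entry struct {
	ID       string
	Title    string
	Password string
	Modified time.Time
}

// Database is one copy of the vault, keyed by entry ID, plus the time the
// whole file was last saved (what a generic cloud-sync client looks at).
type Database struct {
	Entries  map[string]Entry
	FileTime time.Time
}

// mergeFileLevel models what plain cloud syncing does when both devices
// changed the vault: keep whichever file was saved last. Every change made
// on the other device is silently dropped (or lands in a "conflict" copy).
func mergeFileLevel(a, b Database) Database {
	if b.FileTime.After(a.FileTime) {
		return b
	}
	return a
}

// mergeEntryLevel models entry-granular synchronisation: both copies are
// examined and, per entry ID, the version with the newest Modified
// timestamp wins. Entries present in only one copy are kept.
func mergeEntryLevel(a, b Database) Database {
	out := Database{Entries: map[string]Entry{}, FileTime: a.FileTime}
	for id, e := range a.Entries {
		out.Entries[id] = e
	}
	for id, e := range b.Entries {
		if cur, ok := out.Entries[id]; !ok || e.Modified.After(cur.Modified) {
			out.Entries[id] = e
		}
	}
	if b.FileTime.After(a.FileTime) {
		out.FileTime = b.FileTime
	}
	return out
}

// sampleDatabases builds two constructed copies that diverged from a common
// base: the laptop changed "mail", the phone changed "bank" and added "vpn".
// The phone's file happens to be saved last.
func sampleDatabases() (laptop, phone Database) {
	t0 := time.Date(2019, 1, 1, 9, 0, 0, 0, time.UTC)
	laptop = Database{Entries: map[string]Entry{}, FileTime: t0.Add(1 * time.Hour)}
	phone = Database{Entries: map[string]Entry{}, FileTime: t0.Add(2 * time.Hour)}
	for _, e := range []Entry{
		{ID: "mail", Title: "Mail", Password: "old-mail", Modified: t0},
		{ID: "bank", Title: "Bank", Password: "old-bank", Modified: t0},
	} {
		laptop.Entries[e.ID] = e
		phone.Entries[e.ID] = e
	}
	m := laptop.Entries["mail"]
	m.Password, m.Modified = "new-mail", laptop.FileTime
	laptop.Entries["mail"] = m

	b := phone.Entries["bank"]
	b.Password, b.Modified = "new-bank", phone.FileTime
	phone.Entries["bank"] = b
	phone.Entries["vpn"] = Entry{ID: "vpn", Title: "VPN", Password: "vpn-pw", Modified: phone.FileTime}
	return laptop, phone
}

func main() {
	laptop, phone := sampleDatabases()
	for _, c := range []struct {
		name string
		db   Database
	}{{"file-level ", mergeFileLevel(laptop, phone)}, {"entry-level", mergeEntryLevel(laptop, phone)}} {
		ids := make([]string, 0, len(c.db.Entries))
		for id := range c.db.Entries {
			ids = append(ids, id)
		}
		sort.Strings(ids)
		fmt.Printf("%s:", c.name)
		for _, id := range ids {
			fmt.Printf(" %s=%s", id, c.db.Entries[id].Password)
		}
		fmt.Println()
	}
}
```

Running it shows the file-level result keeping only the phone's changes (the laptop's new mail password is gone), while the entry-level result keeps all three newest entries. This is the behaviour the KeePass synchronize feature is described as providing and the behaviour a Dropbox-style whole-file sync cannot.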
It has browser integration but it has a client server model so there is nothing to sync with gdrive or Dropbox. So it's more like LastPass than KeePass.
You can host your own server and there is at least one alternative server implementation.
Seconded. I used LastPass for probably 5 years, and moved to Bitwarden a few months ago. No regrets. It was a breeze to set up the Docker image, migrate my data, and the TOTP support works even better. It'd take a lot for me to consider another open source implementation.
When your vault is locked it won't offer to save or update passwords.
When your vault is locked it won't respond to the "fill login" shortcut. 1Password would have you enter your master password and then it would fill the login. Bitwarden just doesn't respond.
You can access your username/password from the main window but if your TOTP code expires before you log in you will have to go digging.
I moved to Bitwarden from 1Password. Use it on iOS. Can’t say I miss anything at all. I pay the yearly fee for it too to support them because it’s pretty damn awesome.
Any particular reason for leaving 1Password? I've been using it for almost a year now and haven't had any complaints. Though I literally did just switch from Android to iOS yesterday, so maybe I'll find a reason shortly :P
I paid for the desktop version of 1Password. When it went subscription based I was annoyed. Started hearing about Bitwarden and after trying it (after trying others) I really liked it. So I moved to it cos it was free. But I just got more impressed with it on iOS, Windows, and on Linux I always have Firefox open so I just use that. I decided to pay for a year to support their effort.
So no particular reason other than not liking the subscription plan of 1Password.
I too tried to like Bitwarden but have been disappointed. In the meantime I've made a basic Linux CLI for read-only access, seems to be sufficient for the time being: https://github.com/vinc3m1/1pa
Hmm. Not a great start - 'select all' on the Linux client selects all the page text, rather than the items, so there's no way to bulk edit. Doesn't engender much confidence.
[Edit: OK it turns out to be an Electron app, and a barely functional one at that]
In this particular case it's because I wanted to move all the items from a single imported 1Password vault (I have a few for different purposes) into a Bitwarden folder.
But more generally, when trying new software I tend to exercise its functionality as a first QA pass. There's a 'select all' entry in the Edit menu, and a keyboard shortcut, so it seems reasonable to try it. The failure isn't in itself a show stopper, but it's a mark against the app for me.
Folder organization makes sense. My guess is this shows up as a shortcut “for free” as a result of it being Electron based. I think the “native” client is the newest client Bitwarden offers and probably hasn’t gotten as much polish yet.
I'll shamelessly plug my own open source password manager, not because it's mine but because I believe it is better.
And it is more portable, just put it in your pocket!
It's at https://finalkey.net/
The first thing I do whenever someone writes their own password manager is to read the Encrypt function. This one is AES-CBC with its own hand-rolled integrity scheme. Not very strong by modern standards.
Doesn't look very hand-rolled to me. It's standard HMAC. The only unusual thing is the timing-unsafe comparison[1], which probably needs fixing. It looks like an attempt was made at a constant-time comparison (the |= ^ pattern sure looks like it), but the early return breaks it again. I'm not sure if much can be gained from a timing attack in this particular instance though, since the key fully depends on user input in the first place.
(By the way, even Microsoft's own documentation doesn't use constant-time comparisons for HMAC[2]!)
That would be a really serious flaw. If not, hand-rolled AES-CBC-SHA256.... why not just use an AEAD implementation? This is exactly why I look at these. There's a lot of nuance to that one decision, and so it usually gives quite a bit of signal about the project as a whole.
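The two comments above raise two points: a tag comparison whose "|= ^" accumulator is undone by an early return, and the question of why a hand-rolled AES-CBC + HMAC construction is used instead of an AEAD. Here is an added example, not code from the thread or from the finalkey project, that shows both side by side in Go: a comparison with the early-return flaw, the standard-library constant-time check, an encrypt-then-MAC tag verification that uses it, and AES-256-GCM as the AEAD alternative. The function names and the constructed key and message are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// brokenTagCompare mirrors the flaw the thread describes: the XOR
// accumulator is there, but returning as soon as diff becomes non-zero
// makes the running time depend on where the first mismatching byte is.
// Functionally it still returns the right boolean; the leak is in timing.
func brokenTagCompare(expected, got []byte) bool {
	if len(expected) != len(got) {
		return false
	}
	var diff byte
	for i := range expected {
		diff |= expected[i] ^ got[i]
		if diff != 0 {
			return false // early exit defeats the constant-time loop
		}
	}
	return diff == 0
}

// constantTagCompare uses hmac.Equal, which wraps subtle.ConstantTimeCompare:
// it always inspects every byte, so timing does not reveal the mismatch position.
func constantTagCompare(expected, got []byte) bool {
	return hmac.Equal(expected, got)
}

// macTag computes HMAC-SHA256 over iv||ciphertext, the encrypt-then-MAC
// layout a hand-assembled AES-CBC + HMAC scheme would use.
func macTag(macKey, ivAndCiphertext []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(ivAndCiphertext)
	return h.Sum(nil)
}

// verifyTag is the check that must be constant-time: recompute and compare.
func verifyTag(macKey, ivAndCiphertext, tag []byte) bool {
	return constantTagCompare(macTag(macKey, ivAndCiphertext), tag)
}

// sealGCM and openGCM are the AEAD alternative. AES-GCM gives confidentiality
// and integrity in one primitive, and the tag check inside gcm.Open is already
// constant-time, so there is no comparison for the application to get wrong.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, must never repeat per key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // output = nonce || ciphertext || tag
}

func openGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails closed on any modification
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 32) // constructed demo key; derive real keys from the passphrase
	blob, _ := sealGCM(key, []byte("vault entry: example.org / hunter2"))
	pt, err := openGCM(key, blob)
	fmt.Printf("AEAD open: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x80 // flip one tag bit
	_, err = openGCM(key, blob)
	fmt.Println("AEAD open after tamper: err =", err)
}
```

The two comparison functions return the same answers on every input; the difference is only observable through timing, which is why a correct-looking test suite will not catch the early-return bug. That is the point of the "why not just use an AEAD" question: with GCM (or ChaCha20-Poly1305) the integrity check is inside the primitive and the application never writes a comparison at all.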
All password managers and form fillers I've tried are quite terrible at correctly finding and filling fields/text boxes. They all seem to rely on finding patterns for things to fill from code. Which doesn't work, as there is no clear pattern across billions of non-standard web forms.
Does anybody know of pw managers that work using image recognition (OCR-like) on the GUI to find fillable fields? AKA: using the same form-API that humans do?
I would guess that it wouldn't be worth the hassle of the inevitable inaccurate identifications. The most ergonomic password entry tool I've used is rofi-pass [1]. It's so effortless that I don't think anything smarter could improve on it in practice. It works in a predictable way in any application (e.g. SSH pw in a terminal) without any complex integrations being needed and once you get used to using the hotkey it's basically as quick as form autofilling.
Hmm unfortunately I don't have an answer for your question. Though sounds like KeePass is the next best thing. You can define custom auto-type patterns, for forms that don't follow the typical <username><tab><password><enter> format. It's great for saving FTP sites for FileZilla, or SSH logins.
I tried this briefly under Wine in Linux. On the surface it doesn't look like it has 2 features I really like about Keepass:
- Folders. I like using folders and subfolders to keep related sets of passwords together.
- Support for attachments. Keepass lets me keep track of keyfiles, notes, and certificates in addition to passwords. Ylva has a notes field but I really like Keepass's ability to attach files.
The QR integration is interesting I guess, I don't have any apps that allow QR code for password input but if I did it would be useful.
This is nice and all, but what am I going to do with a Windows only password manager? I use several different OSs and a phone. It's pretty much a must that my password manager works on all of them.
In the context of Windows applications, "portable" is also used to mean "runs without installation/further dependencies, you can just run it from a folder somewhere".
Also, a quick skim of the source code shows that the program keeps the decrypted file on-disk[1]. That seems like a huge vulnerability if you don't have FDE enabled.
[1] https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...