I'm avoiding the browser extensions, they seem to be a security nightmare. KeePass and similar are a better way to go, if slightly more labor intensive.
Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.
I'd prefer people are using any password manager than go for perfection and then quit completely because it was a terrible UX. KeePass may be more secure against certain specific attacks, but it is largely irrelevant if people are going to contrast it against using no password manager at all because it was too cumbersome.
The bigger issue is that anything that's not context-aware is vulnerable to phishing.
You might think you'd notice if the site you're on had a different URL than the one you're expecting, but that level of constant vigilance might turn out to be more difficult to maintain than you expect. Especially when you take into account some of the more exotic phishing techniques like IDN homograph attacks.
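The "context-aware" check the posts above argue over, written out as an added example (not code from any password manager mentioned in the thread): a stored entry URL is only offered on a page whose scheme, host and port match exactly, and hosts are IDNA-encoded first so a homograph domain can never compare equal to the real one. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple[str, str, int]:
    """Reduce a URL to (scheme, ascii-host, port).

    The host is passed through the IDNA codec, so a lookalike such as
    'exаmple.com' with a Cyrillic 'а' becomes its 'xn--' form and can no
    longer collide with the ASCII 'example.com' the entry was saved for.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    host = host.encode("idna").decode("ascii").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme, 0)
    return scheme, host, port


def may_fill(entry_url: str, page_url: str) -> bool:
    """Decide whether a saved credential may be offered on the current page.

    Deliberately strict: HTTPS only (no downgrade to plain http), and the
    full host must match, so 'example.com.evil.test' or a misspelling is
    refused even though a human glancing at the address bar might accept it.
    """
    e_scheme, e_host, e_port = origin_of(entry_url)
    p_scheme, p_host, p_port = origin_of(page_url)
    if p_scheme != "https":
        return False
    return (e_scheme, e_host, e_port) == (p_scheme, p_host, p_port)


if __name__ == "__main__":
    # Constructed sample pages: one legitimate, the rest lookalikes.
    saved = "https://example.com/login"
    for page in ("https://example.com/account/signin",
                 "http://example.com/login",
                 "https://example.com.evil-login.test/",
                 "https://exаmple.com/login"):   # Cyrillic 'а'
        print(page, "->", "fill" if may_fill(saved, page) else "refuse")
```

Real extensions relax the host rule to the registrable domain for convenience; the trade-off is exactly the one the thread describes, so the strict form is shown here.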
>> Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.
Sorry, not doomed to fail.
I'm not gonna use a password manager that is "context aware" and has the capability to auto-fill for sensitive sites - that's just my threat model. I'm okay with context aware storing of less critical passwords.
It's not just usability: The context awareness means it will prevent you from filling a password on a phishing site. I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error. Even skilled security-aware users fall victim to phishing on a regular basis, so I'd rather trust the software.
> The context awareness means it will prevent you from filling a password on a phishing site.
This is literally one of the last major attack vectors since password managers became somewhat more popular.
They all do encryption well, even the ones that keep the database on a server you don't control it's most probably actually encrypted, etc. They do the basic password manager thing. They keep your passwords.
Every time there's something wrong/vulnerable with a password manager, it is because it's a browser extension and the attack surface between the password manager and the browser is being attacked.
> I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error.
Well, it literally has been.
(this is why I'm using Keepass and no browser extension for my passwords)
The vast majority of people don't have the same threat model, and unfortunately just want the product to work, or they won't use it at all. If you can't provide relevant information for the current website, you just won't be able to succeed as a password manager outside of niche markets.
Yes, but that's the essence of the whole problem: there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't. Disabling autofill pretty much eliminates the whole vector though, without breaking UX that hard.
What is your concern exactly? Bitwarden by default doesn't autofill forms, you have to open the Bitwarden menu and click on the title of the website you're on.
There is an option to autofill, but it's buried in advanced settings and Bitwarden will display a warning if you try to enable it. (This message ought to be worded more explicitly—it currently says "this feature is in beta" rather than "this feature will decrease your security"—but, still, not a default.)
What about the threat of misspelling the address or phishing? I get a lot of comfort from the fact that the extension verifies that I'm on the website I think I'm on.
Yes, for less technical people that's great, but for people who are willing to deal with it for improved security, it's worth it. I'm not suggesting it to mom and pop here.
> Anything that isn't context aware .. is doomed to failure
> ... I'd prefer people are using
Why should I as someone who is securing my own passwords care about your preferences or what will and won't work for someone else too lazy to be concerned?
KeePass isn't a solution in case you want to share passwords with family or team members.
KeePass is barely decent for personal use only, and only for the desktop.
The quality of the available apps differs from platform to platform. For example Bitwarden has a decent iOS app, 1Password has a superb iOS app and in contrast the available KeePass app for iOS is a piece of shit – no offense intended but it's basically unmaintained, barely usable and does no sync so you'd better watch out for conflicts.
I dunno what you're using, but KeePass' Android app and the Linux desktop app are pretty great. Sync goes via a separate sync service (Dropbox currently but it could be anything), which is the way I want it.
And just like I think a password manager shouldn't be a browser extension, I also don't think it should encourage behaviour like sharing passwords among people ... I mean, really? That's literally password reuse, don't feel good about it. Of course a password manager shouldn't encourage it.
"Our son Jim made this password using his password manager thingy so it's probably really secure and now we use it for all our banking and government stuff"
I mean it's sincerely better to keep a "family password" on a post-it, so you don't confuse it with passwords you're actually trying to keep secure.
I use KeePassXC in multiple groups with different synchronization software (Dropbox, self hosted client side encrypted Seafile, etc.), for each group I use a different .kdbx and .key (of course that one not synchronized).
There are multiple .kdbx apps, like MiniKeePass on iOS, which is decent, but it's lacking active development at the moment.
We use Keepass2Android[1] on Android and KeePass Touch[2] on iOS, synchronize it via Google drive and share it with family across various devices on Linux and Windows. Separate DB for family outside the country and it works beautifully.
I store the keepass file in a cloud sync service. The file is encrypted.
The keepass application can perform "auto-type" which works for all sensible applications and websites that have username/password input fields and a log-in button.
Recently, more and more websites split the log-in into two screens, first email and then password. This completely breaks auto-type and is horrible in every way. Please don't do it.
You're able to adjust auto-type for accounts that break the login into two pages. I learned this fairly recently as I had the same frustration as you. Ref: https://keepass.info/help/base/autotype.html
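As an added illustration (not taken from the thread or from the KeePass help page linked above), the shape of a per-entry auto-type override for a site that asks for the e-mail on one screen and the password on the next; the 1500 ms delay is an assumed value to tune per site:

```text
Default sequence, works for a single-screen login form:
{USERNAME}{TAB}{PASSWORD}{ENTER}

Per-entry override for a two-screen login (Entry > Auto-Type tab > override the default sequence):
{USERNAME}{ENTER}{DELAY 1500}{PASSWORD}{ENTER}
```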
> This works if your environment allows a) installing applications and b) cloud sync using consumer clouds (dropbox, gdrive, etc)
Re a) https://keeweb.info/ toss this onto any ol' free tier web host you want. No app install necessary. It's not as nice as the apps, but it works.
Re b) Is there an environment that both has a web browser that you want password management with and doesn't let you access any consumer cloud sync service?
There sure is. Most big companies work that way I would imagine. I can install browser extensions, no problem but local apps are restricted. Also Dropbox and others are blocked at the corporate firewall level.
Surely in such a place, blocking all that access means they care about security and therefore provide you with a password management solution that you also have no choice over.
I mean, installing browser extensions to deliberately get around their security measures seems a little bit counterproductive. They aren't more secure than local apps. Do you take this company's security measures seriously or is it just some hurdle to get around for you?
You can configure this in KeePass as well, I've done this for a few sites I actually use a lot. But I can't be bothered for every single service that decides to re-invent login.
If you don't require real-time diffing, i.e. only one user modifies the file at a time, dropping your keyDBs in a Keybase shared folder might solve your problems.
For just over a year I've been using Syncthing with a folder specifically for KeePass, and it's worked really well - I just have a raspberry pi running 24/7 so my phone and PC pick up the changes whenever I reopen my database. I imagine it's similarly hassle-free with a self-hosted cloud like Owncloud, too.
> Slightly? Just thinking about the synchronization between machines makes this an understatement in my opinion.
What are you on about? Synchronization is easy, you can use just about any service you like.
The fact that it's not kept on a server by the same commercial party that also sold you the security product, is a feature. And obviously necessary, since KeePass is free and open source.
I see leaking credentials bugs with browser-extension operated online storage commercial password software all the time on HN. Obviously you're paying for shiny, not security.
What people keep forgetting is that not everyone is in the situation where they are able to use those services. Using Keepass with cloud sync via Dropbox (or Gcloud, etc) is not possible in a lot of corporate contexts.
I've had my KeePass file stored in the cloud for years. I use the KeeAnywhere plugin on my Windows boxes for syncing there. And the Keepass2Android app natively supports cloud syncing also. Both even handle merging if the underlying file changes since load.
I used to use KeepassXC and I just kept my keepass database in a private github repo. It had the added advantage of being accessible from any command line as well as full version history of my passwords.
Just add the original URL into the specified field and copy paste it each time you need to access said website.
KeePass is the best at what it does and stays local as any password manager should do. If you need more security & portability encrypt the DB with VeraCrypt, sync with whatever service you trust.
Just a note that URL is the one field in Keepass where you may not need to copy/paste. As long as your default browser setting is set to the browser you want to use for the URL double-clicking on the URL in Keepass opens it in said browser.
I wish KeePass didn't feel so awful to use. I hate that you can't change the font of the notes section, especially since it's the only section I use in their entry type.
Crazy amount of hate on KeePass in this thread ... I really don't get why it's not a more common solution on HN, it's free and open source and leaves the syncing to you, and doesn't live inside a browser extension ... it literally ticks all the boxes that a good password manager should have.
I don't know if the iOS client is that bad, but the Android one is just fine.