Ask HN: Why should I trust password managers?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

Our great sponsors
  • SonarQube - Static code analysis for 29 languages.
  • Scout APM - Less time debugging, more time building
  • SaaSHub - Software Alternatives and Reviews
  • pass-import

    A pass extension for importing data from most of the existing password manager.

    You don't need to trust them. I use "pass" (https://www.passwordstore.org), a simple CLI password manager that operates using a GPG key you control (which I have on a Yubikey). Then, you can upload the GPG-encrypted password store wherever your want in order to sync-up your passwords.

  • vaultwarden

    Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs

    I self-host Vaultwarden[1] on a $6/mo DigitalOcean droplet. It took awhile to set up, but I know that I control the data, the backups, and the security.

    [1] https://github.com/dani-garcia/vaultwarden

  • SonarQube

    Static code analysis for 29 languages.. Your projects are multi-language. So is SonarQube analysis. Find Bugs, Vulnerabilities, Security Hotspots, and Code Smells so you can release quality code every time. Get started analyzing your projects today for free.

  • git-secret

    :busts_in_silhouette: A bash-tool to store your private data inside a git repository.

    I use https://git-secret.io for this. But it's not user friendly enough to be used for everyday web browsing and account access. I personally use it to store things like root passwords or reset tokens, which I very rarely access.

  • KeePass2.x

    unofficial mirror of KeePass2.x source code

    > I've been having my own methods for safe handling of passwords on the web.

    I use a local password manager, KeePass: https://keepass.info/

    It's probably the only good middle ground for keeping track of passwords, SSH certificates and other data, a password protected local database that i can move to USB sticks or SD cards for backups, or keep inside of an encrypted 7z archive, or a VeraCrypt file if i cared that much.

    You not only get to have a simple way to use it (it's just a file that's compatible with the software, like SQLite is also really easy to use), but also get to pick where/how you want to store that data in an easy to understand manner.

    Right now it's great for all of my vaguely relevant access credentials, from numerous e-mail accounts, to online shopping accounts, to even access data for online platforms, hosting solutions, servers etc. with as many separate databases as i choose.

    In my eyes, it's also really great for letting you randomly generate secure passwords - i don't know almost any of the non-essential service passwords and because it's so easy to generate new ones for accounts, i'm not plagued by "password-reuse-itis" either. When coupled with 2FA, it's pretty decent from a security standpoint.

    It also has a clearly understandable attack surface - infected password manager binaries, stealing passwords when in memory or malware on the system (like keyloggers, clipboard watchers), someone stealing the database AND the master password, asking me nicely for it with a 5$ wrench: https://xkcd.com/538/

    For why people use web based ones which aren't so clearly understood or dependable (your list of risks would be a lot longer with those), i'm not sure. It's probably just convenience.

  • git-remote-gcrypt

    PGP-encrypted git remotes

  • Android-Password-Store

    Android application compatible with ZX2C4's Pass command line application

    In addition, plasma-pass, qtpass, android password store (https://github.com/android-password-store/Android-Password-S...) are nice as well. Throw in a NFC Yubikey and OpenKeychain on android, then you can lock them with hardware keys. Since pass uses git, syncing can be done to a private repo on your home network or even just a cheap usb stick.

  • In addition, plasma-pass, qtpass, android password store (https://github.com/android-password-store/Android-Password-S...) are nice as well. Throw in a NFC Yubikey and OpenKeychain on android, then you can lock them with hardware keys. Since pass uses git, syncing can be done to a private repo on your home network or even just a cheap usb stick.

  • Scout APM

    Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.

  • passff

    zx2c4 pass manager extension for Firefox, Chrome and Opera

    Also, there's a firefox extension https://addons.mozilla.org/en-US/firefox/addon/passff/ (on github: https://github.com/passff/passff)

    It requires the user to run a daemon that reads ~/.passwordstore passwords and feed it to the extension https://github.com/passff/passff-host - but the design is pretty transparent to inspection if you're inclined to check

  • passff-host

    Host app for the WebExtension PassFF

    Also, there's a firefox extension https://addons.mozilla.org/en-US/firefox/addon/passff/ (on github: https://github.com/passff/passff)

    It requires the user to run a daemon that reads ~/.passwordstore passwords and feed it to the extension https://github.com/passff/passff-host - but the design is pretty transparent to inspection if you're inclined to check

  • hashpass

    A simple password manager with a twist.

    It's a good idea that I've considered. However, I didn't anticipate the need for this when I originally designed Hashpass in 2014, and adding it now would be a breaking change.

    I am still considering it, but there would need to be a very slow, very careful rollout plan. Probably some transition period where users can opt into the new scheme, and then eventually make the new scheme the default but still support the old scheme, and finally remove the old scheme to make things simple again.

    Since this is a Chrome extension which collects no information from users, I have no way of contacting users about this. So I would need to wait long enough that users discover it themselves in the UI. All told, I'd guess it would take about a year for the full migration.

    Still, it's not unlike me to go to great lengths to remove minor annoyances like this.

    Anyone is welcome to discuss things like this with me via GitHub issues: https://github.com/stepchowfun/hashpass

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts