DEV Community

Cover image for What password manager should developers use ?

What password manager should developers use ?

Aahnik Daw on April 04, 2021

What is the best open-source password manager out there? Should we use password managers built into browsers like Firefox or Chrome? Or should we...
Collapse
 
stevedejo profile image
Steve

After having used it personally for years, 1Password is also a great fit for teams. I have shared vaults with the people I work with and can even provide guess access to individuals for short projects at no additional charge.

Besides unique and long passwords, 1P also handles 2FA perfectly well. Not only for your personal accounts, but also the accounts in shared vaults. So even the shared login credentials benefit from OTP, on your phone and laptop.

Collapse
 
moopet profile image
Ben Sinclair

1password started as Mac-only so when I used the 1password interface the first time I actually had to search online for how to do things. It's not particularly intuitive, but once you learn how to do things it's ok. We use it at work, but I'm not a fan of using proprietary solutions for things like this and don't particularly understand why people want to pay for it, either.

Collapse
 
murkrage profile image
Mike Ekkel

The same reason people want to pay for any other type of software: it brings them value.

Thread Thread
 
moopet profile image
Ben Sinclair

Ok, without getting too reductionist, I don't particularly understand what value it brings them.

Thread Thread
 
murkrage profile image
Mike Ekkel

Which is fine. You might be using something that I don’t see any value in, and that’s fine too. I’m a 1Password user myself and it brings me value. I’m not here to sell you on that product 😄

Thread Thread
 
moopet profile image
Ben Sinclair

They are though. They exist because people are prepared to pay for their product instead of using a free software product, so there must presumably be things people like about it that aren't in other apps.

Thread Thread
 
moopet profile image
Ben Sinclair

More importantly, and something I forgot to mention, is that the question is explicitly about open source software, and 1password isn't that.

Collapse
 
geobrodas profile image
Georgey

I made my own password manager
Check it out at main.d3qwkjcxzk7m67.amplifyapp.com/
Fork and make your own on github.com/GeoBrodas/aws-password-...
Check out the whole blog I made
dev.to/geobrodas/secure-password-m...

Collapse
 
aahnik profile image
Aahnik Daw

This is awesome

Collapse
 
moopet profile image
Ben Sinclair

When you join a company you probably have to use whatever they give you access to.
For personal stuff, I use Bitwarden. I think I was turned on to it from a thread here a couple of years ago, actually.

I used to use LastPass, and Bitwarden is mostly a copy of their UI, so the transition was simple. It's free software though.

You can roll your own if you want, it's no different from hiding passwords in a notebook under your bed - it's not like you're writing a crypt library and telling other people to use it or anything.

Other things I've done include keeping text files GPGd in whatever cloud storage I had at the time.

Collapse
 
jbeachy21 profile image
Jasper Beachy

I literally did the same thing. Good decision I think though now that lastpass has gotten greedy about allowing you to only use the app on either your phone or computer but not both.

Collapse
 
moopet profile image
Ben Sinclair

It's not really greedy when it's a service and product they're supplying without a cost attached.

Collapse
 
jones268 profile image
jones268

Software is not safe to store your passwords. If your computer is breached, they can simply copy your passwords database. Not good.

A similar problem existed with the early Bitcoin users. They stored the bitcoin keys on their computer and if some malicious user got access to the computer, they lost everything.

You could assume your computer will never be breached, but this is very optimistic. I recommend using a hardware solution or not storing them on the computer at all.

Collapse
 
mileswatson profile image
Miles Watson

I disagree. Modern encryption is plenty secure to prevent malicious disk access, and if malware has memory access then you have bigger problems to worry about (they could just log your keystrokes). The Bitcoin situation was different as the key files were unencrypted - any good password manager will encrypt data before saving it to disk.

Collapse
 
jones268 profile image
jones268

In the bitcoin space you can find lots of malware. Once installed, it will just wait for you to decrypt your wallet (RAT). A hardware wallet prevents this, because the private key (encryption key) never enters the computer.

The encryption used on both is the same. The difference is in attack surface. With a hardware wallet every password is encrypted and an attacker cannot copy all passwords at once with one master password (keepass). I've seen this happen in a demo of Blackhat USA.

Sure, if your computer is powned you have a bigger problem. But not having a single master key and single file is the more secure way to go imo.

Collapse
 
thalitadev profile image
Thalita G.

A lot of these password managers offer the option to use 2FA though, which makes this progress a lot harder.

I think the idea of storing passwords under one master password is a bit like solving one problem and creating another one. The problem that's created is what you described.

However, it also solves the problem that whenever websites and applications you have an account have been breached, it's got a password that people can only use on that specific account, protecting you everywhere else. I believe that's a much more common situation than what you are saying.

People who don't store passwords and memorise all of them are going to reuse passwords. Unless they're that good at memorising every single password. I know plenty of people who just use a single password because they can't be bothered to memorise a multitude of them. Even I had a ton of different passwords but still had to reuse them because it'd otherwise be simply too hard to remember each one of them. Reusing passwords is a lot more problematic than using a password manager, and for the average person it'd be better to opt for the latter in that case. Even moreso with 2FA turned on.

Of course, you're right to say that a hardware solution is the best way to store passwords, and I'd recommend it above everything else as well. It's definitely even more important if you're in the cryptocurrency realm, but that's not so much the majority of people.

Collapse
 
moopet profile image
Ben Sinclair

A computer is a hardware solution.

Collapse
 
jones268 profile image
jones268

It is, but a computer is a general purpose device with lots of software and apps running. Compared to a Trezor or similar device that can only do one thing. That means the attack surface is a lot smaller compared to a general purpose PC. It literally saved people thousands of dollars. On top of that, every password is encrypted instead of a single password (like keepass)

Collapse
 
tbroyer profile image
Thomas Broyer

We use Bitwarden at work, and it's great to share passwords with the team (not something I'm fond of, I'd prefer individual accounts, but necessary when all you have is a generic account)

I personally use Google passwords as it syncs between Chrome and Android.

Collapse
 
nop33 profile image
nop33.eth

I used LastPass while it was free for all devices and I keep using it now that they added the 2.5$ per month fee cause I didn't want to bother switching to Bitwarden. It works well with all my devices (MacBook, Android). When I think of the money I spend on so many silly things, 2.5$ per month is a totally acceptable amount to pay for password security on the internet.

Collapse
 
vinayhegde1990 profile image
Vinay Hegde

For personal passwords, I use Bitwarden protected with 2-Factor & Biometric lock on mobile devices. (planning to self host this soon)

Enterprise passwords are relatively better off stored in an offline medium like MacPass or its equivalent in Linux/Windows with a passphrase on the secrets file. Storing them in online platforms (1Password, Lastpass) could be risky, especially if they're exploited

Collapse
 
aahnik profile image
Aahnik Daw

self hosting means ? a server in your home or rented vps like Digital Ocean or Linode ? what is better ?

Collapse
 
vinayhegde1990 profile image
Vinay Hegde

A homegrown server would offer total privacy (due to being on local network) but would be inaccessible elsewhere.

Either of DigitalOcean/Linode or AWS/GCP can be used depending on one's budget, latency, support & ease of use among other parameters.

Thread Thread
 
aahnik profile image
Aahnik Daw

Why ? Is it not possible to expose the home server to the outer world ?

Some configuration in router can be done ?

Honestly I have no experience

Thread Thread
 
vinayhegde1990 profile image
Vinay Hegde

No problem, let me attempt to clarify as much I can.

A server (here the Bitwarden software) needs a DNS record with public IP Address(es) to be reachable by clients (smartphones, laptops) over the internet.

Hosting it on a home server won't help as home routers have private IP addresses unreachable via the internet & thus the above stated DNS as well.

It'd also be a security breach of one's computing device if the router gets compromised whilst exposing it as a server.

Hoping this helps!

Collapse
 
eransakal profile image
Eran Sakal • Edited

Ok, sounds reasonable for me that some features are only available for paid plans.

I prefer using a service that I trust to keep my passwords safe.

btw once I started using them my passwords become much stronger as im always generating them.

Collapse
 
eransakal profile image
Eran Sakal

Hi
I'm using LastPass for the last few years and enjoy it a lot:

  1. it is very intuitive
  2. it has cool features like a password generator
  3. you can share passwords with your family
  4. it is available in multiple devices like Android, chrome extension, and dedicated mac app (my favorite, I prefer it over browser extension)

I think they managed to simplify features with minimum impact on security; at least this is what I'm hoping for :)

Collapse
 
matthijsewoud profile image
⚡️

I might be an odd duck here, but I use Apple iCloud’s password syncing. I only have a Windows machine for gaming and testing, and it works pretty well. Nearly integrated, free, and with support for things like checking for leaked passwords.

Definitely worth a try if a Windows/Linux box isn’t your main machine.

Collapse
 
itsarsile profile image
Arsile

I use Bitwarden for my password management. It's free, easy to use and available for all devices. You can generate password with great customizability.

If you use the extension, every time you close the browser, it'll ask the master password. but this allows more secure verification if there is another person using your devices

Collapse
 
kodekrash profile image
James Linden

Short answer: BitWarden

I've been using Keeper (paid subscription) for about 7 years. Recently, after an app update, it randomly dropped/ate an entire folder structure of passwords (about 40 entries in total). Their support wasn't able to do anything. Unfortunately, I was bad about backups, and didn't have anything more recent than 8 months so I was unable to recover most of them.

Work uses LastPass, which I've also used personally in the past. I gave it a shot, but even after mapping my Keeper export to LastPass's csv format, it would not import correctly. To be fair, I didn't have high hopes, as we had the same issue when we merged into LastPass a couple years ago at work and essentially had to manually import almost 1000 items by small batch.

So, enter BitWarden. I setup account online, imported the Keeper csv file (no manipulation), and tada! All good now. Been using it every day for a couple weeks, and very happy so far.

Collapse
 
christopheek profile image
Christophe El-Khoury • Edited

After years of development, I've noticed 2 things:

  1. Almost all password managers have features that you don't need.
  2. Almost all password managers don't give you the fast results that you need.

Sometimes I'm browsing, on a website, creating an account, and as a developer, I've gotten used to getting my tasks done quite fast. I was able to do all of those pretty fast, except for creating a complex password.

That's why I created a repo (which currently runs for Mac OS only due to one small command that could be tweaked). Running that script would generate and copy a complex password onto your clipboard, which is pretty seemless.

So I use a combination of that and MYKI Password Manager.

Collapse
 
hunttom profile image
hunttom • Edited

I use safe-in-cloud for my passwords. - super simple, cross platform (window/Mac/iOS/android) and pretty straightforward and nice IU. (It does cost for the mobile apps but it’s a one-time purchase and I don’t mind supporting a fellow dev). The concept is pretty cool, you own the backend storage so there are no monthly fees. Just that initial software purchase for life and $8 USD isn’t bad compared to a monthly charge like some of the other password solutions.

For api creds/access keys I use Unix pass because, again cross platform and I can integrate directly into my terminal. Git and GPG backed, it’s a good solution.

Collapse
 
russsaidwords profile image
Russ Edwards

A $10 Bitwarden subscription for a year beats self hosting it and dealing with the security of your self hosted solution, and definitely beats the security of your home grown solution. For that, I have installed Bitwarden's extension into Firefox and downloaded the app on my phone, and I don't have to think about passwords at all anymore. Magnificent.

Collapse
 
aahnik profile image
Aahnik Daw

Exactly. I am on the Bitwarden free plan. And that's fine for me.

In future may upgrade.

Collapse
 
cjpartridgeb profile image
Chris Partridge

Using pass + git + yubikey
passwordstore.org/

Collapse
 
nake89 profile image
Kevin Kivi

The only one that I know that works with Android Firefox and Desktop Firefox is 1Password. I use their services and love them. I used to use LastPass but they no longer support Android Firefox, so to hell with them.

Collapse
 
olexsmir profile image
Smirnov Aleksander

KeePassXC for PC and KeePassDX for android. Sync with dropbox, Google drive, etc.

Collapse
 
bkis profile image
bkis • Edited

After using 1Password for a year, which works okay but costs money and doesn't have a proper Linux desktop app (you have to use a browser plugin instead, which feels weird), I am now using the exact same combination (KeePassXC on Linux, KeePassDX on Android). Both are really good software and I am pretty sure I won't switch to anything else. Synchronization across devices is a drawback, though. It's not built in (you store a password DB file locally). But as you said - there are different solutions for that. I am currently using SyncThing. Feels like a bit of an overhead just for syncing passwords, but works. And the local DB file has a strong encryption with a good master password, so I feel safe storing it wherever I want, even in unencrypted backups.

EDIT: LPT: I set a Shortcut on my desktop for Ctrl + . to open KeePassXC (the same 1Password uses for it's browser plugin, I got used to it) - it gives a very smooth workflow. KeePassXC is a great recommendation IMO.

Collapse
 
patarapolw profile image
Pacharapol Withayasakpunt • Edited

KeePass series is a good one, if you are interested in development.

It is file-based, just like SQLite.

Collapse
 
nezam05 profile image
Nezam uddin

Keepassxc

Collapse
 
stdyrm profile image
stdyrm

I use LastPass but I'm planning to switch after their policy change with multiple devices. Reddit's privacy sub is a good place to look; lots of them seem to like Bitwarden as it's open source.

Collapse
 
thalitadev profile image
Thalita G.

Bitwarden is free and open-source. No reason not to make that your go-to.

Collapse
 
ashley10167 profile image
Ashley

Thanks for the question and hopefully I would be able to guide you on the same.

Recently, myself and my team is onto using a product called Securden Password Vault. The product has been on our premises for the past six months and it is working like a charm. If desired, you can create your own onboarding process and it is quick and straightforward.

Their website is right here in this link: securden.com/password-manager/inde...

Collapse
 
blackarck profile image
Vivek

google chrome/edge just works fine

Collapse
 
luccabiagi profile image
Lucca Biagi de Paula Prado

I really love to use Firefox Lockwise, as it can keep logins and passwords from browser and apps.

Collapse
 
souksyp profile image
Souk Syp.

What about this ? Use Vercel for hosting and env as your passwords.

Collapse
 
aziz_amghar profile image
aziz.amghar

I am using keepass.

Collapse
 
mrdulin profile image
official_dulin

Core principle:

  1. Don’t use any cloud backup
  2. Cross-platform
  3. Private key + password to unlock the database

So the answer is: KeePass