Currently for my password manager I'm using KeePass by LuckyRat on my UNIX laptop. I want to considerably expand the scope of my password manager. Will KeePass support what I want to do, or will I need a new product?
A password manager has a database containing a map from URIs (or other IDs of password consumers) to loginIDs and passwords that will let the user authenticate and get service from that consumer. The usual mode is for a browser plugin, or an app running in the background, to monitor web pages, or other apps' authentication windows, and to fill in the loginID and password. Thus the user does not have to remember the password and is willing to make it long and random, resisting nefarious attempts to crack it.
These acronyms and jargon words are often used:
consumes), to induce it to provide service.
Issues for the password manager. Obviously some of these goals conflict.
zero knowledgedesign, which I insist on: when adding or changing an item the app on the client encrypts it and the database in the cloud stores ciphertext, sending it back for the client to decrypt when the loginID and password are to be filled into a login form. The key never leaves the client. In case of a subpoena or hacking, the crypto strength is typically set so the Black Hat will have to spend at least a billion USD and work for at least a year to crack the private key, which is feasible, but is only justified for the most important national security issues.
The first step is to search on Google for
password manager. I
found quite a number of digest reviews and
10 best lists; I concentrated
on recent ones in mainstream media. But PMs are fairly similar and so are the
articles rating them; I'm showing details mostly for the first
On PC Magazine by Neil J. Rubenking & Ben Moore, 2021-02-17. They reviewed quite a number of products, which were also reviewed in other similar articles. While each author had his or her own opinions on which aspect of the product would drive the ranking, the information I was getting from all the reviews was generally similar. Here are four selected products from the PCMag review, products which seemed relevant to my needs.
MSRP $21/yr for 1 user, $45/yr for
family of up to 5.
Does 2 factor auth. Keeps a password history. Free trial limited to
one client. Windows, Android, iOS, Linux, Firefox, MSIE, Safari,
others that we don't have. Zero knowledge: they store ciphertext;
you encrypt and decrypt it on the client device using your master PW.
Has password inheritance (your executor can extract your PWs if you
die). Has password capture. Can recognize password change pages;
can generate a random PW here and save it in the DB. It fills in app
passwords. Can share PWs (individually) with other users. Or you
can create one or more shared folders. Editor's choice.
Comment: watch out for auto renewing the subscription; it's hard to
MSRP $60/yr (highest in this set?), $120/yr for premium pro. Free trial. Handles Windows, MacOS, Android, iOS. Where's desktop Linux? Use via web browser extension. In functions it's very similar to Keeper. Includes a VPN service (to which the extra price is attributed). Dashlane recently made some kind of change to the terms of service (I had trouble to understand the issue but I think it involves secure storage for attachments), which pissed off a lot of users and led them to read this article to find a different password manager. Editor's choice.
MSRP $60/yr for family plan, 5 users ($1/mo per user for more), 1Gb
secure storage; single user plan costs $36/yr.
Covers Windows, MacOS, Android, iOS, Firefox (+others)
browser extension, no native desktop Linux. PC Mag's complaints:
UI of apps and browser are different leading to confusion. Prefer the
X extension style vs. the
regular extensions. No
dedicated inheritance feature (but in the family account you can
designate multiple people as administrators, which should be enough).
Sharing is limited to within the family. Setup: to add another device
or browser, you need to type in the 34 byte random symmetric key
(obviously base64 encoded, about 204 bits). Or there are various
maneuvers to pass a picture of a QR code to the new client. It does
2FA, both via an auth app and U2F keys. Don't try to get 1Password to
do 2FA for 1Password, it's a chicken and egg issue. Our son uses
Open source! The free version offers most of the features.
Premium is $10/yr (only!) plus $1/yr to share passwords. OS support:
Windows, macOS, iOS, Android, Linux; Firefox, Safari, etc. Also many
activites are available from a plain web UI. Breaking news, it now has
emergency access, which is equivalent to legacy inheritance.
The paid version has these features: Authenticate with YubyKey or FIDO
U2F key. Attach files to items (1Gb max). Get a report of PWs stolen
in data breaches.
All the reviewed products have generally similar features and functions, although there are significant differences in price, in the slickness of the user interface, in flexibility, and in meeting non-core goals from jimc's list.
One question that often comes up is, can you use it without an Internet connection? It's my impression that most/all of these apps store the database (containing ciphertext) on each client device and sync to/from the cloud instance. So you can read and alter your items without a connection; alterations will be synced when the net returns. However, web pages in which you would fill passwords come in from the Internet, and password protected mobile apps almost but not quite invariably perform their service (e.g. controlling your thermostat) by an Internet connection from your phone and from the thermostat to the mother ship, so you will (almost) never have an opportunity to use your password manager when the Internet is down.
YubiKey 5Ci by Yubico is a dongle with USB-C (type C) and Lightning connectors. It does smart card things, specifically FIDO2 U2F (WebAUTHN) for authentication. MSRP $70. There's a version with USB type A plus NFC; MSRP $45 street $27.
Since Google required 2FA hardware keys internally, phishing
successes dropped to zero. But their security guru says it's useless
to deploy this to most users, who will just get frustrated with the extra
steps. 2FA is really useful for people subject to targeted attacks, like
It discusses aspects and vulnerabilities of PW managers in general, but does not compare specific products.
KeePass: 3* (dated 2016-06-27, 5 years old). For me, this review was not useful because of improvements to KeePass in the last 5 years.
By Clifford Colby & Rae Hodge, 2021-03-17. Their #1 is/was LastPass because the free version includes most of the features. However, they've changed terms of service, and someone discovered 7 web trackers in the Android app, so the authors are re-evaluating their rankings. #2 is 1Password.
They also have a short review of KeePassXC. They say,
for advanced users only: Its user interface takes a bit of fiddling to get
all the independently built versions of KeePass to work together.
On SuSE Build Service, Bitwarden is not apparent, but there are packages for keepass (v2.47, in Mono) and KeePassXC (keepassxc) (v2.6.4, uses Qt5).
healthreport; TOTP management; custom fields in entries; file attachments; has a CLI; can share database.
(2021-03-16) Their #1 is Dashlane. Keeper at #6. Bitwarden #7.
(2021-03-12) Their #1 is 1Password; #1 in free category is Bitwarden.
Wirecutter: Best Password Managers
(2021-02-05) Their #1 is 1Password; #1 in free category is Bitwarden.
OP _usererror_ about 2020-06-xx. He currently uses LastPass and is considering switching to Bitwarden or 1Password. His goals: Features (report of weak/duplicate PWs; sharing PWS); security particularly with cloud sync; privacy particularly with browser extensions. Main questions: What are the main benefits of the 3 products? Which is considered the best for security and privacy? 1Password being closed source, can it really be trusted? Why has the 1Password Firefox extension not received Mozilla Recommended status?
Snips of discussion posts:
I tried BitWarden out and it is absolutely a great product, but I think the BW vs 1P debate comes down to what you value…for me, I value your design and ease of use above all else, because the nicer it looks and easier it is to use, the more likely it is I can get my wife to use it, and that's why I'm still on 1P…if it were just me, I'd honestly probably be on BW because I can handle it being a little rougher around the edges.
When you change a PW, 1Password recognizes it and saves it in the database; Bitwarden doesn't. He's using Safari exclusively and Safari support is poor, so he says.
Several users point out that 1Password started as an Apple app and its Apple incarnation is better than for Windows. Jimc is not sure whether the iOS app is closer to the macOS or the Windows desktop app. And what about Android?
By Bjorn Johansson, date 2021-xx-xx.
LastPass: winner in basic and extra features, ease of use, and customer
support. Bitwarden: winner in security and pricing, but only recommended
Bitwarden integrates with TOTP generators (Google Authenticator etc). and biometric ID if the OS has it. USB tokens and the builtin TOTP generator require the premium product. Useability: with Bitwarden you have to copy and paste the TOTP, whereas LastPass can auto-fill the form. (Jimc says: in 2021-04-xx on Firefox for desktop Linux, it offered to fill a TOTP form.)
Basic features of both products:
Sharing: LastPass is much more slick, and you can share in the free tier. With Bitwarden, the premium users can share with one partner, while you can share a whole vault with multiple users if you have the family plan (up to 6 partners) or business plans.
Summary of the various review articles: All of the PW manager packages have a lot of similarity. Common features, starting with the most common:
It stores a mapping between a server/consumer identifier (URL, etc.) and a loginID and password that you can use to get service on that server.
Most packages offer database hosting in the cloud (not free) so you can use the PW manager on multiple client devices when at or away from home. A few, specifically KeePass and friends, tell you to use your favorite file sharing solution, like Dropbox or ownCloud, to host the database. Of course you can omit this feature if you have only one device. A few, specifically Bitwarden, can use either their cloud hosting or your own.
All PW managers have browser integration so you visit a login page and the manager will recognize it and (offer to) fill in the appropriate loginID and password. Some (including BW) but not all can handle servers like Google that put the loginID and password on separate pages.
PW managers for mobile devices usually can recognize and fill in apps' own login pages.
Most PW managers can copy your loginID and password to the clipboard, one at a time, for use on a login page that it fails to recognize. Beware: if you do this on an iDevice, the clipboard is shared among all of them, and while the PW manager clears the clipboard after the PW is used, this clearance is (or used to be) ineffective on remote iDevices.
Some but not all PW managers can recognize a password changing form and (in the better cases) can capture the new password and update the database entry. Many can recognize a login page for which it has no entry, and can create one on the spot with varying completeness and convenience.
Some packages keep a history of modifications, specifically historic passwords, so a botched PW change can be reverted easily in the database.
Many packages say they have a zero knowledge design, meaning that the database stores ciphertext, and the client device encrypts it when creating the entry, and decrypts it when filling in a login form. So in case of a subpoena or an illegal hack on the cloud host, the booty is useless.
A few packages, specifically KeePass and Bitwarden, are open source. Bitwarden gets a professional security audit every 2 years (expensive).
The database entries can contain other information, like notes, credit
card numbers, etc., and the packages are more or less agile at filling
these into appropriate fields. (KeePass is in the
Some packages let you attach files (of modest size) to entries.
Facilities for sharing passwords vary in convenience, agility and scope. The sharing feature seems to be a profit center for many packages.
All (?) packages can organize entries in groups, generally called
folders,with varying convenience and effectiveness.
Operating systems covered are (in order of commonness): Windows, MacOS, iOS, Android, desktop Linux.
KeePass is the devil I know. However, it's a fringe operation with only one developer, and it doesn't have some of the modern features. I'm seriously considering switching to Bitwarden. It has these advantages over other commercial competitors:
Bitwarden components: If you're installing Bitwarden you will want these web links:
This page has the current links for the apps listed below. It's probably better to refer to the download page, rather than following my links which are possibly outdated.
Use this on both Firefox for desktop Linux and for Androoid (and presumably for iOS.) Current version in 2021-03-xx: 1.49.1 Biometric auth if supported by the OS. The download page has extensions for eight different browsers.
4.7*. Snips from reviews: No auto fill (with which browser and
version?) but their UI for cut and paste is good. Another user says
fill doesn't always work. Jimc says, auto-fill works for me. Current
version in 2021-03-xx: 2.9.2
4.7*; not much info on this page.
The main useful feature is a command line interface so you can possibly automate backups. On the desktop you will mostly need passwords for web pages, for which you will use your browser extension. Maintenance operations, like adding or editing items, can be done from the app but (in jimc's opinion) are better done from the web GUI; see the next item.
The web GUI has most of the features of the native apps (but not auto-fill). It can be used from any web browser (whether or not you have the browser extension installed). Major activities are adding, editing and deleting items (loginID-password pairs), organizing items in folders, sharing, importing and exporting (downloading) items (e.g. for backup).
The first step when instailing bitwarden is to select a service plan. These are the personal plans (there are also business plans).
|Bitwarden Send||text only||text+file||text+file|
|Encrypted attachments||--||1Gb||1Gb personal + 1Gb family|
|2 factor authentication||2FA||2FA + etc||2FA + etc|
|(+etc means Yubikey, U2F, and Duo)|
Some (but not all) Bitwarden features.
-F marks features not
available in the free plan; all are in the Premium and Family plans.
Unlimitednumber of storable items (PW entries etc)
Which paid features do we really want?
legacy accessbut the grantor doesn't have to actually die to activate it. We definitely need this.
Creating a free account. Pick a password first. You will need to remember it to open the service; you can't store it in the PM if you're going to use it to open the PM.
Terms of Service (Jimc's summary; IANAL),
optimize product design. Google Analytics combines data from a lot of sites for their own purposes.
The account creation form requires these items:
Tidbits and web resources from the welcome e-mail message:
If we're going to convert to a paid family plan, we really want to start out with a CFT organization (sharable collection). The free tier still can create an organization. (Actually it's a little less confusing to create the organization after you've upgraded your account.) Steps to create one:
New Organizationon the main page, right sidebar, bottom.
Manage/Peoplethe creator is prefilled as the owner.
I worked out a test plan in advance:
Mozilla Firefox(or whatever your browser is). It opens a new window/tab in the Firefox extensions store. Review what you're installing, then hit
Add to Firefox. A box pops up: yes allow this extension to run in private windows (unless you're too paranoid). (But this is ignored; make this settings under Manage Add-ons - Plugins.)
>>for a dropdown list. One of its choices is
Customize Toolbarwhich would let you change the order of the icons.)
Bitwarden. Hover over Auto-Fill. Click on the desired login title (not always unique, e.g. work and home e-mail on the same service). The page gets auto-filled. In these tests the loginID and PW were on the same page, but later I tried Google (Gmail), with the PW on a separate page, and it worked.
Auto-fill with Bitwarden, go to my vault. Click on it. If your session has timed out it will ask for uour BW password. A list of login entries will appear (usually unique). Click on it. The login form will be filled in.
Auto-fill Service(select BW in the pop-up),
Use Accessibility(allow full control), and
Use Draw-over(which for me was already on).
iicon if there's an active icon menu), click on Advanced (at the bottom), scroll to the new bottom, and the version and the name are shown there.
close) the app.
My Vaultshould be showing.
Auto-fill, go to vault. Click on it, it auto-fills. Ring: For the test, if you're already logged in, do hamburger/Account/Logout (at bottom). Re-launch the app. You get the splash screen, hit Login. Click in E-mail (other apps/pages may need you to click first in Password). It pops a tag saying Auto-Fill with BW. Click on it. It shows a list of 1 matching item. Click on it. Ring wants a 2FA code sent by SMS (and they won't divulge the TOTP seed, otherwise BW could take care of this). It let me on.
Encrypted JSONis encrypted with your session key, and if your vault gets trashed and you have to re-create it, the session key will change and you can't read the backup. CSV represents almost all of the vault data but loses certain arcane features.
shredis ineffective on a solid state disc.
password manager is a flat file (encrypted) with a
fairly consistent format. I wrote a script to convert it to JSON, and when I
botched the format and couldn't find what was wrong,
I changed to convert to CSV. That took some work, but less
work and less errors than cutting and pasting 127 items from the flat file to
Bitwarden's item form. For checking that my JSON is correct as to form, I used
https://jsononline.net/json-checker. Of course the attribute names have
to be what Bitwarden expects;
will get you started creating the JSON or CSV file but for gory details you
will need to export and inspect a backup of test data.
I now have all our passwords in Bitwarden. Both my wife and I agree that this is a low friction way to get passwords onto login forms, much less hassle than copying by hand from the flat file or the paper copy. The workflow in Bitwarden has to be learned, but it's pretty simple and convenient, particularly if you go through the settings and turn things on or off according to your preferences, and adjust the timeout to balance security and useability. Comparing BW's user interface with competitors that I didn't install, some promise a slicker experience and/or more focus on useability (vs. security) in the out-of-the-box setting defaults, but the PMs that lost this competition didn't match BW in other important core criteria.
These jobs still need to be done: