Ask HN: How do you manage password security?

17 points by donohoe 2 months ago

I'm a huge fan of 1Password but I'm balking at the idea that I will need to pay nearly $4000 ($60 a year by remaining life expectancy) over the course of my remaining lifetime for a password security subscription. Can anyone recommend a free or paid alternative?

tomtompl 2 months ago

I recently switched from LastPass to a locally kept KeePass password database, and I am using the https://keepassxc.org/ client as it supports many operating systems.

It's not as comfortable as LastPass, but it gives me control over where I store that data, how I keep backups, etc. I can't really recommend that setup; I keep experimenting myself.

  • donohoe 2 months ago

    I hadn't seen this before and this might be what I need. I'll also give it a go and see how the experiment goes. Thank you.

ascar 2 months ago

I want to second KeePass 2 here. I've been using it for years, and the database format is uncoupled from the client. There are many different clients (I use the official one for Windows and Keepass2Android, but there are also Linux and macOS clients available) and add-ons that make it better. E.g. "Kee", previously "KeeFox", automatically fills in passwords on web pages and saves new logins, if you want it to and if you use Firefox (which is definitely worth a try after the big upgrade last year if you are currently on Chrome).

The database file is strongly encrypted, and you can lock it with a keyfile and a password. It's easily synced with Google Drive or Dropbox. Keepass2Android even provides a direct connection to a Dropbox or Google Drive database file. Conflicts are easily resolvable in case an update didn't get pushed before you changed something on another device. I sync the 1024-bit keyfile using USB sticks (only needed when setting up new devices) and use a long password (the only one I have to remember).

You can even import passwords from your local Firefox password manager and from 1Password (though import from 1Password seems to run through unencrypted CSV files).

And you get all that for free.
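For readers who want to see what "lock it with a keyfile and a password" means in bytes, here is an added example (Python; not KeePass's own code and not ascar's). It follows the documented KeePass 2.x rules: a key file of exactly 32 bytes is used raw, 64 hex characters are decoded, and anything else (such as the 1024-bit key file mentioned above) is hashed with SHA-256; the composite key is then SHA-256 over SHA-256(password) concatenated with that key-file key. The XML key-file variant and the slow KDF step that KeePass runs on this composite key together with the database's own seed are left out; the sample key file is constructed in the code.

```python
"""Composite key from a password plus a key file, KeePass 2.x style.

Added example for this thread; not KeePass's own source. Mirrors the
documented KeePass rules for key files (raw 32 bytes, 64 hex chars, else
SHA-256 of the file). The XML key-file format and the KDF step that follows
(AES-KDF / Argon2 over this value) are intentionally not included.
"""
import binascii
import hashlib
import os
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Turn the raw contents of a key file into the 32-byte key component."""
    if len(data) == 32:
        return data                                # raw binary key, used as-is
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)        # 64 hex characters -> 32 bytes
        except binascii.Error:
            pass                                   # not hex: treat as an opaque file
    return hashlib.sha256(data).digest()           # anything else is hashed


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """SHA-256(SHA-256(password) || key_file_key). Without a key file the
    second half is simply absent, so the password alone yields a different key."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_key(key_file)
    return hashlib.sha256(material).digest()


def make_key_file(n_bits: int = 1024) -> bytes:
    """Constructed random key file, like the 1024-bit one in the comment above.
    KeePass generates this for you in practice; os.urandom is the right source."""
    return os.urandom(n_bits // 8)


def demo() -> dict:
    """Show that neither factor alone reproduces the key."""
    kf = make_key_file()
    k_both = composite_key("correct horse battery staple", kf)
    k_pw_only = composite_key("correct horse battery staple")
    k_other_kf = composite_key("correct horse battery staple", make_key_file())
    return {
        "key_len": len(k_both),
        "password_alone_matches": k_pw_only == k_both,
        "other_key_file_matches": k_other_kf == k_both,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because a 128-byte key file is hashed down to 32 bytes before use, a key file never contributes more than 256 bits to the composite key; what the key file buys you is that the password alone, however it leaks, is not enough.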

aosaigh 2 months ago

Another person happily paying $60 for a subscription. Software needs to be maintained and improved; it's never finished. I'm happy to pay for the continued security of my passwords, as well as new features and the ability to seamlessly sync everything across all my devices.

harianus 2 months ago

I'm happy I can pay for my password manager. It's also great that it's a subscription. You know why? I want people to have money to improve the security of my personal data, I'm using the service every day, so it makes sense to pay for it via a subscription.

I would never want to use a free password manager, because it's likely they have different intentions with your data or can shut it down at any time.

amorphous 2 months ago

Bitwarden is free and works better.

retzoh 2 months ago

I'm using KeePass 2 / KeePassX with Google Drive to sync the database; it works like a charm on any device. For devices where I cannot install the Drive syncing utility, such as my work computer, I use this Python script: https://github.com/Retzoh/keypass_google_drive_sync

swah 2 months ago

I've been letting Chrome/Google generate and save passwords for me for the last few months; it's incredibly convenient. (Only for throwaway kinds of sites.)

  • davchana 2 months ago

    +1 I am using Chrome's password manager with a Chrome sync passphrase. The passphrase makes it impossible for passwords to leave my device, and thus also makes passwords.google.com unusable, but no complaints. I use a bookmarklet to reveal a password in case I need to see it.

    I use keepass2 for various serious passwords.

sotojuan 2 months ago

I only pay $48 a year for 1Password, but even if it were $60 it wouldn't bother me. If that means thousands of dollars by the time I die, that's fine. I like the service.

$4,000 over 40-60 years is insignificant. If it's useful and doesn't mess with your monthly budget, why not keep paying?

Not trying to change your mind, but I don't see the problem, and you could say that about anything you pay monthly for.

  • donohoe 2 months ago

    Yeah, I kinda noted it's a small amount, but it seems odd to have it as a subscription service.

    I feel I'm paying for almost everything as a "subscription" and I own zero.

      $60 1Password
      $156 Netflix
      $120 Amazon Prime
      $1200 AT&T (estimated, Family Plan)
      $720 Internet
      $260 NYTimes
      $168 Spotify
    
    So that's $2684.00 for services and content per year, with nothing to show for it if I cancel. Fine for most people, but part of it gnaws at me. To each their own.
    • rocannon 2 months ago

      But it's not "nothing to show for it" if you use the subscriptions... people pay money to go to a movie, go out to dinner, go to the gym, etc. When you leave each of those venues, do you think you have nothing to show for it? Okay, maybe the movie was bad, or the meal was poorly prepared. Hopefully, most of the time, you enjoyed the experience and it fortified you mentally (and even physically, if the meal was nutritious and the gym workout was a good one). The same applies for any of these subscription services. You get value while you are paying. It is not nothing :)

    • muzani 2 months ago

      When you compare it, it's still pretty cheap. I considered buying all the movies and songs I used to pirate, and it adds up to a whole lot more than registering for Netflix and Spotify.

      It's more suited to things that we consume once and then throw away. We only watch a movie or episode a few times; we do play songs often but get bored of them in 40 years.

      Password managers are another category, but even then I'd rather pay $4000 over 60 years than $1000 today.

      • donohoe 2 months ago

        Prices will go up... :)

        I do take your point. The point is, if you cancel your subscription you are left with nothing.

  • ascar 2 months ago

    I get why it doesn't bother you, if you like the experience and think it's worthwhile. I also happily pay for Netflix, while a friend of mine just asked me if he can use my account to save a few bucks. Everybody values different things.

    But there are very good free alternatives out there like keepass, with clients for every major operating system, including mobile.

donohoe 2 months ago

While I can't update my original post here, it's worth noting that 1Password got in touch and said there is a standalone plan with a license purchase, so you do not need a monthly/annual subscription.

https://support.1password.com/upgrade-mac/

CM30 2 months ago

I use KeePass 2. Works pretty well for me, and the fact that it's self-hosted means neither having to subscribe to anything nor having to trust any rich people/companies.

The database file is then stored on a removable piece of media that can be plugged into any other machines I use, then accessed via KeePass on that one.

limpkin 2 months ago

I designed www.themooltipass.com, a hardware-based password keeper, fully open hardware / firmware / software.

  • donohoe 2 months ago

    I need to know if the name is a reference from The Fifth Element?

rmurri 2 months ago

Check out Enpass. Small, one-time payment per platform (free for certain usage). It is a native client that supports sync. It also works well cross-platform, including Linux. The mobile clients are also good.

https://www.enpass.io/

  • Nadya 2 months ago

    I wasn't happy with how shady they were around their security audit, or with the fact that they redesigned their entire program, which made it super clunky and broke my workflow. I had been using Enpass since 2014, maybe 2013. I had even purchased a lifetime license. I didn't like the idea of a closed-source password manager but never found anything better than Enpass. I wouldn't personally recommend it to anyone, even when I was using it, because of it being closed-source.

    I've since moved to a self-hosted Bitwarden [0]. Open source and free, and they weren't shady with their security audit [1].

    [0] https://bitwarden.com/

    [1] https://blog.bitwarden.com/bitwarden-completes-third-party-s...

deanmoriarty 2 months ago

LastPass all the way; perfect (for me) Chrome and iOS integration. On top of that, I enable 2FA whenever possible, and every couple of months I export my LastPass data onto a couple of USB keys (they offer CSV export).

  • muzani 2 months ago

    I second LastPass and the free tier is very functional.

phakding 2 months ago

I keep passwords in a text file encrypted using gpg. I also don't write the entire password in the file, just enough digits/letters to remind me what the password would be.

zunzun 2 months ago

My passwords are all in the form of "salt + 4 digits", where the salt is only known to me. I keep lists of the useless-without-the-salt 4 digit numbers in several places.

  • muzani 2 months ago

    I used to do this, but there are always a few leaked passwords: ones shared with colleagues, the password for my PC shared with my wife, companies that store plaintext passwords, things like the Adobe leak.

    It's quite easy to guess once they do have the salt. I just do this as a minimum-security alternative to calling my password "password".

  • donohoe 2 months ago

    I've done that too, and it's been great until now.

    I would say that while I am looking for an alternative that works for "me", I'm also thinking of approaches (like this - or apps) that would work for my kids.
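An added example (Python; not any commenter's code) of the point muzani makes about the "salt + 4 digits" scheme: once a single password from the scheme leaks in plaintext, the constant part is obvious, and what remains for every other account is a search over 10,000 suffixes. The "site" below stores a bare SHA-256 of the password only to keep the demo self-contained; a slow password hash would raise the cost of each guess but not the number of guesses needed. The leaked plaintext and the target hash are constructed inline.

```python
"""Why 'private salt + 4 digits' collapses once one password leaks.

Added example for this thread, not any commenter's code. The target site
stores a plain SHA-256 of the password only to keep the demo self-contained;
a slow password hash would raise the cost per guess but not the number of
guesses, which is the problem here. Leaked plaintext and target hash are
constructed inline.
"""
import hashlib
import re
from typing import Optional, Tuple

SUFFIX_SPACE = 10 ** 4   # every password in the scheme differs by 4 digits only


def site_hash(password: str) -> str:
    """Stand-in for a breached site's stored hash (constructed, unsalted)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def infer_salt(leaked_password: str) -> str:
    """Recover the reused constant part from one leaked plaintext password.

    The scheme puts the variable part last, so the greedy prefix is the salt."""
    m = re.fullmatch(r"(.*)(\d{4})", leaked_password)
    if m is None:
        raise ValueError("leaked password does not end in 4 digits")
    return m.group(1)


def crack(target_hash: str, salt: str) -> Tuple[Optional[str], int]:
    """Try all 10,000 suffixes. Returns (password, guesses made) or (None, 10000)."""
    for n in range(SUFFIX_SPACE):
        candidate = f"{salt}{n:04d}"
        if site_hash(candidate) == target_hash:
            return candidate, n + 1
    return None, SUFFIX_SPACE


# Constructed scenario: site A stored plaintext and leaked it; site B leaked hashes.
LEAKED_PLAINTEXT = "Tr0ub4dor7301"
TARGET_HASH = site_hash("Tr0ub4dor0042")


def demo() -> Tuple[Optional[str], int]:
    """Attacker learns the salt from site A and recovers the site B password."""
    return crack(TARGET_HASH, infer_salt(LEAKED_PLAINTEXT))


if __name__ == "__main__":
    password, guesses = demo()
    print(f"recovered {password!r} after {guesses} of {SUFFIX_SPACE} guesses")
```

Ten thousand candidates is well within what a laptop tries in a fraction of a second against a fast hash, and still only minutes against bcrypt or Argon2 at typical cost settings; the scheme's strength is entirely in the salt staying secret, which one plaintext leak ends.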

stevenwliao 2 months ago

Does Chrome or Apple saved passwords work as a workflow for you? I find Apple's integration quite nice.

mijndert 2 months ago

I rely on 1Password for my password management. You can also sync 1Password through other means.

  • donohoe 2 months ago

    Right, but it seems they have switched to a subscription-only service for any new users.

codegeek 2 months ago

Locally used KeePassX and synced with a cloud provider like Dropbox, S3, etc.
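Several comments (tomtompl, retzoh, CM30, codegeek) describe keeping the database file under their own control and letting a sync client or a USB stick carry it around. As an added example (Python; not any commenter's script), here is a small versioned-backup routine to run before the file leaves the machine: it refuses anything that does not carry the KeePass file signature, so a truncated or half-synced file never displaces a good copy, and it skips copies whose content is already in the backup directory. The two signature constants are KeePass's real magic bytes; the file-naming scheme and the throwaway database in the demo are this example's own construction.

```python
"""Content-addressed, versioned backups of a KeePass database file.

Added example for this thread (not any commenter's script). Assumes a local
.kdbx file and a backup directory you control, e.g. a USB stick or a folder
outside the Dropbox / Google Drive sync tree. The two signature constants are
the real KeePass magic bytes; the naming scheme is this example's own.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Every KeePass file starts with these two little-endian 32-bit signatures.
SIG1 = (0x9AA2D903).to_bytes(4, "little")
SIG2_KDBX = (0xB54BFB67).to_bytes(4, "little")   # KeePass 2.x (.kdbx)
SIG2_KDB = (0xB54BFB65).to_bytes(4, "little")    # KeePass 1.x (.kdb)


def is_keepass_file(header: bytes) -> bool:
    """True when the first 8 bytes carry a KeePass 1.x or 2.x signature."""
    return header[:4] == SIG1 and header[4:8] in (SIG2_KDBX, SIG2_KDB)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def existing_digests(backup_dir: Path) -> List[str]:
    """Digests already stored, parsed from our '<stem>-<utc stamp>-<digest>.kdbx' names."""
    return [p.stem.rsplit("-", 1)[-1] for p in backup_dir.glob("*.kdbx")]


def backup(db: Path, backup_dir: Path) -> Optional[Path]:
    """Copy db into backup_dir unless identical content is already there.

    Raises ValueError for anything that is not a KeePass file, so a truncated
    or half-synced file cannot displace a good backup. Returns the new copy's
    path, or None when nothing changed since the last backup.
    """
    with db.open("rb") as f:
        if not is_keepass_file(f.read(8)):
            raise ValueError(f"{db} does not carry a KeePass signature")
    backup_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(db)[:16]
    if digest in existing_digests(backup_dir):
        return None
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_dir / f"{db.stem}-{stamp}-{digest}.kdbx"
    shutil.copy2(db, dest)
    return dest


def prune(backup_dir: Path, keep: int) -> int:
    """Delete all but the newest `keep` backups (names sort by UTC stamp)."""
    files = sorted(backup_dir.glob("*.kdbx"))
    old = files[:-keep] if keep > 0 else files
    for p in old:
        p.unlink()
    return len(old)


def demo() -> tuple:
    """Constructed scenario in a temp dir: a good save, an unchanged save,
    a changed save, then a truncated file that must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db, store = root / "vault.kdbx", root / "backups"
        db.write_bytes(SIG1 + SIG2_KDBX + os.urandom(256))   # fake KDBX body
        first = backup(db, store) is not None
        unchanged = backup(db, store) is None
        db.write_bytes(SIG1 + SIG2_KDBX + os.urandom(256))   # "edited" database
        changed = backup(db, store) is not None
        db.write_bytes(b"\x00" * 8)                          # half-written file
        try:
            backup(db, store)
            rejected = False
        except ValueError:
            rejected = True
        n_backups = len(list(store.glob("*.kdbx")))
        removed = prune(store, keep=1)
        return first, unchanged, changed, rejected, n_backups, removed


if __name__ == "__main__":
    print(demo())
```

The signature check is deliberately shallow: it catches the common failure (a zero-length or partially written file from an interrupted sync), not a database whose encrypted body is corrupt. For that, open the copy with your client once before trusting it as your only backup.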