Updated: 24th Aug 2024 Reading time: 9 minutes

Password Managers

Privacy-friendly Alternatives to Google's password manager

Lately it seems like there's a new security breach every other day, exposing the PII of millions. That includes full legal names, usernames, email addresses, physical addresses, and yes, passwords. Very often the goal of hacking some obscure forum is not to gain access to your account on that forum. Instead, it's to get the login credentials that you likely reuse on other websites too. Now the attackers can access every account that uses that same email/username and password combination.

There are entire services like Have I Been Pwned dedicated to this. They check if your password has leaked by looking it up in databases of stolen passwords. Attackers often feed these same databases into dictionary and credential-stuffing attacks. There are even services that automatically alert you when your password has leaked. Many password managers come with this functionality built in.
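The leak check described above does not require sending your password anywhere. The Pwned Passwords API uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in that bucket along with a breach count; the comparison happens locally. The following is an added example (not code from the original post or from Have I Been Pwned); the response body is a constructed sample in the real `SUFFIX:COUNT` line format, with made-up counts, so it runs offline.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a range response for the prefix "5BAA6": one
# "SUFFIX:COUNT" line per hash in the bucket. Only the middle entry is a real
# SHA-1 suffix (of the string "password"); the counts are invented here.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix_suffix(password: str) -> tuple[str, str]:
    """Only the 5-character prefix ever leaves the machine; the suffix stays local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines.

    Padded responses (see fetch_range) contain filler entries with count 0; they
    parse fine and are treated as 'not breached' by breach_count.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in the bucket; 0 means not found."""
    _, suffix = split_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live bucket for a prefix (network access; not used by the offline test).

    The Add-Padding header asks the service to pad the response with dummy
    entries so response size does not reveal bucket size to an observer.
    """
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_prefix_suffix("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_RESPONSE))
```

To check a real password, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`; the suffix is still compared only on your side.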

Obviously, the first thing you should do when this happens is change your password. But if you're using the same password on other websites, you now have to change all those other passwords too. And that's where password managers come in. Their core functionality is to store your login credentials for each service. That way, you don't have to remember every single password. With this freedom, you no longer have to create passwords that are easy to remember. You can create strong, impossible-to-guess passwords without needing to remember them. As such, most password managers also allow you to generate strong passwords.
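What "generate a strong password" means in practice is drawing every character from a cryptographically secure random source and then measuring the result in bits rather than by eye. This added example (not code from the original post or from any of the managers it reviews) uses Python's `secrets` module, enforces a simple character-class policy by rejection sampling so the output stays uniformly distributed, and reports the entropy of the chosen length and alphabet. The symbol set is my own choice for illustration.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumed symbol set for this example: conservative characters most sites accept.
SYMBOLS = "!#$%&*+-=?@^_~"


def _classes(symbols: bool) -> list[str]:
    return [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])


def has_all_classes(password: str, symbols: bool = True) -> bool:
    """True when at least one character from every required class is present."""
    return all(any(c in cls for c in password) for cls in _classes(symbols))


def generate_password(length: int = 20, symbols: bool = True) -> str:
    """Generate a uniformly random password from the OS CSPRNG (secrets).

    Rejection sampling: redraw the whole string until every class appears.
    Forcing one character per class up front would bias the distribution;
    redrawing keeps it uniform over all policy-compliant passwords.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    alphabet = "".join(_classes(symbols))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, symbols):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(20, len("".join(_classes(True)))), 1), "bits")
```

Length matters more than symbols: 20 characters from the 62 alphanumerics already exceed 119 bits, far beyond what an offline cracker can search, so the policy check exists only to satisfy sites that demand mixed classes.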

Password managers also protect you from phishing attacks through their autofill feature. If you click on a link to log into a website and your credentials don't appear, you're not on the real website. That's because password managers only offer your credentials when you visit the URL they were saved for.
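The phishing protection comes down to one decision: compare the origin of the page you are on with the origin the credential was saved for, and offer nothing on a mismatch. The added example below (my own code, not from the original post or from any manager it reviews) uses Python's `urllib.parse` to make that decision with a strict same-origin rule, which also catches look-alike hosts that merely contain the real name and refuses to fill an HTTPS credential on a plain HTTP page. The URLs are constructed for the example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

Origin = tuple[str, str, int]  # (scheme, host, port)


def origin_of(url: str) -> Origin | None:
    """Normalise a URL to its origin; None for anything that is not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # already lower-cased, userinfo stripped
    if not host:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host.rstrip("."), port)


def should_offer_credentials(saved_url: str, current_url: str) -> bool:
    """Offer a saved login only when the current page has exactly the saved origin."""
    saved, current = origin_of(saved_url), origin_of(current_url)
    if saved is None or current is None:
        return False
    if saved[0] == "https" and current[0] != "https":
        return False  # never downgrade a credential saved for HTTPS
    return saved == current


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"
    for page in (
        "https://accounts.example.com:443/signin",
        "https://accounts.example.com.evil.test/login",
        "https://accounts.example.com@evil.test/login",
        "http://accounts.example.com/login",
    ):
        print(should_offer_credentials(saved, page), page)
```

Real managers often relax this to "same registrable domain" so that `login.example.com` and `www.example.com` share entries; that convenience is exactly the trade-off the text talks about, because every relaxation widens the set of pages the credential will be offered on.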

You can take this a step further by using different email accounts for each service. This way, login credentials become disposable and leaks have minimal impact. Some password managers integrate with email forwarding services. This allows you to create masked emails on the fly for new accounts. If you have your own domain, you can manually create an address for each service. This protects your real email address from getting leaked as a login credential. If a throwaway email gets leaked, change it. Email forwarding services also allow you to stop receiving emails from leaked addresses. This helps avoid spam as well.

Many password managers also include 2FA functionality for added convenience. Some security experts recommend using separate services for your passwords and 2FA. The logic is that if one gets compromised, you don't lose everything. But most people are likely not willing to manage two different apps for security. So until they get used to it, the convenience of having both in one is worth the minor security sacrifice. Security always comes at the expense of convenience. Where you draw the line is up to you and how much convenience you're willing to sacrifice. You can check my recommendations for dedicated authenticator apps to help you decide.

Speaking of convenience, passkeys are the future hailed to replace passwords. They get saved on your device (or in your password manager) and you don't have to remember anything at all. Services can log you in as soon as they detect a passkey, asking you to confirm with biometrics. Passkey adoption is on the rise as they are more secure (and convenient) than passwords. The downside to passkeys is that they are tied to the device, meaning you need a new passkey for every device. This adds an extra layer of difficulty if you lose access to your device. For now, it's still recommended to keep password authentication as a backup.

Cloud

ProtonPass

ProtonPass is Proton's recent foray into the password management space. It's actually rather impressive. It lags behind Bitwarden in features, but it's leagues ahead when it comes to UI/UX. Looks don't seem important to security purists. But for the average person, UX is what determines whether they'll use a product.

ProtonPass is a Swiss open-source password manager that supports all devices and browsers. Like Bitwarden, it also includes 2FA and e-mail masking as paywalled features. If you plan to use a separate authenticator app, you'll likely find the free tier satisfactory.

Unlike Bitwarden, you can't self-host ProtonPass. You can, however, self-host Proton's email forwarding service, SimpleLogin, which Bitwarden also supports.

IronVest

IronVest is not open-source!

IronVest is a browser extension that has evolved over the years. I first started using it when it was MaskMe. All it did was create masked email addresses on the fly and forward emails to your main address. It had dedicated inboxes for each masked email address. MaskMe also offered masked phone and masked cards, but I never tried those paid features. MaskMe then turned into Blur and added tracker blocking. This is also when they developed mobile apps.

Today, it's called IronVest and their overly corporate website is deliberately confusing. Underneath all the jargon, it largely mirrors other password managers in features. Masked emails are no longer free, but also no longer unique in the market. What sets it apart is the masked phone and cards, but their marketing focuses more on security. They claim they're more secure than other password managers thanks to blockchain technology. Since they aren't open-source, it's anyone's guess whether this is actually true.

If I hadn't personally used their product for many years and loved it, I wouldn't even include it here. Based on their website, their current marketing material doesn't inspire confidence. That said, it's obviously aimed at businesses and not me.

Self-hosted

Nextcloud

Nextcloud users are likely already aware of the simply-named Passwords. It's a fully featured password manager you can install from Nextcloud's official app store. It supports E2EE, QR codes, and password sharing with other Nextcloud users. You can organize using tags, folders and favorites. Each password can also have a note, as is standard, but here it's taken to another level with a rich text editor.

The developer's only official clients are browser extensions, though they exist for all browsers. But since it's open-source, the community has built mobile apps for it. Android users can use this or this. iOS users can use this.

Note that certain features like passkeys and 2FA are client-side features. Their support depends on the app you're using, not the server backend. This is important to keep in mind when it comes to community apps.

Bitwarden

Bitwarden is the default recommendation for an open-source self-hosted password manager. It is very feature complete, covering not only logins but also identities and card info. This is because saving and managing passwords is only half the job of a password manager. The other half is autofill, inputting your info for you in browsers and apps.

Bitwarden not only supports every platform and browser, it's also free to use. They paywall a few features, like 2FA, but full functionality only costs $10 a year. A year is plenty of time to decide if it's worth self-hosting, which unlocks all functionality for free. Family plans are also available, for up to 6 members.

The biggest factor working against Bitwarden is UI/UX. Security software often neglects design, especially with the limited resources of FOSS. On the flip side, since it's FOSS, there are many alternative front-ends for it. For Android, I recommend KeyGuard. It integrates added functionality like automatically checking if your passwords have leaked. It prompts you to update insecure, leaked, or duplicate ones. It also informs you of websites you use that support passkeys and 2FA. Passkeys are more secure and also more convenient than passwords. They can't be stolen or forgotten, and they allow you to log in without entering your password every time.
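The duplicate check KeyGuard performs is worth seeing in the open, because reuse is what turns one forum breach into a takeover of your mail or bank. This added example (my own code, not KeyGuard's or Bitwarden's) walks a vault, groups entries by password, and reports the sets of hosts that share one, along with entries below a minimum length. The vault entries are constructed for the example and contain no real credentials.

```python
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed vault for the example; none of these are real accounts.
SAMPLE_VAULT = [
    {"name": "Forum", "url": "https://forum.example.org/login", "password": "Tr0ub4dor&3"},
    {"name": "Mail", "url": "https://mail.example.com", "password": "Tr0ub4dor&3"},
    {"name": "Bank", "url": "https://bank.example.net", "password": "x9!Qv2#kLm8pR4wZ"},
    {"name": "Shop", "url": "https://shop.example.org:8443/account", "password": "Tr0ub4dor&3"},
    {"name": "Old wiki", "url": "http://wiki.example.org", "password": "wiki"},
]


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; the raw string if it has no host."""
    return (urlsplit(url).hostname or url).lower()


def reused_groups(vault: list[dict]) -> list[list[str]]:
    """Sets of distinct hosts that share a password, as sorted host lists.

    Passwords are only used as grouping keys and never returned, so the
    report can be shown or logged without exposing vault contents.
    """
    hosts_by_password: dict[str, set[str]] = defaultdict(set)
    for entry in vault:
        hosts_by_password[entry["password"]].add(host_of(entry["url"]))
    return sorted(sorted(hosts) for hosts in hosts_by_password.values() if len(hosts) > 1)


def short_entries(vault: list[dict], min_length: int = 12) -> list[str]:
    """Names of entries whose password is shorter than min_length."""
    return [e["name"] for e in vault if len(e["password"]) < min_length]


def audit(vault: list[dict], min_length: int = 12) -> dict[str, object]:
    """Combined report a manager would surface to the user."""
    return {"reused": reused_groups(vault), "short": short_entries(vault, min_length)}


if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
```

A leak check (the k-anonymity lookup) slots into the same loop: hash each password once, query its prefix bucket, and add a third list to the report.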

Offline

Passy

Passy is a smaller, lesser-known FOSS project. But don't let that fool you, as it is pretty feature-complete. It separates itself by focusing on being offline and local, while still being capable of online sync. Automated sync is possible to a server of your choice, but you can also sync manually by scanning a QR code. An interesting approach.

When it comes to features, Passy pretty much matches all other password managers. In fact, it even allows for more customization in some areas. For example, you can choose your 2FA algorithm when setting it up for a set of credentials. Another notable inclusion is the ability to set both a username and an email address. This may seem obvious or even silly, but some competitors lack it. Passy supports credentials, identities, and payment cards, as is standard. Custom fields are also nice.
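Passy letting you choose the 2FA algorithm, and the earlier point about managers bundling 2FA at all, both come down to the same small piece of math: TOTP (RFC 6238) is HOTP (RFC 4226) with the counter derived from the clock, and the only thing the algorithm setting changes is which hash HMAC uses. This added example (my own code, not Passy's or from the original post) implements it with a selectable hash plus a constant-time verifier that tolerates clock drift. The test vectors are the published ones from RFC 6238 Appendix B and RFC 4226 Appendix D, whose shared secrets are the ASCII digits shown.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int | None = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((time - t0) / step).

    algorithm may be 'sha1' (what most services use), 'sha256' or 'sha512';
    the secret must stay the one the service issued for that algorithm.
    """
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: int | None = None, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept a code from the current step or up to `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time; the window absorbs
    small clock drift between the device and the service.
    """
    if for_time is None:
        for_time = int(time.time())
    for delta in range(-window, window + 1):
        candidate = totp(secret, for_time + delta * step, step, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC test secret; a real one is base32-decoded
    print(totp(secret, 59, digits=8), totp(secret))
```

When a manager or authenticator shows an "algorithm" option, it must match what the service encoded in the `otpauth://` URI; picking SHA-256 on the client for a secret the server verifies with SHA-1 yields codes that never match, which is the usual cause of "my 2FA code is always wrong".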

Passy works on all devices, including specialty features like biometric authentication and autofill. A browser extension is also available for all browsers.

Pass

Pass is the hacker's password manager. There's no GUI of any kind (though there is a client that offers one) and it's managed and used entirely through the CLI. This might seem daunting if you're a Windows user, but if you live inside the terminal, it makes sense. It's very straightforward in its approach. It saves your passwords locally in GPG-encrypted files. This makes it very easy to share or migrate them to other devices, and only your GPG key can decrypt them.

It allows you to add, edit, and retrieve passwords using simple commands. Cross-platform sync is possible over Git or something like Syncthing. This offers a secure and decentralized way to manage your passwords. Being open-source, the community has, over the years, created clients for every device. Most of these clients also support 2FA.
