I have tried pretty much every one of the well known password managers (that are open source and work on Linux), but never found any of them very convenient to use.

Until I came across this: http://www.zx2c4.com/projects/password-store/

It is simply the easiest, most intuitive password manager out there. One of those things that, once you come across them, you wonder why it took so long for something this logical to come into existence. I am not associated with the project, but these are just a few things I love about "pass":

1. Command-line based: which means I can script it, I can run it remotely, etc.

2. Uses Git to store the passwords: full revision history, changelog, and the remote push/sync features that Git is SO good at. Other password managers have to reinvent that whole wheel and none seems to do a good job. This also eliminates the need for "hosted" solutions, which I simply refuse to use.

3. GPG for password encryption: once again, such a natural, awesome way to do things. GPG is already the safest practical way to secure data at rest. I can rest easy that no silly homegrown encryption system was invented. Also, as long as I have the keys, in the worst case I can do the decryption myself if I do not have access to "pass".

The only thing I believe it might lack is the fact that the names of the entries are in the clear. Which means I cannot set up a GitHub (private) repository as a remote for my pass store: the passwords themselves would still be GPG encrypted, thus safe, but the repository would leak the names of all websites and user IDs.

In any case, kudos and thanks to the devs!
I'm quite surprised to see this on the HN homepage, I mean this is such a great and popular tool that I would expect everyone to know about it and find it just an obvious link not to upvote.

Does anyone know if there is a lib to read and write into KeePass archives programmatically, e.g. from a C# app? That would be quite useful to manage in an automated way some credentials for production systems, sharing the archive via versioning repos in a team.
And if you need multiplatform, there is always KeePassX [1]. I use it on Mac OS X, Windows, iOS, Android and Linux, and it just works.

[1] https://www.keepassx.org/
I've had it on my various systems (Windows, Linux, Android) on the sidelines for a couple of months, and after initial fiddling, still haven't actually started using it.

This is mostly because I don't want to have to deal with copy-pasting my password between the KeePass app and the browser (where most of my passwords are needed). Luckily, there are autofill plugins that exist for Chrome [1], Firefox [2], and Android [3].

However:

- said plugins work with KeePass2, whose GUI theming on Linux is broken to the point of being almost unusable (as a C# app using WinForms, it doesn't respect GTK/Qt theming well).

- getting the KeePass2 plugin needed for the browser plugins requires jumping through hoops on Linux and I haven't gotten it to work (yet?).

- I'm sharing my KeePass database on Dropbox (with its own security considerations...) to synchronise between the different systems and...

- The Android app just won't open the shared database.

So it feels like I'm 60% of the way there, but I still don't have a usable system. Hints appreciated.

[1] https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae?hl=en

[2] https://addons.mozilla.org/EN-us/firefox/addon/passifox/

[3] https://play.google.com/store/apps/details?id=com.hanhuy.android.keepshare&hl=en
For those looking for something ultra lightweight, I highly recommend pwdhash (http://pwdhash.com). It's not a password manager, it's just an open source hashing algorithm that protects you from sites storing your password poorly. Instead of depending on them to store your password in a one-way hash, it does it on your end before sending the password to the site.

The algorithm is very roughly base64encode(hash(password + domain)), and then truncated to match your original password length.

The form on the site is just a demo (and backup if you need to use it outside of your own browser). What you really want is the extension (for most major browsers). You can type in the same strong password to every site and the extension will always hash it to the site specific password so you don't have to worry about them storing it poorly. You can also use unique master passwords for certain sites, if you so choose.
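The derivation sketched in the comment above, written out as an added example (this is not the real PwdHash code or the commenter's; PwdHash itself uses HMAC-MD5 and extra rules for non-alphanumeric passwords and subdomain stripping, none of which are reproduced here). The function names, the choice of HMAC-SHA256, and the decision to key on the full hostname rather than the registrable domain are assumptions of this example. What it shows is the property the comment relies on: the site only ever receives a value that is specific to its own domain, so the same master password yields unrelated strings for different sites.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL (or bare host) to the lower-cased hostname used as the
    derivation context.  Case is normalised so that 'https://Example.com/login'
    and 'example.com' derive the same password.  Assumption of this example:
    subdomains are kept; real PwdHash reduces to the registrable domain."""
    host = urlsplit(url).hostname
    if host is None:
        # No scheme given ('example.com'); treat the whole string as the host.
        host = url.split("/", 1)[0]
    return host.lower()


def derive_site_password(master: str, url: str) -> str:
    """Derive a site-specific password following the shape the comment
    describes: hash over (master, domain), base64-encoded, truncated to the
    master password's length.

    HMAC is used instead of plain string concatenation so that the domain
    and the password cannot be confused by shifting the boundary between
    them (e.g. 'pass' + 'word.com' vs 'passw' + 'ord.com').  The truncation
    to len(master) is the comment's rule and is the scheme's weak spot: a
    short master password gives a short derived password, so callers should
    enforce a minimum master length."""
    if len(master) < 12:
        raise ValueError("master password too short to derive anything useful")
    domain = site_domain(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:len(master)]


def simulate_breach(master: str, breached_site: str, other_site: str) -> bool:
    """Model the threat the comment cares about: the breached site stored its
    users' submitted passwords in the clear.  Return True if the leaked value
    is useless against the other site, i.e. it differs from what that site
    would have been sent."""
    leaked = derive_site_password(master, breached_site)
    return leaked != derive_site_password(master, other_site)


if __name__ == "__main__":
    m = "correct horse battery staple"
    print(derive_site_password(m, "https://example.com/login"))
    print(derive_site_password(m, "https://example.org/"))
    print(simulate_breach(m, "https://example.com", "https://example.org"))
```

The reader should note what this does and does not buy: a site that stores the derived value in plaintext cannot reuse it elsewhere, but the derived value is still a static password for that site, so a phishing page on a look-alike domain simply receives a password derived for the look-alike domain (harmless), while a breach of the site itself still exposes that site's account.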
I recommend OneShallPass (http://oneshallpass.com) over KeePass. It's open source and auditable like KeePass, but:

1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.

2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.
I use a password locker.

It makes me wish there was an open standard for sites to negotiate a new entry with a password manager, something automatic in the background for new registrations.

The site could send password restrictions, like allowed and required character types, minimum length, even maximum length, though that last one would be frowned upon. The locker would reply with a preferred username and random password and add the same to the database upon acceptance.
The only problems I have with KeePass are that it is Windows-first (though I know there are third-party native clients for Linux, OS X, Android etc.) and that browser integration is not comparable to something like LastPass. I do want to get away from LastPass as my trust in the cloud (especially US based cloud services) took a dive after Snowden.
I have been using this for right at 2 years now and I like it. I haven't tried others but it serves my needs and satisfies whatever attributes I need to feel safe.

At times, it contributes to what I call "log in anxiety" in that it necessitates opening the program, and inputting a password to get my other password. But no one ever said that extra security was synonymous with convenience.

And I don't leave it open, nor do I allow it to store any information in browser plugins as this seems counterproductive to the sensitive passwords I use in this program.
Being on OS X, I have moved to 1Password. I'm, to this day, a dedicated proponent of KeePass. Anyone asking me to suggest a password manager, my first answer is KeePass (Windows or Linux). Even for OS X, if one cannot afford 1Password yet or does not want to buy it just yet, KeePass is the one.

* Spend some time learning the keyboard shortcuts and you're all set.

* Keep the KeePass file on Dropbox, so it's synced across your machines and is backed up.

* Sharing common credentials with a team (server login details, team site details etc.): have a common KeePass file on Dropbox and share it with your team. Suggestion is to open it as "read-only" unless you're adding new entries.

* You can also have an additional layer of security by using an additional (optional) key file (besides the main password) to lock KeePass. You can have that on a thumb drive or some place you know.

* One thing I really wish 1Password had that KeePass has is the auto-generation of a password when you enter a new entry. One can set parameters for what password is generated. I have to click to get that in 1Password.

P.S. If I remember correctly, KeePass even has a portable version.
If I may, I have a question that was inspired by using password managers.

Does anyone see any security issues with a website allowing the user name and password to be entered together in one field? The normal way of entering the user name into one field and the password into another would continue to work. The site would simply check, and if the user name field content is blank and the password field content has a space in it, the password field content will be assumed to actually be the user name and password together, separated by a space.

The idea here is that you'd then be able to enter both the user name and the password with a single copy/paste operation. This would be convenient when using a password manager on an iPad. I sometimes get tired of having to do this:

1. unlock password manager

2. copy user name

3. switch to browser

4. paste user name

5. switch back to password manager

(If using the most paranoid security settings, insert another step of "unlock password manager")

6. copy password

7. switch to browser

8. paste password

If the website supported my single-field option, I could just set the password manager to store the user name and password in the password field, and then it is only unlock/copy/switch/paste.
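An added example (not the commenter's code, and not any real site's login handler) of what the server side of the proposal above would look like, together with the two checks a practitioner would want before shipping it. The names `parse_login`, `authenticate`, the sample user table and its fixed salt are all constructed for this example. Two points the comment leaves open are settled here as documented assumptions: the combined field is split at the first space only (so passwords that themselves contain spaces survive), and a combined value whose user-name part is empty (a password with a leading space) is not treated as combined at all. The password comparison is done via a slow hash and a constant-time compare, so the combined-field rule adds no new timing side channel over the normal two-field path.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def parse_login(username_field: str, password_field: str) -> Tuple[str, str]:
    """Apply the combined-field rule from the proposal.

    Normal case: both fields filled, returned unchanged.
    Combined case: user name field blank AND the password field contains a
    space; the text before the FIRST space is the user name, everything after
    it is the password.  Assumption of this example: if either half would be
    empty (leading/trailing space) the rule does not fire and the fields are
    returned as-is, which will then simply fail to authenticate.
    """
    if username_field == "" and " " in password_field:
        user, _, pw = password_field.partition(" ")
        if user and pw:
            return user, pw
    return username_field, password_field


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored credentials (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user table for the example only; a real system uses a
# per-user random salt, not a shared constant.
_SALT = b"fixed-salt-for-the-example-only!"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, hash_password("s3cret pass", _SALT)),
}


def authenticate(username_field: str, password_field: str) -> bool:
    """Return True if the submitted fields (in either form) match a stored
    credential.  Unknown users still pay for one hash so that a wrong user
    name and a wrong password take the same time."""
    user, pw = parse_login(username_field, password_field)
    record = USERS.get(user)
    if record is None:
        hash_password(pw, _SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(pw, salt), stored)


if __name__ == "__main__":
    # Two-field form and combined form must both work for the same account.
    print(authenticate("alice", "s3cret pass"))      # normal path
    print(authenticate("", "alice s3cret pass"))     # combined path
    print(authenticate("", " leading-space-pass"))   # rule does not fire
```

One operational consequence worth noting: under this rule the user name field is blank whenever the combined form is used, so a request logger that records the user name field (common) never sees the password, whereas a logger that records the password field on failure (uncommon, but it happens) now also captures the user name alongside it.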
A while back I set off half a day to setup KeePass, not that setting up KeePass takes that long - but generating random passwords for all the sites that I use did. KeePass is great, there's an app for Windows Phone that is great and there is a third party plugin for Chrome that will both enter and help me save passwords when the vault is open.<p>Great software, everyone should be using password vaults.
Really want to start using KeePass on Android with an NFC token, but it looks like the YubiKey Neo might get a new version soon to support U2F. Anyone know if the U2F thing is worth waiting for? Don't want to spend $50 (probably £50) to find it's obsolete next week.
I started using KeePassX because it was a good cross-platform way to store my passwords. I'd had a couple of cases where a password had simply gone -missing- for me, so I figured it was time to put all my eggs in one basket and try not to drop *that*. I figured it was less of a security vulnerability than reusing the same password a bunch of times. I've currently got the .kdb file up on the internet at large, in case my house burns down. I figure it'll make HN if the .kdb files are ever found to be hackable, right?

It's a sort of wishful, hopeful approach to password security, really.
I'm a long-time user of pass (http://www.zx2c4.com/projects/password-store/). I prefer tools that integrate well with the command-line, but there's a few things I didn't like about pass, so I started my own password manager, called passman (https://github.com/manicolosi/passman).

I wouldn't recommend using it yet, but any feedback would be super helpful.
I have been using it since version 1. Unfortunately I have upgraded to KP2, which can't easily export/import to KeePassX, which is what I want to switch to, mostly because I very rarely use Windows these days and when I do I don't really need my PW-DB.

I'm syncing it via ownCloud as a test run (https, non-US site) and it works fine. Not sure I ultimately want to do that via the cloud though. Might just switch to using a USB stick, especially since merging DBs works pretty well.
Installed it, saw "I understand that my encrypted data will be sent to LastPass", then uninstalled it. O_O Yeah, definitely better to use the KeePassX software. Passwords should never be stored online no matter how secure the service claims to be. Especially with the recent revelations about all these privacy/security issues in the USA. KeePassX is still in alpha stages; the only available stable Linux version right now for KeePassX is v0.4.3.
Using it and loving it.
At the office, we have a usb key that contains the key file to open Keepass. So it's like a key that's also a key, you know...
Is this a desktop-only solution, i.e. no mobile? Then it is bound to be a no-go for most users. My checklist is pretty short:

1. Clients available on web and/or all platforms, must be able to add/copy to clipboard passwords on all platforms.

2. Synced or shared database between all clients.

3. No subscription cost (upfront cost OK).

Nice-to-have things would be browser plugins, command line interface etc., but that isn't essential.
If I save the database to Dropbox so that I have it on multiple PCs at once, how can I ensure I do not overwrite a database that has new entries?

For example, say on PC-A I make a change and save it. On PC-B I have the old database still opened and loaded in KeePass. What happens if I then save on PC-B without reopening the database? That means I just lost the one password?
I put a tiny TrueCrypt container on my file host (HiDrive, SkyDrive, Dropbox, etc.) in which I store the KeePass keystore. The keystore itself can't get decrypted, but in case AES has weaknesses one first needs to crack the triple encryption of AES+Serpent+Twofish of the TrueCrypt container.
Using KeePass combined with btsync, fairly decent combination. Have my DB synced across all my devices, and available from any desktop machine I have access to. Haven't tried using the Android version, but I'm sure it works well.

Now I just have to trust the security of btsync.
I love this product. I found it via a Stack Overflow question about how to store credentials safely. I started using it over a month ago because until then I had just stored everything in text files (IPs, usernames, passwords, secure URLs, etc.) and wanted to be more organized and secure.
I use this small command-line application called assword [1]. Available on Debian and probably quite easy to get it to work on other GNU/Linux based systems.

[1] http://finestructure.net/assword/
(Disclaimer: I work for Dashlane).
I am sad and curious about the fact that nobody mentions Dashlane here.
Is it because you guys never heard of it? Or something else?

I realize KeePass has the key advantage of being open source, but we have good UX :)

Very interested in your thoughts...
Does anyone know a way to read usernames/passwords from a KDBX file hosted on Dropbox/Google Drive (similar to 1passwordAnywhere)? That way, if I'm at a new computer, I do not need to download KeePass to open my KDBX.
I forget how I came to KeePass, but I've been using it since around late 2006.

I like how it [the .kdb file, really] can be accessed/written to in both Linux and Windows, and that it has a USB-portable version.
I've been using KeePass2 for several years and I couldn't be happier. Although it's slightly buggy at times on Linux and getting it running on Mac can be a bit difficult.
It doesn't look so flash using my dark theme unfortunately (Gnome 3, Blackbird theme):

http://i.imgur.com/NQYDBQ8.png
If one would use projects like this or pass for storing website passwords, what more do those programs offer that Firefox Sync does not? Legitimately asking here.
For some odd reason, KeePass conforms to the OSI model, so it is trivial to circumvent by NSA, since it communicates with its resource protocols (metadata) to XKeyScore via the presentation layer.
Guys, perhaps you should take a look at this and be a little careful with the use of this kind of program. https://twitter.com/_sinn3r/status/429789012673302528