All About Password Managers


… coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon …. … coming soon ….

Options

Online vs Offline

The general advice here is to use software that is open source, well adopted and has a good community for active develpment and support.

A lot of commercial options change their terms and pricing as they get more popular or get bought out by bigger companies. I now stay clear of those options like LastPass, Password1, Dashlane and a few other bug vendors.

BitWarden

BitWarden is my online password manager of choice. If you frequently work on many devices and need to sync your passwords across devices (phone, laptop, desktop), then an online password manager will make your life easy. BitWarden is open source, you can self-host it if you like (not many people do), they have a free and multiple paid tiers and they have enterprise options as well. They’re cross platform, have browser plugins and have Android and iOS apps. They have all the necesssary feature that other password managers do like backups, password audits, family sharing, next of kin assignment, TOTP code generation, username/password generatory etc. I don’t see a need to talk about other commerial options with such a robust product.

KeyPassXC

If you do not want your passwords stored encrypted in anyone’s cloud, then the best offline option is KeyPassXC. It stores passwords in a local file. You can create multiple files for different use cases. If has most of the features mentioned previously (including TOTP code generation) with the exception of anything that requires online access like sharing, password audits or next of kin.

You can still share and sync the password database file across devices, but you will have to do it manually or use 3rd party tools to sync it. But that is not the intended use-case for it.

Backup

No matter what option you use, you must backup the database. There’s always a chance of loosing it.

  • For the offline option, you can simple copy the db file from KeepassXC to your backup drive. Make sure you encrypt the drive with something like veracrypt.
  • For online options like Bitwarden, you can export your data to multiple file formats.
    • I prefer exporting it in clear text and not encrypted json. The drive storing the backup needs to be encrypted.
    • I prefer JSON instead of CSV as it maintains the folders, categories, notes, custom fields, etc. You loose [that] with the CSV output and may have trouble importing it back in if you need to.

There have been incidences where a bug in the application or plugin caused the database to be unsuable or whiped it clean. Some people will forget their master password. To avoid being in this scenario, always backup data, especially if it’s this critical. Always encrypt your backup as well as anyone with physical access can browse though everything.

Usernames

Notes

TOTP Codes

Besides just passwords, password managers can also generate TOTP codes (the 6 digit codes used for multifactor authentication that expire in 30 seconds).

For convenience, you can use the same application to store your passwords alongwith the TOTP codes. But security enthusiasts argue that this is keeping all your eggs in one basket.

Ideally, you should use a separate application for your multifactor authentication codes in case your password manager gets hacked, the adverary will not also have your login codes.

.

Glossary Of Terms Used

   
TOTP Time-Based One Time Passcodes. Typically generated by apps and change every 30 seconds or so. Sometimes sent via SMS with a 10 min expiry. These codes can only be used once and are used for multifactor authentication
Password Audits A feature that checks your passwords against known breached password lists, if you are repeating passwords or if your passwords look weak
Next of Kin Feature This feature allows your spouce, friend or anyone you assign in the settings to access your password files when you die or are unable to access them. The settings usually ask to set an email that can request access and a number of days where you have time to answe to that request. If you do not answer with a “deny”, that person get’s full access to all your passwords, but not your master password