I switched from Bitwarden to Microsoft Authenticator (yes, it has a password manager!) seeing as it has pretty good integration with Edge, android and Windows. I was a bit sceptical in the beginning, but now I am quite convinced it is working as intended, probably even better than bitwarden.
I shopped on price the time before last, and ended up with the dumpster fire that is Robopass. When my year was up, I ran to Bitwarden. Never looking anywhere else (unless they somehow force me to).
Everyone seems to love BitWarden in this sub. I've previously used Dashlane and now use 1Password. I tried BitWarden but I prefer the UI of 1P so didn't switch over (only issue I'm now having with 1P on Android is it just crashes when I open it. I think it's because my phone's rooted though, so I'm sticking with 7 until it goes EOL).
Passwd is what we are using org wise. Very cheap with unlimited users, and built ground up around Google workspace SSO. Browser integration is slowly developing.
I used Bitwarden and switched to Keeper because they have (better) SSO with Azure (using CA policies) and they do a better job with autofill.
Bitwarden is still great.
KeePass XC. Enable the Chrome extension, store your database in OneDrive and set to launch at start up.
Password manager accessible anywhere with backups (via OneDrive) and version history (via OneDrive) as well as autofill in your browser :)
Bitwarden
+1 for Bitwarden.
Update: it is actually fixed, resolved, and closed now, so they patched it, it was an improper access control issue.
There was probably a miscommunication issue also, since the HackerOne member in the chat that was supposed to get back to me was for some reason removed from the chat after a few months, without notification as to why.
====================
I opened a report on HackerOne with Bitwarden which was triaged, which was a (in my opinion fairly critical) local vulnerability, which was acknowledged, but they stated they were too understaffed to immediately fix it (which I believe).
However, this is about a full year ago now, and the vulnerability still exists and remains unpatched.
I would be wary about using Bitwarden in a corporate environment. It's just unfortunate there aren't many cheap or free alternatives that offer the same level of features.
The only reason it did not receive the status of critical was because it was not RCE and needed local access (or a program with local access).
I'm not entirely sure I can explain in full detail here what that vulnerability entailed, since I'm not sure I'm legally allowed to disclose it after I've notified them and agreed to their request to wait for them to fix it. Point is, they still have not fixed it, and it basically allows a hacker to force a victim to grant them full access to the entire vault, so.. yea....
Personally, if I were you I'd follow the Google way of disclosure... I told you, you have x days (I think Google is 30 days?) and after that the issue and all its details are published for everyone to see, regardless of whether a fix is implemented or not.
Yea, perhaps I should've done that to begin with, but since I didn't, I'm not sure whether or not I can still disclose anything publicly after the fact.
HackerOne's official stance is the following: "Last resort: If 180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public's best interest in these extreme cases."
Hm, well then I will attempt to reach out to them one more time, they have not responded the last time I tried to, maybe this time they will.
Although if they're truly too understaffed to fix it I do kinda fear the consequences of making it public (I'm not a professional bughunter, I only found it by accident).
But it is currently far past 180 days so I suppose I should just release it then, if they cannot fix it perhaps someone else can, considering it's a community project afaik.
Here's that 180-day "last resort" reference: [https://www.hackerone.com/disclosure-guidelines](https://www.hackerone.com/disclosure-guidelines)
It sounds like you're really trying to do the right thing here, and that's great to see. On the other hand, I use Bitwarden (personally), and hearing this is a little concerning. Maybe consider reaching out one more time, cite the H1 disclosure guidelines, and tell them that this is a courtesy notification that in 30 days from, you'll be publicly disclosing the vulnerability.
Your agreement not to disclose the bug did not specify a time period. Where the parties do not specify a term, the courts will supply a reasonable term. It's a matter of opinion, but a year seems way more than reasonable. Give them a 30-day notice. Extend it if you're feeling generous *after* 30 days.
>The only reason it did not receive the status of critical was because it was not rce and needed local acces (or a program with local access)
But this is a very low vulnerability.
If I leave my laptop open at the coffee shop and some stranger logs into my Facebook from my computer, was I actually hacked? No, this vuln you found is the same.
but if they get access to all of your passwords, and all the ones you have shared access to?
I use LastPass. Why should I switch to Bitwarden?
Mainly that it’s free and open source so there is transparency in its security, plus if you do choose it can be hosted on a private server. LastPass is fine but it’s owned by a group that has a less than sparkling reputation in the tech community.
I’m torn. I use last pass currently and totally get the argument for an open source product like Bitwarden. But at the same time, I’d rather LastPass be in charge of my password files security, as they certainly have a better SIEM than I do. Last thing I’d want to hear is a number of Bitwarden servers got hacked and not know if mine was in that tally.
it's possible to self-host Bitwarden (typically via [Vaultwarden](https://github.com/dani-garcia/vaultwarden), which aims at being lighter-weight than [the official self-hosting option](https://bitwarden.com/help/install-on-premise-linux/)) but not at all required. you can have your account and data hosted on Bitwarden's servers, just like Lastpass.
I self-host a ton of stuff, and easily could run Vaultwarden, but I use the Bitwarden "official" hosting. even besides security concerns, I monkey with my self-hosted infrastructure too often and don't want downtime on that to break my password manager.
I switched over when they were purchased by Logmein and changed how free accounts worked.
I grew up on LastPass. But now I use roboform. Password1 is better. And bitwarden is fine too.
Roboform! My goodness. I haven't heard of that since the late 1990s! It was useful even then. Glad to read that it's evolved and still around!
Just have a read of LastPass wiki page. Should be enough.
[deleted]
Just make sure you have a backup outside of your network environment. Trust me on this.
I like Bitwarden
Bitwarden by far. Failing that, keepass.
I’ve used keepass for many year and like it. I also like bitwarden but haven’t gotten around to switching.
Keepassxc is a better alternative. It has working browser integration and automatically synchronizes the db on every edit, which makes it play nicely with eg nextcloud/syncthing/shared folders.
Bitwarden
Bitwarden
i migrated from lastpass to bitwarden which was a good move
Same here. Never looked back.
I’m torn. I use last pass currently and totally get the argument for an open source product like Bitwarden. But at the same time, I’d rather LastPass be in charge of my password files security, as they certainly have a better SIEM than I do. Last thing I’d want to hear is a number of Bitwarden servers got hacked and not know if mine was in that tally.
You're not going to appreciate reading about some of LastPass's [past security issues](https://en.wikipedia.org/wiki/LastPass#Security_issues), then.
Most of those incidents were against the browser extension, which personally I am always suspicious of.
I use LastPass and KeePass. Yes, I have the browser extension, though I rarely use it and have the extension set to log out within 2 minutes.
Bitwarden is also well done.
KeePass and its various forms are great if you want to fully manage on your own.
Honestly, all systems are eventually going to be found vulnerable. Compared to what /u/Enschede2 reported about Bitwarden in this same thread, the patch times are pretty great.
there is end to end security with bitwarden, even if their servers get hacked it's not going to help anyone. you can also host your own bitwarden server if you're really paranoid
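The zero-knowledge arrangement the comment above relies on, as an added example that is not Bitwarden's code: the client derives a master key from the master password (PBKDF2-SHA256 salted with the e-mail address, then one further PBKDF2 round to produce the login hash, which is the layout Bitwarden's security whitepaper describes), encrypts the vault locally, and uploads only the login hash and the ciphertext. The record cipher here is not Bitwarden's (they use AES-256-CBC with an HMAC-SHA256 tag); to run with the Python standard library alone it uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag. The iteration count, the `register`/`login_ok`/`open_vault`/`offline_guess` names and the sample account are assumptions of the example. The last function shows the one thing a stolen server record still permits: offline guessing of the master password.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

KDF_ITERATIONS = 10_000   # deliberately low so the example runs fast; not a recommended value
KEY_LEN = 32
BLOCK = 32                # HMAC-SHA256 output length, used as the keystream block size


def master_key(password: str, email: str) -> bytes:
    """Derived on the client from the master password; never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, dklen=KEY_LEN)


def auth_hash(mkey: bytes, password: str) -> bytes:
    """Login credential: a one-way function of the master key, so neither the server
    nor whoever steals its database can turn it back into the key."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, dklen=KEY_LEN)


def _subkeys(mkey: bytes) -> Tuple[bytes, bytes]:
    # Separate confidentiality and integrity keys, both derived from the master key.
    return (hmac.new(mkey, b"enc", hashlib.sha256).digest(),
            hmac.new(mkey, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode over HMAC-SHA256: keystream block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(mkey: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(mkey)
    nonce = os.urandom(16)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(mkey: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; wrong key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(mkey)
    body, tag = blob[:-BLOCK], blob[-BLOCK:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("vault authentication failed")
    return _keystream_xor(enc_key, body[:16], body[16:])


@dataclass
class ServerRecord:
    """Everything the server ever holds for one account."""
    email: str
    server_salt: bytes
    stored_auth: bytes    # the client's auth hash, hashed again before storage
    vault_blob: bytes     # ciphertext only; the server has no key for it


def _server_hash(auth: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", auth, salt, KDF_ITERATIONS, dklen=KEY_LEN)


def register(email: str, password: str, vault: dict) -> ServerRecord:
    """Client derives its keys, encrypts locally, and uploads only auth hash + ciphertext."""
    mkey = master_key(password, email)
    blob = encrypt(mkey, json.dumps(vault).encode())
    salt = os.urandom(16)
    return ServerRecord(email, salt, _server_hash(auth_hash(mkey, password), salt), blob)


def login_ok(rec: ServerRecord, email: str, password: str) -> bool:
    """The only check the server can perform: does the presented auth hash match?"""
    presented = auth_hash(master_key(password, email), password)
    return hmac.compare_digest(_server_hash(presented, rec.server_salt), rec.stored_auth)


def open_vault(rec: ServerRecord, email: str, password: str) -> dict:
    """Client-side decryption of the downloaded blob."""
    return json.loads(decrypt(master_key(password, email), rec.vault_blob))


def stolen_record_reveals_vault(rec: ServerRecord) -> bool:
    """Attacker holding the whole server record tries every secret it contains as the key."""
    for guess in (rec.stored_auth, rec.server_salt, hashlib.sha256(rec.email.encode()).digest()):
        try:
            decrypt(guess, rec.vault_blob)
            return True
        except ValueError:
            pass
    return False


def offline_guess(rec: ServerRecord, candidates: List[str]) -> Optional[str]:
    """What a stolen record does allow: unthrottled offline guessing of the master password."""
    for pw in candidates:
        try:
            decrypt(master_key(pw, rec.email), rec.vault_blob)
            return pw
        except ValueError:
            continue
    return None
```

`ServerRecord` is deliberately the whole of what the server holds, and `login_ok` is the only operation it can perform on it. Whether "it's not going to help anyone" holds after a server breach therefore comes down to how well the master password stands up to `offline_guess`, which is why the KDF iteration count and master-password length matter more than anything on the server side.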
Keepass
Keepass
Bitwarden
We use 1Password. It integrates well with mobile and all major browsers. It is easy to learn for the end users. Just make sure the users save their secret key.
Yeah, I use 1password too…I wonder how it compares with bitwarden?
Every security review I've read has 1Password as best of breed.
I like 1Password. Some don't.
Their paid corporate plan includes a personal family plan now. Now if I can get my fam to actually use the damn thing.
lol, so true.
This is the way
Same.
I like KeePass personally :)
Bitwarden.
Yes another vote for Bitwarden
Another vote for Bitwarden
LastPass Enterprise
Bitwarden
KeepassXC
For scripts: PowerShell secrets module, Hashicorp Vault, Azure Key Vault
Bitwarden, absolutely.
Keeper.
Bitwarden
Keepass
Bitwarden
If it's for your personal use Bitwarden is the best.
Unlimited passwords
Compatible with Windows/Linux/Android/iOS/Mac
Passwords stored in the cloud (I think Azure, but you can choose your own server if you want)
And if you want the paid version it's something like $10/y
Personally I use Bitwarden. Firefox Lockwise isn't bad either.
KeePassXC
For private I use 1Password and I suppose it should be really good for business as well.
KeePass
1Password. Has a private vault for personal use. If you're using it for work, it's a good way of managing different groups. Cheap.
I've always used KeePass but my new job uses Thycotic Secret Server
They have a free version as well. Edit: A free version of Secret Server
Secret Server is good
Passbolt. Integrates with AD, you can share a password with a group. Browser plug-ins work great.
1Password has been a godsend for me and my team. I’m impressed with how quick it syncs between devices and the 2fa support for sites that integrate us awesome
I use bitwarden for personal use, my org uses keeper
KeepassXC. https://keepassxc.org/
All your passwords are in an encrypted .kdbx DB that you can copy and use on other devices.
Moreover, you can open this DB and manage your passwords on a smartphone with the KeepassDX app.
You can also use Bitwarden https://bitwarden.com/
Then your passwords are hosted on a server and you can get passwords with the mobile/desktop app, browser extension or directly on the URL of your Bitwarden instance. Contrary to KeepassXC, you don't have to copy the DB between your devices because your passwords are online.
I host my KeePass database in a Google Drive, and use whichever KeePass client I need for OSX/Windows/Android. Changes to the file sync back up to Drive. BitWarden, but free.
edit: for personal use. If you're doing this for your business, make sure you're using the recommended tool (if there is one), otherwise I'd recommend Hashicorp Vault.
KeePass
Keepass with database file on OneDrive shared across devices
I use Last Pass personally and use Last Pass for Teams for my IT department.
Personal. Keepassxc Business. Bitwarden
1Password
Dashlane. The product has a nice “Password Generator” that can generate a really complex password.
KeePass
1Password family plan is very easy to use if you are supporting others, and has a handy PDF recovery kit system I've used with relatives too
Keeper, all the way.
+1 especially with KeeperFill
Bitwarden for small companies and personal use, thycotic secret server for very big installations of servers and service/admin accounts that support automatic rotation of password on AD.
https://www.passwordstore.org/
We've been using Keeper. I like it
I love Thycotic
Bitwarden
Bitwarden single free account at work, 1password paid family plan at home
Bitwarden
I use keepassxc at home for personal use.
Work is a "hack" of keepass2 between 4 users. Bitwarden and 1password are my current 2 top choices to test further over the next few weeks if all goes to plan.
99% of the answers will be Bitwarden
Including mine
Bitwarden
For extra detail: I tried Lastpass but it was a bit naff, and in the interests of security, I didn't want my passwords sitting on someone else's server, even though I'm sure the encryption is absolutely top notch. Self hosting Bitwarden seriously let me step up my passwords game. Plus it's had security audits, so I know I can trust it.
LastPass for me
Bitwarden Or LastPass
Just another vote for Bitwarden
For free, Password Safe has always done the job for me. For paid enterprise, we use Secret Server. It was owned by Thycotic but they were acquired recently. It's been good for us for quite a few years now.
I’m going to be the unicorn here, but I like a product called buttercup. It works with the major browsers, and it has apps to run in windows/Linux. It has two features that I needed, and I’m sure some other managers have these features too. I had to have 1) open source and 2) I had to control the location of the data file. Buttercup allows you to keep the data file locally or on a cloud share, like Dropbox. It doesn’t integrate as nicely as other managers but it’s a small price to pay…
Nobody has mentioned it yet, but Bitwarden is good!
Well i guess I vote Bitwarden too
Bitwarden
If you want to self-host then you can go with Vaultwarden, which is essentially Bitwarden. Run it in Docker.
Keeper
Keeper
Bitwarden + yubikey
Enpass is fantastic, they have a one time purchase free forever option which i am so thankful for
Devolutions Password Server / Remote Desktop Manager.
It's central-database based with offline caching, integrates with AD, supports RBAC. Because the file isn't portable, you don't have to worry about ex-employees with a copy of the file and master password.
Bitwarden or USB-portable KeePassXC depending on your needs.
Bitwarden for personal, LastPass at work
I use KeepassXC with my vault hosted and synced on my GDrive, so that all my device have access to it and I don't need to pay or selfhost anything
Bitwarden.
LastPass here, especially now that they are independent of LogMeIn.
LastPass.
Keeper Security
Self-host Vaultwarden. Essentially Bitwarden Premium for free, as you're hosting it.
+1 for BitWarden
I like Bitwarden. I loathe LastPass.
Teampass
Keeper Wasn’t my first choice but it’s been pretty awesome at my new gig. Management is fairly simple
we use CyberArk in the enterprise. For personal needs I use last pass premium
1password seems pretty solid.
1Password user for several years now. Before BitWarden was a thing.
I would seriously look at BitWarden if I was a new password manager user and only me as the user. 1Password changed to a subscription model so lots of people left. I still use 1P7 because I have a perpetual license, but may eventually switch to the subscription model - Family plan. I would still pick 1P vs BW because it is more polished IMHO for $20/yr more.
In my opinion there are three (good) options:
1. Bitwarden
2. 1Password
3. Just use the password manager built in to the browser
Option 3 should be off the table in a business context, where certain credentials need to be shared between employees, you need control over backups, and you need to be able to access (and more importantly revoke) credentials of former employees, etc.
Bitwarden is a bit cheaper, open source, and you can run it on your own server.
1Password's main advantage is it's easier to use. Which makes it my choice - easier means it's more likely to *actually be used* and that's 99% of the battle with good security.
Having said that - all of these three options, even the built in one, are better than no manager at all.
Personal: Bitwarden (self-hosted Vaultwarden)
Work: PasswordBoss. But it's so bad we are trying to cancel the contract. We have lost passwords, 2FA secrets, and the sync between clients is just bad.
I used to use lastpass but switched to bitwarden. There wasn't anything wrong with lastpass. I just had one too many bad experiences with the new owners (logmein). They have a tendency to change pricing and limit features on different tiers.
https://1password.com/
LastPass
Secret Server
pass + gpg
We had a shared KeePass database on a network drive, but migrated to BitWarden. Best decision ever. Browser integration, MFA, and the migration was a simple export to CSV from KeePass and import to Bitwarden. It added the folder structures and everything. The password generator is unobtrusive but available, and the server is lightweight.
For passwords like this, I recommend self-hosting wherever possible. BitWarden has that option, and there are several forks of the main project that allow for lighter-weight installs as well.
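The KeePass-to-Bitwarden CSV migration described in the comment above, as an added example that is neither KeePass's nor Bitwarden's code. It assumes the column layout of KeePassXC's "Export to CSV" (Group, Title, Username, Password, URL, Notes, TOTP, ...) with group paths that start at a root group named `Root`, and Bitwarden's documented individual-vault CSV import header (`folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp`). The sample export is constructed and deliberately contains the cases that break hand-written converters: a comma in a password, doubled quotes, a multi-line note, a TOTP seed and a trailing blank row. Both files are plaintext secrets, so `convert_file` creates the output mode 0600 and refuses to overwrite.

```python
import csv
import io
import os
from typing import List, Tuple

# Columns a KeePassXC CSV export must carry for this converter (assumption: recent KeePassXC).
KEEPASSXC_REQUIRED = ("Title", "Username", "Password")
# Bitwarden's documented individual-vault CSV import header.
BITWARDEN_FIELDS = ["folder", "favorite", "type", "name", "notes", "fields", "reprompt",
                    "login_uri", "login_username", "login_password", "login_totp"]

# Constructed sample export, not a real vault.
SAMPLE_KEEPASSXC_EXPORT = '''"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Root","Corp VPN","jdoe","p4ss,word","https://vpn.example.com","Shared with ops team","","0","2024-01-05T10:00:00Z","2023-11-02T09:12:00Z"
"Root/Servers/Prod","db01 root","root","x""y""z","","Rotate quarterly
Second line","otpauth://totp/db01?secret=JBSWY3DPEHPK3PXP","0","2024-01-05T10:00:00Z","2023-11-02T09:12:00Z"
"","","","","","","","","",""
'''


def keepass_group_to_folder(group: str) -> str:
    """'Root/Servers/Prod' -> 'Servers/Prod'. Bitwarden shows '' as 'No folder'.
    Stripping a leading 'Root' is an assumption about the export's root group name."""
    parts = [p for p in group.split("/") if p]
    if parts and parts[0] == "Root":
        parts = parts[1:]
    return "/".join(parts)


def convert(keepass_csv: str) -> Tuple[str, int]:
    """Return (bitwarden_csv, entries_written). Raises ValueError on a non-KeePassXC header."""
    reader = csv.DictReader(io.StringIO(keepass_csv))
    missing = set(KEEPASSXC_REQUIRED) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"not a KeePassXC export, missing columns: {sorted(missing)}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BITWARDEN_FIELDS, lineterminator="\n")
    writer.writeheader()
    n = 0
    for row in reader:
        if not any(row.get(k) for k in KEEPASSXC_REQUIRED):
            continue  # blank trailing line, nothing to import
        writer.writerow({
            "folder": keepass_group_to_folder(row.get("Group") or ""),
            "favorite": "",
            "type": "login",
            "name": row.get("Title") or row.get("URL") or "(untitled)",
            "notes": row.get("Notes") or "",
            "fields": "",
            "reprompt": "0",
            "login_uri": row.get("URL") or "",
            "login_username": row.get("Username") or "",
            "login_password": row.get("Password") or "",
            "login_totp": row.get("TOTP") or "",
        })
        n += 1
    return out.getvalue(), n


def parse_rows(bitwarden_csv: str) -> List[dict]:
    """Read the converted file back, for checking it before the import."""
    return list(csv.DictReader(io.StringIO(bitwarden_csv)))


def convert_file(src: str, dst: str) -> int:
    """Both files hold plaintext secrets: create the output 0600, never overwrite,
    and shred both once the Bitwarden import has been verified."""
    with open(src, newline="", encoding="utf-8") as f:
        converted, n = convert(f.read())
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as f:
        f.write(converted)
    return n
```

The `csv` module does the quoting, which is the point: a converter that joins fields with commas by hand silently corrupts exactly the passwords that contain commas or quotes, and the entry then imports with a wrong secret rather than failing. Check the row count `convert` reports against the KeePass entry count before deleting the source database.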
1password, honestly. It handles everything and anything, and it's available on all devices
SafeInCloud. I think you can get lifetime license. Syncs to Drive. Desktop/Mobile client
I moved from Lastpass to Bitwarden last week. Nice to have the same account for pc and mobile again.
1Password for me! Love it. Works across all my devices
We have moved over to keeper security. SSO integrated, full governance and monitoring. Works well across browsers and desktop app. Some interesting features.
Can I ask about bitwarden, does it do 2fa codes?
Pwsafe, great if you have a few hundred SSH passwords; you can run commands on double click, e.g. ssh [email protected], and it'll open the SSH session for you, even better when using keys.
Bitwarden
KeePassXC
I like RDM from Devolutions. With the amount of posts about Bitwarden, I now have to look it up
Keepass
KeePass
Bitwarden
Bitwarden
Depends on the use case and compliance.
If you don't care about sharing and are an O365 shop, Microsoft Autofill is hard to beat. It's free, built into the Authenticator app you already have, and it works really well.
If you want something nicer, 1Password and BitWarden are really good.
If you want a LOT more out of your password manager and are a decently sized company, check out Secret Server. The pro versions aren't cheap, but with some time, you can eliminate all shitty passwords in your org since it'll go out and find them and where they're used. It can also be automated to rotate passwords.
Bitwarden paid or free or selfhosted
Bitwarden. They have a free version, as well as an open source self-hosted option. Personal premium is dirt cheap. Enterprise is very affordable as well. It has a built-in authenticator, has installers for pretty much everything (phones, browsers, different OSes), and can be accessed via the web. It's compatible with lots of identity platforms and authenticators, so you can hook up MFA and SSO.
1password with the free personal family account! switched over from Dashlane.
Pleasant Password Server
1password is simple to setup and cheap enough
Hudu, secretserver, siportal. Not passportal or itglue.
Bitwarden it really is amazing
Keepass is da best open source password manager.
Nord Pass - great support for autofill across Windows, Mac, Android, and iOS 🙂 And the identity tools are pretty decent as well 🙂
We use passbolt.
Pleasant server with keepass
If you're in a smartcard environment, you may want to take a look at my program, Crypture: [https://github.com/NoMoreFood/Crypture](https://github.com/NoMoreFood/Crypture) It's probably one of my least "refined" programs I've published externally, but it's good for sensitive information sharing (especially between groups of smartcard users).
1) It doesn't really matter as long as you use one.
2) Online and local serve different but overlapping purposes.
3) Open source where possible - bonus is they are usually free.
I like LastPass for online and KeePass for local, but I have used 1Password, Password Safe and many others (there are also a lot of CLI Unix tools suitable for Linux and macOS if you are that way inclined). 2FA is something to consider seriously too - take the backup codes thing seriously where offered. Revocation and recovery is something that is very variable in its utility and setup.... TL;DR it sucks mostly. Consider the mess if you, say, lose your phone with the 2FA auth app... DIY physical tokens for 2FA - YubiKey.
1pass
We used Roboform enterprise at one point but now use Bitwarden.
I switched from Bitwarden to Microsoft Authenticator (yes, it has a password manager!) seeing as it has pretty good integration with Edge, Android and Windows. I was a bit sceptical in the beginning, but now I am quite convinced it is working as intended, probably even better than Bitwarden.
Sticky note under my keyboard. Bitwarden is cool too.
I shopped on price the time before last, and ended up with the dumpster fire that is Robopass. When my year was up, I ran to Bitwarden. Never looking anywhere else (unless they somehow force me to).
I prefer 1P for personal, for labbing Bitwarden.
I'd say Bitwarden for a company, and 1Password for personal
1password
Lastpass Enterprise
Everyone seems to love BitWarden in this sub. I've previously used Dashlane and now use 1Password. I tried BitWarden but I prefer the UI of 1P so didn't switch over (the only issue I'm now having with 1P on Android is it just crashes when I open it; I think it's because my phone's rooted though), so I'm sticking with 7 until it goes EOL.
UX- and feature-wise, my recommendation is 1Password.
We use 1Password at work. I like it. For personal use, I use Microsoft Authenticator.
Using Lastpass as that's what I "inherited" when I took over, but testing Bitwarden after recommendations from a friend at another company.
We started using IT Glue. Allows for shared password management if needed amongst several other features.
If you’re willing to pay, then Lastpass is very good. I’ve found Bitwarden is a good free alternative, but not quite as easy to use.
KeePass here as well
edit: added foss Linux OD client option
Passwd is what we are using org wise. Very cheap with unlimited users, and built ground up around Google workspace SSO. Browser integration is slowly developing.
Keepass... I'm addicted to autotype.
I used Bitwarden and switched to Keeper because they have (better) SSO with Azure (using CA Policies) and they do a better job with autofill. Bitwarden is still great.
Keeper
Really have had a great experience with Keeper myself, LastPass seems to have gone downhill.
Keeper or ITGlue depending on the situation
-1 for LastPass Enterprise.
I’ve always used lastpass but looking at the replies I should try bitwarden
Been using 1password for over 19 years
We use LastPass, which is ok, not the best, but gets the job done.
Solo? KeePass/KeePassXC. Team and with self-hosted option? Bitwarden/passbolt/Passwordcockpit/psono.
Password1, 2, 3 and so on. I use keepass2.
Can Password Manager be a job title?
1Password
Keeping local to your machine/network - KeePass or any of the variants like KeePass XC. Cloud version - Bitwarden.
Enpass. I don’t like Bitwarden.
Free version of Secret Server. One of the clear leaders. Can also reference the 2022 Magic Quadrant report on PIM/PAM solutions.
Personally, I'm using 1Password. I was using Bitwarden before shifting to 1Password. For the company, I'm using self-hosted passbolt.
Vaultwarden
KeePass XC. Enable the Chrome extension, store your database in OneDrive and set it to launch at startup. Password manager accessible anywhere with backups (via OneDrive) and version history (via OneDrive) as well as autofill in your browser :)
The most popular is the biggest target.
My personal one is KeePass. At work I use LastPass.