Ask HN: How do you manage password security?

17 points | by donohoe 194 days ago


  • tomtompl 194 days ago

    I recently switched from lastpass to locally kept keepass passwords database and I am using client as it supports many operating systems.

    It's not as comfortable as lastpass but it gives me a control of where do I store that data, how do I keep backups etc. I can't really recommend that setup, I am keep experimenting myself.

    • donohoe 194 days ago

      I hadn't seen this before and this might be what I need. I'll also give it a go and see how the experiment goes. Thank you.

    • ascar 193 days ago

      I want to second keepass2 here. I'm using it for a years and the database format is uncoupled from the client. There are many different clients (I use the official one for windows and Keepass2android, but there are also linux and macOS clients available) and addons that make it better. E.g. "kee" previously "keefox" automatically fills in passwords to webpages and saves new logins, if you want to and use Firefox (which is definitely worth a try after the big upgrade last year if you are currently in Chrome).

      The database file is strongly encrypted and you can lock it with a keyfile and a password. It's easily synced with Google Drive or Dropbox. Keepass2Android even provides direct connection with a Dropbox or Google Drive database file. Conflicts are easily resolvable in case an update didn't get pushed until you change something at another device. I sync the 1024bit keyfile using usb sticks (only needed when setting up new devices) and a long password (the only one I have to remember).

      You can even import passwords from your local firefox password manager and from 1password (though import from 1password seems to run through unencrypted csv files.

      And you get all that for free.

      • aosaigh 193 days ago

        Another person happily paying $60 for a subscription. Software needs to be maintained and improved, it's never finished. I'm happy to pay for the continued security of my passwords, as well as new features and the ability to seemlessly sync everything across all my devices.

        • harianus 194 days ago

          I'm happy I can pay for my password manager. It's also great that it's a subscription. You know why? I want people to have money to improve the security of my personal data, I'm using the service every day, so it makes sense to pay for it via a subscription.

          I would never want to use a free password manager, because it's likely they have different intentions with your data or are can shut it down any time.

          • amorphous 194 days ago

            Bitwarden is free and working better

            • retzoh 190 days ago

              I'm using keepass2 / keepassX with google drive to sync the database, works like a charm on any device. For devices where I cannot install the drive syncing utility, as my work computer, I use this python script:

              • swah 192 days ago

                I've been letting Chrome/Google generate and save passwords for me the last months - its incredibly convenient. (Only for throwaway kind of sites)

                • davchana 192 days ago

                  +1 I am using Chrome's password manager with Chrome Sync Phrase. Phrase makes it impossible for passwords to leave my device & thus making also unusable, but no complaints. I use bookmarklet to reveal password in case I need to see it.

                  I use keepass2 for various serious passwords.

                • java-man 194 days ago
                  • sotojuan 194 days ago

                    I only pay $48 a year for 1Password, but even if it was $60 it doesn't bother me. If that means thousand of dollars by the time I die, it's fine. I like the service.

                    $4,000 over 40-60 years is insignificant. If it's useful and doesn't mess with your monthly budget, why not keep paying?

                    Not trying to change your mind, but I don't see the problem, and you could say that about anything you pay monthly for.

                    • donohoe 194 days ago

                      Yeah, I kinda noted its a small amount but it seems odd to have it as subscription service.

                      I feel I'm paying for almost everything as a "subscription" and I own zero.

                        $60 1Password
                        $156 Netflix
                        $120 Amazon Prime
                        $1200 AT&T (estimated, Family Plan)
                        $720 Internet 
                        $260 NYTimes
                        $168 Spotify
                      So thats $2684.00 for services and content per year - with nothing to show for it if I cancel. Fine for most people, but part of it gnaws at me. To each their own.
                      • rocannon 192 days ago

                        But it's not "nothing to show for it" if you use the subscriptions... people pay money to go to a movie, go out to dinner, go to the gym, etc. When you leave each of those venues, do you think you have nothing to show for it? Okay, maybe the movie was bad, or the meal was poorly prepared. Hopefully, most of the time, you enjoyed the experience and it fortified you mentally (and even physically, if the meal was nutritious and the gym workout was a good one). The same applies for any of these subscription services. You get value while you are paying. It is not nothing :)

                        • muzani 194 days ago

                          When you compare it, it's still pretty cheap. I considered buying all the movies and songs I used to pirate and it adds up for a whole lot more than registering for Netflix and Spotify.

                          It's more suited for things that we consume once then throw away. We only watch a movie or episode a few times, we do play songs often but get bored of them in 40 years.

                          Password managers are another category, but even then I'd rather pay $4000 over 60 years than $1000 today.

                          • donohoe 192 days ago

                            Prices will go up... :)

                            I do take your point. The point is, if you cancel your subscription you are left with nothing.

                        • ascar 193 days ago

                          I get why it doesn't bother you, if you like the experience and think it's worthwhile. I also happily pay for Netflix, while a friend of mine just asked me, if he can use my account to save a few bucks. Everybody values different things.

                          But there are very good free alternatives out there like keepass, with clients for every major operating system, including mobile.

                        • donohoe 194 days ago

                          While I can't update my original post here its worth noting that 1Password got in touch and said there is a standalone plan with a license purchase - and you do not need a monthly/annual subscription.


                        • CM30 193 days ago

                          I use KeePass 2. Works pretty well for me, and the fact its self hosted means neither having to subscribe to anything or trust any rich people/companies.

                          The database file is then stored on a removable piece of media that can be plugged into any other machines I use, then accessed via KeePass on that one.

                          • limpkin 194 days ago

                            I designed, a hardware-based password keeper, fully open hardware / firmware / software.

                            • donohoe 194 days ago

                              I need to know if the name is a reference from The Fifth Element?

                          • rmurri 194 days ago

                            Check out enpass. Small, one time payment per platform. (Free for certain usage). It is a native client that supports sync. It also works well cross-platform, including linux. The mobile clients are also good.


                          • deanmoriarty 194 days ago

                            Lastpass all the way, perfect (for me) Chrome and iOS integration. On top of that, I enable 2FA whenever possible, and every couple months I export my Lastpass data on a couple USB keys (they offer csv export).

                            • muzani 194 days ago

                              I second LastPass and the free tier is very functional.

                            • phakding 193 days ago

                              I keep passwords in a text file encrypted using gpg. I also don't write the entire password in the file, just enough digits/alphabets to remind me what the password would be.

                              • zunzun 194 days ago

                                My passwords are all in the form of "salt + 4 digits", where the salt is only known to me. I keep lists of the useless-without-the-salt 4 digit numbers in several places.

                                • muzani 194 days ago

                                  I used to do this, but there are always a few leaked passwords - shared with colleagues, password for my PC shared with wife, companies that store plaintext passwords, things like the Adobe leak.

                                  It's quite easy to guess once they do have the salt. I just do this as a minimum security alternative to calling my password "password"

                                  • donohoe 194 days ago

                                    I've done that too and its been great until now.

                                    I would say that while I am looking for an alternative that works for "me", I'm also thinking of approaches (like this - or apps) that would work for my kids.

                                  • stevenwliao 194 days ago

                                    Does Chrome or Apple saved passwords work as a workflow for you? I find Apple's integration quite nice.

                                    • mijndert 194 days ago

                                      I rely on 1Password for my password management. You can also sync 1Password through other means.

                                      • donohoe 194 days ago

                                        Right - but it seems they have switched to a subscription-only service for any new users

                                      • codegeek 194 days ago

                                        Locally used keypassx and synced with a cloud provider like dropbox, s3 etc.