Password Managers - What do y'all use?

KeePassXC and its Android fork, KeePassDX, are the only password managers I use. I’ve never seen the appeal of online pwd managers. I can have a copy of my encrypted pwd database on a thumb drive that I keep in my pocket and an external drive that I keep hidden safely in my drawer, and that’s all I need really. Maybe it’s a bit less convenient than a cloud pwd manager, but that’s never been an issue for me. Plus, it’s so much more secure, so it justifies the tiny bit of extra hassle. Keepass is impossible to compromise. Even if someone finds a critical vulnerability in the software used to handle the DB, and then in the database itself (2 extremely unlikely things), they still have nothing because they’ll have to get physical access to my storage media, and this simply isn’t a relevant concern for me and 99.999% of people. This is why keepass has stood the test of time.

9 Likes

I started with LastPass - left ages before the hacks and that though! Also yes, I changed all my passwords since then (or at least almost all, definitely all the ones I care even slightly about or ever use), and I’m pretty sure I deleted my vault when I left. It worked pretty well, I can see the value in a cloud-based password manager. I just find myself much more comfortable with KeePass, and I’m disciplined enough to keep regular backups and don’t mind manually making sure the devices have the same copy (only have to do this every couple of months or so).

2 Likes

I use the Bitwarden free plan. It’s enough for my basic needs.

I recommend Bitwarden to the normies in my life, but I personally couldn’t live without TOTP. And if I’m going to pay for additional features, I figure I may as well spring for a subscription with Proton that includes additional perks…

Yeah, after all I just prefer using a separate app for TOTP (Aegis).

Aegis is nice, but I’m an individual of convenience.

1 Like

I got my family onto 1Password, and for my threat model people around me leaking data is a concern. They aren’t computer savvy, so usability is a big factor for them; therefore 1Password seemed like a good solution.
So even if it isn’t the most ideal solution I consider it a win in my books.

5 Likes

I’ve been really happy with Keeper.

Dabbled with Bitwarden. Haven’t felt compelled to move yet. 1Password is also on the shortlist to investigate.

1 Like

I used to use Bitwarden, as well as a self-hosted Vaultwarden instance. I switched to KeePassXC, using Syncthing to synchronize my database across devices. I prefer the latter’s UX a bit more, but BW was pretty good for me too. Bitwarden’s extension is great, but I prefer KeePassXC’s autofill and entry organization more.

The BW mobile app was fine but unremarkable. I use KeePassDX now, and it’s alright. It’s annoying to enter my passphrase on my phone either way, so I tend to use a PW manager on my phone less.

People have said good stuff about 1password, but I can’t personally speak to how good it is.

1 Like

Bitwarden for the win. I used to use Keepass, but I once made the mistake of deleting my entire vault. Besides, I prefer the convenience of Bitwarden and the alias generator.

I tried Proton Pass but it was fairly new when I tried it so I just stuck with Bitwarden.

I use Bitwarden, which I have configured to use the EU servers (bitwarden.eu). I have considered self-hosting Vaultwarden or requesting access to Tux.pizza’s instance, but I reckon Bitwarden themselves probably know what they’re doing.

Proton Pass looks promising, and it’s the logical choice as I already use ProtonMail, ProtonVPN, and Proton Calendar; but I’m happy with what I’ve got.

1 Like

I use 1Password Families to protect my family and for account sharing.

TL;DR: Never use your browser’s built-in password manager, it has absolutely 0 security. I use KeePass, DX on mobile and XC on laptop, with the supplement of Syncthing to access the latest version of the vault from both devices, and I back the vault up to MEGA cloud, which has a memorable account password, just in case of unpredictable events. It can’t be brute-forced from any end, thanks to the Argon2 decryption algorithm, which you need to enable manually.

My journey on this began when I wasn’t aware of privacy online and was happily using Chrome’s built-in password vault on mobile and Edge’s on laptop. Until I learned how Stealers work on Windows (programs that can read your browser cookies, bookmarks, passwords, etc.). Then I found out that the password vault is a part of account sync, therefore it needs to be sent somewhere like Microsoft’s/Google’s servers. “It’s okay, because they’re encrypted, right?” Little did I know that they’re stored in a plaintext .csv file in both browsers. That’s the reason why I stopped using them.

But I loved the concept of password managers and started looking for alternatives that:

  • Store the data encrypted
  • Don’t share it over Internet
  • Have the same autofill experience

All popular managers I could find had 1 concern - they’re all cloud based. You’re never sure what goes on on the server side of things.

Then I found a magnificent solution with all 3 criteria passed - KeePass. There was a lot of choice for the clients, and the one I chose was keepass2android (offline). Yeah, pretty attractive name. The UI definitely wasn’t the best, which is the reason I went to KeePassDX, but both worked and I haven’t encountered any bugs in them. The same database (that’s what password vaults are called in KeePass) works no matter which client you use it from.

But there was just 1 minor inconvenience - the lack of sync. By that time I had started to use my laptop more frequently, and manually typing 64-symbol-long passwords (now I don’t know why I went full maximum with the randomizer, since brute-forcing passwords on websites is a long-gone issue) became uncomfortable, so I started to use Syncthing to have my latest database on both devices.

Realising that I could lose my database forever without proper backups I probably made a debatable decision - backing it up to MEGA cloud, basically to someone else’s computer. It has a memorable, not reused password. But if the tipping point happens, at least I would know what to do.

Have I violated the second premise? Yes, but at least I know where, how and what is being sent to the cloud. The database is useless without the key anyway.

Could it be brute-forced by the ops? There’s a key derivation function for the master key called Argon2, which is designed to be slow. For example, it can only process 1 request per second (configurable), and considering that brute-forcing tries millions if not billions of passwords in a run, Argon2 significantly increases the time it takes. Though brute force is absolutely random: it can either go on for centuries (if the computer will even live that long) still to no avail, or unlock it on the first try. Yet Argon2 is not the default option on most clients for some reason. Maybe the variety of users’ hardware is the reason.
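The post above argues that a slow, configurable key derivation function is what makes an exfiltrated vault copy expensive to guess against. The following is an added example, not code from the post or from KeePass, that makes the work-factor argument concrete: it derives a vault key with a memory-hard KDF, measures how many derivations per second this machine manages compared with a plain fast hash, and turns that rate plus a password's entropy into an expected guessing time. Python's standard library has no Argon2, so `hashlib.scrypt` (also a memory-hard KDF) stands in for it; the cost parameters, the sample passphrase and the single-threaded attacker model are all assumptions for illustration, not KeePass defaults.

```python
"""Work-factor demonstration: why a slow, memory-hard KDF matters for an
offline vault. Constructed example; scrypt stands in for Argon2 because the
Python standard library ships no Argon2 implementation."""
import hashlib
import math
import os
import time

# Assumed cost settings (illustrative, not the defaults of any real client).
# Memory used by scrypt is 128 * r * N bytes = 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32          # 256-bit vault key

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard derivation of the vault key from the master password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def fast_hash_key(password: str, salt: bytes) -> bytes:
    """What a naive design would do: one cheap hash, trivially parallel to guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def measure_rate(fn, password: str, salt: bytes, rounds: int) -> float:
    """Derivations per second for `fn` on this machine (single thread)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return rounds / (time.perf_counter() - start)


def expected_guess_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password of the given entropy:
    on average half the keyspace must be searched."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def main() -> None:
    salt = os.urandom(16)                      # constructed sample salt
    master = "correct horse battery staple"    # constructed sample passphrase

    key = derive_vault_key(master, salt)
    print("vault key:", key.hex())

    slow_rate = measure_rate(derive_vault_key, master, salt, rounds=5)
    fast_rate = measure_rate(fast_hash_key, master, salt, rounds=20000)
    print(f"scrypt: {slow_rate:8.1f} derivations/s")
    print(f"sha256: {fast_rate:8.1f} hashes/s  (~{fast_rate / slow_rate:.0f}x faster)")

    # A 12-character password over 94 printable ASCII symbols (~78.7 bits).
    bits = password_entropy_bits(12, 94)
    for name, rate in (("sha256", fast_rate), ("scrypt", slow_rate)):
        years = expected_guess_years(bits, rate)
        print(f"{name}: expected {years:.3g} years to guess a {bits:.1f}-bit password")


if __name__ == "__main__":
    main()
```

The ratio printed by `main` is the whole point: the KDF does not change how many passwords exist, it only makes each guess cost as much as a legitimate unlock, and that cost is paid per guess by whoever holds a copy of the database file. Raising the cost until an unlock takes about a second, as the post describes, is a tuning decision against the slowest device that must open the vault.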

  • Proton Pass (It is really trustworthy because it came from a famous privacy company and is fully open source)
  • Bitwarden (fully open source, but doesn’t have a built-in alias feature)

But I don’t trust 1Password as it is closed source, so I have no guarantee that there is no government backdoor or something like that which they are prohibited from revealing by a court (I am a little bit paranoid, I know :sweat_smile:)

They seem to have one: go to the password generator option and select “username” and you will see something like “Alias E-Mail”. Of course, it’s with external services. They support SimpleLogin, Addy, etc…

I meant built in, with their own domains. That is the only problem with Bitwarden for me.

1 Like

I’m slowly transitioning to Proton Pass, but 1Password (at least on macOS) has some pretty handy features that Proton’s yet to match:

  1. Quick view - so well designed for a keyboard-only flow.

  2. SSH key handling - great for signing GitHub pushes, and for initiating Vorta backups.

  3. Wifi QR code sharing - not that there aren’t workarounds for this.

Overall, 1Password is very thoughtfully designed.

Proton’s good, but if it weren’t for the SimpleLogin integration, the fact that I’ve already paid for Proton Unlimited, and that they’re improving fast, I wouldn’t have considered moving away from 1Password.

4 Likes