
Try an Open Source Password Manager

There are a lot of password managers on the market, most of them offering free basic plans, and they really help to keep track of the dozens of passwords we use across services every day. But I have always seen one problem in using them: you must trust blindly that your passwords are safe with them.

That's why I was looking for an open source alternative, whose code anyone can inspect to check that it is sound and safe, so I asked for recommendations on the Tchelinux Google Group (pt_BR) and got some options…

Photo by Matt Artz on Unsplash

OpenPGP (openpgp.org)

OpenPGP is not a password manager but an encryption standard built around public-key cryptography: you publish your public key, and anyone can use it to encrypt content that only you, the holder of the matching private key, can decrypt (it also does signing and plain passphrase-based symmetric encryption). It is mostly used for e-mail, but it can encrypt anything, from text to files to binary data.

The caveat in using it for passwords is that it is not very user-friendly: it requires at least some terminal familiarity to encrypt, decrypt and copy passwords, as well as your own scheme for organizing how they are stored. You can, however, combine it with other tools, like the gnupg.vim script, to encrypt and decrypt transparently from within vim.

The reference implementation, GnuPG (or just GPG), is already included in most Linux distributions and is easy to install on other systems as well.

Passbolt (passbolt.com)

Speaking of OpenPGP, some solutions use it for encryption and/or authentication. Passbolt is one of them.

Focused on teams and web-based, it can be self-hosted or used in their own cloud, with free and paid plans. Only the self-hosted option has a free plan, though.

The biggest drawback is that it is only usable through the browser: there are no native desktop or mobile clients.

Pass (passwordstore.org)

Pass is another option based on OpenPGP. It is terminal-based and reuses your existing GPG keys: each password is a GPG-encrypted file in a directory tree.

The command-line interface, the use of your existing keys, copy-to-clipboard support and git integration make Pass a very familiar tool for GNU/Linux users. It also has several GUI clients, including Android and iOS apps and browser plugins.

There is no official Windows client, though, and backing up the password store is up to you (the git integration makes pushing it to a remote repository straightforward).

KeePassX (keepassx.org)

Originally a Linux port of the Windows password manager KeePass Password Safe, KeePassX later became cross-platform.

It is a local-only GUI application with optional extra security features, like password expiration and a key file (kept, for example, on a CD or a memory stick) that is required in addition to the master password to unlock the database.

The only way to share the password store among devices or team members is to share the database file itself.

Teampass (teampass.net)

Another web-based, team-oriented option. The goal of Teampass is to provide finer-grained roles and customized access control.

It is self-hosted only; there is no hosted service or paid plan.

Bitwarden (bitwarden.com)

Bitwarden is a full-featured, cross-platform password manager, much like the market leaders in the area.

It can be cloud-based or self-hosted, supports teams, and has clients for virtually any platform and web browser. This is the option I got the most recommendations for.

Padlock (padlock.io)

Padlock is a minimalistic, cross-platform personal password manager with a polished interface.

They have a cloud service for syncing data among different clients but no self-hosted option.

Lesspass (lesspass.com)

Lesspass is a stateless password manager, which means it has no password store or database at all, and therefore needs no subscription or synchronization. That makes it a peculiar alternative, to say the least.

Passwords are derived deterministically by an algorithm from the user's master password, the site and the login, so the generated (never stored) password is always the same on every device. The app has clients for Linux and Android, plus browser plugins.

I have discussed the security implications of this method with some colleagues and we decided that it is secure enough for most cases. There is a caveat, however, that whenever the user changes a master password all dependent passwords are changed as well — think of having to update the password in every site once you change the master password.
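To make the stateless idea and its master-password caveat concrete, here is an added example (not LessPass's own code, and not the exact LessPass algorithm). It assumes PBKDF2-HMAC-SHA256 over the master password, with the site, login and a rotation counter as the salt, and then maps the derived bits onto the selected character classes while guaranteeing at least one character from each class. Everything that is not secret (site, login, counter, length, character classes) is collected in a "profile" that could be synced freely; the password itself is never stored.

```python
"""Stateless password derivation in the spirit of LessPass (added example).

Assumptions, not taken from the post: PBKDF2-HMAC-SHA256 with 100_000
iterations, salt = site + login + hex(counter), and a rendering step that
consumes the derived integer with repeated divmod. The real LessPass
algorithm differs in its details.
"""
import hashlib

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def derive_entropy(master: str, site: str, login: str, counter: int = 1,
                   iterations: int = 100_000) -> int:
    """Slow, salted KDF: same inputs always give the same 256-bit integer."""
    salt = f"{site}{login}{counter:x}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    return int.from_bytes(key, "big")


def render(entropy: int, length: int = 16, classes=ALL_CLASSES) -> str:
    """Map the derived integer onto characters, one guaranteed per class."""
    if length < len(classes):
        raise ValueError("length must allow one character from every class")
    alphabet = "".join(classes)
    quotient = entropy
    chars = []
    # Fill all but len(classes) positions from the combined alphabet.
    for _ in range(length - len(classes)):
        quotient, rem = divmod(quotient, len(alphabet))
        chars.append(alphabet[rem])
    # Then insert one character from each class at an entropy-driven position,
    # so the policy "at least one of each" holds for every site.
    for cls in classes:
        quotient, rem = divmod(quotient, len(cls))
        quotient, pos = divmod(quotient, len(chars) + 1)
        chars.insert(pos, cls[rem])
    return "".join(chars)


def generate(master: str, site: str, login: str, counter: int = 1,
             length: int = 16, classes=ALL_CLASSES) -> str:
    return render(derive_entropy(master, site, login, counter), length, classes)


def profile(site: str, login: str, counter: int = 1, length: int = 16,
            classes=ALL_CLASSES) -> dict:
    """The non-secret part a sync service would hold: no password, no master."""
    return {"site": site, "login": login, "counter": counter,
            "length": length, "classes": [c[0] for c in classes]}


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample input
    print(generate(master, "example.com", "alice"))   # same on every device
    # Rotating one site's password: bump the counter, master stays the same.
    print(generate(master, "example.com", "alice", counter=2))
    # The caveat from the post: a new master changes *every* derived password.
    print(generate(master + "!", "example.com", "alice"))
    print(profile("example.com", "alice"))
```

Two things the code makes visible. First, rotation of a single site's password is possible without touching the master, by changing the counter stored in the profile; changing the master itself changes every derived password at once. Second, because the site and login are public and the derivation is deterministic, anyone who learns one derived password can run this same function offline against candidate master passwords, so the master must be strong and the KDF deliberately slow.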

They also have an optional cloud service, or a self-hosted option, which stores sites, logins and generation settings but not the passwords themselves (though, since each password is derived from exactly that data plus the master password, this metadata is still worth protecting).

The list is not exhaustive

…and there are other options as well, so further research is always recommended for anyone who wants to try one of these or migrate from a closed source option.

If you know any other open source password manager that is worth including in this list, please let me know in the comments section below.


Try an Open Source Password Manager was originally published in The Miners on Medium, where people are continuing the conversation by highlighting and responding to this story.

This post is licensed under CC BY 4.0 by the author.