We use Bitwarden at work. Bitwarden and Keepass are the two on my "trusted" list. Keepass has higher trust because it's offline only. But Bitwarden has a very good reputation and has open sourced both the clients and the server, so they are a close enough second for me, and it's much more convenient having cloud sync.
> I've personally never seen in my (for now short) career anything else than Keepass.
KeePass (https://keepass.info/) is excellent for personal usage or for infrequently changing credentials in a team setting, which is why I've also had a good run with it!
That said, for something a bit more centralized and more easily manageable, I've seen solutions like TeamPass be used: https://teampass.net/
Well, TeamPass in particular has a pretty horrible UI (not respecting what I click with my mouse and janky dragging of items around, as well as weird display rules), but in general I feel like many companies out there might want a web app of sorts, even if only available in the internal network and self-hosted.
I'm not sure how big of a problem this really is. Yes, it's definitely more difficult for a non-technical user to manage this, but if they have an idea about how important keeping their passwords safe is then would they trust that to a third-party? I don't think my mom would trust any service with her passwords.
Workplace uses 1Password. I've been using it personally for years and I love it. Completely worth the subscription cost though it has its quirks
I like Bitwarden and the work they do and I'm sure they're trustworthy seeing as they've been audited and such but the android app and some of the UI is clunky to say the least. I tried switching from LastPass (which is awful) and ended up going to 1Password
I've not found much reason to swear or cringe at 1Password... maybe ever. I was a bit frustrated once when it gave the wrong popup when filling out my addresses. What is your use case if you don't mind me asking?
1Password once "forgot" an autogenerated password for a government web service, where I had to use a snail-mailed one-time password. I needed to get another OTP for registration. It never happened to me again, but having a wrong password stored was really annoying.
I've switched to Bitwarden recently and, for the most part, am happier than before.
Same here. Like, literally. 1PW just seems so much clunkier and more difficult to work with. The thing being, 1PW does have a handful of enterprise-level features that seem to be more efficient for managing passwords across the enterprise. That seems to be about the only edge it appears to have, which is why it probably appears more attractive to corporations.
> I prefer supporting open source for personal use.
Same here. Open source also adds to security in this case.
Also Bitwarden's server has no knowledge of your phrase, and hence cannot, never ever, read your data. Forgetting your phrase means you lose your wallet. 1Pass and competitors do not have such a guarantee, and allow one to retrieve access to the wallet by other means.
1Password's servers also cannot read your data. They use a client-generated secret key in addition to your usual password to encrypt your vaults. It's been detailed pretty well.
Are all clients open source? If I lose all my keys is there no way to recover the data?
And how does this work when I share passwords with my colleagues in a vault? They don't have my "client generated secret key", so how can they read my passwords?
I know companies write stuff to sell their products, but I don't trust that, I prefer open source and the laws of logic over marketing.
1Password has a pretty good white paper explaining their security design (PDF behind the link): https://1passwordstatic.com/files/security/1password-white-p.... The parts "How Vault Items Are Secured" and "How Vaults Are Securely Shared" go into sharing passwords in a vault.
So I'm reading on pg 22. The red block. How hard is it for 1Pass --basically a mandated MITM-- to send a false request to Alice when Bob made a request?
That whitepaper is a piece of marketing text. Not saying their audit did not take place. But they are soooooo powerful in their own system that they basically have access to everything.
If you lose Bitwarden keys what will they do to recover data? They have similar security protocols so I doubt being open source would help that. It's not about being open source or not. That's just security.
1Password says explicitly that you're not sharing the actual item in your vault and that it's creating a copy of it. It's probably generated client side and pushed to an external sharing service
I mean, I understand trusting open source but your statements seem like non-sequiturs. 1Password has been audited and has been an industry standard for a while. They seem to know security so at some level I don't find it difficult to trust them. Of course, I don't deny trusting open source and that's completely valid but not with these specific points
> If you lose Bitwarden keys what will they do to recover data?
They cannot. That's closely related to why it is so secure, and why they can never see your data. That's why I use it.
It's sometimes called "zero knowledge".
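To make the "zero knowledge" claim and the sharing question above concrete, here is an added example (not Bitwarden's or 1Password's code) of the design being discussed: the vault key is unlocked by a key derived on the client from the master password together with a client-generated secret key, so the server only stores salts and ciphertext, and a colleague gets their own wrapped copy of the vault key rather than your secret key. The HMAC-SHA256 stream cipher is an assumed stand-in for AES-GCM so the example runs with the standard library only; how the vault key reaches a second member's client (public-key crypto in the real products) is not modelled.

```python
import hashlib
import hmac
import os

def derive_unlock_key(password, secret_key, salt):
    """Client side: stretch the password, then bind the device secret key into it."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(secret_key, pw_key, "sha256").digest()

def _stream(key, nonce, length):
    # Keystream from HMAC in counter mode: a stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Returns the plaintext, or None when the key is wrong: nothing is recoverable."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def enrol(password, vault_key):
    """Client side. Returns the secret key (stays on the device) and the only
    record the server ever sees for this member: a salt and a wrapped vault key."""
    secret_key, salt = os.urandom(32), os.urandom(16)
    unlock = derive_unlock_key(password, secret_key, salt)
    return secret_key, {"salt": salt, "wrapped_vault_key": seal(unlock, vault_key)}

def unlock_vault(password, secret_key, record, sealed_vault):
    """Client side: derive the unlock key, unwrap the vault key, decrypt the vault."""
    unlock = derive_unlock_key(password, secret_key, record["salt"])
    vault_key = unseal(unlock, record["wrapped_vault_key"])
    return None if vault_key is None else unseal(vault_key, sealed_vault)

# Constructed sample: one shared vault, its key wrapped separately for two members.
VAULT_KEY = os.urandom(32)
SEALED_VAULT = seal(VAULT_KEY, b'{"github": "hunter2"}')
ALICE_SECRET, ALICE_RECORD = enrol("correct horse", VAULT_KEY)
BOB_SECRET, BOB_RECORD = enrol("battery staple", VAULT_KEY)
```

Everything the server holds (the two records and SEALED_VAULT) is useless without a member's password and device secret key, and a lost secret key leaves nothing for the vendor to recover.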
> 1Password has been audited and has been an industry standard for a while.
MSFT products were also audited, and much used, and very insecure. Also 1Pass may be subpoenaed into sharing your data. I do not trust 1Pass, but you do you and feel free to trust them :)
I moved to Bitwarden from LastPass last year. Ironically I remember needing some premium feature, and having issues subscribing to premium. Support was 0/10, and made me move to Bitwarden, but I was really happy with LastPass. The feature I miss today is security checkup.
Glad it wasn't just me. I was trying to get a repeatable issue with a particular site resolved, and support was beyond useless, i.e. unresponsive for up to two weeks, repeating the same scripted BS they had sent me previously, etc. Despite my pleading I was never able to get to a level 2 where someone could actually look at my problem.
Support USED to be great, ~2-3 years ago when I first signed up. I noticed around a year ago when I made a support request that it went way downhill. I get the impression that they outsourced it to India.
When I have to enter my master password into the browser, I'm left with the LastPass tab focused instead of the site that I'm trying to log into. Although this is annoying for me, it's probably a major obstacle for people who aren't very good at computers.
Note for context - we are in a company that for obvious and less obvious reasons has a detailed list and tiering of allowed open source software for various purposes; while we have more control over our laptop than most companies such size, policies are fairly firm on what we are and aren't actually supposed to install.
> The most trusted open source password manager for business
OP here; this hype bothered me, but to avoid being accused of editorialising the target link, I try to include any strap line in full in the HN link description field.
PasswordState licensing and support was great. I administered it for a small robotics company. PasswordState devs added a requested feature in about 3 weeks from a forum post I made.
We're in the process of migrating from LastPass to self-hosted Psono[0]. I've not yet used Psono enough to say anything except that it seems better than LastPass, but that's not a hard goal to reach. With LastPass the whole UI/UX seemed awfully complex and cluttered and devoid of many handy QoL features like copying a password straight to clipboard. Their Chrome extension is also a true heavyweight[1].
I expected a blog article with actual feedback from companies and data, but ended up on bitwarden.com main page.
Baseless claims can be quite common when it comes to marketing, but I'm genuinely curious: which password manager is used in your workplace, if any?
I've personally never seen in my (for now short) career anything else than Keepass.