Use an open-source password manager
IN LATE 2023, cybersecurity blogger Brian Krebs reported on the November 2022 breach of LastPass’ database, in which the password vaults of 25 million users were stolen. Citing a recent spate of cryptocurrency thefts to the value of $35 million from security-conscious people in the tech industry, Krebs speculated that at least some of LastPass’ vaults were cracked.
It’s hard to tell whether this is true because, like many password management platforms, LastPass isn’t fully open-source. Proprietary software can’t be subjected to public scrutiny, so it’s difficult to verify claims like ‘zero-knowledge encryption’ server-side. Open-source software is built on the philosophy that ‘many eyes make bugs shallow’, making it the gold standard for privacy.
In this guide, we’ve focused on three of the very best open-source password managers. By making the source code freely available, the developers provide the best assurance that the software lives up to its claims. We’ll also focus on which KDFs (key derivation functions) are used, along with which encryption algorithms are deployed for saving sensitive data.
You’ll also glean tips on creating a strong, memorable master passphrase, and learn why you really can’t rely on your browser’s built-in password manager. –NATHAN JORDAN
A compatible web browser and administrative rights are needed to set up the password manager.
1 BITWARDEN
First release: 2016
Supported OS: Linux, macOS, Windows
Browser extension: Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Arc, Brave, Tor
Mobile version: Yes (Android & iOS)
Available in Microsoft Store: Yes
Bitwarden uses an open-source codebase, and all core functions are available for up to two users free of charge. The developers actually take their open-source credentials seriously, making all code available via GitHub. They also submit to regular security audits and offer a bug bounty program.
» This means that when Bitwarden claims that all user credentials are protected by zero-knowledge end-to-end encryption, it’s easy to take these claims at face value. Upon first registration, users are asked to create a ‘Master Password’ of at least 12 characters [Image A]. Bitwarden then works client-side with PBKDF2 or Argon2 to stretch the master password, using the user’s email address as a salt, to create a 256-bit master key.
» Neither this master key nor the original password is ever stored on Bitwarden’s servers, meaning that even if a hacker were to breach them, they’d still have to crack your data, which is secured with 256-bit AES-CBC encryption.
» The downside to this, naturally, is that if you lose your master key, there’s normally no way to access your credentials, which is why some Bitwarden Enterprise tiers do allow user account recovery.
» By default, the platform stores your data in the cloud via Microsoft Azure, though for the ultra-paranoid, self-hosted solutions are available.
» After signing up, you can install the desktop client for your OS of choice, as well as the mobile version available for both Android and iOS; there’s no prescribed limit to the number of devices you can sync to your account.
» Bitwarden also offers a browser extension for virtually all platforms. During our tests, we initially weren’t able to get it to prompt us to save passwords until we opened it and actually signed in using the master key.
» Once you do this, Bitwarden will prompt you to save login credentials for all accounts each time you sign in. If you choose to create a new account, a ‘New Item’ option will appear when you click on the password field. From here, a pop-up will appear, prompting you for a username and password.
» Bitwarden can also automatically generate a new random passphrase. Special mention should go to Bitwarden’s password generator, which can not only create strings of random characters, but actual passphrases made of random words (and optionally numbers). When creating a password, you can also have Bitwarden avoid ambiguous characters like 0 and O.
» Whether you log in via the web portal or the desktop client, the interface is virtually identical. Still, its spartan look belies the fact that even free users benefit from a huge number of features.
» Starting in the left-hand pane, you’ll see by default that Bitwarden lists ‘All Items’. You can filter these easily by clicking into various ‘Types’: Login covers any online accounts whose credentials you’ve saved while browsing.
» The ‘Card’ and ‘Identity’ categories can be used to store credit card and ID information respectively. We were especially impressed by the ‘Secure Note’ feature, which you can use to store any other sensitive information that doesn’t fall into these categories, like a Bitcoin wallet seed. When creating new credentials, you can also have Bitwarden prompt for the master key before displaying them again.
» If you want to delineate your life further, you can also use the client to create custom folders such as ‘Work’ and ‘Personal’, then place existing/new credentials there.
» All of the above should provide everything you need in a password manager, but if you want to shell out an extra $10 per year, you can receive extra perks. For instance, while Bitwarden supports 2FA (two-factor authentication) login via regular authenticator apps, Premium users can use proprietary options like YubiKey and Duo.
» Premium users also benefit from a built-in TOTP generator for stored accounts, as well as regular password hygiene and vault reports to make sure that none of your credentials have been compromised.
» Bitwarden’s password database has never been breached by hackers, but in early 2023, a vulnerability was discovered in the ‘autofill’ feature of the web extension, which could lead to the password being entered into an untrusted domain like a phishing website. The software has since been updated to warn users if they’re entering login details into a form other than the one for the page they’re visiting.
2 KEEPASSXC
First release: 2012
Supported OS: Linux, macOS, Windows
Browser extension: Chrome, Firefox, Edge, Vivaldi, Tor
Mobile version: No (compatible mobile apps available)
Available in Microsoft Store: Yes
KeePassXC is an open-source fork of the now-defunct KeePassX, which itself is derived from the original KeePass. We’ve selected this one over the original, as it’s cross-platform, plus setup is slightly easier [Image B].
» This password manager is extremely lightweight, as it’s written in C++ using the Qt framework. However, this means that in order to use KeePassXC, you first need to install the Microsoft Visual C++ runtime library, available via: https://aka.ms/vs/16/release/vc_redist.x64.exe
» Unlike other popular password managers, KeePassXC isn’t cloud-based. Instead, during setup, you create a dedicated database file (.kdbx) to be stored on your device. Naturally, you can save the file to a cloud folder like Dropbox if you prefer. For best compatibility, KeePassXC recommends choosing the most recent KDBX4 format for your password database.
» Security consultant Zaur Molotnikov did an in-depth review of KeePassXC’s core functions in 2022, and came away impressed (read it at https://molotnikov.de/docs/KeePassXC-Review-V1-Molotnikov.pdf).
» This may partly be due to the fact that during database creation, users are asked to specify a database decryption time, which KeePassXC uses to tune the KDF’s cost so that every unlock attempt, legitimate or brute-force, takes at least that long. By default, .kdbx files are encrypted with 256-bit AES, though you can choose Twofish or ChaCha20 if you prefer. Like Bitwarden, KeePassXC uses Argon2 (the Argon2d variant) as its KDF.
» The final stage of setup involves setting a master password, for which you can use KeePassXC’s own password generator. This can produce either passwords (by default 17 random characters) or passphrases (by default 7 random dictionary words). Both options offer around 100 bits of entropy.
» Users can also specify a ‘keyfile’ to open the database. KeePassXC can generate a .keyx file of random bytes, or you can use an arbitrary file such as one JPG in a collection of family photos. Database login via hardware tokens like YubiKey or OnlyKey is also supported.
» Once a database is created, users can edit keyfiles and any other database settings from the main menu. There is no limit to the number of databases that KeePassXC can manage, so you can have a dedicated one to store banking information, for instance.
» Browser extensions are available, but integration must first be enabled in the software’s settings. KeePassXC offers granular control of this feature, allowing you to enable integration for some browsers but not others. When you add passwords and other sensitive information, you can also choose to block the browser extension from accessing it. KeePassXC can also store and generate TOTP credentials.
» During our first test, we signed into a Gmail account and noticed that KeePassXC stored the password, but not the username. After entering this manually, we then created a Wikipedia account. Right-clicking on the password field displays KeePassXC’s options, including suggesting a secure password. A pop-up then appeared, allowing us to store the credentials.
» The password manager allows creation of groups for particular credentials, e.g. ‘Work’ and ‘Personal’. When adding online accounts, we also noted that KeePassXC adds an appropriate ‘FavIcon’ for each entry, making it easy to distinguish. This feature requires network access, so you may prefer to simply use KeePassXC offline with the default icons.
» KeePassXC seems to lack any simple, automatic way to add other types of sensitive data, like credit card information or Bitcoin wallet seeds. True, each entry has a ‘Notes’ field where you can store arbitrary information. You can also modify entry attributes and create custom fields, but we feel that something as basic as credit card numbers should be offered, especially given that most browser-integrated password managers can use autofill to add payment information these days.
» The developers also admit that an Android or iOS version of KeePassXC would require an extensive code rewrite, so one doesn’t seem very likely. However, the KDBX database format is supported by a number of mobile apps, such as KeePass2 (Android) and Strongbox (iOS).
» You can also use the ‘KeeShare’ feature to specify credentials to share with others, provided they have compatible software.
3 PROTON PASS
First release: 2023
Supported OS: Linux, macOS, Windows
Browser extension: Chrome, Edge, Firefox, Brave
Mobile version: Yes (Android & iOS)
Available in Microsoft Store: No
Proton Pass is the newest password manager on the block, with its first stable release in April 2023. Still, its bona fides are assured by main developer Proton, which since 2014 has released a number of privacy-friendly products, including Proton Mail.
» The free version of Proton’s open password manager allows you to store an unlimited number of passwords and sync them across virtually all devices. It supports every major OS and mobile platform.
» All login credentials are secured using end-to-end encryption and synced to Proton’s servers, which are based in Switzerland, a country known for its strong privacy laws.
» You don’t need a Proton Mail address to use Proton Pass, but you will need to provide a verified email address and password to sign up. Upon registration, Proton also provides a ‘recovery kit’ PDF, which allows users to recover their account if the master password is lost.
» You are then prompted to install Proton Pass as an extension in your browser of choice. The setup screens also display a helpful introductory video on how to use the platform and prompt you to install the mobile versions of the app.
» Proton currently offers a seven-day trial of ‘Pass Plus’ features, where for just under $3 per month, you can benefit from an integrated 2FA authenticator and access to Proton’s ‘Sentinel’ platform.
» Still, the free version should be sufficient for most users, given that it not only supports storage of any number of passwords, but also card details and encrypted ‘notes’ for other types of information, like cryptocurrency wallet seed phrases.
» The extension allows users of the free tier to launch the web app, which allows easy creation of up to 10 email aliases, as well as more advanced features like auto-locking the database.
» In November 2023, a security flaw was discovered in this feature: the lock didn’t clear unencrypted credentials that Proton Pass was holding in device memory. Proton has since released a fix for this.
» Both the web extension and web app contain a password generator, which by default creates a passphrase of four dictionary words separated by random numbers and hyphens (around 243 bits of entropy).
» According to the developer blog, instead of relying on a standard key derivation algorithm, the software uses Proton’s own implementation of bcrypt to hash passwords, which they claim is more secure than PBKDF2.
» They go on to explain that when users create a vault, Proton Pass generates a 32-byte random vault key. This is itself encrypted and signed with the user key, ensuring that only that user can decrypt their own vault. All items in Proton Pass are encrypted using 256-bit AES-GCM.
» Vault administrators can share their vault key with others. If they do so, Proton Pass encrypts it with the recipient’s address key, ensuring only they can access it.
» Another impressive Proton Pass feature is how it manages importing databases from other password managers. This can be accessed via ‘Settings’, and most major platforms are supported provided the data to be imported is in CSV, JSON or XML format.
» During our tests, Proton Pass initially failed to store the credentials for the Gmail account, possibly because it was already signed in. However, when we added the login details manually and restarted the browser, the web extension sprang to life and filled in the login credentials. When we tried to create a Wikipedia account, Proton Pass also immediately suggested a strong, unique password, and stored the login information.