Passwords and passphrases are almost the most important part of our digital (and even non-digital) safety and security. A password is the first layer of our security. For a long time, passwords were our only shield against intruders.
With the progress of technology and computer science, we have found more effective ways to break into people’s accounts. Crackers are now more likely to sabotage our accounts and data. Although this sabotage is not always bad, one cannot ignore the unpleasant side of the story.
A strong password or passphrase can make you more secure. The problem is that most of the time we can’t remember what password we set for an account.
We may be able to remember a 20-letter passphrase, but it’s obviously hard to remember a 35-character password containing uppercase and lowercase letters, numbers, and special characters. This is why we need password managers.
A good password manager lets us access our passwords everywhere, any time. This makes us more secure, because we can set long and strong passwords, and less troubled, because we can access those passwords securely and easily. I should also mention that a long password doesn’t automatically mean security. Length is just one of the hallmarks of a good and secure password.
But password managers are not all good. Sometimes, using a password manager is riskier and less secure than usual. A password manager should have certain features before we trust it. Here’s my opinion on those features.
Password manager features
A good password manager encrypts your data in a way that nobody, not even the service provider, can access it. A good password manager doesn’t even let you access the passwords if you lose the decryption key.
Encryption is one of the major required security features. Without encryption, you’re not secure at all. The point of using a password manager is to be more secure, and if the password manager itself is not secure, it’s not worth using.
Without encryption, you could just as well store your passwords in a plaintext file, and you’d probably be more secure.
A good password manager generates secure random passwords for you. It knows what a secure password should look like, so it helps you create one.
A good password manager also checks generated passwords to see whether they have been used before or have been pwned (exposed in a known breach).
The human mind can process a lot of things, but most of the time it’s a lot slower than a computer. That would be fine if we were facing a human adversary; we’re not. It’s computers that work to find our passwords in different ways.
A good password manager generates passwords that are hard for computers to break or guess. However, the user should be able to decide the length, character set, and other components.
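As an added example (not code from this post or from any password manager named here), this is how the generation and breach check described above can be implemented: a CSPRNG-based generator that honours the user’s length and character-class choices, an entropy estimate showing why long random passwords are out of a computer’s reach, and a k-anonymity style breach lookup. The breach list is constructed locally and stands in for a remote range service.

```python
import hashlib
import math
import secrets
import string

# Character classes the user can switch on or off (the user decides composition).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")

def generate_password(length=35, classes=DEFAULT_CLASSES):
    """Draw every character from a CSPRNG (never random.random) and guarantee
    at least one character from each requested class."""
    if length < len(classes):
        raise ValueError("length too short for the requested character classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were the guaranteed ones
    return "".join(chars)

def entropy_bits(length, classes=DEFAULT_CLASSES):
    """log2(alphabet_size ** length): the brute-force work a computer faces.
    35 characters from 86 symbols is about 225 bits; 8 characters is about 51."""
    return length * math.log2(sum(len(CLASSES[c]) for c in classes))

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def is_pwned(password, range_lookup):
    """k-anonymity style check: only the first 5 hex digits of the SHA-1 go to
    range_lookup; the 35-digit suffix is matched locally. Returns breach count (0 = clean)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

# Constructed stand-in for the remote range service (passwords and counts invented).
_BREACHED = {sha1_upper("password"): 1234, sha1_upper("letmein"): 56}

def local_range_lookup(prefix):
    return [f"{h[5:]}:{n}" for h, n in _BREACHED.items() if h.startswith(prefix)]
```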
A password manager should be cross-platform. We use a lot of digital devices every day and we sign in to our accounts from different computers. I’m not saying a password manager should have a client for every digital device, but it should have a client for at least Android, iOS, Windows, macOS, GNU+Linux, and BSD.
This makes sure we have access to our passwords any time we want on any device we want. If a password manager is not cross-platform, it can trouble us, and that’s not what we want, right?
A cross-platform password manager is useless if there’s no syncing. And I should mention that by ‘syncing’ I mean ‘secure syncing’. It would be really funny if we could install a password manager on our GNU+Linux computer but couldn’t access the passwords because there’s no sync.
Now, syncing can be done in various ways, but I can divide them into two main categories:
- Manual: Transferring files ourselves and importing the updated/new vaults into the password manager on the device we want.
- Automatic: The password manager imports the updated/new vaults itself and syncs the passwords on a fixed schedule or continuously.
As I always say, nothing online is completely safe. Automatic sync almost always means storing passwords in the cloud. As you know, the cloud is somebody else’s computer, so keeping strong passwords in the cloud is not the safest thing to do.
However, with good security measures, processes, and practices, you can trust a password manager with a web/online vault. You’re still not completely safe (you never are, in any way), but the risk is at its lowest.
The other option is to sync the vaults manually. I believe a good password manager can establish a secure connection between two devices and sync the vaults and updated/new passwords.
For example, a password manager can transfer vaults over Wi-Fi, secured with AES (or any other safe encryption protocol). It can also generate a local one-time password for the synced vaults to make sure nobody but us can access the sync files.
Needless to say, the vaults themselves should be encrypted separately with a password chosen by the user. These two layers of encryption assure us that nobody can access those files except ourselves.
A good password manager respects users’ anonymity. This can reduce or prevent attacks aimed at a specific person. It also makes attacks less worthwhile, as the attacker can’t find out which passwords belong to which people.
However, if a password were reused for two different accounts, that could put a user at risk; but as I said, a good password manager prevents this.
A good password manager lets you purge data. Any data or password that belongs to you should be purged immediately, if you want it to be. A good password manager won’t keep your passwords or data for any reason at all.
As I mentioned before, a good password manager increases users’ security. By keeping users’ data and information, it keeps users at risk, always.
A good password manager purges all the data, even the smallest pieces, to keep the user as safe as possible.
What password managers to use?
Now that we know how a password manager should work, let’s look at a few free software, secure password managers. You should know that nothing is completely secure and nothing is perfect.
Bitwarden is one of my favorites. It’s a free software password manager that is cross-platform. Bitwarden syncs passwords through the cloud, but since all data is encrypted before leaving the device, you can be sure that you’re not at risk.
Bitwarden also has browser add-ons for more safety. Browser add-ons are wonderful things that make password managers easy to use.
However, nothing online is completely safe and secure, so if you don’t like cloud sync, you should install it on your own online server, or on a local server with no internet access.
As it’s free software, you can host it yourself, but there are also free and premium plans on Bitwarden’s main website/service.
KeePassXC stores all your passwords in an encrypted digital vault that you secure with a master password, a key file, or both.
The difference is that instead of it syncing passwords for you, you have to do it manually. Using OnionShare or encrypted drives can secure this transfer.
Syncthing is another piece of software for syncing your data. It replaces proprietary sync and cloud services with something open, trustworthy, and decentralized. Your data is your data alone, and you deserve to choose where it is stored, whether it is shared with some third party, and how it is transmitted over the Internet.
Sadly, there’s no official mobile phone client for KeePassXC.
LessPass is another free software password manager. It generates unique passwords for websites, email accounts, or anything else based on a master password and information you already know. No sync is needed. It uses PBKDF2 and SHA-256.
It’s currently only available for Android, Chrome, Firefox, and Snapcraft, but you can host it yourself if you want.
Like Bitwarden, LessPass also has browser add-ons for more security and safety. Browser add-ons also make it much easier to use.
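As an added example, not LessPass’s own code nor its exact algorithm, here is a simplified stateless derivation in the style the paragraphs above describe: PBKDF2-HMAC-SHA256 stretches the master password with the site, login and a counter as salt, and the output is mapped onto a character set. The iteration count and alphabet are assumptions made for this illustration.

```python
import hashlib

# Simplified stateless scheme modelled on the description above; it is NOT
# LessPass's exact algorithm, only an illustration of the idea.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" "!@#$%&*-_=+?")
ITERATIONS = 100_000  # assumption: chosen to slow offline guessing of the master password


def derive_password(master, site, login, counter=1, length=16, alphabet=ALPHABET):
    """Return the same password every time for (master, site, login, counter).
    Nothing is stored, so there is nothing to sync; bump counter to rotate."""
    # Public, non-secret inputs form the salt; the master password is the secret.
    salt = f"{site}{login}{counter:x}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    # Read the 256-bit output as one integer and peel off one alphabet index per
    # character (16 chars x log2(74) ~ 99 bits, well under the 256 available).
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)
```

Because nothing is stored, a leaked master password yields every derived password, and changing one site’s password means incrementing its counter and remembering that counter.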
WARNING!: BUTTERCUP IS BASED ON ELECTRON, WHICH MAKES IT NOT ENTIRELY LIBRE. SOME MAY EVEN CONSIDER IT COMPLETELY NONFREE!
Read more: FSF opinion on chromium, QtWebEngine, electron
Buttercup is another great password manager. It focuses on simplicity and security. Buttercup is also cross-platform: it has clients for desktop (Windows, macOS, and GNU+Linux) and mobile devices (Android and iOS).
Buttercup also has browser add-ons to make sure you can access your passwords easily.
Buttercup is also planning to release a file-attachment feature, which would make it unique among password managers.
Syncing your passwords can be done with the “My Buttercup” system or manually, by transferring vaults using cloud or local systems. It’s worth trying, and I believe it’s a wonderfully useful piece of software regarding passwords.
Psono introduces itself as a self-hosted password solution for teams, but it is also useful for individuals. The community edition of the software is free of charge (free as in price) but not that easy to use.
It is recommended for people who want to run a password manager service rather than use a simple password manager for their own needs.
A cool thing about Psono is multi-layer encryption. Psono has multi-level encryption starting with a client-side encryption layer, allowing true end-to-end encryption for password sharing, followed by SSL and storage encryption.
The fact that it’s free software makes it amazing. You can host the server on your own grounds and control every possibility. In addition, you are independent and do not have to rely on public services.