Password managers, 2018 edition
February 11, 2018 3:13 PM

Pursuant to prior related queries, what are your thoughts on a preferred password manager?

I have been using 1Password 1 (Win) and 1PW3 since I purchased their full-boat access in 2011, with an add-on for iOS shortly thereafter, probably a combined cost of $125-150 or so. However, their upgrade pricing was never remotely attractive and so I never moved to new versions.

Sometime in the past year or so, they moved to an all-hosted storage system and more or less at the same time to an annual-billing subscription model, following the lead of paragons of responsible computing such as Microsoft and Quicken. I hate subscription model pricing, so I have even less reason to move to their new ecosystem now.

They've suspended support for older versions, understandably (if bluntly).

So I guess I am in the market to move on from 1PW. It is exhibiting transient instability on some of my devices but not others even given what should be a uniform operating environment. I am what you might think of as a trailing-edge adopter; I strongly prefer to purchase used machines and devices and stave off operating and software system upgrades until the bitter end.

Here are the baselines I'm looking to meet:

Locally-storable database
(which I can store in any given sync solution, including iCloud and Dropbox or local sync services such as Resilio Sync)
Multiplatform integration
Win 7, Mac OS X, and iOS at a minimum (SPECIAL POINT: I am eschewing iOS 11 for the foreseeable future)
Shareable between individual users
across all platforms and independent of Apple's AppleID system of associating one user on all platforms with SW installs
Family licensing
should allow installs in multiple geographic locations (as I will be migrating my parents as well)
No subscription fees

I suppose if 1PW had a local-storage implementation AND a full-boat upgrade one-time plan I might consider that, despite my frankly adversarial feelings about the company - the UI is great and for the most part implementation to even resistant users has been smooth. But every time I think about giving them money I get grouchy.
posted by mwhybark to Computers & Internet (22 answers total) 25 users marked this as a favorite

Unfortunately, I fear that most of the options that provide any sort of password sharing are going to have moved to a cloud/subscription model.

I've been generally very happy with LastPass, which offers a $48/yr family membership, but its default behaviour is to do the syncing for you. In theory, you could use your own tool to sync the files - everything is locally encrypted and synced encrypted to their servers, but I'm not sure how that would play with their syncing. (And, of course, it's a subscription model.)

Your other option would be to go with something old-school like Password Safe, which is a.) freeware (in most cases, though there are paid apps for Android and iOS), and b.) has no syncing of its own. It doesn't (or didn't at last check) have any way to share a given password across multiple users, but it really doesn't even have the concept of users, just specific vaults. I used it for many years before I moved to LastPass, primarily for convenience reasons.
posted by jferg at 3:31 PM on February 11, 2018

LastPass has been good to me, though it doesn't hit all your points (no sync as far as I know). The single user version is free, but I think it's subscription for a family. The only thing I'd recommend is to make sure you create a number of One Time Passwords (OTP) and keep 'em in a safe place.
posted by pyro979 at 3:40 PM on February 11, 2018

I am in exact agreement with you with regard to everything on your baseline needs list and 1Password's overly aggressive upgrade fees and bullheadedness on the local storage option and subscription fees. I have family licenses for both my Windows and Mac computers and each year customer service gets more and more obnoxious when trying to convince me to "upgrade" to their subscription services, no matter what type of problem I'm having and need help with. They've even given me two free licenses which I've yet to activate because they require the subscription service.

Anyway, I've tried a great many other password managers, mostly on Mac, but a few on Windows too and unfortunately I didn't like any as much as 1Password. They all have ugly UIs or dealbreaker usability flaws, imho. Enpass is probably your best bet, in light of your needs. The desktop version is free and the mobile version is just $9.99 (lifetime, per platform).

You might want to hold off on purchasing anything new for a while. I read on one of my Mac forums that 1Password's subscription model is deeply unpopular with a lot of longtime users and they've been taking a hit from people switching to other products. Rumor has it that they plan to offer non-subscription standalone products again soon, although they're not advertising this yet and continue to push the subscription service. I'll update this thread later if I can find a link.

As far as local storage, you might try hooking a backup drive to your network and backing up that way.
posted by LuckySeven~ at 3:53 PM on February 11, 2018

I'm still using KeePass 2.x, which has locally-stored, password-protected storage in a KDBX file, which I sync via a Dropbox-like service. On mobile, I have to set my phones'/tablets' apps for that service to maintain a local copy of those files.

I minimally use it on my one iOS device; I use the implementation called MiniKeePass, and it's not really working for me, but there are many more for me to try. I use KyPass for OSX, KeePassDroid for Android, and of course the main application for Windows; it ran fine on 7 back before I upgraded.

KeePass has a great PW generator that's very easily customized for the particular requirements one is likely to see, and even for some unlikely ones.

The price is the best part. It's free and open source. They do not offer cloud sync; that's your job if you want that feature.
posted by Sunburnt at 4:09 PM on February 11, 2018 [7 favorites]

Yes, KeePass 2. I have the same setup as above. I’ve been using it for more than 10 years (previously used version 1 series) and have something like 100 passwords with good strength due to its autogen capabilities. E-mail yourself the file every few weeks (or months in my case) to synchronize across computers. Even if they aren’t in perfect sync it rarely causes me a problem. There is built-in functionality to synchronize two files so you can reconcile randomly. Minipass in iOS is usable for occasional use — if you accessed a lot of passwords on iOS I guess you may want to consider something else like Apple’s built-in keychain.
posted by friendofstone at 4:21 PM on February 11, 2018 [1 favorite]

Yeah, I found myself in exactly your position very recently -- very satisfied owner of 1Password back when it was a permanent license, then I switched platforms and got a very rude surprise about their licensing change.

(On refresh, Sunburnt beat me to this recommendation.)
I've been able to get 95% of the functionality I want, though without the nice user interface, from KeePass on the desktop side, and KyPass on the iOS side. (There are other apps that can read and update the KeePass database format on both Android and iOS, this is just one.) KeePass is multiplatform and open source. With a plugin (1P2KeePass) you can import your existing 1Password database. You can use a YubiKey as an authentication token (KeeChallenge). I personally sync my database across Windows and iOS over WebDAV provided by my email provider, which KeePass and KyPass both have native support for. It'll auto-type your username and password into a web form, though I've found that sometimes it guesses wrong about which fields to insert into.

The downside is that the user interface is nowhere near as slick as the big password managers. It's obviously an open source project. This is still better, to me, than supporting a subscription model for software.
posted by Nunya B. Zwax at 4:26 PM on February 11, 2018

The latest version of 1Password (6.8.6) does still support "Advanced Sync Options" including Dropbox/iCloud/Local folder sync and WiFi sync to iOS devices (none of which require an account).

The subscription pricing is annoying though.
posted by James Scott-Brown at 4:29 PM on February 11, 2018

Here's Agile's latest response about the upcoming standalone 1Password 7. It's "on the horizon", but they can't give a specific date.
posted by LuckySeven~ at 6:02 PM on February 11, 2018

Response by poster: I would characterize that thread as highly discouraging for 1PW users.

The Agile.bits folks in the thread tended to carefully specify that 1PW 7 Win was the specific, no-date-certain, standalone licensed planned release, which implies by omission that mobile and OSX will not be receiving standalone updates at 7.

Additionally, the infallibly-polite and chilly longtime Agile.bits employee known as Lars took special care to point out both that upgrade pricing was unlikely to be extended to future standalone releases and that the prior upgrade pricing was 50% of their stated retail, implying that he viewed that pricing as a terrific bargain! So I'll certainly take that, rolled up, as confirmation that it's time to move on from 1PW and their spirit of open-handed helpfulness.
posted by mwhybark at 8:43 PM on February 11, 2018 [2 favorites]

Response by poster: one other note re their current $4.99x12 pricing for family use. that's $59.88/yr.

If my $150 layout estimate is accurate, I have used 1PW for 7 years, with a resultant annual cost of about $22. So they are, in my view and based on my actual cost, overpricing by a factor of about 3. I certainly felt it was even more overpriced in initial layout. Some users (there, I think) noted initial buy-in costs of about $60, which had I had access to would have reduced annualized cost to about $8.50 a year. That strikes me as a reasonable price for the service.
posted by mwhybark at 8:54 PM on February 11, 2018 [1 favorite]

It's worth keeping an eye on the BoingBoing Store if you hate subscribing. They often have deals on lifetime subscriptions.
posted by KateViolet at 11:32 PM on February 11, 2018 [1 favorite]

I like Codebook. I think it hits many of your points, although I’m not sure about the family sharing. It does allow installation across multiple devices/platforms. Individual purchase for each, but the price point is pretty low.
posted by Kriesa at 5:06 AM on February 12, 2018

I've been using KeePassXC for a while on OS X and Linux, especially after a researcher found holes in JavaScript sandboxing that make LastPass vulnerable. (They were fixed, but my entirely personal feeling is that browser JavaScript is too risky a vector.) Not sure how it works with Windows or iOS. I use Nextcloud for personal sync.
posted by GenderNullPointerException at 6:03 AM on February 12, 2018

I use the password generator as a JavaScript bookmarklet. It's free, works on every device that has a browser, does not depend on the cloud, is open-source, and will never stop working, but it's not quite as seamless as a password manager. Sharing passwords with family would be as simple as sharing a master password with them. I then also use the iCloud keychain to sync passwords between Apple devices. But if iCloud stops working tomorrow, or I decide to switch to Windows, I won't lose my passwords.
posted by spaghettification at 7:04 AM on February 12, 2018

I've been using the SuperGenPass bookmarklet for a while and it's pretty slick, but has a couple of issues - more and more sites seem to be blocking it from filling form fields, meaning you have to copy-paste your password, and it's a nuisance keeping track of which sites require a password that is longer or shorter or has punctuation in it.

Now I'm trying out KeePassXC, since I'm on Linux and want browser integration and KeePass2 is... clearly not quite native to Linux, and KeePassX doesn't have browser integration. KeeWeb seems like a good 100% browser-based option when I'm not on my own computer.

Seems like some combination of the KeePass variants might meet your needs.
posted by sibilatorix at 5:41 PM on February 12, 2018

Response by poster: Potentially positive developments in my support thread at 1PW.

I'll follow up with them in the morning.
posted by mwhybark at 5:45 PM on February 12, 2018

Response by poster: An important note here re AgileBits and licensing that is not explicit in the preceding comment: they do appear to be selling a non-subscription-based single license for 1PW6 which covers multiple machine deployments and platforms at $64.99.

I am asking some detailed deployment questions including concerning eligibility for a discount. It looks somewhat as if I will be able to use this license to cover my local deployment but not my parents'.
posted by mwhybark at 11:55 AM on February 13, 2018

N'thing KeePass. I use the Mac version at home and the iOS version, syncing through iTunes (I used to use Dropbox but decided I wanted to keep the file offline). It's pretty basic visually and I don't bother with the browser integration, but it does the job and it's free.
posted by Happy Dave at 12:31 PM on February 14, 2018

Response by poster: Ah, good ol' Lars has stepped in on the AgileBits thread to make sure I don't buy anything. I'll get back to him next week making it clear he's blown a sale and *also* failed to answer my technical questions. Should be fun, if not terribly productive with regard to my goals.
posted by mwhybark at 9:07 PM on February 14, 2018 [1 favorite]

Please keep us updated, mwhybark. I really want to know how this works out.

It may interest you to know that I went through a rather lengthy back-and-forth dialogue with various Agile customer support people when I last dealt with them while trying to upgrade my licenses too. I've been a customer since they first launched, first as a single user, then later as a purchaser of Family Licenses for both Windows and Mac. Very shortly after I purchased my Windows + Mac family licenses from a promo they had going on their website, a newer Mac version came out, and as expected, I contacted them about it and asked if I was entitled to a free upgrade. I explained that I was still using a version of Mac OSX that was now unsupported and wanted to wait a while before upgrading my systems to let Apple work the kinks out. The agent told me (via email), no problem and said to contact them when I was ready and they'd upgrade me for free to the latest version.

I did just that, yet I got a different agent (not Lars) who gave me the worst customer service I'd ever received from Agile. He went back and forth with me trying to convince me that all of the money I'd spent on previous licenses was "a bargain", implied that I was trying to get something for nothing, and strongly tried to convince me to "upgrade" to the subscription service (which I'd told him from the beginning I didn't want). I had to go through my computers pulling up years of invoices, receipts, and emails to prove I'd spent the substantial amount of money I'd claimed and finally, another agent did some voodoo and switched my now-defunct family licenses to the upgraded non-subscription licenses I requested. The whole experience left such a sour taste in my mouth, I'm not sure I ever want to do business with Agile again after these current licenses cease to work.

So, yeah, I'm really interested in your outcome. Please post back when you can.
posted by LuckySeven~ at 12:24 PM on February 15, 2018 [1 favorite]

Response by poster: This project is on temporary hold until we resolve a more urgent problem. I noticed that my wife's iOS-hosted copies of 1PW were no longer properly syncing and concluded that it was because her version of 1PW was slightly out of date. When I attempted to sign her in to the App Store, I was prompted for a two-factor authentication code, which struck me as strange, as I had instructed her not to set up TFA on our iOS devices.

A bit of legwork later, and we found that on January first, persons unknown had logged in with her Apple ID from a device reportedly located in the region of San Francisco and activated TFA on her account. She had received a notification email on her iCloud email address, but that is not her primary address and she did not see the notification. Apple's policy in such cases is that non-response indicates consent and the link to disable TFA incorporated in the notification email will cease to block TFA implementation by two weeks after initial dispatch.

Long story short, we don't know how her Apple ID authentication pair was lost, but there are at least two possible vectors, possibly more. This specific issue is a known problem and has been used as a means for leveraging device-lock blackmail via Apple's iCloud system - the possessor of the stolen Apple ID can wipe or lock signed-in devices seen as belonging to the account. The breach is not associated with device formerly in our possession, so the only data of ours that the fraudulent Apple ID holder has access to are iCloud-shared and stored information - which does not include the 1PW database.

We initiated a support call with Apple which was smoothly escalated but after a week of awaiting word from them we learned the unfortunate news that Apple's policy is to treat the holder of the TFA-enabled device as the legitimate account owner. We were advised to abandon her AppleID and move on. The fraudulent holder only made a single bogus purchase of an unknown song on iTunes and we were able to remove and cancel the charge and associated card.

So I am in the middle of scrubbing her iCloud-enabled data repositories for sensitive data. I have hit a roadblock that I will be creating a separate post on.

As her new Apple ID will not be associated with her extant 1PW purchase, and 1PW does not make the iOS version available for non-subscription use, we will likely be moving on to a new password-management system.
posted by mwhybark at 9:29 AM on February 25, 2018 [3 favorites]

Response by poster: Nearly a year later:

We resolved the iCloud issue, it was self-created - I had sent my dad one of her old iPads in what I had thought was a scrubbed state. Instead, he partially instantiated 2FA on her account before leaving the country for three months, which left us in an unresolvable loop.

As you might guess, we are in no hurry to implement Apple 2FA on anything now.

Regarding PW managers, I have tentatively shadow-deployed Enpass for our needs. It appears to be an attempt to feature match 1PW without the subscription-model pricing. There are some UI bumps and rough spots but so far it seems a plausible alternative.
posted by mwhybark at 5:38 PM on January 9, 2019 [1 favorite]
