3 open source password managers

Keep your data and accounts safe by using a secure open source password manager to store unique, complex passwords.
Image: Locks on a bridge in Paris (Jason Baker, CC BY-SA 4.0).

Maintaining complex, unique passwords for each site and service you use is among the most common pieces of advice that security professionals provide to the public every year.

Yet no matter how often it is repeated, hardly a week goes by without a high-profile breach story hitting the news and revealing that users of the service in question more often than not had such "secure" passwords as "12345" or "password" as the only wall of protection on their accounts.

Or perhaps a user offers up just enough variation on the classic password selection to get past the minimal rules of the service. Unfortunately, "Pa$$w0rd!" isn't secure in any meaningful way either. Cracking tools start from dictionary words and apply exactly these mangling rules (capitalization, character substitutions, appended digits and symbols), so almost every variation of words and phrases strung together with a few numbers or substitutions falls quickly, and the shorter the password, the faster it goes.

The best passwords are long and generated at random (by a cryptographically secure generator, not by a person trying to be unpredictable) from every character the service allows, with a different password for each unique use. But how could a normal person remember the hundreds or even thousands of individual passwords associated with each account they've ever created? The short answer is: they can't. And don't even think about writing a password down in plain text, whether in the physical world or the digital.
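The two halves of the argument above, "mangled words fall to rule-based cracking" and "long random strings do not", can be made concrete. The following is an added example written for this article, not code from any of the projects discussed. A constructed five-word wordlist and a handful of substitution and suffix rules stand in for a real cracking dictionary and rule set (which run to millions of entries and thousands of rules); the guess rate used for the time estimate is likewise an assumption.

```python
import itertools
import math
import secrets
import string

# Constructed stand-in for a real cracking wordlist (real lists hold millions of words).
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey"]

# A handful of "leet" substitutions and suffixes, the same idea as hashcat/John mangling rules.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "2016"]


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(wordlist):
    """Generate candidates the way a rule-based cracker does: each base word crossed
    with capitalization, substitution and suffix rules."""
    seen = set()
    for base in wordlist:
        for cap in (base, base.capitalize(), base.upper()):
            for variant in leet_variants(cap):
                for suffix in SUFFIXES:
                    candidate = variant + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def guesses_until_found(target, wordlist=WORDLIST):
    """Number of candidates a cracker tries before hitting target, or None if the
    rules never produce it."""
    for n, candidate in enumerate(mangle(wordlist), start=1):
        if candidate == target:
            return n
    return None


def rule_space_size(wordlist=WORDLIST):
    """Total number of distinct candidates the rules above generate."""
    return sum(1 for _ in mangle(wordlist))


# --- What a password manager should generate instead ---------------------------------

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII


def generate_password(length=20, alphabet=ALPHABET):
    """Uniform random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second=1e11, alphabet_size=len(ALPHABET)):
    """Worst-case time to try every password of this length at a given guess rate.
    The default rate is an assumption standing in for a GPU rig against a fast hash."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("Pa$$w0rd! found after", guesses_until_found("Pa$$w0rd!"), "guesses;",
          "the whole rule space is only", rule_space_size(), "candidates")
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.0f} bits,",
          f"{years_to_exhaust(len(pw)):.2e} years to exhaust at 1e11 guesses/s")
```

Even this toy rule set reaches "Pa$$w0rd!" within a few hundred guesses, while a 20-character string drawn uniformly from 94 symbols carries about 131 bits of entropy and is never produced by word-based rules at all. Note the use of `secrets` rather than `random`: the latter is a Mersenne Twister whose output is predictable once a few values are observed.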

Perhaps the easiest way to keep track of these complex, unique passwords is with a password manager, which provides easy access to strong encryption. While proprietary commercial solutions like LastPass are popular, there are several open source solutions as well. And with passwords, being able to audit the source code of your password manager is especially important, as it lets independent reviewers check that your passwords are encrypted properly and makes a hidden backdoor far harder to conceal.

So without further ado, here are a few open source password managers we hope you will consider.

KeePass

KeePass is a GPLv2-licensed password manager, primarily designed for Windows but also running elsewhere. KeePass offers multiple strong encryption options, easy exports, multiple user keys, advanced searching features, and more. It is designed for desktop use, but plugins allow direct use from your web browser, and it can run from a USB stick if you'd prefer to physically carry your passwords from machine to machine. More on KeePass can be found in this past article from Ricardo Frydman.

KeePassX, which started as a Linux port of KeePass, is another project you may consider. KeePassX is compatible with KeePass 2 password files and has also been ported to run on different operating systems; KeePassXC, a community fork of KeePassX, is the actively maintained successor. In fact, the list of unofficial releases of KeePass covers ports to just about every system in common use.

Padloc

Padloc (formerly Padlock) is a very new entrant into the world of open source password managers. Currently available for Linux, Windows, Mac, iOS, and Android, with a ChromeOS client in the works, Padloc is designed as a "minimalist" password manager. Its source is available on GitHub under a GPLv3 license. The project has also developed a cloud backend, also open source, which is a welcome addition for anyone tired of managing password files or setting up syncing across multiple computers.

Passbolt

Passbolt is another relatively new option, with plugins available for Firefox and Chrome and mobile and command-line options on the way. Based on OpenPGP, it has an online demo that shows off some of the features (you'll need to install the plugin for your browser, though). Licensed under the GNU Affero General Public License version 3 (AGPLv3), you can check out the source code on GitHub or view the project's roadmap for a list of current features and more on what is planned.

Bitwarden

Bitwarden offers an easy and safe way for teams and individuals to store and share sensitive data, and it works on all major platforms and devices. You can also integrate Bitwarden into your favorite web browser (including Firefox, Chrome, Opera, Safari, Microsoft Edge, and others). You can access your sensitive data from a "web vault" in your browser, too, so you're never without the information you need. The data is fully encrypted end-to-end with AES-256, meaning the key is derived on your device and the server only ever handles ciphertext. If you prefer, you can even host your own instance.
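The end-to-end claim above is worth unpacking, because it is the property that makes self-hosting (or trusting a vendor's server) safe: the server stores a login verifier and opaque blobs, never the key that decrypts the vault. The following is an added example written for this article, not Bitwarden's code. It follows the commonly documented pattern of deriving a vault key client-side with PBKDF2 and deriving a separate login hash from that key, but the iteration counts, the use of the email address as salt, the `enc`/`mac` HKDF labels, and the HMAC-SHA256 counter-mode cipher standing in for AES-256 (the Python standard library has no AES) are all this example's own choices.

```python
import hashlib
import hmac
import os

# Assumed work factors for this illustration; real clients raise theirs over time.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_master_key(password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """The vault key: PBKDF2-HMAC-SHA256 over the master password, salted with the
    lower-cased account email. Computed on the client and never sent anywhere."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def derive_auth_verifier(master_key: bytes, password: str) -> bytes:
    """The login secret: one further one-way step over the key. This is what the
    server learns, and it cannot be turned back into master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def hkdf_expand(key: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: derives independent subkeys from one key."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def vault_keys(master_key: bytes):
    """Separate encryption and MAC keys so neither use weakens the other."""
    return hkdf_expand(master_key, b"enc", 32), hkdf_expand(master_key, b"mac", 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a standard-library stand-in for AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_item(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a vault entry; this blob is the only form the server ever sees."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_item(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a tampered blob is rejected, not decrypted."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault item tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ToyServer:
    """Everything a self-hosted backend stores: a salted hash of the verifier and opaque
    blobs. A full database dump therefore contains neither the key nor any plaintext."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, verifier: bytes):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "items": [],
                             "verifier_hash": hashlib.pbkdf2_hmac("sha256", verifier, salt, SERVER_ITERATIONS)}

    def login(self, email: str, verifier: bytes) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", verifier, user["salt"], SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, user["verifier_hash"])

    def store(self, email: str, blob: bytes):
        self.users[email]["items"].append(blob)


def demo(password: str = "correct horse battery staple", email: str = "Alice@Example.com"):
    """Round trip: register, upload one encrypted entry, then inspect a database dump."""
    mkey = derive_master_key(password, email)
    verifier = derive_auth_verifier(mkey, password)
    enc_key, mac_key = vault_keys(mkey)
    server = ToyServer()
    server.register(email, verifier)
    server.store(email, encrypt_item(enc_key, mac_key, b"github.com alice Tr0ub4dor&3"))  # constructed entry
    dump = server.users[email]  # what an attacker walks away with after a server breach
    return {
        "login_ok": server.login(email, verifier),
        "key_in_dump": any(mkey in v for v in (dump["salt"], dump["verifier_hash"], *dump["items"])),
        "plaintext_in_dump": any(b"alice" in blob for blob in dump["items"]),
        "client_reads": decrypt_item(enc_key, mac_key, dump["items"][0]),
    }
```

The design point is the one-way step between the vault key and the verifier: whoever dumps the server database gets a salted hash of a hash and some ciphertext, and the only way back to the vault is to guess the master password itself through the full PBKDF2 work factor. That is also why a weak master password defeats the whole scheme, and why the verifier must never be reused as an encryption key.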

You can create a Bitwarden account for free. Bitwarden is open source and released under a GPLv3 license, and the Bitwarden community is vibrant and inviting. Visit their forum to learn more about the software, or to pose any questions you may have.


Using a password manager that you trust alongside complex passwords is not a substitute for taking other security precautions, nor is it foolproof. But for many users, it can be an important part of keeping your digital life secured. These definitely aren't the only options out there. There are some older options, like Clipperz and Password Safe, and web-based tools like RatticDB that I would be interested to try out. Which open source password manager do you use, and why?


This article was originally published in December 2016 and has been updated with new information.

Jason Baker
Former Red Hatter. Now a consultant and aspiring entrepreneur. Map nerd, maker, and enthusiastic installer of open source desktop and self-hosted software.


11 Comments

Teampass is a self-hosted, web-based vault. No autofill extension yet, but its features are similar otherwise.

Any that can use ownCloud/nextCloud as back end?

A lot of KeePass users simply sync their vault files on their personal ownCloud/nextCloud instances. If you use password+keyfile authentication and carry the keyfile with you separately (like on a USB stick), then that works reasonably well.

In reply to Meriam

You missed Bitwarden. A true competitor to LastPass. Available on many platforms (iOS, Android, Chrome, Firefox, web, etc.) and the entire thing is open source on GitHub. Even the backend APIs, database, and such. Check it out: https://bitwarden.com

Unfortunately, I still think that LastPass is the best option for people. It may be closed source, but they are very proactive when they detect unusual activity. Also, they have been a true cross-platform solution for many years. I have a YubiKey for 2FA, so I know that only I can get into my password vault. Additionally, I have my LastPass set up to not allow login from unknown devices and IPs. I just got a new phone and I had to verify that I wanted to use that device before I could access the vault, which made setup easier once in to automatically fill all the user names and passwords for my various programs and accounts. I do have device encryption and a long device PIN that is required on startup or when the device is asleep for privacy protection.

In reply to xxkylexx

LastPass may be a little easier to use (I've had to use it at work), but the minor inconvenience of a less polished user experience is a worthwhile tradeoff for me. I'm happy with KeePassX and see no reason to change. Honestly, making it slightly harder to create and store a password sometimes is just enough friction to get me to skip yet another login I'll probably never use again.

In reply to JC Clark

LastPass FANBOYS should read the Wikipedia list of HACKS LastPass was subjected to!

Enpass.io is THE BEST closed-source, cross-device, cross-browser, cloud-sync-out-of-the-box, FREE* manager out there.
The only limit is 20 free entries in the mobile app, but then it's only $10 for a lifetime licence.
Suck it up, Clark!

In reply to JC Clark

Don't forget the built-in password managers in Chrome, Firefox, etc.

My team uses "pass", "the standard unix password manager". Each person on my team has a GPG ID that pass uses to encrypt passwords. Pass uses git for a repository, and we have a remote git repository with which we sync. As with all good security, it is not simple. GPG has a learning curve and so does git, but once those are tackled, pass is simple to use.

I've switched to pass myself. Key reasons for going this route were:

* Open sourced project, which can be reviewed by external users/developers.
* Security is based on the well-proven, tested, and widely used GnuPG/GPG. This gives great confidence that secrets are properly secured when saved to disk, which is easy to verify.
* For synchronisation, it stands on the shoulders of the well-proven, tested, and widely used git, which allows data to be stored on infrastructure not necessarily on the public internet, or in the control of external third-party service providers. (Seriously, you do not really need globally accessible centralized storage; there will always be scenarios where all your devices at some point in time can access your own private storage. It might even be your own laptop or workstation at home.)
* Both a command-line interface and a Firefox add-on
* Android app available via F-Droid as a proper open source project ( https://f-droid.org/repository/browse/?fdid=com.zeapo.pwdstore )

Unfortunately, the current state of it is a bit too heavy for non-tech users. And the Firefox/IceCat integration on Android is not really working well. But despite these issues, it is absolutely the solution I have the most confidence in, and currently I am capable of handling those deficiencies.

In reply to Blake

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.