Password managers have become a crucial tool that every online user should rely on. Since they handle extremely sensitive data, like login credentials, credit card information, secret notes, and more, choosing one deserves careful consideration. This article goes over the phases I've gone through in my experience with password managers, the different solutions I used, and how I got to where I am today.
First Password Manager
My journey with password managers started way back when I used the "save password" feature in the Chrome browser. I was still "generating" passwords myself but relying on Chrome to save and automatically insert them when I was on the login page of various websites. At that time, I didn't really have too many accounts - probably no more than a dozen. But as the web started turning into a plethora of sign-up walls, where you can't hover over a button without having to log in first, I quickly ran out of ideas for creating new unique passwords. This is the point where I knew I needed a proper password manager.
Around this time, LastPass was one of the most dominant players in the field of password management, and they were doing some good work. So I decided to give LastPass a try, and I really liked it. The convenience of not having to come up with a "secure" password that I hadn't used before when signing up on a new website brought such relief to my account creation flow and removed a considerable amount of friction. LastPass had some issues, however. The data breach of 2015 was the first thing to sound the alarm for me. I started to realize that fully trusting a single entity with my most valuable data, the keys to every account I own, was probably not a good idea. To make matters worse, LastPass does not publish its source code for others to view, analyze, or even contribute to. Security by obscurity is never the way to go. Furthermore, they include third-party trackers in their codebase, which is a very bad practice for a security-critical service like LastPass.
I'm not trying to sabotage LastPass here, or imply that their security is lacking. As a matter of fact, their security model seems to be solid. As far as I know, there has never been any breach that exposed users' sensitive data, like passwords, in clear text. All I'm saying is that it wasn't the right fit for me. Not to mention that their recent upsell push to convert free users to premium by restructuring their pricing and feature tiers just didn't sit right with me. They were turning into another Big Tech player, and it was time for me to walk away.
Gaining back control over my data
When I started using LastPass, there weren't many options to choose from. But a few years later, other password managers started popping up, and one of them was particularly good at distinguishing itself within the privacy-focused community. This password manager is none other than KeePassXC. I believe it's the first open-source password manager that I was made aware of, and I instantly fell for it. It's a free, community-driven, offline password manager that I simply couldn't ignore. Next thing you know, I was migrating all of my passwords off of LastPass and celebrating the addition of yet another open-source tool to my arsenal.
The only problem I had to solve was synchronizing data across multiple devices. With a cloud-based service like LastPass, this is taken care of by the service itself, and changes on one device are replicated across the others automatically. With an offline password manager like KeePassXC, on the other hand, data synchronization becomes the responsibility of the user. So I moved all my credentials to a KeePassXC database (DB) and used a cloud service to regularly back it up. When I needed a fresh version of my DB on any of my devices, I either transferred it directly within my home network or pulled it from the cloud service provider, and used an open-source client to read it. To keep things simple, I also only ever made changes to the DB on my computer and stuck to read-only mode on the other devices. You can imagine how this could sometimes prove tedious, especially when I needed to update existing entries or create new ones from a device other than my main computer. I started to seriously miss the convenience of the seamless synchronization I enjoyed with LastPass, but I wasn't ready to downgrade my security and privacy just for that.
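The sync-by-hand workflow described above, as an added example that is not code from the original post: a POSIX shell script that copies the .kdbx into a cloud-synced folder as a timestamped version with a SHA-256 sidecar file, refuses to overwrite a synced copy that is newer than the local vault (the "edited on another device" situation that makes the read-only rule necessary), and lets the receiving device verify a download before opening it. The paths, the retention count and the hypothetical function names backup_kdbx and verify_kdbx are assumptions. A .kdbx file is encrypted under a key derived from the master password, so the sync provider only ever stores ciphertext; the hash check here guards against truncated or tampered uploads, not against an attacker who already holds the database and guesses a weak master password.

```shell
#!/bin/sh
# Added example, not code from the original post. Versioned, integrity-checked
# backup of an offline KeePassXC database into a folder that a cloud client syncs,
# refusing to overwrite a copy that was modified elsewhere. Paths, the retention
# count and the function names are assumptions for illustration.
#
#   backup_kdbx /home/me/Passwords.kdbx /home/me/Sync/vault 10
#   verify_kdbx /home/me/Sync/vault/Passwords.kdbx     # on the receiving device
set -eu

# Portable SHA-256 (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

backup_kdbx() {
    src="$1"             # the .kdbx edited on the primary machine
    dest_dir="$2"        # folder watched by the sync client; it only sees ciphertext
    keep="${3:-10}"      # number of timestamped versions to retain
    name="$(basename "$src")"
    stem="${name%.kdbx}"
    latest="$dest_dir/$name"

    [ -f "$src" ] || { echo "source not found: $src" >&2; return 1; }
    mkdir -p "$dest_dir"

    # Guard against the multi-device failure mode: if the synced copy is newer than
    # the local one, it was edited elsewhere. Stop rather than silently drop entries.
    if [ -f "$latest" ] && [ "$latest" -nt "$src" ]; then
        echo "refusing: $latest is newer than $src (edited on another device?)" >&2
        return 2
    fi

    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    versioned="$dest_dir/$stem-$stamp.kdbx"

    # Write to a temporary name and rename, so the sync client never uploads a
    # half-written file; confirm the bytes match before publishing the version.
    cp "$src" "$versioned.part"
    expected="$(sha256_of "$src")"
    if [ "$(sha256_of "$versioned.part")" != "$expected" ]; then
        rm -f "$versioned.part"
        echo "copy failed integrity check" >&2
        return 3
    fi
    mv "$versioned.part" "$versioned"
    echo "$expected" > "$versioned.sha256"

    # Refresh the "latest" copy and its sidecar hash the same way.
    cp "$versioned" "$latest.part" && mv "$latest.part" "$latest"
    echo "$expected" > "$latest.sha256"

    # Prune old versions; the timestamps sort lexicographically, oldest first.
    count="$(ls -1 "$dest_dir"/"$stem"-*.kdbx | wc -l | tr -d ' ')"
    if [ "$count" -gt "$keep" ]; then
        ls -1 "$dest_dir"/"$stem"-*.kdbx | sort | head -n "$((count - keep))" |
            while read -r old; do rm -f "$old" "$old.sha256"; done
    fi

    echo "$versioned"
}

# On a receiving device: check the downloaded file against its sidecar hash before
# opening it. A mismatch means a partial or tampered download.
verify_kdbx() {
    f="$1"
    [ -f "$f" ] && [ -f "$f.sha256" ] || { echo "missing $f or $f.sha256" >&2; return 1; }
    [ "$(sha256_of "$f")" = "$(cat "$f.sha256")" ]
}
```

The newer-than check only detects a conflict; it cannot resolve one. When it fires, the way out in KeePassXC is its built-in "Merge From Database" function, which folds the entries of the remote copy into the local vault before the next backup run.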
The best of all worlds
Luckily, there was a new kid on the block, a solution that ticked all the boxes for me - it's open source, free[1], and self-hostable! This meant that I could get all the benefits of data control I have with KeePassXC and the convenience of seamless multi-device synchronization. The solution I'm referring to is Bitwarden. Ever since I launched my own instance of Bitwarden, I've never looked back. I truly love this piece of software and am so grateful to the amazing people behind it. Plus, the beauty of it all is that when you host your own instance you get all of the premium features for free!
As you see, I wasn’t fortunate enough to pick a winner right from the start. I began my journey naive, prioritizing convenience without paying much attention to security, let alone privacy. As I learned more about password managers, I shifted my priorities and started giving more weight to security and privacy, even at the expense of convenience at times.
If you have comments or suggestions, or if you just want to strike up a conversation on this topic, feel free to hit me up on Mastodon.
[1] They also offer premium plans, but their free tier has all the basic features expected in a password manager.