The Living Thing / Notebooks :

Don’t re-use passwords; that would be stupid.

Now, the solution is easy because we’re in the future and there are many options to manage passwords across your various computing platforms…

…I’m KIDDING; it’s an acrimonious clusterfuck.

• Built-in password management in your OS. Works fine but syncing across devices usually involves trusting yourself to their cloud infrastructure, and usually doesn’t sync across platforms, e.g from Windows to Linux to osx to smartphone and back.

• 1password: (Mac/Windows/iOs/Android) Closed source, so who knows if it works? At least it’s Canadian, so they probably have slightly different security channels they are required to syphon your stuff into. Linux users are politely advised to get fucked. Shiny. Has smartarse features such as not disclosing your secrets under duress in the airport, a.k.a. “Travel mode”, a.k.a rubber hose for normal people Has a CLI.

• dashlane: seems to be more or less the same as 1password, but French (?).

• lastpass runs on every platform, browsers, phones, Linux, Windows, Mac. However the product is closed-source and inscrutable and they have headquarters in the USA, so they have limited ability to resist pressure from casual data harvesting from the American spook apparatus. Also I don’t really trust this company, since their other high-profile product, Xmarks, is so horrible. They claim to be host-safe, though, and this may be true. Their security process seems flaky.

• pass (aka zx2c4 pass) is the unixiest thing here; it GPG-encrypts everything in text files. There are plugins for its friendly open format for various browsers.

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

It’s disconcertingly freeform, but allows for integration, if you don’t mind using various less-scrutinized bits of code. Also it leaves various metadata (website URLs) in plain sight, which may or may not be what you expect from a confidential data manager

• Keepass/keepassx The open-source in-principle cross-platform one. Pronounced “Key-pass” or “Keep-ass” depending on whether it compiles successfully. Free, but makes up for it by being clunky and confusing, which is bad for something like password management. Also it was never so very cross-platform, and the ports to different platforms are divided and confusing. Doesn’t seem to have scheme for smoothly syncing passwords across devices, so you’ll have 50 different password files that you have in various stages of updateness. Moreover, one gets the feeling that although the various Keepass forks are somewhat interoperable, they kind of hate each other.

You can choose from, e.g.

• keepassc terminal-based keepass client written in python, which means you can access it cross-platform on your desktop but good luck with integrating into your phone

• rust-keepass rewrites of keepass in rust, which is a language designed to be more secure. More secure still would be if it ran on all your devices so that you actually used it.

• macpass is a Mac version. But is it the best mac version, or are there fork wars? Guess.

• etc

• There are now many others.

• encryptr, the spideroak one. Open source, runs everywhere as a javascript app

• keeper also offers a Linux client for their encrypted cloud password whodangle

• roboform is the oldest one here I think, (1999!), and does Linux and everything else.

• password safe (open source) has Bruce Schneier branding. It has many ports to every conceivable platform. It doesn’t seem to have a strategy for synchronising between devices.

• passopolis is an open source client/server browser-extension-based password thing.