We have to make our security-related decisions with a critical mindset, because even if the systems we use are secure, we may still be prone to hacking.
Interacting with computers requires some measures to get the most out of the relationship. One of these measures is using strong passwords, which should satisfy the strict criteria we have all encountered: mixing letter cases, using numbers and other characters, and, on top of that, being long 😑.
Choosing even one strong password is troubling enough, not to mention creating countless passwords for all the sites you visit. All of this encourages people to take shortcuts, and in security, shortcuts mean vulnerabilities that directly impact the system.
One of the best ways to counteract this tedium without compromising security is to use a password manager.
A password manager is software that stores passwords securely alongside other functionality such as autofill.
A good password manager must be trustworthy. If you can’t trust the software with your own passwords, you won’t use it.
Trustworthiness can’t be granted entirely by word of mouth, yet open-source software assures a very high level of transparency: you can see and inspect the source code and know exactly how it performs its job.
Open-source projects are often free. Unlike their counterparts, they are driven by the community, not profit. That means even if you are not tech-savvy, you know that many people have seen the code and approved of it; and if they find any issues, they fix or report them. This adds a lot of reliability, which is especially important for password managers.
Which Is the Best Open-Source Password Manager? Overall Recommendations.
Based on our experience (and very biased personal preferences), the best free and open-source password managers are Bitwarden and KeePass (specifically KeePassXC, which we cover below). This list is not exhaustive, and if you have other open-source password managers you’d like us to feature, let us know.
- Bitwarden – Possibly the most popular open-source password manager. It has a quick setup, smooth user experience, cross-platform compatibility, and is user-friendly. It has a fantastic free plan (that some of our staff also use) with excellent features and an affordable paid plan for extra features. It can be cloud or self-hosted. It gets a lot of love from HN users.
- KeePass (specifically KeePassXC) – Another very popular password manager preferred by advanced users who want more customization options (and there are many, along with lots of plugins). I personally use it. It has more of a learning curve, but the payoff is huge.
- LessPass – It’s somewhat different because it doesn’t save passwords in a vault. It derives them from your username and website URL. Comes with a simple and easy-to-use UI. It’s not very convenient for many users. However, there are users who prefer this type of password manager.
- Passbolt – A password manager primarily aimed at teams. It’s got a great number of features. The free version is only self-hosted, and if you want it in the cloud hosted by Passbolt, you have to switch to the paid plan. (It has some great reviews in this HN Thread)
What Is a Password Manager?
A password manager is software that stores your passwords securely by encrypting them. Also, most good password managers offer password generation and autofill services.
Encryption is a powerful way to secure credentials: if anyone tries to open the database without the master password, all they get is random-looking data, which is nonsensical and of no value.
Essential features of a password manager:
- Security: it has to be secure as its main purpose is storing passwords.
- Transparency: knowing how the software works provides more trust.
- Organization: Hierarchical categorization of your passwords for convenient and speedy reach instead of endlessly scrolling down a list.
- Various login methods (master login), such as two-factor authentication for extra security or biometrics for even easier access to your passwords.
- Ease of use: as with any other software, it has to be convenient to use.
- Autofill services: alongside saving passwords, this is a great feature to have. Some password managers also save complex form information, so you don’t have to re-enter your data each time you fill an online form: the manager detects the website you’re on and offers to fill in the relevant information for you.
Benefits of using an open-source password manager
We have covered almost all the essential points about open-source software and how they contribute to a password manager’s trustworthiness. Yet there are other points we have to mention:
- Many developers contribute to the software, which makes it hard for bugs or other issues to go unnoticed.
- Security professionals also audit the code for vulnerabilities, making breaches less frequent than in closed-source software.
- You know that besides you, many other people are using the software, as free and open-source software often has wide communities and fan bases.
- Open-source software provides you with the source code, which is free to use, edit, and redistribute. You can compile the source code yourself to ensure a tamper-free version of the software.
Top Open-Source Password Managers
Among the best, there are always elites and leaders. In this section, we review the top open-source password managers out there.
Bitwarden
Bitwarden is one of the best open-source password managers out there. It has many wonderful features that are hard to find in other open-source password managers.
It’s also the password manager some of the other staff here use, and they highly recommend it.
You’ll also find many discussions about Bitwarden on HackerNews, and you may notice many users praising it in the comments.
From universal access (Bitwarden is cross-platform) to its great UI and ease of use, it covers everything alongside the traditional password-manager features.
Bitwarden is freemium software; it has a free plan that you can use right now, hassle-free.
The free plan offers some great features, such as Send and a two-person organization, which lets you securely share passwords between the two parties.
Paid plans come with great features at an affordable price: you get 1 GB of encrypted file attachments, advanced 2FA, emergency access in case you lose your master password, and an advanced password strength testing tool.
- Open-source: you can see Bitwarden’s source code on GitHub.
- Cross-platform: it is available for Windows, macOS, Linux, various web browser extensions, Android, CLI, and a web interface.
- Cloud-based or self-hosted: you can either use the cloud-based version for easy setup and access your passwords from anywhere right away, or self-host it if you prefer to be the only one with access to your data.
- AES-CBC 256-bit encryption for all vault data, and a blend of SHA-256 and PBKDF2 to derive a key from your master password.
- A strong hash function with a high number of rounds hashes your master password before it is saved in their databases.
- Ability to use device-native login methods such as biometric unlock.
- It has a great autofill service.
- Folders: you can use folders to organize your passwords.
- Password strength testing and password generation tools.
- Sharing text: via Send, you can send text to whoever you want for free.
- Password sharing: a two-person organization account is free, and its members can share passwords securely with each other. The paid version for 6 members costs just $3.33/month.
- Use of top open-source cryptographic libraries instead of creating their own implementations.
Besides these features, some of the best magazines have recommended Bitwarden as the best free password manager.
KeePass
KeePass is a totally free and open-source Windows-based password manager that officially supports Linux and macOS through Mono and Wine. There are also other KeePass-based projects that aim to provide a better user experience and cross-platform support.
KeePass’s user interface isn’t the best out there, but there are great alternatives such as KeePassXC.
Unlike cloud-based password managers, KeePass creates a local AES 256-bit encrypted database, which can be used with all KeePass-based software, meaning you have complete control over your passwords. On the other hand, if you lose the database for whatever reason, all your passwords are gone forever, so you have to back it up regularly.
You can use either Kee Vault, if you want a ready-to-use auto-syncing application based on KeePass, or KeeWeb, which lets you save the database in the cloud service of your choice (Google Drive, OneDrive, or your own server). KeeWeb takes care of syncing changes automatically.
How to Use KeePass
- It is best to download the portable package.
- Then unzip the file and open the extracted folder.
- Create a new database (CTRL+SHIFT+N).
- Tick “Show expert options.”
- Under “Key file,” press the “Create” button (a key file adds more security to the database).
- Another screen then shows the database settings; for example, you can change the number of iterations for the key derivation function.
- Completely free and open-source.
- Relatively old, which means it has survived many years without being breached!
- Although KeePass isn’t cross-platform per se, other software based on it can use the same files.
- Local encrypted database: nothing ever leaves your device.
- Autofill service: KeePass offers a great autofill service, alongside clipboard management capabilities.
- A very wide range of extensions/plugins to extend functionality, such as OTP authentication code extensions, backup extensions, import/export, and other cryptography-related extensions.
- There are some great alternatives such as KeePassXC.
- OTP authentication codes: one-time authentication codes are a great way to mimic hardware OTP devices.
- KeePassXC: the best client variant for Linux and macOS, also available for Windows. It has more features, such as configuring how many key derivation rounds to use, besides its beautiful UI.
- KeePassDX: a client for Android with similar features to KeePassXC; its latest version has a solid password meter measuring the entropy of your password, in other words how random it is, along with a great autofill service.
- KeePassDroid: a basic Android client that provides just reading/writing functionality, which is supposed to be safer.
- Strongbox: a beautifully designed application for Apple users; it can be installed on macOS, iPhone, and iPad.
- KeeWeb: a great web application based on KeePass; it has a beautiful UI with extended functionality. Make sure to give it a try.
- Kee Vault: if you don’t want to install or download any software, you can use Kee Vault. They offer a 30-day free trial, then charge £20 a year.
- kpcli: a command-line interface for KeePass, available for almost all Linux distros and BSD, with a binary for Windows.
- KeePassJava2: a Java 7 API for KeePass that is also compatible with Android.
KeePassXC
A successful attempt to create an appealing UI with KeePass-level security and more added features such as enhanced drive capabilities and SSH support.
I personally use KeePassXC for advanced password management capabilities such as complex auto-types, and KeePassDX for Android because it’s beautiful without sacrificing any functionality (it even supports OTPs).
I also use an open-source browser extension called KeePass Tusk for logging in on the go. Using a browser extension is also more secure than desktop applications, as it prevents password leakage while the database is open. Tusk is available for Google Chrome and Mozilla Firefox.
I want to emphasize just one feature: auto-type. You can add more fields (called attributes in KeePassXC) to any entry and name them as you wish. For example, I added three more fields to demonstrate how advanced form-filling can be achieved with KeePassXC.
Then you use these attributes to create a template (called a sequence in KeePassXC) that is used to fill your forms; you can find more about that here.
To perform the actual auto-type, open the form, then ALT+TAB to KeePassXC and press the keyboard icon in the toolbar (or use the shortcut CTRL+SHIFT+V), making sure the entry you created earlier is selected.
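To make the attribute-and-sequence mechanism concrete, here is an added model of how a sequence template is expanded into keystrokes; it is illustration code, not KeePassXC’s own implementation. The {USERNAME}/{TAB}/{S:Name} notation follows KeePass-style placeholder syntax, the entry with its three custom attributes is constructed sample data, and the window-title rule is an assumed safeguard modelled on KeePass’s window matching.

```javascript
// Added example (not KeePassXC's code): a model of how an auto-type sequence is
// expanded against an entry's standard fields and custom attributes. The
// {PLACEHOLDER} / {S:Name} notation follows KeePass-style syntax; the entry,
// its three attributes and the window-title rule are constructed sample data.

const STANDARD = { USERNAME: 'username', PASSWORD: 'password', URL: 'url', TITLE: 'title' };
const KEYS = new Set(['TAB', 'ENTER', 'SPACE']);

// Split a template into literal text and {...} references.
function tokenize(template) {
  const tokens = [];
  let i = 0;
  while (i < template.length) {
    if (template[i] === '{') {
      const end = template.indexOf('}', i);
      if (end === -1) throw new Error(`unterminated placeholder at offset ${i}`);
      tokens.push({ type: 'ref', name: template.slice(i + 1, end) });
      i = end + 1;
    } else {
      let j = i;
      while (j < template.length && template[j] !== '{') j++;
      tokens.push({ type: 'text', value: template.slice(i, j) });
      i = j;
    }
  }
  return tokens;
}

// Resolve tokens into keystroke actions. An unknown placeholder or attribute is
// an error rather than being typed literally, so a typo in the sequence can
// never send a field name, or the wrong field, into a form.
function expandSequence(template, entry) {
  const actions = [];
  for (const t of tokenize(template)) {
    if (t.type === 'text') { actions.push({ type: 'type', value: t.value }); continue; }
    const name = t.name.toUpperCase();
    if (KEYS.has(name)) {
      actions.push({ type: 'key', value: name });
    } else if (name in STANDARD) {
      actions.push({ type: 'type', value: entry[STANDARD[name]] ?? '' });
    } else if (t.name.startsWith('S:')) {
      const attr = t.name.slice(2);
      if (!(attr in entry.attributes)) throw new Error(`entry has no attribute "${attr}"`);
      actions.push({ type: 'type', value: entry.attributes[attr] });
    } else {
      throw new Error(`unknown placeholder {${t.name}}`);
    }
  }
  return actions;
}

// Window association (assumed safeguard, modelled on KeePass's window matching):
// keystrokes go only to a window whose title matches the entry's pattern,
// where '*' is a wildcard. Without it, auto-type would type credentials into
// whatever window happens to have focus.
function windowMatches(pattern, title) {
  const parts = pattern.split('*').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(title);
}

// Returns the keystroke plan, or null when the active window is not a match.
function autotype(entry, activeWindowTitle) {
  if (!windowMatches(entry.window, activeWindowTitle)) return null;
  return expandSequence(entry.sequence, entry);
}

// Constructed sample entry with three custom attributes used in its sequence.
const SAMPLE_ENTRY = {
  title: 'Payroll portal',
  username: 'alice',
  password: 'S3cr3t!',
  url: 'https://payroll.example',
  attributes: { 'Employee ID': '4471', 'Department': 'Security', 'Cost center': 'CC-12' },
  sequence: '{USERNAME}{TAB}{S:Employee ID}{TAB}{S:Department}{TAB}{PASSWORD}{ENTER}',
  window: '*Payroll*',
};

console.log(autotype(SAMPLE_ENTRY, 'Payroll portal - Login - Mozilla Firefox'));
```

Two design choices matter here. A reference the entry cannot satisfy aborts the whole sequence instead of typing something approximate, and the sequence only runs against a window whose title matches the entry, which is the check that keeps a password from being typed into a chat window that happened to grab focus between ALT+TAB and the shortcut.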
Another great feature is sharing passwords; you can read about it in the user manual.
LessPass
It was a very strange idea to grasp at first glance: a password manager that doesn’t save the passwords.
Yes, LessPass doesn’t save a single password. It is actually more of a password generator, so powerful that you only need to remember a master password, your username, and the URL of the service you are accessing (the username and URL will be stored on the LessPass server without encryption if you create an account).
It works in a different way from other password managers. The data you provide (site, username, master password, and other password-related options such as letter case and length, and a counter used to determine how many times these are hashed) is jointly used to derive a unique password using a hash function.
Anyone who doesn’t know your master password (as they shouldn’t) can’t derive your passwords, no matter what!
Unfortunately, LessPass doesn’t have advanced capabilities such as autofill, and the data they save on their servers isn’t encrypted at the time of writing. But it is a great password manager nonetheless.
- Stateless passwords: unlike other password managers, LessPass generates strong passwords and never saves them.
- Collision-resistant password generation: it is impossible to get your password without knowing the full parameters.
- Easy-to-use UI: its web UI is intuitive and easy to understand.
- Never storing your master password: passwords are computed on the fly from the master password, but the master password itself isn’t stored (except if you create an account).
- Configurable parameters: besides your master password, you can configure the length, the characters included, and the number of rounds for added security.
- Android app: alongside its web UI, there is a beautiful mobile application for on-the-go use.
Passbolt
This is a great option for companies and teams, as you self-host your passwords on your own server. There is also a paid plan where you don’t have to go through the hassle of hosting Passbolt yourself (self-hosting is straightforward, but it is still the hardest way to get a working password manager of all those mentioned so far).
It is built for teams, so it has great password-sharing capabilities, unlike the other software we’ve considered so far.
Passbolt uses end-to-end asymmetric cryptography such as OpenPGP, which is really better than AES for sharing small files. Asymmetric keys mean only the intended receiver can decrypt the messages; not even the sender can.
Getting Passbolt to work is quite easy: use Docker, so you don’t have to think about system-specific requirements.
After installation, you can use either the Passbolt web interface from any browser or the browser extensions.
- Open-source password hosting system: you host your passwords on your own servers and have complete autonomy over them.
- Easy sharing: built with teams in mind, so it is easy to share passwords.
- Secret-based sharing: you don’t need to share the whole vault, just what you want to share.
- Cross-platform: using Docker you can easily start the password server; clients include browser extensions and an Android application, and desktop applications are on the way.
- Asymmetric cryptography: as discussed earlier, it is the best security option for sharing small texts such as passwords securely over the network.
- Very customizable, thanks to many themes.
- Cloud service: if you like Passbolt and don’t want to host it yourself, you can subscribe to cloud hosting by Passbolt, with 14 days free.
| Password Manager | Encryption | Cross-platform | Usability* | UI | Autofill | Password Generator | Password Meter |
|---|---|---|---|---|---|---|---|
| Bitwarden | AES-CBC 256-bit | Windows, macOS, Linux, browser extensions, Android, CLI, and a web app | 10 | Beautiful but not customizable. | Great autofill service, and supports complex forms. | Great password generator. | Very basic for free accounts, but the paid subscription has an advanced one. |
| KeePass | AES 256-bit (local database) | Windows (Linux and macOS through Mono); other KeePass-based projects are available for almost all platforms | 5 for KeePass, 9 for KeePassXC and KeePassDX | Ugly, but KeePassXC and other projects are beautifully made. | Functional autofill; for complex forms you have to do some work! | Also great. | Great password meter, especially using some extensions; KeePassXC and DX have a great one on the go. |
| LessPass | Stateless (no encryption needed) | Web application and Android application | 6 | Bearable. | No autofill service. | Collision resistant; LessPass itself is a password generator. | No password strength testing mechanism. |
| Passbolt | OpenPGP | Hosting supports almost all platforms; clients are available as web extensions, an Android application and soon desktop applications | 8 | Beautiful and very customizable through themes. | Functional autofill service. | Very easy to use generic password generator. | It has a basic meter that tells you how strong your password is. |

*Usability is on a scale from one to ten, with ten being the most usable and one the least.
From a security point of view, it is better to use a password manager than to take shortcuts around security, as hackers can exploit such behaviors to guess your password, and they often do a terrifying job of it.
Using a password manager with a strong master password will save you more time and effort than shortcuts, and without creating a security flaw!
Open-source password managers ensure transparency, which is essential for trusting the software. I wouldn’t ever trust closed-source software with my passwords, as I don’t know how they handle them.
If you want a simple, reliable, cross-platform tool with a great user experience, Bitwarden is the go-to: use the free plan, or even the paid plans, which are worth every dime.
For more advanced users who would like to configure everything themselves, KeePass is the best option. If you give yourself time to climb its learning curve, the payoff is huge, with great features such as complex forms, one-time-password authentication, and even more through its plugins.
LessPass’s idea of not saving your passwords at all is appealing; you know for sure that not even the most resourceful hacker can derive them without your (must-be-unbreakable) master password, as math never lies. This level of security comes with a simple web UI and an Android app, without any extras.
Passbolt is great for teams and people who find themselves sharing passwords often. With European privacy standards and an open-source philosophy, Passbolt ensures your complete ownership of your passwords.