Daniel Pocock <dan...@pocock.pro> writes:

> Therefore, how are people choosing a password manager and solving this
> in practice?

A primary criterion for my data is: Avoid depending on a service I can't quickly replicate elsewhere with all my data intact.

This tends strongly toward standard protocols, and services that are published as free software.

So, for a password manager:

* The database must be in a format already known to be readable by other, mature, well-maintained software.

  (This disqualifies an application-specific storage format that might have been readable when I first checked but doesn't remain compatible over time.)

* The encryption must be immediately available to decrypt with standard tools, using keys in a standard format and available in an obvious place to use.

  (This disqualifies software that says it supports a standard encryption algorithm but its keys or encrypted data are not right there for me to try decrypting in a hurry with standard tools.)

* The synchronisation must default to, and encourage, standard widely-implemented file synchronisation systems.

  (This disqualifies software that has a non-default option for some protocol that most of the application's users don't use; therefore it's not as widely user-tested and more likely to be unreliable when I need it.)

* The synchronisation must default to, and encourage, choosing an independently-maintained hosting provider.

  (Similar to the above: if most people default to a single hosting provider, then the federated hosting will not be nearly well tested enough to assure reliability in a pinch.)

* The synchronisation must easily and obviously allow a user to set up their own (or ask a skilled friend to set up) hosting, on at least an equal standing with other synchronisation methods.

For me, at present the best option is Password Store (a.k.a. ‘pass’).

> - which password managers have a built-in mechanism for synchronizing
> or merging password lists on multiple devices?

By setting a Git remote to a private hosted repository, all my devices can sync the password database by Git push and pull.

> - who is using some other mechanism such as Git or ownCloud to sync?

Git is not another method; it's built into the application :-)

> Some other factors that come to mind for a comparison table:
>
> - support for PGP

Password Store uses standard OpenPGP, as implemented by GnuPG.

> - support for other strong crypto (e.g. smartcard)

Don't know about this.

> - merging algorithm for multiple devices

Password Store uses a separate encrypted file for each entry, so merges are only a matter of managing a directory tree.

> - multi-user / team capabilities

I've seen discussion of this in the Password Store community; it usually comes down to managing one's GnuPG keys. Password Store allows the database to be encrypted to (i.e. unlockable by any of) multiple GnuPG keys.

> - browser integration

I prefer integration to *all* applications on the desktop: i.e., the program should simply place the passphrase in the clipboard, allowing me to paste it into whatever form I visit. That covers the browser as well.

-- 
 \     “But it is permissible to make a judgment after you have |
  `\   examined the evidence. In some circles it is even encouraged.” |
_o__)                —Carl Sagan, _The Burden of Skepticism_, 1987 |
Ben Finney
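The per-entry-file merge property and the Git push/pull sync described in the reply above, as an added example that is not part of the original thread or of Password Store itself: two simulated devices share one bare Git remote, each adds its own entry, and the diverged trees merge with no manual conflict handling. The `.gpg` files are placeholder bytes standing in for the real ciphertext pass writes, and the key id is a placeholder, so gpg is not required to run it.

```shell
# Added example, not from the original thread: two "devices" sync a
# Password Store-style tree through a shared bare Git remote, each adding
# its own entry, to show that per-entry files merge without conflicts.
# Assumption: the .gpg files here are placeholder bytes standing in for the
# real per-entry ciphertext pass writes; gpg itself is not needed for this.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_MERGE_AUTOEDIT=no   # never open an editor for merge commits

# add_entry STORE PATH: write a placeholder entry and commit it.
add_entry() {
    mkdir -p "$1/$(dirname "$2")"
    printf 'placeholder-ciphertext\n' > "$1/$2.gpg"
    git -C "$1" add -A
    git -C "$1" commit -q -m "Add $2"
}

# pass_sync_demo: prints the entry count seen by device B after the merge;
# returns non-zero if either device ends up with an unmerged tree.
pass_sync_demo() {
    work=$(mktemp -d)
    git init -q --bare "$work/remote.git"
    git -C "$work/remote.git" symbolic-ref HEAD refs/heads/main

    # Device A creates the store (.gpg-id names the recipient key in pass).
    git clone -q "$work/remote.git" "$work/A" 2>/dev/null
    echo "KEY-ID-PLACEHOLDER" > "$work/A/.gpg-id"
    add_entry "$work/A" web/example.com
    add_entry "$work/A" mail/imap
    git -C "$work/A" push -q origin HEAD:main

    # Device B clones the shared store and adds its own entry.
    git clone -q "$work/remote.git" "$work/B"
    add_entry "$work/B" web/bank
    git -C "$work/B" push -q origin HEAD:main

    # Meanwhile A adds a different entry, then pulls B's change: the two
    # histories diverged, but they touch different files, so Git merges.
    add_entry "$work/A" mail/smtp
    git -C "$work/A" pull -q --no-rebase origin main
    git -C "$work/A" push -q origin HEAD:main
    git -C "$work/B" pull -q --no-rebase origin main

    # A clean status on both sides means no conflict needed a human.
    [ -z "$(git -C "$work/A" status --porcelain)" ] || return 1
    [ -z "$(git -C "$work/B" status --porcelain)" ] || return 1
    find "$work/B" -name '*.gpg' -type f | wc -l | tr -d ' '
}
```

Two devices editing the same entry would still produce a conflict in that one file, but it stays a single-file conflict rather than a corrupted monolithic database.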