It's great people are exploring this problem space, but so far nothing comes close to https://www.passwordstore.org/ which is just a wrapper around gpg and git. It has Android/iOS clients, as well as GUI clients.
On Android I use Password Store + OpenKeychain, the UX with a YubiKey is very smooth.
I was using this for ~4 years and really liked it, but recently I've been using 1Password. I tried 1Password as it has a family plan, that didn't really work out though (getting non-technical people to use a password manager is hard - so I'll forever keep being asked "What's the Netflix password?"), but I have stuck with it for myself.
I really like the browser integration, for which there isn't anything comparable for pass. I had a bash script [0] which when run would pull the current URL from my browser, and run pass to generate or copy the password to the clipboard - but the 1Password extension is so much nicer. If I'm on a site with weird requirements I'd have to figure out the params to make pass generate a password which matched it; with the extension I just click a few buttons.
I've also got hooked on the iOS app. I didn't know there was one for pass, but it looks rather basic compared to 1Password [1]. 1Password also supports TOTP, so you don't need a separate app for that - although for security you probably should.
Maybe one day I'll get around to writing my own extension and app for pass, but for now paying $60/year is worth it for me. I don't pay for many apps/services, but this I find really worth it.
>> 1Password also supports TOTP, so you don't need a separate app for that - although for security you probably should.
It goes way beyond "probably should" regarding security. You're giving a single company not only potential access to your usernames and passwords, but also your last line of defense - TOTP generation. That combination of apps put everything in reach of one company to fuck you over.
Using a password manager that is being coded and maintained by a random everyday software company should be the only concern anyone has over even considering using such an app. That one company has the ability - whether intentionally or via being hacked - to release an update to any of their client apps that sends your entire database, decrypted to plaintext, to any server in the world.
Can you think of any scenario where someone slips in a 2-line commit to one of their client apps that sends your decrypted database to any server of their choice? We're talking about one disgruntled employee who decides they would like access to millions of users' most sensitive credentials. Or perhaps a single firewall opening or social engineering attack away.
It blows my mind that anyone would put this much trust in any for-profit password manager. Every month we hear about yet another major hack against software companies. One day soon, such a hack will happen to 1Password or LastPass, and the majority of their customers are going to have their entire lives (logins to bank accounts, government portals, etc.) exposed.
Such an eventuality cannot be defended against. It will start and end in less than 48 hours thanks to auto-updating applications, and will affect millions.
After LastPass was bought out, I went on a spree to find a different password manager and in that process, I tried almost all of them (free & paid). Nothing came close to LastPass so I decided to stick with them until they mess up.
If the worst comes to worst, I'll probably move to Dashlane (which is significantly more expensive & a bit more work to use - extensions won't work without a desktop app).
I did try 1Password, and while it was pretty good, it was never "great". By that I mean,
1. It required a desktop app to be installed to use the clients (while this is an issue with Dashlane, the 1Password windows desktop client is just weird - looks outdated, crashes etc.)
2. The 1Password Android app seemed to not have in-app password fill in (which both Dashlane & LastPass had). While it's not too much of an inconvenience, I feel like 1Password is great if you are in the Apple ecosystem.
This is not to say 1Password is "bad" by any means...I loved its Dropbox sync feature for example and its integration with Alfred on Mac was awesome!
I think you misunderstood my comment. I meant that there isn't anything comparable to 1Password's browser integration for pass (https://www.passwordstore.org/).
As an Android user, I've tried 1Password and it's pretty much the worst password experience on the platform. The Android client can't generate passwords, and it also can't cache my passphrase for any amount of time if I'm using the 1Password keyboard (which is, as far as I can tell, the only way to make 1Password fill a field). After typing my fairly long passphrase 10x a day on the fiddly 1Password keyboard with no feedback for the past few weeks, I'm switching to pass.
I understand that 1Password on iOS doesn't interact as a third party keyboard, and 1Password is an iOS/Mac app first and foremost, but that's no excuse for making their Android UX so incredibly frustrating.
I've been using passff[0] with a lot of success for an in-browser pass client with filling support and so on. Works really well.
My understanding is that Chrome makes it difficult to have this kind of thing due to its sandbox. There was some talk of exposing pass over the network locally so there were no sandbox concerns.
> If I'm on a site with weird requirements I'd have to figure out the params to make pass generate a password which matched it; with the extension I just click a few buttons.
How does this work? I don't suppose there's a micro format for password requirements? Does 1Password just have a database of password formats for popular websites?
Pass doesn't have a sane iOS app. The only app available for Pass requires a jailbreak and doesn't function on phones without Cydia, GPG, and an SSH daemon running.
You can use a hash of the site appended with a pass-wide pepper as the name of the directory storing credentials for a particular site, then use a wrapper script that hashes its input before passing it to pass.
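The hashed-directory-name idea above, as an added example that is not part of the thread: a POSIX shell wrapper for pass that hashes the site name together with a store-wide pepper before handing the entry name to pass, so a listing of the store no longer reveals which sites you hold accounts at. The wrapper name `hpass`, the helper `hashed_entry_name`, the `hpass/` prefix and the pepper file path are assumptions; it assumes `pass` is installed.

```shell
#!/bin/sh
# Added example, not from the thread or the pass project. The directory
# layout of a pass store is NOT encrypted (only the .gpg contents are), so
# plaintext entry names such as bank.example/alice leak which sites you use.
# This wrapper stores entries under hpass/<sha256(site + pepper)> instead.
# Pepper file path is a hypothetical default; generate it once with e.g.
#   head -c 32 /dev/urandom | base64 > ~/.hpass-pepper && chmod 600 ~/.hpass-pepper
HPASS_PEPPER_FILE="${HPASS_PEPPER_FILE:-$HOME/.hpass-pepper}"

# Portable SHA-256 over stdin: coreutils sha256sum on Linux, shasum on macOS.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# hashed_entry_name SITE PEPPER -> prints the on-disk pass entry name.
# The site is lowercased and stripped of scheme and path so that
# "https://Example.com/login" and "example.com" map to the same entry.
hashed_entry_name() {
    site=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's#^https\{0,1\}://##' -e 's#/.*$##')
    pepper=$2
    [ -n "$site" ] || { echo "hashed_entry_name: empty site" >&2; return 1; }
    [ -n "$pepper" ] || { echo "hashed_entry_name: empty pepper" >&2; return 1; }
    # Site and pepper are hashed together; without the pepper an attacker who
    # sees the filenames cannot simply hash a list of popular sites and match.
    printf 'hpass/%s' "$(printf '%s\n%s' "$site" "$pepper" | sha256_hex)"
}

# hpass SUBCOMMAND SITE [extra pass args...]
#   hpass generate example.com 24    # creates the entry with a 24-char password
#   hpass show example.com           # decrypts and prints it
#   hpass rm example.com
hpass() {
    sub=$1; site=$2; shift 2
    pepper=$(cat "$HPASS_PEPPER_FILE") || { echo "hpass: cannot read $HPASS_PEPPER_FILE" >&2; return 1; }
    name=$(hashed_entry_name "$site" "$pepper") || return 1
    pass "$sub" "$name" "$@"
}

# Only act as a CLI when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then hpass "$@"; fi
```

The mapping is one-way, so keep a separate note of which sites you have stored, or you will have to guess them back; `pass ls` will only show the hashes.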
This is all a lot of effort, if I went down that road I might as well skip "pass" and handle the passwords myself. What I like about pass is that there isn't much setup.
Full disk encryption also doesn't prevent a running application from seeing the directory structure. But I guess this is not a very realistic attack vector.
Not to shamelessly self-promote, but if you like pass but hate GPG, then I already built you a command line password manager that is almost exactly the same as pass.
It can securely save files, generate passwords, save passwords and optionally can sync using git.
GPG is well known to have a very clunky interface. It also is based on very old crypto (we know it works against the NSA, but we also know that it has problems that other crypto doesn't).
I don't think it supports any browsers via plugin. You use a separate app to unlock your keychain, it places the relevant password on your clipboard and then it clears the clipboard 30s later. Very simple and therefore avoids a whole bunch of vulnerabilities other password managers (like LastPass) introduce by integrating with browser plugins.
https://fossdroid.com/a/openkeychain.html https://fossdroid.com/a/password-store.html