r/PasswordManagers

Password manager question

Hello there,

I'd like to switch all my passwords to a Password manager, such a Proton or Bitwarden.

But I'm using multiple devices regularly (Home PC, mobile, laptop and work computer) on which I'm regularly loging to multiple accounts.

How does the password manager work with multiple devices ? From what I understand, I need to install the software/app on all devices and login in on the password manager, and from there the password manager can retrieve the password, right?

Is it possible to log to a computer on which I'm not logged in on the password manager app from time to time, for example using the app on mobile like a 2FA or something?

Sorry, this question might seems stupid but I have a hard time finding this information!

reddit.com
u/Adurnha — 19 hours ago

Trying to choose between Apple Passwords and Bitwarden

I recently started reorganizing my digital security and separating my online accounts. As part of that process, I also decided to strengthen my security by buying a Yubico Security Key C NFC.

The problem is that I'm still not sure which password manager I should use. At first, I settled on Bitwarden, but Apple's Passwords app is very appealing because it integrates seamlessly with the rest of my main devices and would allow me to avoid relying on third-party software. On top of that, once I buy a second security key as a backup, I'll be able to use them to better protect my iCloud account.

On the other hand, I do have a Windows PC that I use occasionally, and that's where Apple's password manager could become inconvenient.

However, when I think about the accounts that are actually the most critical, such as banking and financial services, none of them can really benefit from a hardware security key. Banks don't support FIDO2/WebAuthn and instead require their own authentication apps, mainly because of European regulations. As far as I know, the Spanish public administration doesn't support this standard either and my YubiKey can't be used with my FNMT digital certificate.

So I'm wondering whether Bitwarden is actually worth the extra complexity in my situation, or if Apple's Passwords would be the more sensible choice.

P.S. A third option would be to return the YubiKey altogether.

UPDATE

Thanks everyone for your replies, but I've decided to return the YubiKey.

I think the FIDO2 standard is really promising because of its passwordless approach, and I believe that's the direction authentication should be moving toward. However, the current implementations haven't convinced me, and I couldn't justify buying a second key just to use a hardware security key with my Apple account. 

I also wasn't aware until today that if a service allows alternative sign-in methods alongside a hardware security key, the overall security of the account is ultimately limited by the weakest authentication or recovery method that's enabled...

reddit.com
u/Shockadelica_ESP — 2 days ago

Password manager/Secure Notes recommendation

Hi! So my phone died recently and it's unsure whether they can repair it yet. But for the future I'd like a password manager-y app, that works on Android, iOS and Windows, synces changes but can be viewed offline. That lets me track not only passwords, but pins or any other sensitive data which I can lock with a password or biometrics. Preferably for free. AI recommended me these apps: Proton Pass, Bitwarden, Zoho Vault, Avira, AuthPass, Keepass, Buttercup, LastPass, Enpass, Standard Notes - any experience with these?

I used to store my sensitive data in a hidden notes file that required biometrics but I heard that's not the safest option out there.

reddit.com
u/VDani04 — 2 days ago

Dumb question, but should I move all my passwords from Apple notes to a password manager?

Currently all my account info and bank info are on my apple notes… I have those notes locked but feel like it’s easy for thiefs to decrypt 😂 should I only store my passwords and sensitive information on a password manager like Apple Passwords?

reddit.com
u/regular_asian_guy — 3 days ago

Offline deterministic password generator in Go — looking for security/UX feedback

I built a lightweight offline deterministic password generator in Go.

The idea is simple: I wanted a way to generate strong account-specific passwords without storing the generated passwords themselves, and without needing a server, account, or cloud sync.

How it works:

  • You create one local encrypted vault seed
  • The seed is encrypted with a master password
  • Passwords are regenerated from:
    • master password
    • encrypted local seed
    • platform
    • email
    • counter/version
  • Generated account passwords are not saved

It uses Argon2id, XChaCha20-Poly1305, and HMAC-SHA256. It is cross-platform: macOS, Linux, and Windows.

GitHub:
https://github.com/Falcn8/acctpass

I’m not trying to claim this replaces audited password managers like Bitwarden, 1Password, or KeePass. It does not do browser autofill, sync, sharing, passkeys, recovery, secure notes, etc. It is more of a small offline CLI for people who like deterministic/local tools.

The project is MIT licensed and unaudited. I’d really appreciate feedback on:

  • the security model
  • cryptographic design
  • CLI UX
  • README clarity
  • release/download process
  • anything that looks risky or misleading

I’m especially interested in criticism before I polish it further.

u/hexaon_ — 3 days ago

bitwarden vs proton pass: which autofill actually works?

stuck between bitwarden and proton pass right now. tbh i just want something that doesn't suck at autofilling and saving new passwords. tired of fighting my phone or browser just to log into basic stuff. which one has better daily integration right now? i don't really care about the ultra-hardcore privacy debates, i just need a manager that actually triggers the autofill when it's supposed to without making me want to throw my phone at the wall. any thoughts?

reddit.com
u/Klutzy_Emergency_346 — 4 days ago

Migrating a small company off LastPass to Passwork after the latest breach, few things im unsure about

The Lastpass Klue breach news last month were the final straw for us, and tbh it's long overdue. Our vaults weren't touched but it's the 8th incident since 2011 so...time to go. We're migrating to Passwork, it has the features we need for audits and EU residency regulations (we’re EU-based, inferrably).

Im handling the migration (and yes Ive been stuck on it for nearly 2 weeks) and have a couple of things I want your guys' opinions on:

-How long, if at all, should I run both vaults in parallel for a while or should I just rip the bandaid off?

-Do you have any importation advice overall? Im afraid that I'll omit stuff, carry over duplicate URLs, that type of thing.

Im kinda new to both the company and the job post itself so this is my first time migrating. I appreciate any advice, especially ones you wouldnt typically find in migration forums (because I read ALL of those already haha).

reddit.com
u/Sbaakhir — 3 days ago

Bramble: Open source, local-only password manager - Now on Android!

Couple weeks ago I posted about a PM that I'm developing, Bramble. Initially I released the Chrome extension, but recently I also published the Android app and iOS is pending Apple's approval. Besides that, the latest version also includes passkey storage for all platforms!

About Bramble

  • Free, open source, GPLv3 licensed
  • Local password manager, no cloud storage
  • Peer-to-peer sync between your extension and devices via a Nostr relay (can be self hosted)
  • EVERYTHING encrypted with AES-256-GCM - zero metadata leakage
  • Smart autofill (username, password, TOTP, credit cards)
  • Auto form submit for passwords of your choice
  • TOTP storage
  • Passkey storage
  • Unlock with security key (Chromium) or biometrics (mobile)
  • Import from 1Pass, ProtonPass, Bitwarden, KeePass
  • Very fine-tunable settings

Android app:

I'm still deciding whether to publish the app on Play store or simply provide the signed APK which users can sideload. Reason for that is Google's plan to lock down Android and take away ownership from its users. Read more about it here: https://keepandroidopen.com/

The app uses no Play APIs whatsoever and will perfectly perform in GrapheneOS, where I actually did all my testing.

I'm primarily building this as an alternative for cloud-based password managers who are constantly raising prices and heading towards enshitification. With Bramble you own your data.

https://github.com/flythenimbus/bramble

https://chromewebstore.google.com/detail/bramble/kmokhdhoggbdcgoepifeckhgbfakaknm

Questions, feedback, feature requests - all welcome!

reddit.com
u/MegagramEnjoyer — 3 days ago
▲ 8 r/PasswordManagers+1 crossposts

An idea for a plausibly deniable vault on your phone

Mods: I'm the developer - Delete if deemed self-promotion (this is totally free)

This is version 3 of an idea I've had bubbling around for a while. A locker on your phone that is 1) Deniable (nobody can prove any data is there - like Veracrypt), 2) Resists on-device tampering/forensics, 3) Resists coercion.

Features include:

  1. Decoy vaults can destroy real vaults (someone coerces you to open the vault, there is no way to know if you are opening a decoy vault or not and a decoy vault can set the other vaults to automatically wipe)
  2. Location-based vaults can only be opened within a geo-fenced area. An attacker would physically need to take you to a location (anywhere on earth) before the vault opens. This is akin to burying the information physically. An attacker with GPS spoofing capability would still need to know "where" to spoof to and also would have no way of knowing if it's a destructive decoy
  3. The information is stored on the phone in a container that appears to be random noise. There is no trace of where there is real (or decoy or none at all) data within the container.
  4. Fully uses all the iOS secure enclave features but also adds Argon2id to the key algorithm.
  5. Nothing ever leaves the device, functions fully off-network. The geo-fencing does require GPS access which should be global.

All features available for free - If you like it, you can buy me a coffee via an in-app purchase.

geolocker.app
u/ambanmba — 5 days ago
▲ 26 r/PasswordManagers+2 crossposts

Looking for recommendations: Best Free vs. Paid Password Managers in 2026?

Hi everyone,

I’m currently reviewing my security setup and looking for a reliable password manager. I would love to hear your personal recommendations:

  • Free tier: Which free password manager do you consider the most secure and feature-rich without annoying limitations?
  • Paid tier: If it’s worth paying for, which one provides the best value, reliability, and security features?

I prioritize ease of use and cross-platform syncing. What are you all using currently and why?

Thanks in advance!

reddit.com
u/Next-Increase3748 — 6 days ago

Lastpass told me to delete my account because they fucked up - Where should I go?

I had a yearly subscription to lastpass that renewed last week and that their browser extension and app both refused to acknowledge. When I contacted support their choice was to tell me to delete my account and make an entirely new one, and that they could or would do nothing to help me receive my premium.

So, I don't think I'll be using them any longer, because what the fuck was that? What do you mean my entire account is unusable because of an error on their side? Lol. That and all the breaches, it's just too much, and while I CAN still use it free it does make using apps/chrome on my phone a hell of a lot more cumbersome.

I'm looking for an alternative that's available both on chrome and on android, if possible. I have memory loss issues so lastpass being able to sign me into apps was a godsend.

reddit.com
u/Gluttonace — 6 days ago

🔐 We Need Better Password Guidance, Not Just Password Rules

Almost every website tells us how to create a password:

✅ Minimum length requirements

✅ Uppercase letters

✅ Lowercase letters

✅ Numbers

✅ Special characters

But very few tell us what NOT to use.

Many users create passwords that technically satisfy all these requirements but still include predictable information such as:

❌ Name

❌ Date of Birth

❌ Birth Year

❌ Mobile Number

❌ Address

❌ Pet Names

❌ Family Names

❌ Favorite Things

From a cybersecurity perspective, these passwords can become easier to crack, guess, or predict when an attacker performs reconnaissance and gathers publicly available information about a target.

A password may look "strong" to a website's validation system while remaining highly predictable to an attacker.

The reality is that most password policies only verify whether certain character requirements are met. They cannot reliably determine whether a user has included personal information in the password.

That is why organizations should consider adding a simple advisory during account creation:

⚠️ Avoid using personal information such as your name, date of birth, phone number, address, family names, or other publicly known details in your password.

Organizations may not be able to technically validate all of this information, but providing this guidance can help users make better security decisions.

This is a small step, but in a world where cyber threats continue to evolve, small awareness measures can have a significant impact on digital safety.

🔐 Security is not only about creating complex passwords.

🔐 Security is about creating unpredictable passwords and passphrases.

Should organizations do more than just enforce password complexity rules?

What additional guidance would you like to see on password creation pages?

What do you think should be added to password creation pages that most websites overlook today?

#CyberSecurity #PasswordSecurity #InfoSec #DigitalSafety #CyberAwareness #EthicalHacking #Privacy #OnlineSecurity #CyberDefense

reddit.com
u/GetAvyrix — 5 days ago

Just got another breach email from LastPass, what is actually the most secure password manager right now?

just got the email from LastPass about the Klue breach. third time something like this has happened since I've been a user. I know the vaults weren't touched this time and it came through a third party, but at this point it's becoming a pattern that's hard to ignore.

what gets me is that I moved to LastPass years ago because it was supposed to be the safe choice. now every year or so there's another email in my inbox.
and it's not just LastPass.

Bitwarden had the CLI supply chain incident in April. Dashlane had a 2FA brute force attack recently. even tools people consider bulletproof have had close calls.

I'm not trying to be dramatic about it but when you're trusting something with every password you own, "the vaults were safe this time" stops being reassuring after a while.

genuinely asking, is there a password manager that has actually never had a meaningful security incident? and what criteria do people actually use when deciding one is secure enough to trust long term? open source, audits, jurisdiction, zero knowledge, all of it feels important but I can't figure out how to weigh them against each other.

reddit.com
u/Emergency_Stop_9882 — 7 days ago

How to sync like a pro

How do you do the syncing? I like using keepassxc on my laptop and the android app is just lovely (KeePassDX). I am currently saving the file in my google drive and connecting directly to that. However i face 3 issues with this.

  1. My google password is stored in keepass itself, so if I am on a fresh device with no access to my other devices, I am pretty much locked out. I do not want to go through the process of a reset for this situation.

  2. The database closes very quickly because its connected directly to gdrive. This means I have to reenter my master key every minute or so. This downgrades the experience of using a password manager to quickly fill in passwords (I have mine in highest security and its connected to gdrive, takes about 20 seconds to open the database on my mobile)

  3. I want to maintain only one databse for all my accounts, however the accounts are split between work and personal profiles in my android. So accessing the db on my other profile is a headache.

Are there any tips for syncing the db like a pro?

reddit.com
u/GreedyStomach7107 — 6 days ago

read the ETH zero-knowledge paper today and now im questioning everything. how do you tell real zero-knowledge from vain marketing?

Ive been maintaining Passwork on-prem for my company for a while now, though I wasnt the one to implement it, it was the guy that the employee before me picked it for the company. I have no problem with it and I like some features like exportable audit logs. Though recently just out of curiosity I've started doing some research on what password managers should and shouldn't do/have so I went down a rabbit hole and a term that intrigued me is, well you guessed it, zero-knowledge, and I came across the ETH Zurich paper (the USENIX 2026 one, here: https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html) and it kinda broke my brain. I've been reading about zero-knowledge architecture for the last few hours trying to figure out what the term even means in practice, because the more I read the more I think the label has been stretched beyond recognition. What keeps tripping me up:

-Vendors that encrypt vault contents but store URLs and site names in plaintext "for autofill performance." Zero-knowledge, except the vendor knows every site every user logs into and when.

-Tools advertised as zero-knowledge that also offer email-based "account recovery." By definition there has to be a backdoor for that to work, but the marketing copy doesnt mention it.

-The ETH finding itself: cloud vaults where the client retrieves the server's public key during enrollment without out-of-band verification. A malicious server hands the client an attacker-controlled key and the client cant tell.

So now im trying to figure out how you actually identify zero-knowledge when you see it. My questions are:

-Is there a clean technical definition of zero-knowledge that holds up across implementations, or is the term inherently (and maybe even purposefully) undefined/fuzzy?

-What feature or design choice immediately disqualifies a vendor from honestly claiming zero-knowledge in your view? (recovery flows, plaintext metadata, server-side key derivation, something else?)

-When evaluating a new password manager, what's the fastest test you apply to call BS on a "zero-knowledge" marketing claim before you go deeper into the docs?

-Most importantly, is "zero-knowledge" even the right thing to be optimising for, or is it a marketing label that distracts from threat models that matter more in practice?

Thanks

u/Sbaakhir — 8 days ago
▲ 3 r/PasswordManagers+1 crossposts

Local-first password management: what is missing from current tools?

I am researching password-management habits among people who prefer local-first or non-cloud software.

The question is not whether everyone needs another password manager. I am trying to understand a narrower case:

- people who dislike vendor-hosted vaults

- people who do not want another account

- people tired of subscriptions

- people who like local files but find current tools too much work

If you use KeePass/KeePassXC, browser storage, Apple/Google Passwords, paper, notes, or something else, I would like to understand what still feels annoying or risky.

I made a short anonymous survey here:

https://tally.so/r/yPgWd0

It takes about 4-6 minutes. Comments here are also useful, especially if your answer is "existing tools are already enough."

u/SavingsArt7949 — 9 days ago
▲ 595 r/PasswordManagers+3 crossposts

Building a usb password manager using an RP2040

Building using an RP2040 and CH32v003 for power handling with tinyusb and picorvd.

The device has 2 modes, Inject and Edit. For inject I just chose the password I want, plug it in, and click the button. The computer sees the device as a keyboard and directly injects keystrokes wherever I have the cursor. Edit makes the device spoof a flash drive. I can drag passwords directly onto the device in plain text. They just sit in ram until you click eject at which point the device pumps the passwords through an encryption algorithm (pin derived pbkdf2 through aes), stores them directly on flash and zeros out the ram partition. This means the device needs no proprietary software at all and just piggy backs off of whatever OS you plug it into. And since the device contains no radio, bluetooth or wifi, the contents are only accessible to whoever has the device in their hand.

It is battery powered and charges whilst plugged in so that you can navigate the ui without messing up the USB ports on the computer, and never have to worry about charging. I also added an accelerometer so that the screen flips based on the way you're holding it. I haven't gotten the USB C port to work yet but the device HAS been tested on ios and android through a USB A to USB C adapter. Editing and Injecting both work fine.

A couple of things I want to add in the future: I want to add a hardware security chip like the SE050 that nukes the key after n attempts to make it uncrackable unless you know the code or can guess it in 5 attempts. That way if you lose the device you can just say "eh fuck it" and not have to worry about it. I also need to revise the battery components to a lipo pouch rather than a coincell. (long story). Right now it can store up to 1000 passwords so I'm thinking there definitely needs to be a way to add passwords to favorites.

I also want it to be able to load passwords by dragging a csv file onto it so that its easy to export from the browser and get everything onto it. Idk, my buddy and I have been working on this for a few months now. What do you think? Would you use it? If so what would you add?

We plan on open sourcing everything once the SE050 is implemented

u/AssociationOk5653 — 13 days ago

storing passwords in a safe

I am currently the family IT guy. if anything happens to me a LOT of accounts are gonna sit idle.

not sure if this will be an issue, but I am trying to plan how to allow someone with only mild technical savvy to be able to retrieve passwords and what they are for (NAS, bank websites, managed network switches)

yes it is incredibly insecure, but I want to print them out and store them in a safe.

unless someone can convince me of a system that can be only accessed by a particular person, and will not be tied to an email, phone or some other way that might change in 5-10 years

reddit.com
u/tater1337 — 11 days ago

Why do you use a password manager when most of the people don't?

I have been using password managers for as long as I remember. One of the earliest ones I used was SPB wallet back in the Pocket PC days. Have used many since then. To me, the idea just makes sense. All my passwords in one place, secure. I don't have to remember them, I can use a distinct password for each account. I mean, names like LastPass or 1Password convey the core value preposition right in their name.

And yet, majority of the people around us don't seem to be using any password manager. Only in this sub I see people comparing options and asking for recommendations. Most people either use browser's inbuilt PM or use nothing at all. They just use the same password everywhere, or just reset the password frequently. Many apps and services have moved to OTP based logins just for people who don't bother remembering or saving passwords.

It goes beyond passwords. There are various non password details like documents, financial accounts etc. People don't bother storing them either. I have seen people write down things in diaries, keep bank details in notes, plain text files, passwords saved in word and excel sheets. There are free password managers, open source options, cloud based and self hosted options but people just don't use them. And it baffles me.

So my question to you is, why are you using a password manager? At what point did you think I need a separate dedicated app to store my passwords and other important info?

reddit.com
u/yashg — 11 days ago

good system integration or what workarounds to use

so i recently went from google password manager to proton and the experience is quite jarring.

is this just something you get used to, i.e. opening proton pass manually all the time to copy paste a password or are there better alternatives out there? android seems to be quite a bit worse as well, as autofill does not work consistently in the browser and barely at all for apps.

i am sure this is something everybody has to deal with, so i guess my question is, what has turbed out to be your best compromise between comfort and security?

reddit.com
u/SieqwardZwiebelbrudi — 11 days ago