2 minute read

I’ve been asked this question countless times over the last couple decades, perhaps because I used to be responsible for cracking weak passwords for a company managing 6 figures worth of people (passwords), so I’m writing this here to have a reference for anyone who asks me moving forward, even though I answered on this blog 7 years ago and my recommendation is the same with one new solution to recommend if you’re a techy, but more importantly I’m going to start by explaining what to ask when any new password management solution comes out.

The first question is, “Is it open source?” even if you’re not normally an open source advocate, there’s likely nothing more important to protect than your passwords, so you should only use a solution that you can look at the source code and make sure there are no backdoors in it — and if you’re not able to make sense of the source code, you want every other security auditor in the world able to look at the code so they can report/fix any holes as discovered.

Can you host it yourself?” is the second question. There’s no way one should trust a 3rd party (corporation/government etc) as these can be compromised and become huge targets if they’re managing all of the passwords for many people.

Keepass 2.x and bitwarden_rs are the only two solutions I know of that meet this criteria as of writing this.

While I have your attention on the topic of passwords, assume your db/password file will be compromised at some point, so make sure you use a really hard to crack password for the master password with the 2fa (consider the attacker gets your yubikey as well) – I recommend at least 5 words that don’t normally go together, with a number and special character, like Reddit2020barbeque&rainbowunicronastronaut would take a long time to crack but is easy to remember.

I’m hesitant to share this next link, as it lets you test different passwords, and I can’t emphasize enough you should not put any real passwords into this site as you should assume it’s being hosted by your attacker trying to get an idea of what your passwords might be — with that warning out of the way, https://howsecureismypassword.net/ lets you type in a password and gives you a rough idea of how long it would take an attacker to crack your password.