
iHorseHead (original poster, macrumors 68000, joined Jan 1, 2021)
Hi!
For the longest time, I've been really curious as to why people don't use open source password managers. There's https://macpassapp.org/ and KeePass, which work perfectly together, and you could store the database, which is password protected, in Google Drive, iCloud, OneDrive etc…
Sure, it doesn't fill out your passwords, but I mean still, I feel like it's more secure than LastPass ever was or 1Password, and not to mention more comfortable, and it's not really difficult to press ctrl + v for it to automatically fill out your password. I'm just really curious as to why nobody ever mentions KeePass, MacPass etc. alternatives?
I mean sure, they all have different names, but they do open the same database, so it doesn't really matter, and your passwords are syncing however you want them to sync. You can even store your database file on a USB drive. I feel like it's a lot more secure than 1Password and definitely better than LastPass, as I've already mentioned, but I hardly see anyone talking about KeePass etc. apps. Why?

https://keepass.info/download.html -> for iOS, Mac, Linux, Windows, Android
I feel like it's a lot more secure
"I feel like" is no way to evaluate any sort of secure software.
Using an app like 1Password or even iCloud password autofill is vastly more convenient than having to open an app and then manually copy/paste from that app into wherever the password needs to go. 1Password also does a bunch more than just storing a list of passwords for websites too.
 
I'm curious why you didn't mention Bitwarden, which is what I currently use.

I used (and liked) Keepass back when I was using Windows at home a long time ago.
We used KeePass professionally until requirements specified that password access had to be monitored.
"I feel like" is no way to evaluate any sort of secure software.
Using an app like 1Password or even iCloud password autofill is vastly more convenient than having to open an app and then manually copy/paste from that app into wherever the password needs to go. 1Password also does a bunch more than just storing a list of passwords for websites too.
But it stays in the clipboard for like 5-30 seconds depending on your choice, + it's open source. I bet if LastPass hadn't had this hack you'd say the same about LastPass.
 
We used KeePass professionally until requirements specified that password access had to be monitored.
At work we use KeePass and MyVault and Passwordstate too, but the last two are for corporations only, I guess.
 
Sounds like you answered your own question; these open source password managers are too much work for most people.

Personally, I think Apple's built-in password manager is the best one: it fills in passwords, syncs to all devices, and even detects compromised passwords.
Well, yeah. That's true. You gotta keep an eye on stuff yourself.
But there are people who use books for passwords.
https://www.amazon.com/Taja-Passwor...ords=Password+Book&qid=1718978656&sr=8-5&th=1 for example…
 
Because consumers don’t know what that means. They just want something that works without friction. They don’t have to download iCloud passwords, their device just asks them if they want to save their password.

It’s the lowest effort path, which will always win out.
 
Do you audit the code of the open source applications you use, including compiling them from source pulled from their GitHub/SourceForge repositories? No? Then there's no functional difference between using an open-source solution and using a closed-source, commercial solution. None. Zero.

Likewise, people choose the software that provides the best combination of value, function, and UX. The cost, and the license under which the software is offered, are completely immaterial.
 
At the time that I started with 1password I couldn't find a free/open-source option that was sufficiently functional across multiple platforms and browsers.

BTW, I try to minimize copying and pasting passwords since it's possible the clipboard could be compromised, and/or I could accidentally paste a password in the wrong place. I like software that fills it in automatically when possible.
 
I've been using Firefox's password auto-fill. It works fine across Mac, Windows, Android, iOS, and Linux. I tried LastPass for a while because it stores more than passwords but the two breaches made me uncomfortable, even if they didn't get anything useful.

KeePass looks interesting but it's too light. I'd rather trust the people behind Firefox.
 
I store miscellaneous passwords on my iPhone. Before there was a built-in password manager and saver in Safari I was writing them up in Notes (yeah, don't laugh. I am the only user of my iPhone anyway). But honestly I don't really "store passwords" nowadays, as I change them once in a while or just remember the ones I don't use too often. Over the course of 10 years I changed 15 Gmail accounts (deleted the old one, created a new one, once every 1-2 years). Therefore I don't think I need another app I won't ever use.
 
If you're putting passwords on the clipboard you are already opening yourself up to so many exploits.
I can't argue with you there. However, I doubt it's the case for my work PC that's in company portal etc and I found this on Reddit:

The database file itself is encrypted at all times, and even the data which is in memory is encrypted most of the time:

While KeePass is running, sensitive data is stored encryptedly in the process memory. This means that even if you would dump the KeePass process memory to disk, you could not find any sensitive data.
Furthermore, KeePass erases all security-critical memory (if possible) when it is not needed anymore, i.e. it overwrites these memory areas before releasing them.
So no, using KeePass is much, much safer than using the password manager of your browser.

KeePass does a good job of protecting even against risks from generic keyloggers, in case those manage to run somehow on your computer. But in case a trojan is specifically written to attack KeePass, there is of course a risk that your secrets get compromised. At the latest, when a keylogger manages to run during entry of your master password, it is pretty easy for the trojan to read everything from the kdbx in the background. For that reason it might be a good idea to activate the "Secure Desktop" option inside KeePass. Unfortunately this may cause compatibility issues, and is therefore deactivated by default.
 
I liked KeePass, too. But it was pwned a little over a year ago. Its database master password was vulnerable. CVE-2023-32784. We used to allow it for end users, banned it, haven't gotten back around to testing it since, presumably, that vulnerability was fixed.

We still permit BitWarden for personal desktop use, for the moment. We're considering centralized tools to proxy all password usage to eliminate copying passwords to the clipboard. Clipboarding passwords is not great technique because it's so accessible to so many apps, and it takes only an invisible instant to exfil.

Don't let password vaulting make you complacent. In an enterprise of any scale, that's the tip of an iceberg. Even for personal computing, a couple of these additional techniques can provide additional security. Some are cheap, some rather skill/labor dependent. At large scale, all this can be financially "non-trivial", but some occupations and data troves demand it.

We block creation of persistent profiles in the browsers, which blocks access to the browsers' password vaults (of course we hunt and kill any browser app we didn't deploy). We block outbound access to every internet vaulty type tool we can identify. We hoover up every user's web history for behavioral analytics, in case anyone discovers/tries a new trick. We used to fire staff and publicly frog-march them to the parking lot, but work-from-home ruined that for us. That's about the most we can do to help regular users not suck.

I whipped up a routine in our Data Leak Prevention (DLP) and insider threat tools to check user file content for hints at password lists outside a vault product, such as names of our systems coupled to string patterns that characterize user ID + password lists. Not rocket science, just due diligence. Of course our laptops don't run very long on battery power.

Yes, we surveil our users activities, minute by minute, using insider threat analytics tools. We've been known to alert on grocery lists and fantasy sports worksheets <shrug>. Fortunately, however, the C-Suite has ratified a strict daily quota of ***** to give: 0

On top of that, we still get to further torture privileged users, such as engineers, admins and developers who work on IT systems. In addition to mandating password vaulting:
  • Use at least three factors to authenticate. Use just-in-time privilege elevation to precisely defined roles (Part of "Zero-Trust", i.e., no account has admin permissions permanently assigned - users receive authorizations after they authenticate.).
  • No overlap of privileged accounts or roles, keys, certificates or sessions among multiple systems.
  • Sessions have a default time-to-live that can be continuously extended by authenticating (dead-man switch) (not just wiggling the mouse). This is SUPER popular with admins running long project cycles overnight. Monster and Adderall in the fridge, everyone!
  • Using single sign-on for certain non-privileged roles might slightly reduce user self-harm.
  • Stream all system access events to a SIEM in near/real time for behavioral analytics and cross-reference to netflows.
  • Audit logs for password usage for any system that still requires passwords at all - an unfortunate requirement, but common in disaster recovery scenarios.
And yet, ALL these precautions can be punkd by supply chain exploits. Or human carelessness and callous handling.
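The DLP routine described in the post above, as an added example that is not the poster's own tooling: a heuristic scanner that flags lines where a known internal system name sits near user ID + password patterns (labelled pairs, two-column credential tables, bare "account: secret" lines). KNOWN_SYSTEMS, the weights and the sample notes file are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed list of internal system names; a real deployment would feed its CMDB here.
KNOWN_SYSTEMS = {"jumphost01", "erp-prod", "vpn.corp.example"}
# "username: jdoe  password: ..." pairs labelled inline on one line
LABELLED_PAIR = re.compile(r"\b(?:user(?:name)?|login|uid)\s*[:=]\s*[\w.@-]+[,;|\t ]+"
                           r"(?:pass(?:word)?|pwd|pw)\s*[:=]\s*\S+", re.I)
# header row of a two-column credential table, e.g. "user,password" or "login\tpwd"
TABLE_HEADER = re.compile(r"^\s*(?:user(?:name)?|login)\s*([,;\t|])\s*(?:pass(?:word)?|pwd)\b", re.I)
# bare "account: secret" lines; only treated as suspicious after a known system name was seen
COLON_PAIR = re.compile(r"^\s*[\w.@-]{3,}\s*:\s*(?!//)\S{6,}\s*$")
WEIGHTS = {"labelled_pair": 3, "table_header": 2, "table_row": 1, "colon_pair_near_system": 2}

@dataclass
class Finding:
    line_no: int
    kind: str
    system: "str | None"  # nearest preceding known system name, if any

def scan_text(text, known_systems=KNOWN_SYSTEMS):
    findings, recent_system, table_delim = [], None, None
    for n, line in enumerate(text.splitlines(), 1):
        hit = next((s for s in known_systems if s.lower() in line.lower()), None)
        recent_system = hit or recent_system
        header = TABLE_HEADER.search(line)
        if header:
            table_delim = header.group(1)
            findings.append(Finding(n, "table_header", recent_system))
        elif table_delim and len([c for c in line.split(table_delim) if c.strip()]) == 2:
            findings.append(Finding(n, "table_row", recent_system))
        else:
            table_delim = None  # the credential table, if any, has ended
            if LABELLED_PAIR.search(line):
                findings.append(Finding(n, "labelled_pair", recent_system))
            elif recent_system and COLON_PAIR.match(line):
                findings.append(Finding(n, "colon_pair_near_system", recent_system))
    return findings

def risk_score(findings):
    # a hit tied to a named internal system earns one extra point
    return sum(WEIGHTS[f.kind] + (1 if f.system else 0) for f in findings)

# Constructed sample: a user's notes file mixing harmless text with a credential list.
SAMPLE = """Q3 grocery list: eggs, milk
Server access notes for jumphost01
username: svc_backup   password: Winter2024!
erp-prod logins
user,password
jdoe,Summer!23
https://vpn.corp.example/help
alice: hunter2hunter2
"""
```

Running scan_text(SAMPLE) yields four findings (lines 3, 5, 6 and 8) with a risk score of 12; the grocery line and the URL line are not flagged.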
 
On top of that, we still get to further torture privileged users, such as engineers, admins and developers who work on IT systems. In addition to mandating password vaulting:
...
I hope you work for the government/military/etc. I don't think any sane engineer would tolerate this.
 
I use iCloud key chain AND MacPass.

What happens if I wake up one day and my iCloud account is closed? As I control my domain and email address and credentials independently, a large disaster turns into a minor headache.
 