Practical privacy and simple cybersecurity.
TheNewOil.org

The Best Password Manager in 2021

Password managers are – thankfully – becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh I already use LastPass/Dashlane/1Password/etc.” While it’s good for consumers that there are more of them available, that also makes it rather difficult for people to know what’s best. This week, I’d like to weigh in on this subject. While I will admit that I purposely formatted this blog title for SEO, I am writing this blog on the assumption that you understand the basics of what a password manager is, what it does, and why it matters. If you’re not sure, I encourage you to skim this page of my website quickly and come back.

Criteria

I’ll cut right to the chase: the only two password managers I recommend are Bitwarden and KeePassXC. The first criterion I use to recommend password managers is that they are open source. See this page on my website all about what open source is and why it matters to me. This automatically rules out most of the “mainstream” providers like LastPass, Dashlane, etc. My second criterion, which rules out many of the other open-source projects, is that they must be cross-platform – that is, they must be available on Windows, Mac, Debian-based Linux, Android, and iPhone. There are some other criteria, which you can view in full here if you care, but those main two will likely answer the inevitable “Why isn’t X listed here?”

Privacy Policy

Bitwarden

Bitwarden’s privacy policy is admittedly not great. This actually serves as an excellent example of having security without privacy (I’ll get to Bitwarden’s security in a moment). Visiting the website will automatically result in standard data collection like IP address, cookies, and other automatic identifiers (and needless to say, any other information you knowingly submit like contact forms). They do admit to third-party sharing for the purposes of improving the product, processing payment information, and other such services. The website is also riddled with Google Fonts, Cloudflare, and other services that are generally frowned upon in the privacy community for their poor privacy practices, meaning there’s a possibility that those services may be tracking users even though Bitwarden themselves do not. The policy does not explicitly state but does suggest that app usage is also collected. According to the Apple privacy label, this appears to be limited to crash data.

On the plus side, it does appear that Bitwarden's tracking is limited to their own site – in other words, they don’t try to aggregate information about you from other sources to identify you specifically. While this is probably more data about you than they really need, it does seem to be primarily limited to data they want for the purpose of improving the service. They explicitly say in the policy that they ignore Do Not Track signals, as they don’t track you anyways. Their mobile app also appears to collect limited data according to the Apple privacy label, but unfortunately this “limited data” does include unique identifiers, specifically your Device ID. While I understand the value of this data with regard to security, I suspect they could ignore this information to better preserve privacy if they wanted to.

KeePassXC

KeePassXC’s privacy policy is a lot better. Visiting the website will collect information like partial IP address, browser data, referrer data (if any), and location determined by IP address. On the plus side, the policy explicitly states it will never be shared with third parties (I assume this does not apply to valid law enforcement requests) and is deleted after 90 days. Additionally, they respect Do Not Track headers, meaning that if you have that box checked in your browser, no data will be collected in the first place. Furthermore, KeePassXC only ever contacts the internet on two occasions: to check for new updates, and to pull a website’s favicon (if you request it). No usage analytics are ever submitted (one could argue that auto-checking for updates creates a usage pattern, though personally I view this as a very small, worthwhile risk for most people). For mobile, forks of KeePassXC are used instead of KeePassXC itself. I recommend KeePassDX for Android and Strongbox for iOS. Strongbox explicitly states they collect no information, while KeePassDX’s privacy policy redirects to the official GNU GPL 3.0 license, which tells me they likely have similar practices.

Security

Bitwarden

Bitwarden is cloud-based, which means that you’re automatically opening up some degree of risk by default. However, the database is protected with AES-256 encryption – currently one of the standards that at this time has no known weaknesses – and your password is salted and hashed with bcrypt, which is also considered the current strongest hash algorithm for passwords. For my non-techy readers: they take your security really freaking seriously. The only known weakness at this time would be the master password you use, so make sure you’re using a strong passphrase and two-factor authentication. While it is important to note that nothing is unhackable and keeping your vault in the cloud with Bitwarden is inherently a risk no matter what, at this point in time I would argue that if you’re using a strong master passphrase and two-factor, the average person has nothing to fear on the security front from using Bitwarden.
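To make the “salted and hashed” part of the paragraph above concrete, here is an added example that is not Bitwarden’s code and not from the original post. It uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt (which needs a third-party package), with a hypothetical iteration count, and shows why a per-user salt matters: the same master password hashed under two different salts produces two unrelated digests, so a precomputed table of common passwords cannot be reused against everyone.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for the stand-in KDF (an assumed value for illustration, not a
# figure from Bitwarden). The post names bcrypt; PBKDF2-HMAC-SHA256 is used
# here only because it ships with the standard library.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_master_password(password: str,
                         salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    which is what a server should do for every account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return salt, digest


def verify_master_password(candidate: str, salt: bytes, stored_digest: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so timing differences do not leak how many leading bytes matched."""
    _, digest = hash_master_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def salting_changes_digest(password: str, iterations: int = ITERATIONS) -> bool:
    """True when the same password yields different digests under two salts.
    The salts are constructed constants for the demonstration only."""
    _, d1 = hash_master_password(password, b"constructed-salt-one", iterations)
    _, d2 = hash_master_password(password, b"constructed-salt-two", iterations)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = hash_master_password("correct horse battery staple")
    print("stored salt:", salt.hex())
    print("stored digest:", digest.hex())
    print("right password verifies:",
          verify_master_password("correct horse battery staple", salt, digest))
    print("wrong password verifies:",
          verify_master_password("correct horse battery stapler", salt, digest))
    print("different salts, different digests:",
          salting_changes_digest("correct horse battery staple"))
```

The slow, iterated hash is what turns a stolen database of digests into an expensive guessing problem; it cannot rescue a weak master password, which is exactly why the paragraph above singles that out as the remaining weakness.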

KeePassXC

KeePassXC’s vault is also encrypted using AES-256. KeePassXC has the advantage of being locally stored, entirely independent of the internet. This means that unless you choose to upload your vault to a cloud service, you have virtually no risk of vault compromise. However, it is important to note that you should keep secure backups, as you still run the risk of your vault getting corrupted or being lost if your computer dies. Of course, locally stored files won’t save you from a compromised device either, so be sure to take proper and appropriate device security measures overall. I would also encourage the use of a strong passphrase with KeePassXC simply as a precaution, though the odds of needing it are much lower than with Bitwarden (depending on your situation).

Other Features

Quite frankly, Bitwarden and KeePassXC are almost identical in terms of features and functionality. For that reason, I’ll just go ahead and list all the major features and differences here in one section. Both allow you to generate random passwords or passphrases, both allow you to specify the criteria for those passwords (length, special characters, etc.), and both will allow you to store your two-factor keys in the app for a more convenient login experience (for Bitwarden this is a paid feature, and for KeePassXC this does require a small degree of manual expertise from the user; regardless, be aware that this does make your password vault a “single point of failure,” and therefore this feature should be used cautiously). Bitwarden does have a secure file send feature they recently rolled out for premium users, but I personally have never used it, as this isn't something I expect of my password manager and I already have other methods for doing that anyways. I would say the only difference between the two in terms of features and function is the user interface: Bitwarden is very sleek, very modern, very pleasing to the eye, and very easy to navigate. KeePassXC looks a bit more outdated, a bit older, a bit more rough, and some of the more advanced features can be confusing and intimidating (fortunately most users don’t have to worry about these features and can safely ignore them). Both services also offer a browser extension to easily log in to websites. I recommend keeping your browser extensions to a minimum, but that’s useful for those who have come to rely on such features. It's also worth mentioning that Bitwarden does have a paid teams feature, so if you run a company then Bitwarden would be the clear winner here, as they make it incredibly easy to integrate multiple users into the same shared vault so that you can use strong passwords at work while still giving access to everyone who needs those sites or accounts.
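Both managers’ generators work on the same principle the paragraph above describes: pick from a character set or a wordlist using an unpredictable random source, and let the user set the criteria. The following is an added example written for this post, not code from Bitwarden or KeePassXC, showing a criteria-driven password generator, a wordlist passphrase generator, and the entropy arithmetic that tells you how strong the result is. The 32-word list is a constructed stand-in (a real diceware list has 7,776 words, so each real word is worth about 12.9 bits rather than 5).

```python
import math
import secrets
import string

# Constructed stand-in wordlist for the demonstration (real lists are far
# larger). Each word chosen uniformly from N words adds log2(N) bits.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "eagle", "flint", "grape", "hazel",
    "igloo", "jolly", "kiosk", "lemon", "mango", "noble", "olive", "pearl",
    "quilt", "river", "stone", "tiger", "umbra", "vivid", "whale", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "ember", "frost",
]


def character_pools(use_upper: bool, use_digits: bool, use_symbols: bool):
    """The user's criteria decide which character classes are in play."""
    pools = [string.ascii_lowercase]
    if use_upper:
        pools.append(string.ascii_uppercase)
    if use_digits:
        pools.append(string.digits)
    if use_symbols:
        pools.append(string.punctuation)
    return pools


def generate_password(length: int = 20, use_upper: bool = True,
                      use_digits: bool = True, use_symbols: bool = True) -> str:
    """Random password drawn with the `secrets` CSPRNG, guaranteeing at least
    one character from every selected class (as most managers do)."""
    pools = character_pools(use_upper, use_digits, use_symbols)
    if length < len(pools):
        raise ValueError("length too short for the selected character classes")
    chars = [secrets.choice(pool) for pool in pools]          # one per class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Fisher-Yates shuffle with an unbiased index so the guaranteed characters
    # do not always sit at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_criteria(password: str, length: int, use_upper: bool,
                   use_digits: bool, use_symbols: bool) -> bool:
    """Check a password against the same criteria the generator was given."""
    if len(password) != length:
        return False
    for pool in character_pools(use_upper, use_digits, use_symbols):
        if not any(c in pool for c in password):
            return False
    return True


def generate_passphrase(words: int = 6, separator: str = "-",
                        wordlist=WORDLIST) -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound for a uniformly random string (the one-per-class guarantee
    removes a negligible fraction for realistic lengths)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{password_entropy_bits(20, 94):.1f} bits")
    pp = generate_passphrase(6)
    print(pp, f"~{passphrase_entropy_bits(6, len(WORDLIST)):.1f} bits "
              f"(would be ~{passphrase_entropy_bits(6, 7776):.1f} bits with a real list)")
```

The entropy numbers are the practical takeaway: a 20-character password over all 94 printable ASCII characters is about 131 bits, while six words from a real 7,776-word list give about 77.5 bits, which is still far beyond what offline guessing against a properly hashed vault can reach, and much easier to type as a master passphrase.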

Ultimately, for individuals, you can’t go wrong with either of these options, and which one you should pick depends on your threat model and your lifestyle. If you have a low threat model – that is, you are unlikely to be specifically targeted by an individual or organization – and you value convenience, Bitwarden is probably the right choice for you with its single app, synchronization across all devices, and sleek user interface. If you have a higher threat model (or you simply distrust the cloud), you’re willing to do a little extra work, you don’t mind a slightly outdated design, and/or you’re more techy, then KeePassXC is right for you. Whichever one you use, remember to use a strong passphrase (and two-factor for Bitwarden), keep good backups, and you should be pretty well protected. Now go forth and create strong, unique passwords everywhere.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...