In recent posts we’ve covered what a password manager is, and why you should use one. Now it’s time to find the best open source password manager.
If you’re not sure what a password manager is, or why you should use one, I recommend you read two of my previous posts. What is a Password Manager? covers the “what”, and Why Should I Use a Password Manager? covers the “why”.
What is the best password manager is, of course, subjective. But my criteria are as follows:
- The password manager has to be open source. Open source code means that everyone can audit the code and make sure nothing fishy is going on.
- It has to be free as in speech (libre). There are no restrictions on how the password manager can be used.
- The password manager doesn’t have to be free as in beer (gratis). If it’s good enough, and the price is fair, I’d gladly pay for it.
- The password manager has to work on the operating systems I use frequently: Windows, macOS, Linux, and Android.
- It has to be possible to self-host the password manager. This means that I can install and run it on my own server or computer.
- It has to be possible to synchronize the password manager’s database across multiple devices.
- Backing up the password manager’s database has to be hassle free.
- The password manager has to have an accompanying browser extension to make using it with a browser as user friendly as possible.
The open source and self-hosting criteria limit the number of possible password managers. While there are a lot of different password managers available, only a few of them are open source and supports self-hosting.
Now let’s get cracking!
Passbolt describes itself as “free, open source, self-hosted, extensible”. The password manager features passwords sharing, filters, search, comments, user management, e-mail notifications, support for the KDBX database format, and browser integration.
Passbolt is primarily designed for teams and not individuals, which makes it rather pricey. There’s a free community edition with unlimited users, but the features in the community edition are limited. You’ll miss out on features like the admin panel, and multi-factor authentication. Those features, and more, are only available in the paid premium version, starting at €19 per month.
Passbolt can be used both as a SaaS cloud-service, or it can be self-hosted on your own server. But self-hosting doesn’t mean you get all the features. You’ll still have to purchase a subscription, which, as far as I can tell, will cost you the same as using the cloud-based version.
I’m also not sure how mature Passbolt is. All the screenshots I’ve found has an “alpha”-tag slapped to them, and several of the premium features are not yet implemented.
KeePassXC is an open source community fork of KeePassX, which is a cross-platform port of KeePass for Windows. I can’t use KeePass because it’s Windows only, and KeePassX hasn’t been in active development in quite a while. The most recent KeePass release was back in 2016.
KeePassXC, on the other hand, is in active development. It’s not a web-based password manager, but an application that you download and install on your computer. In this day and age, that might sound old fashioned. But that KeePassXC doesn’t require the user to run any server software, makes it very easy to get up and running quickly.
The password manager has all the features you’d except. You can store usernames, passwords, notes and other information in an encrypted database. The database can be secured with a password. More advanced users can use a key file, a YubiKey challenge, or any combination of the three.
KeePassXC also comes with a password generator, auto-type for automagically filling in login forms, 2FA support with TOTP generation (including Steam Guard), and browser integration through the KeyPassXC-Browser extension. On the more advanced side, KeyPassXC features an SSH agent integration, and a command line interface.
What KeyPassXC is missing, though, is a built-in mechanism for synchronizing the database between multiple devices. If that is something you need, you’ll have to facilitate it yourself. One solution is to use a cloud-based file service, like Dropbox or Nextcloud.
There are no official KeyPassXC apps for Android and iOS. But because KeyPassXC uses the KDBX database format, other people have implemented compatible clients for both operating systems. Examples are KeePass2Android on Android, and Strongbox on iOS.
KeyPassXC looks like a good alternative. But you need to do a little work to get database synchronization across devices working.
Bitwarden is another open source password manager that can be used as both a SaaS cloud service, or installed as a self-hosted service. It comes with a web interface, native clients for Windows, macOS, Linux, Android, and iOS, browser integrations for every major browser, and a command line interface.
As with Passbolt, Bitwarden comes with some basic, free, features, and an extended feature set for premium users. Among the free features are access to all Bitwarden apps, unlimited synchronization between devices, unlimited item (passwords, notes, credit card numbers, etc) storage, 2FA authentication on your Bitwarden account, and a secure password generator.
Unlike Passbolt, Bitwarden is designed with individuals in mind. A premium account will set you back $10 per year, which is a lot cheaper than Passbolt’s premium fee of €19 per month. Bitwarden also provides a premium family plan that supports up to 5 users for $1 per month.
Bitwarden is feature rich, looks awesome, and can be self-hosted. With several affordable premium plans, it’s certainly a viable alternative for anyone looking for an open source password manager.
So What’s the Best Password Manager in 2019!?
Even though Bitwarden almost won me over, I’m leaning towards KeePassXC. Compared to both Passbolt and Bitwarden, it’s rather basic in terms of features, but it still has everything I need. I also like that I don’t need to host anything on my own servers to get KeePassXC to work. It’s just an application I install on all the computer I use. While there is no official app for Android, the KeePassXC developers recommend KeePass2Android, which seems legit.
The KeePassXC password database is just a simple file, which makes it easy to back up and synchronize between devices. While KeePassXC doesn’t have a built-in synchronization feature, this can be accomplished by using a cloud-based file storage like Nextcloud. I’m already using Nextcloud, so getting the database synchronized should be effortless.
So there you have it. KeePassXC seems to be the best open source password manager in 2019. It might not look particularly sexy, but when it comes to password managers, brains are certainly more important than looks.