What is The Best Open Source Password Manager?

In recent posts we’ve covered what a password manager is, and why you should use one. Now it’s time to find the best open source password manager.

If you’re not sure what a password manager is, or why you should use one, I recommend you read two of my previous posts. What is a Password Manager? covers the “what”, and Why Should I Use a Password Manager? covers the “why”.

Which password manager is the best is, of course, subjective. But my criteria are as follows:

  • The password manager has to be open source. Open source code means that everyone can audit the code and make sure nothing fishy is going on.
  • It has to be free as in speech (libre). There are no restrictions on how the password manager can be used.
  • The password manager doesn’t have to be free as in beer (gratis). If it’s good enough, and the price is fair, I’d gladly pay for it.
  • The password manager has to work on the operating systems I use frequently: Windows, macOS, Linux, and Android.
  • It has to be possible to self-host the password manager. This means that I can install and run it on my own server or computer.
  • It has to be possible to synchronize the password manager’s database across multiple devices.
  • Backing up the password manager’s database has to be hassle free.
  • The password manager has to have an accompanying browser extension to make using it with a browser as user friendly as possible.

The open source and self-hosting criteria limit the number of possible password managers. While there are a lot of different password managers available, only a few of them are open source and support self-hosting.

Now let’s get cracking!

What is a Password Manager?

What is a password manager, and how can it save you from hackers and password fatigue?

As we discussed in the post Why Should I Use a Password Manager?, the average internet user typically has a few online accounts. All these accounts require that you provide a pair of credentials – a username and a password – to log in. As we know, a long password is more secure than a short one, but who can possibly remember tons of different long passwords? No one.

Because of this, many people use the same, short and uncomplicated password on all their online accounts. The username is also usually the same everywhere – more often than not, it’s the e-mail address of the user.

There’s no doubt that this is very convenient. It’s one pair of credentials to rule them all. But what happens if one of the services you use gets hacked, and your credentials are leaked? Since you’re using the same username and password everywhere, the hacker can now log in to all the online services you use!

To prevent this from happening, you should use a password manager. But what is a password manager?

Why Should I Use a Password Manager?

Short answer: You should use a password manager because good passwords are hard to remember. Long answer: See below.

To log on to a website on the internet, you normally have to provide a username and a password. A good password is a long one because the more characters a password has, the longer it takes for a hacker’s computer to guess it. But it’s also generally hard to remember long passwords, and many people tend to use the same password – and often username – on all the websites they log in to.

When you use the same credentials everywhere, there’s a higher chance a hacker can figure out your username and password.

Actually, it’s very likely that it has already happened.

Google Bans Gab app

Just as the Gab app hit the #1 trending top spot on the Google Play Store, Google banned it. Will this potentially make life hard for the entire Fediverse?

The far-right social network Gab has now completed its transition to Mastodon. The main motivation was to gain a foothold in the mobile app stores. Gab’s previous attempts at distributing a mobile client failed because Apple and Google both removed it from their respective app stores. The companies cited violation of their policies against hate speech as the reason for the removal.

By moving to Mastodon and the ActivityPub protocol, Gab no longer needs to distribute their own mobile client. Instead, their members can, at least in theory, download a generic Mastodon client, and log on to Gab’s Mastodon instance. This prompted some client developers to change the application code so that their client doesn’t work with Gab’s Mastodon instance.

But Mastodon clients are mostly FLOSS. Gab simply copied the source code, removed the blocking code, and compiled their own version of the Mastodon client. This happened to Tusky, and a Gab-branded version of Tusky was available in the Google Play Store.

At least for a short while.

The Rebirth of Webrings

Will the rebirth of webrings save your personal website from the corporate web?

Back in the 1990s social media was still a distant nightmare. If you wanted people to know about your personal website, you couldn’t just tweet about it to your loyal Twitter followers, or post to Facebook. Instead, you had to manually add your website to search engines like Yahoo! and Lycos, use a ping service, try to get on to someone’s blogroll, or join a webring.

A webring is – or rather was – a collection of websites linked together in a circular fashion. If you joined a webring, you had to add the ring’s navigation bar to your site, and the bar contained links to the previous and next site in the ring. Most webrings were organized around a specific theme, like personal websites, comics, and movies.

Webrings were popular in the 1990s and early 2000s, but as search engines became better at indexing the world wide web, and the social media beast awakened, webrings became obsolete. One of the main webring sites was WebRing.com, which, through various acquisitions, landed in Yahoo!’s lap in 1999. Unfortunately, their attempt to streamline the site ended in a veritable dumpster fire, and Yahoo! stopped supporting WebRing.com in April of 2001.

Since then, the webring concept has been pretty much dead in the water. A few webring sites, like WebRing.org and RingSurf, are still online, but most of their webrings contain sites that went offline a long time ago.

Perhaps the ongoing rebirth of the personal website also means the rebirth of webrings?