Leo

Leo的恒河沙 (Leo's Ganges Sand)

A business consultant / cross-border e-commerce specialist / investor / tech nerd / cycling enthusiast active in the Pearl River Delta and the Yangtze River Delta, ruler of two Border Collies and a pile of little stray cats, married. Subscribe for daily updates of articles I have selected as worth a close read, spanning business, economics, relationships, technology and more; in short, everything that interests me.

2023-12-31 - Not Just to Save Money: A Usability Report on Open Source Password Managers | Minority Member π+Prime

Not Just to Save Money: A Usability Report on Open Source Password Managers | Minority Member π+Prime#


There is no inherent superiority of open source over closed source or vice versa, and whether a product is free or paid is only one part of its total cost.


TL;DR

  • Despite some reasonable doubts about it, 1Password remains the most worry-free choice for most users, and its pricing is reasonable relative to the level of service provided. If you are looking to leave 1Password purely for price reasons, your best option may be to continue using 1Password.
  • For users with some technical skills, replacing 1Password with open source solutions like Bitwarden or KeePass is feasible, and the user experience has improved compared to previous years. Relatively speaking, KeePass has a lower initial configuration barrier, while Bitwarden is more feature-rich.

In the field of password management, 1Password's leading position is indisputable. However, over time, doubts and concerns about it have gradually accumulated: a resolute shift to a subscription model, cloud storage, and Electron "wrapper" development have annoyed many long-time users; two rounds of venture capital financing and a strong expansion into commercial business have also raised concerns about its deviation from the "mass line."

Thus, "What are good alternatives to 1Password?" has naturally become a concern for many users. Among the many options, open source solutions represented by KeePass and Bitwarden are particularly favored by geek users.

However, if you actually follow some of these recommendations and prepare to migrate from 1Password to one of these open source solutions, you will find that it is not an easy task; the "self-reliance" of open source also means "self-service." Even if you are willing to put in the effort, whether you can migrate all your existing data and keep your previous habits is another thing that gives people pause.

Moreover, in the matter of password management, it can be said that any decision purely oriented towards saving money is wrong, and the halo of open source itself is not enough to guarantee security.

Therefore, the purpose of this article is to explore the feasibility of migrating from 1Password to Bitwarden or KeePass from the perspectives of security, convenience, and more, and to provide some tips and tricks for users who are interested in trying.

How Much Do You Know About Open Source Options#

There are quite a few open source password management tools, but Bitwarden and KeePass may be among the few that can match 1Password in terms of reputation, functionality, and cross-platform support. Their storage mechanisms mirror, respectively, 1Password's current cloud model and the local-file model it used before its shift to the cloud.

Bitwarden#

Bitwarden is a relatively young project, having emerged in 2016, but it has already built a good reputation thanks to its decent feature set and active updates.


Similar to the current 1Password, Bitwarden adopts a centralized SaaS architecture: password data is stored on the server, and the client is only responsible for reading. However, both the server and client code of Bitwarden (for the most part) are open source, and the official also provides a Docker image for the server, allowing and encouraging users to self-host.

The problem is that this official server distribution bundles many components and is very bulky: it requires at least 2GB of memory and 12GB of disk space, which is too much of a burden for many personal servers.

Therefore, when we say "self-host Bitwarden," we generally mean self-hosting Vaultwarden, a community-developed, lightweight server implementation that is compatible with the original API, and using it together with the official clients on each platform. Vaultwarden can even run on the original Raspberry Pi, so for most NAS devices and VPSes today it is naturally not a problem.

KeePass#

KeePass has a much longer history, having existed since the end of 2003. Its architecture is also more traditional, similar to the old version of 1Password: there is no server, and all data is stored in a single password database file in the KDBX format (essentially an encrypted XML document). Any tool that can read and write this format can act as a "compatible client" for KeePass. In fact, since the original KeePass only supports Windows and its interface and interaction design are extremely outdated, compatible clients are the more common choice.
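To make the "encrypted XML in a container" structure concrete, here is an added example (not code from the article, from KeePass, or from any of the clients it mentions): a small Python script that parses the unencrypted outer header of a KDBX 4 file and checks the SHA-256 that the format stores right after it. The signature words, field identifiers and cipher UUIDs are the ones the KeePass/KeePassXC sources use; the sample file is constructed inside the script, so no real database is read, and the encrypted payload (the XML with the actual entries) is deliberately not touched, since decrypting it would require deriving the master key.

```python
import hashlib
import struct
import uuid

# Magic words and version constant of the KDBX container (from the KeePass/KeePassXC sources).
SIGNATURE_1 = 0x9AA2D903
SIGNATURE_2 = 0xB54BFB67
KDBX4_VERSION = 0x00040000  # major 4, minor 0

# Outer-header field identifiers that KDBX 4 still uses.
HEADER_FIELDS = {
    1: "Comment",
    2: "CipherID",
    3: "CompressionFlags",
    4: "MasterSeed",
    7: "EncryptionIV",
    11: "KdfParameters",
    12: "PublicCustomData",
}
AES256 = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
CHACHA20 = uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a")
CIPHERS = {AES256: "AES-256-CBC", CHACHA20: "ChaCha20"}
COMPRESSION = {0: "none", 1: "gzip"}


def parse_kdbx_header(data: bytes) -> dict:
    """Parse the plaintext outer header of a KDBX 4 file.

    Returns the file version, cipher, compression, IV length and whether the
    SHA-256 that KDBX 4 stores right after the header matches it. Nothing here
    touches the encrypted payload: reading that needs the master key.
    """
    if len(data) < 12:
        raise ValueError("too short to hold a KDBX signature")
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIGNATURE_1, SIGNATURE_2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    if major != 4:
        raise ValueError(f"KDBX {major}.{minor} not handled (KDBX 3 uses 16-bit field lengths)")

    fields, pos = {}, 12
    while True:
        if pos + 5 > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (length,) = struct.unpack_from("<I", data, pos + 1)  # KDBX 4: 32-bit field length
        value = data[pos + 5 : pos + 5 + length]
        if len(value) != length:
            raise ValueError("truncated header field")
        pos += 5 + length
        if field_id == 0:  # EndOfHeader: the header bytes end here
            break
        fields[HEADER_FIELDS.get(field_id, f"Unknown({field_id})")] = value

    # KDBX 4 appends SHA-256(header) so a client can spot corruption before decrypting;
    # the 32-byte HMAC-SHA256 that follows it (not checked here) needs the derived key.
    header_hash_ok = hashlib.sha256(data[:pos]).digest() == data[pos:pos + 32]

    cipher_id = fields.get("CipherID", b"")
    cipher = CIPHERS.get(uuid.UUID(bytes=cipher_id), "unknown") if len(cipher_id) == 16 else "missing"
    comp = fields.get("CompressionFlags", b"")
    compression = COMPRESSION.get(struct.unpack("<I", comp)[0], "unknown") if len(comp) == 4 else "missing"
    return {
        "version": f"{major}.{minor}",
        "cipher": cipher,
        "compression": compression,
        "iv_length": len(fields.get("EncryptionIV", b"")),
        "header_length": pos,
        "header_hash_ok": header_hash_ok,
    }


def _field(field_id: int, value: bytes) -> bytes:
    return bytes([field_id]) + struct.pack("<I", len(value)) + value


def build_sample_kdbx4(cipher: uuid.UUID, compression: int, iv_length: int) -> bytes:
    """Constructed sample: a KDBX 4 outer header plus its SHA-256; the encrypted payload is omitted."""
    header = struct.pack("<III", SIGNATURE_1, SIGNATURE_2, KDBX4_VERSION)
    header += _field(2, cipher.bytes)
    header += _field(3, struct.pack("<I", compression))
    header += _field(4, bytes(range(32)))   # master seed (placeholder, not random)
    header += _field(7, bytes(iv_length))   # IV (placeholder zeros)
    header += _field(11, b"\x00\x01")       # KDF parameters: an opaque VariantDictionary, not decoded here
    header += _field(0, b"\r\n\r\n")        # EndOfHeader marker as KeePass writes it
    return header + hashlib.sha256(header).digest() + b"<encrypted XML payload omitted>"


if __name__ == "__main__":
    sample = build_sample_kdbx4(AES256, 1, 16)
    print(parse_kdbx_header(sample))
    damaged = bytearray(sample)
    damaged[20] ^= 0x01  # flip one byte inside the header: the stored hash no longer matches
    print(parse_kdbx_header(bytes(damaged)))
```

The point for a user choosing a client is visible in the output: everything a client needs to know before asking for the master password (format version, cipher, compression, KDF settings) sits in plaintext metadata at the front of the file, while the entries themselves are only reachable after key derivation and decryption. That is exactly why any tool that implements this container can act as a compatible client, and why the strength of the database depends on the master password and KDF settings rather than on which client wrote the file.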


Therefore, if you choose KeePass, the main considerations are (1) which client to choose and (2) how to sync the password database. Specific options will be recommended later.

By the way, the open source culture of the KeePass ecosystem can be said to be exemplary. You can see developers of two competing clients discussing "which is better" on Reddit, engaging in "mutual praise," or collaborating on a proposed extension format. In today's increasingly hostile open source community, such an atmosphere is rare.

Security and Stability#

Security and stability are the lifelines of password management software. However, this is also the factor that users find most confusing and difficult to judge. If you only look at the official websites of various products, they all seem impenetrable and flawless.

My advice is to... ignore this advertising. Indeed, if we only consider resistance to brute force, then as long as a sound algorithm with a sufficiently long key is used, the result is basically acceptable. For example, 1Password, Bitwarden, and KeePass, the three discussed in this article, all support 256-bit AES encryption, which meets the requirements for protecting confidential information in both design and key length. Even if quantum computers became widespread tomorrow, this is not an algorithm that could be "broken" easily.

But for password managers, brute force is just one of many potential threats. A password manager is a system composed of multiple components, including the password database, servers, and clients, each of which may be attacked or fail and become the "shortest stave" that determines the overall security and stability of the "barrel."

However, listing various potential threats and comparing the defensive capabilities of each product is quite difficult, and the length of this article does not allow for that. But we can think differently: in information systems, "trust"—the assumptions and dependencies on the behavior of others—is the source of vulnerabilities; excessive or misplaced trust can become a risk. Therefore, by comparing the "trust" required by different password managers, it becomes easier to identify risks and determine whether one can accept them.

The table below is a (highly simplified) comparison based on this idea, partially inspired by Ethereum founder Vitalik Buterin's method. The denominator in each cell indicates how many providers are involved in that component, while the numerator indicates how many of those providers must operate as expected for the system to function without faults and securely. For example, "1/1" means "this component has only one provider, and it can only be used normally if that provider operates as expected."

Component                   1Password   Bitwarden   KeePass
Password database storage   1/1         2/2         1/N
Server                      1/1         2/2         0
Client                      1/1         1/1         N/N

Explanation and analysis are as follows:

1Password: As a commercial product, 1Password is provided by the developer from server to client, and the password database is stored on the developer's server, with all code being closed source. This is the most typical "centralized" model, which is the easiest for ordinary users but heavily relies on trust in the developer. A plus point is that since it started providing cloud services in 2015, 1Password has not experienced any major security incidents or outages. Of course, this is just a qualification and cannot be a reason for complete trust.

Bitwarden: Compared to the one-stop model of 1Password, the biggest difference with (self-hosted) Bitwarden is that there are multiple providers: the client is provided by Bitwarden, while the server and password database storage (code from the Vaultwarden project) are self-hosted by the user. In other words, the "trust" in this system is very decentralized. Users must trust not only the code of Bitwarden and Vaultwarden but also the server they use to host this code—given the limitations of technical ability and the quality of consumer-grade self-hosted servers, its reliability may not actually be higher than that of the market-tested closed-source service like 1Password.

KeePass: This is the most "decentralized" solution. Its advantage lies in the absence of a server that needs to be trusted, and there are rich choices for both password database storage and clients, allowing for simultaneous use and mutual backup. The downside is also the decentralization of trust: each time a storage solution and client are introduced, it means trusting another third party's security and stability, and experience shows that many small open source projects are not sufficient to support such trust.

It can be seen that open source does not necessarily mean more security. On the contrary, if configured improperly, using an open source password manager may expose oneself to greater risks.

Of course, the purpose of pointing this out is not to dissuade but to remind readers to weigh the pros and cons when making a choice and to do their homework accordingly: if choosing the Bitwarden solution, be prepared for a reliable self-hosting environment (such as a stable, well-performing NAS or cloud host); if choosing the KeePass solution, try to select stable cloud storage and reliable clients.

Usability#

After analyzing the security and stability prerequisites, we also need to focus on whether the password manager itself is "user-friendly." In fact, many opinions suggest that the reason using a password manager is considered more "secure" is largely because it reduces the user's memory burden and encourages users to set complex (high entropy) and non-repeating passwords. If a password manager is so complicated that users lose the willingness to use it, reverting to manually entering and reusing weak passwords, then this benefit disappears.

To this end, the following will compare the usability of 1Password, Bitwarden, and KeePass from multiple angles, interspersed with some configuration and usage tips and suggestions to facilitate readers' choices and explorations.

Cross-Platform Support#

Few types of software may require cross-platform support as much as password managers do. When announcing the controversial decision to shift the desktop version of 1Password 8 to Electron, the development team's main reason was to improve cross-platform development efficiency and reduce functional differences between platforms.

As a result, although some long-time macOS users are concerned about losing the native interface version, this indeed allows 1Password to support more platforms and have a stronger overall design. From desktop systems to mobile systems, from browsers to command lines, you basically don't have to worry about whether 1Password supports the platform you are using, and the support for native features across platforms is also very timely.


Bitwarden#

In comparison, Bitwarden also performs well overall, matching 1Password in terms of platform coverage and support for native features. However, when considering design quality and user experience, Bitwarden's output is much rougher.

For example, although both are packaged based on web technology, the desktop version of 1Password 8 has undergone several iterations and is already considered high quality among Electron-based software. In contrast, Bitwarden's control styles, animation quality, and operational feel seem to be stuck in the past: the settings interface lacks a separate window, and the list view doesn't even support basic multi-selection with Shift, almost negating the purpose of having a dedicated client. The mobile version is based on the same design and framework, and the experience is similar. Overall, the highest praise is "usable if you hold your nose." (Fortunately, the interaction frequency of password managers is not high, so it indeed belongs to the category of products that are "fine as long as they are usable.")

(Image caption: The real thing is even uglier than the ID photo)

KeePass#

The situation with KeePass is even more chaotic. As mentioned earlier, the original KeePass only supports Windows and is not worth recommending; other platforms rely entirely on third-party compatible clients for coverage.

Additionally, while the KeePass official page provides a list of compatible clients, most of the information is outdated. Based on my testing, here are the recommended clients for various platforms as of the time of writing this article, for readers' reference. If multiple options are listed, they are sorted in descending order of recommendation.

Platform: Recommended clients (in descending order of recommendation)
Windows/Linux: KeePassXC (open source and free, Qt framework)
macOS: Strongbox (open source; advanced features €15/year or €60 one-time purchase); KeePassXC; KeePassium (open source; advanced features $20/year or $80 one-time purchase)
iOS: Strongbox; KeePassium
Android: Keepass2Android (open source and free); KeePassDX (open source and free, with a donation version for a $10 one-time purchase)
Browser: Strongbox built-in (Chromium, Firefox, and Safari); KeePassXC-Browser (Chromium and Firefox); KeePassium built-in (Safari only)
Command line: KeePassXC built-in

(In fact, I have tried far more than these; those not listed basically have significant functional deficiencies or have stopped maintenance. While they may barely work, the experience is so poor that I won't list them all to waste everyone's time. Interested readers can try them on their own.)

By the way, if you are considering other options because you are dissatisfied with 1Password's switch to a "wrapper" framework, I particularly recommend Strongbox on macOS/iOS. Although the pricing is a bit of a barrier, it is definitely one of the most faithful to Apple's design guidelines that you will have seen; its "native feel" even surpasses that of the old version of 1Password, which was famous for exactly this; and it achieves a user experience that rivals 1Password on the rudimentary foundation of KeePass, which shows impressive capability.

(Image: Strongbox)

Initial Configuration Difficulty#

For a "fully managed" service like 1Password, part of its price is the service cost. Since we are considering DIY solutions, some hands-on work is naturally unavoidable. However, there are indeed many differences between Bitwarden and KeePass regarding what aspects require hands-on work and to what extent.
