@BearWithBeard said in Best password manager?:
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Yeah, I think I share this preference. The only advantages I can think of for storing a password vault in the cloud are:
- Presumably, it's backed up often and regularly by whichever vendor you pick.
- Perhaps it's easier to share keys across different, distant platforms. In my case, I don't forsee much need for this.
- If it perhaps comes with very good software and extensions/integrations that makes it more convenient and/or easier to use (especially for a spouse or son/daughter to use) than alternatives. I don't see anything that inherently requires a cloud for that, but competition among password companies and the money they rake in obviously helps in getting it built and maintained, let alone well documented and supported.
On the other hand, I think for local network passwords, of which there can be many, there's an obvious advantage to not depending on the cloud for password management, since you will still want access even if your internet connection goes down. So, based on the helpful feedback here (thanks everyone!), I'll probably look into Bitwarden also.
I have no evidence for it, but given the choice, I think I'd rather have the password vault stored in some kind of specialized security chips that were cleverly designed for that purpose. Somehow, anything on a general purpose computer just seems inherently more vulnerable, even if it's on a local network rather than on a cloud computer. So, if there's any truth to that, I imagine there are already specialized devices on the market which cater to that. At this point I just need to learn enough so that I at least become aware of what the essential features are to look for.
Anyhow, I could imagine that in the end I may (probably) end up with two separate, non-overlapping methods for "access management" (for lack of a better term). The first would be for those websites or network devices that are of the more primitive, password-oriented type (as described by @mfalkvidd t above), because if that's what they use exclusively, there's just no getting around it. The second would be a method better suited for devices/websites that can be accessed using more sophisticated, non-exclusively password methods that are just better and much more secure than resorting to passwords. In this way, one uses the best of what's available, and it should still be manageable because there are just two schemes to consider.
And I would "turn on" 2FA and use it whenever possible. I'm finding that in many instances it is already supported as an option for banks, brokerages, email, even if it's not currently required. Though not a secret, most often its existence is poorly advertised. However, now that I'm looking for it, I'm finding that a lot of sites have it.