While we're at it, is there any open source self-hosted alternative to LastPass etc.?
At this point we'd even go so far as just using a good KeePass client that comes with a comfortable "send encrypted password blob to xy email, then call him and tell him this decryption password" function.
As KeePass uses a single (encrypted) file, you can use any hosting service that you want. Just make sure you save the new version back into your storage when you edit entries. You can use Owncloud, Google Drive, OneDrive, ...
because now you have to think about the attack surface of the browser; CSRF, auditing your chrome extensions to try to make sure none of them are exfiltrating your tab contents / metadata, etc etc etc
Ahh shit, and I was just beginning to think that a site I found a while back (can't remember the name) which used a hash function to generate your passwords
Don't forget that with KeePass you can also use as many files as you want. I know that I've been slowly moving from a single password file to a small constellation of context-specific password files. It's an interesting tool in the toolbox and you can even use that to help do things like manage the sync characteristics per KeePass file (this file should never leave this device, this file is synced by Resilio Sync, I'm alright with this other file hanging out in my OneDrive for easy access on devices I only partially trust, etc).
I just recently started using it myself, and I completely agree it works well for my use-case.
I did find one major annoyance: the forced use of colours for the "Directory" names. I did some digging and found out that within the program it calls the external program 'tree' for the display.
I edited the file (/usr/local/bin/pass) from:
tree -C -l
to
tree -n -l
It was much easier than I expected, and I was pleased I didn't need to use a hex editor.
I should have specified better. The main reason why LastPass is interesting at all, is Team Support + a good web UI. We need to be able to send passwords to team-members so we have one source of truth for our logins.
bitwarden was mentioned in a previous thread as a free and open source alternative to LastPass. It works on mobile and the desktop. Maybe it's worth taking a look - https://bitwarden.com/
Not that I'm aware of. There's a bunch of commercial ones, including ours, but development costs make it hard to just open source it if we don't have assurance that people will actually buy whatever value-added services we can come up with around it.
That's the usual chicken + egg problem. Thing is, I don't trust LastPass or any other commercial solution at all, because there is no public auditing possible. And LastPass has had breaches, so there is precedent.
But I really get where you are coming from, as we are also a SaaS Shop that has to walk that particular line.
You could create a new KeePass file to send in the email, copy the only password entry you need into the new file, then send the file and, out-of-band, the password to that file.
You could probably even script a KeePass plugin to automate several of those steps.