Hacker Newsnew | past | comments | ask | show | jobs | submit | Alpacalex's commentslogin

If your concern is third-party reliability but you'd still like a password manager, I'd say your best bet would be pass + git. pass uses gpg to encrypt each password separately in a file structure, and works very well with any sort of git repository making it accessible across devices. Depending on how you set it up it can be 100% in your control with minimal configuration (in my case though I've been lazy and just hooked it up to a private GitHub repository).


+1 for pass. It does one thing and does it well. Zero bloat. I use a simple emacs helm plugin to quickly copy the password to clipboard. Very happy with this setup.


How do you sync to mobile browsers with pass + git?


I don't, sorry. My previous password manager, while it did have a mobile app, was painful to use so I don't miss that too much. For my most important stuff I use rememberable passwords.


If you're using a *nix system: https://www.passwordstore.org/ I switched over from LastPass a few months ago. It uses gpg for encryption and supports git for password syncing between systems. Pretty simple to set up and use. There are quite a few third party apps for it already (both desktop and mobile).


Does this still have the problem of leaking metadata (site names, etc.) in plain text? I don't want to manually obfuscate them.


If you don't like manually obfuscating things, just keep your passwords in a txt file.


I've been amazed by Pass, but couldn't find a thorough review between Pass and KeePass(x). Is one safer than the other?


`pass` is based on well-established cryptography implementations: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the Edward Snowden documents.

It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.

KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography. (see e.g. [0]) That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.

I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.

[0] https://news.ycombinator.com/item?id=9727297


Thanks! I'll definitely migrate to pass soon.


One big difference: pass only encrypts the password. All metadata is plaintext, so anyone can see a full listing of what online accounts you have.
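The metadata point raised in the two comments above can be checked directly on disk. The script below is an added example, not code from the pass project or from any commenter: it constructs a throw-away store with the same layout pass uses (one `.gpg` file per entry, a plaintext `.gpg-id` file naming the recipient key) and lists everything an attacker with a copy of the directory learns without ever touching the GPG key. All paths and the key id are constructed placeholders.

```python
"""Audit what a pass-style store reveals without the GPG private key.

Added example (not part of passwordstore.org). The store it builds is
constructed sample data: the .gpg files hold placeholder bytes, not real
OpenPGP ciphertext, because only the directory layout matters here.
"""
import tempfile
from pathlib import Path

# Constructed entries in the "category/site/username" layout many pass users adopt.
SAMPLE_ENTRIES = [
    "web/example.com/alice",
    "web/bank.example/alice",
    "email/alice@example.org",
]
SAMPLE_GPG_ID = "0xDEADBEEFCAFEF00D"  # placeholder key id, not a real key


def build_sample_store(root: Path) -> Path:
    """Create a pass-like store under root and return its path."""
    store = root / ".password-store"
    for rel in SAMPLE_ENTRIES:
        target = store / f"{rel}.gpg"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"PLACEHOLDER-CIPHERTEXT")  # stands in for gpg output
    # pass writes the recipient key id(s) in plaintext so it knows whom to encrypt to.
    (store / ".gpg-id").write_text(SAMPLE_GPG_ID + "\n")
    return store


def exposed_metadata(store: Path) -> dict:
    """Report what is readable with no key: entry names, key ids, and the
    subset of entry names that embed an account identifier (contains '@')."""
    entries = sorted(
        p.relative_to(store).with_suffix("").as_posix() for p in store.rglob("*.gpg")
    )
    gpg_id_file = store / ".gpg-id"
    gpg_ids = (
        [line.strip() for line in gpg_id_file.read_text().splitlines() if line.strip()]
        if gpg_id_file.exists()
        else []
    )
    account_names_leaked = [e for e in entries if "@" in e.rsplit("/", 1)[-1]]
    return {
        "entries": entries,
        "gpg_ids": gpg_ids,
        "account_names_leaked": account_names_leaked,
    }


def demo() -> dict:
    """Build the constructed store in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_metadata(build_sample_store(Path(tmp)))


if __name__ == "__main__":
    report = demo()
    print("Visible without the key:")
    for key, value in report.items():
        print(f"  {key}: {value}")
```

Point `exposed_metadata` at a real `~/.password-store` to audit your own layout. Two further plaintext channels are worth remembering when the store is pushed to a hosted git remote: pass's own commit messages name the entry path they touch, and the repository history keeps every entry name ever added, even after deletion.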


pass is as safe as your gpg installation and your gpg key because that's the encryption it uses.


That's a dangerous oversimplification. By that logic "LastPass is as safe as AES as that's what it uses" which is obviously not the case.

A system is as secure as its weakest component.


I tried LastPass, but didn't trust them, so I found https://www.passwordstore.org/ some year ago. I can't emphasize enough how good it is, mainly because it is so dead simple and transparent in how it works, and also because it has great bash integration, and uses git which makes it easy to sync between your machines. There is also a firefox plugin that integrates with it, but I don't really see that you need it: it is so easy to use at a prompt.


I use password store too, and it works really well. I'm on MacOS but getting it to work under Android and Windows was a breeze.


That's brilliant, thanks a lot!

I never trusted "cloud" (read: not yours) password stores. I have been using KeePass and manual syncing, but I had my doubts about it too.

This looks perfect and simple!

