Password Managers, Sigh

Wellesley, MA

I’ve been using pwsafe on the command line for almost a year. I chose it because it:

  • is open source
  • has a small and portable implementation
  • uses an open data format
  • was originally implemented by a well-respected security developer
  • shares its data format with many other projects that are more active and have UIs that might appeal more to the mainstream. Regrettably, many are not open source. (sigh)

It’s less than ideal because it:

  • has only a command line interface that I can’t bring myself to impose on my wife
  • is unmaintained, which suggests, among other things, that it’s not getting security updates
  • has fallen behind the pace of development of the original implementation, which is a Windows app with an awful UI
  • isn’t available to me everywhere. I don’t have it on my phone, nor from a friend’s computer.

There is an iPhone app, and it’s even open source, but it only supports the newer “v3” database format, whereas my command line tool only supports “v2”. There is a Mac app from the same developer, but it’s not open source yet, as far as I can tell.

1Password and LastPass are tempting. Of the two, I would prefer 1Password, since it delegates syncing password data to a separate service that I can choose, whereas LastPass uses its own sync service. But I continue to hold out hope for a better way than trusting a closed-source, proprietary program that stores my data in a format only readable by one tool.

Thanks to Bruce Schneier for the original work, to Rony Shapiro for continuing to maintain the original Windows application, and to App77 for the iOS and Mac apps they’re developing.

I love that App77 is building on Bruce Schneier’s original work and taking big leaps forward relative to the original tool’s UX. I’m holding out hope that one of App77, AgileBits, or LastPass eventually opens the source for their complete application.

Know another password manager that fits my ideal? Or one I should keep an eye on?

As a footnote, I also looked at:

Thanks to Bradley Harris for pointing out some bad information in an earlier version of this post. And to Mark Merolli for reminding me about LastPass.
