I used enpass for years and was a happy user. one day it prompted me for some re-authentication bullshit security theater. although in that instant it was an easy task, took me all of 10 seconds, it demonstrated a scary amount of power they had as I couldn't bypass it and access my data. from that point on, its days were numbered.

the second issue is the export functionality that was seriously lacking and I had to resort to 3rd party converter tools to convert it to keepassXC; no way that flew by their QC, it had to be intentional.

I do this for sites where I don't care at all about security. One minor tip, that will protect against automated attacks if the password is cracked, is to add part of the website name into the password (e.g "mystrongp4ss!lemworld") .

A human could easily crack it, but automated systems that replay the password on different sites would probably not bother to calculate the pattern.

this one, OP. no need to introduce the horror that's a:

• hosted app (why?!)
• client app is electron crapware
• the client app doesn't even have full functionality, you have to use the web UI for some tasks

edit: I'm obviously speaking about the bitwarden/vaultwarden horror. keepassXC is none of them things.

You also have to keep track the site and how you spell it. For example is it "Microsoft" or "microsoft"?

And keep track of the current name of the site vs the old name. For example am I signing into Microsoft or Live.com or Xbox?

And keep track of my username. Is it my email? Which email? Which username?

I understand the concept but I think if falls apart fast.

Same boat for me, works great! I got the NFC Yubikeys which work fine with Android.

Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.

Yup, but most of that is easily solvable by being consistent, e.g. always use lowercase and your email (even if it's not the login for that site). But yes, you need to know to be consistent so it's a good point to make.

I did self-host bitwarden and it's not that bad to keep updated and running after initial setup (including backups obviously) but it still requires some time and effort to keep it running. And as I was the only user for the service it just wasn't worth the time spent for me (YMMV) so I switched to their EU servers and I've been a happy user ever since.

What I should do is to improve local backps on that, currently I just export my data every now and then manually to a secured storage, but doing it manually means that there's often too long time between exports.

If just one or those passwords gets leaked you might find a lot of other ones get cracked as well.

It may not be sites that you care about. But using a password manager is a lot less effort and a lot safer than whatever technique the average Joe will come up with.

Any password that leaks which could indicate a potential system ( e.g.: sitename in lower/upper/leetspeak) makes the whole thing even more vulnerable.

Just use something. Bitwarden, vault warden, keepassxc, ...

Knowing my social circle I'd recommend bitwarden. Even paying for it costs a measly 10$/year, while the free version is very usable in itself. And generating passphrases or 32char passwords will be a lot safer than whatever the hell they can come up with.

Just avoid the default browser ones, big tech and LastPass.

On mobile I indeed also had that issue once. However I made sure they can't lock me out completely. The db is stored using the opensource sqlcipher, so one can open it and extract everything manually, if absolutely necessary. As long as they don't change this, I am fine. In the worst case that would still be a lot of effort for me, but not impossible.

The export has also improved a lot. You can now also export to JSON which includes all the data one could need.

KeepassXC is the only thing that makes sense to me.

I don't want all my passwords stored with some huge target like lastpass or bitwarden.

Encrypted local (and synced) DB is the only way.

Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.

• Headless server
• Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user's session
• Provides a range of search, list, and get commands
• Minimal dependencies and small code base make rook reasonably auditable

You might be interested in rook if you're a KeePassXC user. Why might you want this instead of:

• Gnome secret-server, KDEs wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) sync'ing when passwords change.
• One of the browser secret storage? Those also keep a bespoke DB which needs to be synced, and they're limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc, etc).
• KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
• The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.

Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.

I have more than 120 electronic identities, impossible to track the counter or to remember the tld of all websites I visit.

The concepts is only useful in a very small and defined scenario.

I use GNU pass synced through an internal Gitea. Have wireguard to sync remotely. Works pretty good, I would recommend not setting an expiration on the key, the git history keeps the old encryption anyways.

Hahaha, that's the point of a password manager. If remembering worked, we wouldn't need any of this.

Also, I have 300+ unique logins.

My point is that of those 120 probably 110 have never been compromised nor forced you to change the password due to expiration policies. The remaining 10 are the ones that require some mental gymnastics, so while the problem exists it's not as serious as it sounds. I probably have more than 120 identities using this method since I've been using it for years, and I don't think I ever had to use the counter, it's a matter of being consistent in how you think about websites, for example if you know how you refer to a site slugify it and use that for the field, so you would use spotify, netflix, amazon-prime.

I look at it like this:

• I don't absolutely trust the security of my server. Sure, it hasn't had a breach.....yet, but that possibility is inevitable, given the amount of bots that keep trying to get in by the minute. It's secure, yes, but is it secure enough to entrust the keys to my bank account, my business ventures, et al? IF somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic since all online accounts are silo'd with only a couple that are linked.
• Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recent as '23 but these have been remediated.
• Confirmation bias...I've been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.

While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it's better to defer to more secure options when dealing with highly sensitive data.

This is the way to go.. though I've moved from pass to go pass which is basically the same thing but written in go and looks to be better maintained.. also moved from gitea to forgejo since I think gitea has had some maintainer changes over the last couple of years that may not have been in the spirit of remaining fully FOSS

KeepassXC + Syncthing. Using for 2+ years no issues. Have separate database files for each device and merge them as needed.

This. And to add to what other commenters have said, by using Bitwarden and paying for their Premium plan (very cheap, just $10/year), even if you don't use all their features, you're supporting a good project. It's critical infrastructure, I think the price is more than fair.
Either way, you should always make periodic backups from any cloud service you use, encrypted of course.