Recommended Password Managers


A good password manager should be securely hosted, securely accessible, generate secure passwords, navigable, portable and convenient.

Securely Hosted

A good password manager should be able to be hosted client-side. It should not be hosted by an external service with access to the data inside, e.g. a cloud-based PM like LastPass.

Securely Accessible

A good password manager should be able to be accessed securely. A good example is encrypted database that is hosted on your device that requires a master password or file to decrypt without making any outbound connections to confirm. A bad example is one that requires a web interface to access or requires verifying the master key over the internet.

Secure Password Generation

A good password manager should not only host a database of existing passwords but also generate them as a feature of the program. These generated passwords should be secure with scalable levels of length and bit entropy.*


A good password manager should be easily navigated by search or otherwise such that the desired passwords can be quickly found.


A good password manager should be accessible from wherever a user might need his secrets. It should not necessitate installed software to be securely accessed - it should be able to be accessed from a smartphone or another user's computer, by app, ssh, web or otherwise. Databases should be synced across the user's platforms.


Finally, a good password manager should be convenient. It should be easy to access and use and incorporate into one's life. As the NIST Password Guidelines make clear, good password management is tied directly to the overhead cost of maintaining a strong password system - if a password manager with securely generated passwords is hard to use, people will revert to basic, insecure passwords.

Pass: The Standard UNIX Password Manager

Pass is a robust, CLI password manager that stands on the shoulders of giants for its encryption and syncing: PGP and Git, respectively. It also makes use of venerable pwgen for its password generation.

The database is encrypted to the user's own private PGP key, which acts as a master key to unlock it. It can then be uploaded and synced using git, which will also result in versioning (backups). In this way, a user could upload his database to a private or public cloud (in any git host, such as GitHub) where it would still be encrypted and secure, and would only need to carry his private PGP key with him to access his password database.

zx2c4@laptop ~ $ pass Password Store ├── Business │ ├── some-silly-business-site.com │ └── another-business-site.net ├── Email │ ├── donenfeld.com │ └── zx2c4.com └── France ├── bank ├── freebox └── mobilephone

Pass has a selection of community based implementations that have made it accessible on all major platforms - Windows, Linux, OSX, iOS, Android, etc.

For basic install and setup of Pass synced to a public Github repository, see the Appendix.

However, it is limited, by design, in its UNIX based file organization which enforces .. filenaming convention. Its command line interface requires some memorization of the file structure or expended effort digging through the folders to find the desired password, and can become somewhat unweildy with a large number of secrets. Pass also does not attempt to include any quality-of-life features such as integration with browsers for automatic website login.

↑ Return ↑