Ask HN: Best Password Manager without cloud login?
13 points by jiveturkey on Jan 4, 2024 | 25 comments
I am an expert at password management, but I don't necessarily know all the vendors of such.

Without exhaustively testing all the vendors, my personal judgement is that 1Password is about the best across many axes. However when they forced the subscription model (with VC-rationalized justifications) I abandoned them and went to BitWarden. BW is very much not as good but it's more than just good enough.

One defect that has bothered me about BW is that to unlock the vault, locally, you have to be able to contact the BW server. (I'm using the BW free cloud, not self hosted.) Right now, for the past 30 minutes, I've been unable to unlock my local vault due to being unable to log in to the BW server. BW status page says all green. It could very well be a local/regional connectivity issue and not their systems actually being down. Doesn't really matter, this situation is unacceptable.

I do want to sync between a few devices, without hoops, so I do need their cloud service for that (don't I?). I cannot run an available enough self hosted service. I'm perfectly ok with BW and the way sync is done, it's just the vault unlock dependency which I can no longer tolerate.

Does the community here either know how to configure BW to retain sync but not have this cloud dependency on local unlock (sorry for basic tech support question!), OR do people have recommendations for a different provider that is either free or perpetually licensed? Obviously one can't run a cloud service for free, but I'm thinking iCloud or wifi or other kind of sync.

I am confident that KeePass can do this but I am also confident the UX and the DIY-ish nature of it is not for me.

I'm ok with an iOS+Mac-only solution, I can do something different/disjoint for the rare other usage I might have.



If you use KeePass, and you probably will because I'm unaware of any other viable non-cloud options, make sure you use the KeePassXC variant. KeePass is dead.

https://keepassxc.org/


It has been absolutely rock-solid for me on Mac and Android. I used Google Drive to sync the passwords. Now I use Syncthing, another rock-solid piece of software.


Google Drive has begun choking on attempts to open KDBX files for writing and uploading. Especially on ChromeOS, we're having a difficult time when the vault is stored in Drive. This may be a deliberate design at Google, due to the fact that KeePass directly competes with their in-house Password Manager offering. I've implemented a long-term migration away from everything KeePass.


I've implemented a long term migration from everything Google.


By contrast, I find the Authenticator and password management offerings from Google and Microsoft to be quite serviceable by now. They lack many cushy KeePassXC features, but someday will reach parity. The convenience and tight integration is so important. I always prefer first-party, bundled software above third-party.

Especially because the KeePass ecosystem is maintained by some kind of fly-by-night, pseudonymous Eurohackers, who knows what undesirable foreign influence is operative here. I already have very uneasy suspicions about the integrity of their supply chains and password generation capabilities.

I'm very happy to fall into the arms of Big Tech whom we already trust for everything else (and if you personally refuse to maintain accounts with Google or Microsoft, remember that every single corporation and government does so anyway, with all your data at stake.)


> I'm very happy to fall into the arms of Big Tech whom we already trust for everything else

Because we are forced to give them our data does not mean at all that we trust them. They should never have been allowed to get that big in the first place.

> The convenience and tight integration is so important.

Freedom and competition are important, too.


I followed a similar path as you did about a year ago. Having tried a bunch of options, I can strongly recommend Strongbox - fantastic native apps for iOS and macOS, with your choice of sync mechanism (local-only is also a first class citizen), and it uses the KeePass file format so you can use your client of choice on other operating systems/no worries about lock-in. Good system integration and autofill extensions. I also appreciated that there was an option for a one-time purchase.

https://strongboxsafe.com


I might be missing something here, but what do you mean by this?

"One defect that has bothered me about BW is that to unlock the vault, locally, you have to be able to contact the BW server."

If my device is offline I can still unlock the vault and access my passwords.


Huh. And if your device is online, it syncs via BW cloud?

I don't remember 100% but I thought a long time ago I had a local-only kind of BW setup. At some point I had to (or was dark pattern encouraged to) create a BW account on their cloud. Ever since then, my local vault has my email address associated with it.

Right now, if I open the app fresh, I get the "login page". There don't seem to be any other pages/dialogs that one can open at this point. "Log in or create a new account".

The field to log in is an email address. The choices are to log in on bitwarden.com, bitwarden.eu, or self-hosted. There is no option to unlock the local vault without contacting one of the 3 server options. I use bitwarden.com. If the server can't be reached, the vault does not unlock.

There's another option to "Create account". That requires an email and password setup. There's no server selection on that pane.

There's no option to not use an "account" and just unlock the local vault. There's no option to create a vault, apart from creating an "account".



Second this, it's simple, made with bash, git and gpg. I've been using it for years myself, and I've also used it as a shared password store at different workplaces with ease.


You can use KeePass on iCloud, I'm pretty sure. I use it on Syncthing without issue, it should be service-agnostic. The experience has been pretty great in my experience, but it mostly depends on the quality of the client and backend you pick. YMMV, but I wouldn't be afraid of it.


I'd observe the painful bit of password management is not so much the management but retrieval and entry.

If anyone's found something that is slicker than 1Password at this (and which can handle typical developer problems like needing half a dozen or more different logins to the same site) I'd love to know about it.


SamuraiSafe is available for iOS and Mac. I use it. You can sync via iCloud, or any old way you want. It asks for a vault when opened. Free, and no ads.

https://samarama.net/samuraisafe/app.html


I always recommend using the most secure password manager there is... your own memory and brain power ;)

Create a system or pattern based on url or brand and mentally hash it into a password.


> Create a system or pattern based on url or brand and mentally hash it into a password.

Doesn't sound very secure. Also, when you realize that you have to trust cryptography anyway, I believe it starts making a lot of sense to have an actual cryptographic key and encrypt it with one good random password you learn by heart.

I use pass https://www.passwordstore.org/, which encrypts my passwords with my GPG key, which comes from my Yubikey, which I unlock with a password. That means that I only need to remember one password, and it feels a lot more secure than your pattern based on url or brand.


That is decidedly not secure. A critical part of any password manager is URL validation.


Famously subject to the $12 attack - buy a monkey wrench from the hardware store, and hit you with it until you tell me your password. Not as secure as many other approaches?


I use KeePass. It's portable and you can have full control of where the database is stored.


Is there something that precludes iCloud Keychain from your list?


Hard to store arbitrary secure notes, credit card data is in a separate place, passwords not associated to a website are difficult, additional notes on top of the password (e.g. security question answers -- you should NEVER supply real answers to knowledge based questions) are difficult. I'm sure there are more issues I can't readily come up with on the spot.


KeePassXC


Secrets, Macpass on macos.


LastPass


Is it a joke, or do you genuinely not know that you should run as far as you can away from LastPass?



