So I’m looking for a simple Windows-based password manager program (Windows 10). It doesn’t have to do anything other than store username and password combos in a non-cloud-based, secure, on-device database. (Read as: I don’t want to have to make an account anywhere or touch the internet to get at passwords.)
I don’t need it to do much of anything, including: connect to the internet in any way, sync passwords between devices, check passwords against “Have I Been Pwned”, etc.
I only have a few small requirements: that it be a properly secured and encrypted on-device database, that it be master-password protected, that it have the ability to copy passwords to the clipboard for use inside the operating system, and if it has a way to export/import and back up the secure database, that’s a plus.
KeePass is probably going to be your best option for an offline password manager. I don’t want to pry into your reasoning for needing a completely offline solution, but I will say there are free and self-hosted solutions that can meet even your highest security needs. If self-hosting a server is an option, I’d take a look at Bitwarden.
Funny that you say that. It’s not really a need, it’s a want. I belong to a small camp of people who believe that if you host things as valuable as your personal passwords on the cloud (“someone else’s computer”) and they are somehow compromised, then you are relying on them to disclose that information and rectify the situation. I’m sorry to say, I don’t trust any companies that implicitly. I hate the idea of giving a company all my private information and leaving its ultimate security up to them. So yeah, it’s a little tinfoil-hatty. But that is how I’ve decided to structure my own personal threat model. Thanks for the answer tho. I’ll look into KeePass.
So one of Bitwarden’s approaches to privacy is using a zero-knowledge security model. This means that your password database is fully encrypted and only ever decrypted on the client-side device. So even if their servers were to be breached, the hackers would only get an AES-256-encrypted copy of your database. This also means Bitwarden is unable to see anything you have stored in your password manager.
Oh, and Bitwarden’s code is open source and has gone through multiple security audits. So not trying to twist your arm but it’s a lot more secure than you probably think.
While that seems very reasonable and even a great security/business model, one of the other principles of my personal threat model is reduction of attack surface.
Now I imagine that even with a zero-knowledge approach like this, they (Bitwarden) will still require some sort of registered account and password combo to confirm and establish ownership of a password database which they host. Also, that may or may not involve paying for the services, which would additionally tie PII and payment details to a specific user account/pw DB. All of that increases exposure risk and is counter to tighter security hygiene. Even if I cannot tell you today how that might be a possible attack vector tomorrow, by limiting the risk in the first place, you’re better off.
KeePassXC is a more modern take and I’d second the use of this.
@Whizdumb how will you make and sync backup copies of your password database? You can’t just keep it all on one device. If that device dies, all your accounts die with it.
But that’s why I said it would be beneficial to have the ability to import and export password databases as long as they are securely encrypted. Then I can also use a thumb drive or external HD to back up those things.
I use an open source piece of software called FreeFileSync - so good that I support the project. I then sync various folders/directories to a couple of encrypted USB sticks that I always have upon my person.
Sounds like you want something like gopass; it just GPG-encrypts text files and can do clipboard stuff. So you would just create a password-protected GPG key on your machine and use that for gopass.