Buttercup is an open source password manager for Windows, macOS, Linux, Firefox and Chrome
There is no shortage in supply when it comes to password managers, but not all of them are open source.
Buttercup is a free password manager, which is open source and offers cross-platform support. Open source, at least in theory, gives everyone the opportunity to check the source code of applications or services to make sure they are clean, and to compile the applications manually.
Tip: check out Martin's review of his favorite password manager KeePass here.
Buttercup is available for Windows, macOS and Linux, as a desktop application, for Firefox and Chrome as browser extensions and for Android and iOS. Every major operating system is supported by the password manager.
Buttercup encrypts the database in the .BCUP format using AES 256-bit CBC mode with a SHA256 HMAC (similar to what KeePass uses).
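As an added example (not code from this article or from the Buttercup project), the following shows the general encrypt-then-MAC pattern that "AES-256-CBC with a SHA256 HMAC" implies: the HMAC is verified in constant time before any decryption takes place. The PBKDF2 key derivation, the iteration count and all function and field names are assumptions for illustration and do not reflect the actual .BCUP layout.

```javascript
// Added illustration: generic encrypt-then-MAC with AES-256-CBC + HMAC-SHA256.
// NOT Buttercup's .BCUP format; KDF choice, rounds and names are assumptions.
const crypto = require('node:crypto');

const PBKDF2_ROUNDS = 100000; // assumed work factor for this example

// Derive independent 32-byte encryption and MAC keys from the master password.
function deriveKeys(password, salt) {
  const okm = crypto.pbkdf2Sync(password, salt, PBKDF2_ROUNDS, 64, 'sha256');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// The MAC covers salt, IV and ciphertext (fixed 16-byte salt and IV, so the
// concatenation is unambiguous).
function macOver(macKey, salt, iv, ciphertext) {
  return crypto.createHmac('sha256', macKey)
    .update(salt).update(iv).update(ciphertext).digest();
}

function sealVault(plaintext, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16); // CBC needs a fresh, unpredictable IV
  const { encKey, macKey } = deriveKeys(password, salt);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: macOver(macKey, salt, iv, ciphertext) };
}

function openVault(box, password) {
  const { encKey, macKey } = deriveKeys(password, box.salt);
  const expected = macOver(macKey, box.salt, box.iv, box.ciphertext);
  // Check the HMAC first; unauthenticated CBC ciphertext must never be decrypted.
  if (expected.length !== box.tag.length || !crypto.timingSafeEqual(expected, box.tag)) {
    throw new Error('vault authentication failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, box.iv);
  return Buffer.concat([decipher.update(box.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample: flip one ciphertext bit and confirm the vault refuses to open.
function tamperIsRejected() {
  const box = sealVault('{"title":"example.test","password":"constructed"}', 'master-pw');
  box.ciphertext[0] ^= 0x01;
  try { openVault(box, 'master-pw'); return false; } catch { return true; }
}
```

A wrong master password fails at the same HMAC check, because it derives a different MAC key.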
The best part about it is: you choose where the password vault is stored. The program does not store the password database in the cloud on company servers; options that it provides are to save the vault data locally on the computer or mobile device, or to save it online using one of the supported cloud services:
- Google Drive
So, privacy isn't an issue with Buttercup. But, for your own peace of mind, just make sure you have 2-factor authentication enabled on the cloud service you are using for the vault for that extra layer of security. Check out our Dropbox, Microsoft Account, and Google two-step verification guides.
The service supports popular third-party cloud providers as well as self-hosted solutions; the latter options are more difficult to set up but they provide better control.
How do we get started with the password manager? Desktop version or browser add-on? That's your choice. Click on the + button to add a vault; you can add as many as you want. Use one of the above-mentioned options to create a new vault. I chose to create one in Dropbox. Now to the vault.
Managing the vault
Buttercup can import an existing password database from the following programs/services.
- 1Password - .PIF
- KeePass - .KDBX
- LastPass - .CSV
- Bitwarden - .JSON
- Buttercup - .CSV
You can export your Buttercup database in the CSV format. Buttercup allows you to create groups which you can use to categorize your accounts.
Save logins (when you enter credentials)
Visit any website where you have an account and login, to see a "Save login" prompt. Doing so will allow the extension to store your credentials securely in your personal vault.
Save logins manually
To manually add an entry, open the vault, and click the "New entry" option. Enter the username, password, and URL in the respective fields and hit save.
Note: This wasn't working for me at all in the add-on. An issue on the GitHub page says that this was addressed recently. I tried re-installing the add-on in Firefox, and also tried the Chrome extension on Microsoft Edge Dev, but no dice. I tried this for a few days, and nearly gave up on this feature, but tried the desktop version to add new entries manually. It worked perfectly. This workaround might be a deal-breaker for some people.
This is, in my opinion, the 2nd most important feature in any password manager, next to securely storing passwords. You need unique and strong passwords for each account, and Buttercup's password generator delivers just that. It is available in the extensions and desktop programs.
Options that are available here include adding lowercase and uppercase letters, digits, space, and symbols, and you can also set the length of the password. I found the option to use "Words" (it generates random meaningless phrases) to be odd. Regardless of how bizarre the sentence appears to be, I'd rather not have pronounceable content in my passwords; it may be an option if you need to remember the password though.
There are very few options in the program most of which are basic. You can use it to move logins from one group to another and for copying the password, username or URL to the clipboard. You can also store notes securely in Buttercup to protect them using strong encryption.
Note: Firefox warned me about the Buttercup installer saying "This file is not commonly downloaded." It probably has something to do with the program having few users.
Buttercup is not available in a portable version for Windows and macOS yet, but a Linux version is available.
Buttercup Add-on + Settings
The add-on has options to create a new vault, open an existing one, a password generator; basically just like the desktop version. It does have a few extra features such as auto-fill to fill out login information automatically.
Click on the icon which appears in the username or password field and it opens a pop-up menu which lets you search for the entry you wish to use to fill the fields. The other invaluable feature is that you can set Buttercup to automatically lock the vault and define the time after which it should lock it. You can enable or disable a dark theme for the interface. And there's a Save option which you can set to show up when you fill up a form.
Buttercup mobile app
The Android app is bare-bones and only allows you to add a remote archive. So, there is no way to create a new vault and store it on the device. It supports auto-fill and clipboard copying, however. I did not test the application for iOS.
Where it impresses
- The Buttercup add-on is brilliant, has a nice UI and is quite user-friendly. The option to store your vault in a location of your choice is good. The auto fill is handy too.
- The mobile app can be of help when you are away from your computer and wish to access your logins, but it cannot be used on its own.
- The desktop application is alright, but for one issue.
Where it falls short
- New entries aren't being saved by the browser extension.
- My major complaint is regarding the desktop program. While you can lock (close) an archive manually, there is no auto-lock option. So once you unlock an archive, it stays unlocked until you close it. This is a massive security risk, and I had to check the application multiple times to see if it was hidden. It is puzzling as to why the add-on has auto-lock, but the desktop version doesn't.
Yes, I know Buttercup is Electron-based software, and I also know some of you love those. You can try the browser add-on if you want to; it's quite nice.
Buttercup's cloud service is quite similar to how I use KeePass across my devices. But I prefer the latter over any password manager, it's always been irreplaceable.
Buttercup is a cross-platform application that is pretty much available for every major system out there. The application has certain strengths such as the ability to store passwords locally or using cloud providers or self-hosted solutions. It falls short in the features department; the mobile Android version in particular is lacking and not usable on its own.
The option to store the password database in the cloud may be useful but it is not a unique feature. Even services that don't support it natively support it to a degree provided that you sync data with your local devices.
All in all, it is an option if you are looking for a cross-platform open source password management solution.
Now you: which password manager do you use, and why?
The biggest problem I have with all of these password managers is that they don’t allow you to store an email address along with the URL, login, and password. So, if you’re like me and have different email addresses associated with different websites, there’s no way to filter by email address and see which sites are using it.
Just add it to the note field that basically every password manager has for website entries. I also do the same for when I make up fake answers for security questions.
If you are using Keepass this is quite easy to do. I’ve just tried it out and the search function works in all applicable fields: Title, Username, URL and Notes, but also in the Attributes tab where you can enter additional information.
Password Safe has a username field which I use for the email address that I used for the site.
Kee Pass allows that. The best way to store the email is usually in the Username field.
But you can also create any custom field you want, and put it in here. And custom fields are different for each entry.
The developer of Kee Pass has often been asked to put a dedicated email field, and he has explained why he won’t do it.
The user needs to be able to choose what he puts in the Username field. Usually, it’s the email you registered with, but for some sites, it may be… your actual user name (Bill, versus [email protected]).
The password field will always receive a password.
It’s 90 MiB in size! o.O
A quick remark, Ashwin, could you please save the screenshots in .PNG format? They are simple images with nothing complex in them, so it will actually take less space as lossless PNG. Here is an example of a VLC screenshot, both in .PNG and .JPG (saved directly from MS Paint): imgur.com/a/JPICei2
size: 36,0 KB (36 864 bytes)
size: 44,0 KB (45 056 bytes)
I wouldn’t have a problem myself if the files were just larger, but the compression used is really aggressive. From here it looks like somebody smudged some vaseline on my screen.
Another bloated Electron app. No thanks! I use Password Safe. Portable, lightweight, less than 12.3 MB, simple GUI, YubiKey, can import KeePass.
“The Cloud” is just someone else’s computer.
That’s like saying “A truck is just someone else car” (metaphor). It’s just not that simple.
“the cloud”(s) not just an NFS share. There are access and security technologies that not only put it out of the ballpark but in a whole other league. (another metaphor).
The same access and security technologies work on anyone’s personal computer as on a server. There’s no real distinction – only whether one chooses to use them.
Web servers are hacked all the time and used to gain access to corporate servers which are (allegedly) behind a firewall which is supposed to prevent that – but doesn’t.
There is no such thing as “secure.” A thing is “secure” only until someone else with patience, skills and intent doesn’t want it to be.
Encryption is indeed the best protection against hacking – but has its own downsides, including how it is implemented and the risk of loss if the encryption algorithm fails due to a program bug. I get a computer security RSS feed. Almost every day someone in the feed is complaining about one of the whole-disk encryption programs borking his ability to login to and use his system. Unless it can be fixed – or he has an unencrypted backup – his whole data is just gone.
I wouldn’t use full-disk encryption if you paid me because I don’t trust any program to not fail at some point due to a bug and I have fifteen years worth of data on my system that I can’t afford to replace and thus can not afford to lose due to someone’s bug.
Password managers aren’t that bad. If you lose the password database, it’s just a major annoyance to have to manually reset all your passwords.
I don’t have a problem storing a password database on a cloud server in the non-public area – although at this point I have no real use for that as I don’t access it from outside my home. But I can see there is a threat there. But if the password database is encrypted properly by the program – and there isn’t a known bug – being on the cloud isn’t much different than being on a personal computer – except for the fact that more hackers are likely trying to get into that cloud server than any given personal computer. But that’s the fact that concerns some people – and rightly so.
I won’t use Buttercup because it’s an electron app. The problem with all the new “app platforms” is that they’re either resource hungry, or you have to jump through hoops to use them – unlike older Linux program managers or using perl or python straightforward installs. Even “config; make; make install” isn’t that hard if you have the dependencies. Ruby is a pain, and everything since is a joke.
You can buy a truck, lock its doors and stop other people from entering it. Can you do that with a Google/Amazon/iCloud server? No. A truck belongs to you. The cloud is somebody else's property. It's not complicated.
Thank you Ashwin. I appreciate your work. Sounds like an interesting new entry to the market.
In response to your question, personally I prefer to use Pleasant Password Server for enterprise: https://pleasantsolutions.com/passwordserver
It’s easy to use and has that polish that comes from being around awhile, has many simple and advanced features, and is a robust solution useable across platforms and devices.
So it’s like Bitwarden only not as robust. The world doesn’t need another password manager
Competition begets innovation.
Competition begets innovation.
Certainly, that’s right !
The presence of competitors in any case is required. If the existence is lost, it is Inevitable to “corruption” without exception as evidenced by history (even a “plaster saint”).
I can only speak on behalf of 1password, but it does exactly this.
I use LastPass as my main Password manager and Bitwarden as a backup.
Open source Keepass (on Windows) and open source KeepassXC (Linux) rules them all.
added 2665 packages from 1663 contributors and audited 22230 packages in 184.536s
found 10 vulnerabilities (9 moderate, 1 high)
Buttercup requires running whole Chromium framework that uses a ton of resources. I prefer offline password vaults like Keepass and Password Safe.
That’s our hope.
About the subject,
Now you: which password manager do you use, and why?
I have always used “KeePass Password Safe 2” consistently for a long time. Then compile KeePass Plugins and Extensions (KeePassFaviconDownloader.plgx, HIBPOfflineCheck.plgx, KeePassHIBP.plgx), It can do more customization (enhancement).
KeePass can combine various character types (special characters, high-order ANSI characters, etc.) to set the number of characters of the password freely.
And the biggest benefit is that it can be managed “local”.
It can fulfill all the demands for me. I do not need other Password Managers.
KeePass Password Safe | This is the official website of KeePass, the free, open source, light-weight and easy-to-use password manager.
Security – KeePass | Detailed information on the security of KeePass.
Technical FAQ – KeePass |
Plugins – KeePass | Information about the plugin framework (installing plugins, security, …) can be found on the help pages ‘KeePass 1.x Plugins’ and ‘KeePass 2.x Plugins’.
“KeePass Password Safe” is for Windows only.
For other operating systems, the cross-platform “KeePass XC” is recommended.
KeePassXC Password Manager | KeePass Cross-Platform Community Edition
KeePassXC can store your passwords safely and auto-type them into your everyday websites and applications.
The Project – KeePassXC | KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
The project repository is available on GitHub.
To stay up to date with news about the project, you can also follow us on Twitter.
I also have iPad and iPhone, but also use “Bitwarden” for mobility and efficiency about them.
Bitwarden | Open Source Password Management Solutions |
Sticky Password for me. Can store database in the cloud or locally; and the latter allows sync over wifi with phone if desired (and I do). Not perfect, but pretty good; and the programmer/publisher seems slow to update when problems arise. Prefer it to others I have tried.