Best Password Managers for Developers
Password managers are essential security tools, but developers have additional requirements beyond basic credential storage: CLI access for terminal workflows, SSH key management, TOTP generation, and team sharing. This guide evaluates password managers from a developer perspective.
Developer Requirements
A developer-friendly password manager should offer:
* Command-line interface (CLI) for terminal integration.
* Browser extension for development tool logins.
* SSH key and API token management.
* TOTP (two-factor) code generation.
* Team sharing with fine-grained permissions.
* Audit logging for security compliance.
* Cross-platform support (macOS, Linux, Windows).
1Password
1Password is the most popular password manager among developers. It offers a robust CLI and excellent developer experience.
**Developer Features:**
* Comprehensive CLI: `op` command for all operations.
* SSH agent integration for SSH key management.
* TOTP code generation built-in.
* Secrets automation for CI/CD pipelines.
* Biometric unlock (Touch ID, Windows Hello).
* Travel mode (remove vaults when crossing borders).
* Watchtower for compromised password alerts.
# 1Password CLI examples
# Sign in
op account add --address my.1password.com --email user@example.com
# Get a password
op read "op://Personal/GitHub/password"
# Get an API token for automation
op item get "GitHub" --fields "token" --reveal
# Use in scripts securely
API_TOKEN=$(op read "op://Development/API/token")
curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data
**SSH Agent Integration:**
# Use 1Password as your SSH agent
export SSH_AUTH_SOCK=~/.1password/agent.sock
# Load SSH keys from 1Password
ssh-add -l
**Pros**: Best developer tooling, polished UX, SSH agent, strong security track record.
**Cons**: Paid subscription ($35/year), no free tier for teams.
Bitwarden
Bitwarden is the leading open-source password manager. It offers a self-hosted option and strong CLI tools.
**Developer Features:**
* Full CLI tool (`bw`).
* Self-hosted option (Vaultwarden server).
* Open source codebase (auditable).
* Unlimited devices on free plan.
* API for programmatic access.
# Bitwarden CLI examples
# Login
bw login user@example.com
# Get a password
bw get password github.com
# List items
bw list items --search "github"
# Export vault
bw export --format json --output vault-backup.json
**Self-Hosted Deployment:**
# Docker Compose for Vaultwarden
services:
vaultwarden:
image: vaultwarden/server:latest
ports:
- "8443:80"
volumes:
- vw-data:/data
environment:
SIGNUPS_ALLOWED: "false"
volumes:
vw-data:
**Pros**: Open source, self-hosting option, free tier, CLI support.
**Cons**: UI less polished, no built-in SSH agent, CLI can be slow.
pass (Standard Unix Password Manager)
`pass` is the standard Unix password manager, using GPG encryption and a Git repository for storage. It is minimal, scriptable, and follows the Unix philosophy.
# Initialize password store
pass init "your-gpg-key-id"
# Add a password
pass insert github.com/personal
# Generate a random password
pass generate github.com/personal 32
# Get a password (with clipboard)
pass -c github.com/personal
# Git integration
pass git push origin master
**Directory Structure:**
~/.password-store/
github.com/
personal.gpg
work.gpg
aws/
console.gpg
api-key.gpg
servers/
web01.gpg
**Browser Integration:** Via `passff` Firefox extension.
**Pros**: Simple, Unix-native, fully scriptable, Git-backed.
**Cons**: GPG dependency, no GUI, no team sharing, no TOTP built-in.
gopass
gopass is a modern rewrite of pass with additional features. It supports teams, YAML-based secrets, and multiple backends.
# Initialize
gopass setup
# Create a secret with multiple fields
gopass insert --echo webserver/login
# username: admin
# password: secret123
# url: https://internal.example.com
# Mount different storage backends
gopass mounts mount work git@github.com:company/secrets.git
# Sync all mounts
gopass sync
**Pros**: Team sharing built-in, YAML secrets, Git-backed, multi-store.
**Cons**: More complex than pass, GPG still required.
Browser-Based Options
**Dashlane** and **Keeper** focus on consumer and enterprise respectively, with limited developer-specific features. They lack CLI support and SSH integration.
Security Considerations
| Feature | 1Password | Bitwarden | pass | gopass |
|---------|-----------|-----------|------|--------|
| Encryption | AES-256-GCM + SRP | AES-256-CBC | GPG | GPG + XCrypto |
| 2FA | Built-in TOTP | Built-in TOTP | External | External |
| Audit log | Yes | Yes | Git log | Git log |
| Zero-knowledge | Yes | Yes | Yes | Yes |
| Open source | No (proprietary) | Yes | Yes | Yes |
CI/CD Integration
For DevOps workflows, password managers can supply secrets to CI/CD pipelines:
# GitHub Actions with 1Password
jobs:
deploy:
steps:
- uses: 1password/load-secrets-action@v1
with:
export-env: true
env:
DEPLOY_KEY: op://Development/AWS/deploy_key
DB_PASSWORD: op://Production/Database/password
- run: ./deploy.sh
Bitwarden equivalent via API:
# Get session token
BW_SESSION=$(bw login --apikey < api_key.txt)
bw get password "Production/Database" --session $BW_SESSION
Recommendations
* **Solo developers**: pass or gopass for Unix-native simplicity with Git backup.
* **Team with diverse platforms**: 1Password for best developer experience and SSH integration.
* **Budget-conscious or self-hosted**: Bitwarden for open-source, free tier, and self-hosting.
* **Maximum Unix compatibility**: pass for minimal, scriptable password management.
* **CI/CD heavy**: 1Password Secrets Automation or Bitwarden Secrets Manager.
Summary
Password managers are a critical part of developer security hygiene. 1Password offers the best overall developer experience with its CLI, SSH agent, and CI/CD integration. Bitwarden provides a strong open-source alternative with self-hosting capability. pass and gopass appeal to Unix purists who want maximum scriptability and Git-native workflows. Choose based on whether you prioritize polish (1Password), openness (Bitwarden), or minimalism (pass).