Password managers are essential security tools, but developers have additional requirements beyond basic credential storage: CLI access for terminal workflows, SSH key management, TOTP generation, and team sharing. This guide evaluates password managers from a developer perspective.

Best Password Managers for Developers

Developer Requirements

A developer-friendly password manager should offer:

  • Command-line interface (CLI) for terminal integration.

  • Browser extension for development tool logins.

  • SSH key and API token management.

  • TOTP (two-factor) code generation.

  • Team sharing with fine-grained permissions.

  • Audit logging for security compliance.

  • Cross-platform support (macOS, Linux, Windows).

1Password

1Password is the most popular password manager among developers. It offers a robust CLI and excellent developer experience.

Developer Features:

  • Comprehensive CLI: op command for all operations.

  • SSH agent integration for SSH key management.

  • TOTP code generation built-in.

  • Secrets automation for CI/CD pipelines.

  • Biometric unlock (Touch ID, Windows Hello).

  • Travel mode (remove vaults when crossing borders).

  • Watchtower for compromised password alerts.

1Password CLI examples

Sign in

op account add --address my.1password.com --email user@example.com

Get a password

op read "op://Personal/GitHub/password"

Get an API token for automation

op item get "GitHub" --fields "token" --reveal

Use in scripts securely

API_TOKEN=$(op read "op://Development/API/token")

curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data

SSH Agent Integration:

Use 1Password as your SSH agent

export SSH_AUTH_SOCK=~/.1password/agent.sock

Load SSH keys from 1Password

ssh-add -l

Pros : Best developer tooling, polished UX, SSH agent, strong security track record.

Cons : Paid subscription ($35/year), no free tier for teams.

Bitwarden

Bitwarden is the leading open-source password manager. It offers a self-hosted option and strong CLI tools.

Developer Features:

  • Full CLI tool (bw).

  • Self-hosted option (Vaultwarden server).

  • Open source codebase (auditable).

  • Unlimited devices on free plan.

  • API for programmatic access.

Bitwarden CLI examples

Login

bw login user@example.com

Get a password

bw get password github.com

List items

bw list items --search "github"

Export vault

bw export --format json --output vault-backup.json

Self-Hosted Deployment:

Docker Compose for Vaultwarden

services:

vaultwarden:

image: vaultwarden/server:latest

ports:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- "8443:80"

volumes:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- vw-data:/data

environment:

SIGNUPS_ALLOWED: "false"

volumes:

vw-data:

Pros : Open source, self-hosting option, free tier, CLI support.

Cons : UI less polished, no built-in SSH agent, CLI can be slow.

pass (Standard Unix Password Manager)

pass is the standard Unix password manager, using GPG encryption and a Git repository for storage. It is minimal, scriptable, and follows the Unix philosophy.

Initialize password store

pass init "your-gpg-key-id"

Add a password

pass insert github.com/personal

Generate a random password

pass generate github.com/personal 32

Get a password (with clipboard)

pass -c github.com/personal

Git integration

pass git push origin master

Directory Structure:

~/.password-store/

github.com/

personal.gpg

work.gpg

aws/

console.gpg

api-key.gpg

servers/

web01.gpg

Browser Integration: Via passff Firefox extension.

Pros : Simple, Unix-native, fully scriptable, Git-backed.

Cons : GPG dependency, no GUI, no team sharing, no TOTP built-in.

gopass

gopass is a modern rewrite of pass with additional features. It supports teams, YAML-based secrets, and multiple backends.

Initialize

gopass setup

Create a secret with multiple fields

gopass insert --echo webserver/login

username: admin

password: secret123

url: https://internal.example.com

Mount different storage backends

gopass mounts mount work git@github.com:company/secrets.git

Sync all mounts

gopass sync

Pros : Team sharing built-in, YAML secrets, Git-backed, multi-store.

Cons : More complex than pass, GPG still required.

Browser-Based Options

Dashlane and Keeper focus on consumer and enterprise respectively, with limited developer-specific features. They lack CLI support and SSH integration.

Security Considerations

| Feature | 1Password | Bitwarden | pass | gopass |

|---------|-----------|-----------|------|--------|

| Encryption | AES-256-GCM + SRP | AES-256-CBC | GPG | GPG + XCrypto |

| 2FA | Built-in TOTP | Built-in TOTP | External | External |

| Audit log | Yes | Yes | Git log | Git log |

| Zero-knowledge | Yes | Yes | Yes | Yes |

| Open source | No (proprietary) | Yes | Yes | Yes |

CI/CD Integration

For DevOps workflows, password managers can supply secrets to CI/CD pipelines:

GitHub Actions with 1Password

jobs:

deploy:

steps:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- uses: 1password/load-secrets-action@v1

with:

export-env: true

env:

DEPLOY_KEY: op://Development/AWS/deploy_key

DB_PASSWORD: op://Production/Database/password

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- run: ./deploy.sh

Bitwarden equivalent via API:

Get session token

BW_SESSION=$(bw login --apikey < api_key.txt)

bw get password "Production/Database" --session $BW_SESSION

Recommendations

  • Solo developers : pass or gopass for Unix-native simplicity with Git backup.

  • Team with diverse platforms : 1Password for best developer experience and SSH integration.

  • Budget-conscious or self-hosted : Bitwarden for open-source, free tier, and self-hosting.

  • Maximum Unix compatibility : pass for minimal, scriptable password management.

  • CI/CD heavy : 1Password Secrets Automation or Bitwarden Secrets Manager.

Summary

Password managers are a critical part of developer security hygiene. 1Password offers the best overall developer experience with its CLI, SSH agent, and CI/CD integration. Bitwarden provides a strong open-source alternative with self-hosting capability. pass and gopass appeal to Unix purists who want maximum scriptability and Git-native workflows. Choose based on whether you prioritize polish (1Password), openness (Bitwarden), or minimalism (pass).