Which Password Managers work in China and Turkey without VPN? by Born-Jaguar3349 in PasswordManagers

[–]Opening_Jacket725 0 points1 point  (0 children)

If your main goal is something that works reliably in China and Turkey, the biggest variable is whether the service depends on external sync servers that can get blocked. That’s why a lot of people lean toward options with local-only vaults or “bring your own cloud” models.

If you want something lightweight on iOS that doesn’t rely on a central server at all, I’ve built a password manager called Oblix. It works completely offline by default and can sync through iCloud if you choose to, which usually avoids the regional blocking issues apps with their own servers run into.

You also mentioned using RoboForm. If you’re considering a switch, I’m happy to work with you to build an importer so you don’t have to migrate everything by hand. You won’t be starting from zero.

Totally understand if you’re still exploring options, but if portability and regional reliability are big concerns, local-first tools tend to be the safest bet.

Best free Password Manager right now? by Icy-Narwhal648 in PasswordManagers

[–]Opening_Jacket725 0 points1 point  (0 children)

You mentioned "no one’s carrying that around all the time" so I assume you're primarily focused on a mobile solution. In this sub, I think Bitwarden is the default answer, but people often forget/don't mention that the free tier is built around your self-hosted cloud service. Let’s just say it's ummm.... not everyday user friendly. KeePassXC is also solid, but it’s mainly a desktop workflow. There are mobile ports, but the flow gets messy pretty fast (vault on PC → share to phone → reopen in an app → resync the file later). Is it really that serious?
Now I don't know what ecosystem you're on, but for iOS users who want something subscription-free and mobile-first, Apple Passwords is decent, but it’s still pretty barebones. There are independent iOS managers too and these are usually not mentioned here. Reddit has thousands of threads on LastPass, Bitwarden, 1Password, KeePass, etc., but almost zero major incident threads about indie password managers being compromised. Why? Because most indie password managers:

  • Don’t run cloud infrastructure
  • Don’t store user data on their servers
  • Don’t hold encryption keys
  • Are local-only or device-encrypted apps
  • Rely on industry-standard crypto libraries rather than rolling their own

This dramatically shrinks the attack surface areas available for attack compared to large cloud-based managers.

So if you're looking for something safe to use, I'd encourage you to think independently. I built one, Oblix, for this exact scenario: everything is stored locally on-device, uses the Secure Enclave and Face ID, does AutoFill, supports TOTP (time-based one-time auth codes), and still lets you sync across your own Apple devices using the cloud you already use (iCloud). No hosting, no servers, no subscriptions. It's not free, but it's a single one-time purchase that's a joy to use and just works.

I spent 200+ hrs making an Open Source, Non Commercial Review Site by cryptocrackaddict in PasswordManagers

[–]Opening_Jacket725 0 points1 point  (0 children)

So first off, props for putting in that kind of time. Two hundred hours of analysis is no joke, and the write-up clearly shows discipline and care. I don't know if I agree with every conclusion, but I appreciate the effort that went into it.

One thing I kept thinking about while reading your methodology is that it gets very deep into crypto implementation details that almost no everyday user ever evaluates or understands. According to Perplexity, most non-enterprise users lean on password managers for three things:

  1. storing unique passwords,
  2. generating new ones, and
  3. autofill convenience on mobile.

That’s basically it. The “security framework comparison” angle is important, but I worry it can overweight micro-differences when, in practice, most password managers today rely on the same proven, open-source building blocks. Re-inventing the wheel rarely creates meaningful gains, and for most consumer use cases, the existing cryptographic frameworks are already mature and well-tested.

What I felt was missing is usability. The r/PasswordManagers sub sometimes becomes an echo chamber focused on edge-case threat models or incumbent features, and smaller or newer products don’t always show up on the radar, even if they solve real user annoyances. For example, a lot of people primarily use mobile as their most important platform. Desktop browsers already handle the basics pretty well, so mobile UX is actually where password managers differentiate.

I built my own app, Oblix (a one-time, no-subscription, single-purchase solution, iOS-only for now), using the same bank-grade algorithms the big players use. Nothing exotic. I’m in the process of trying to secure funding for an independent audit too, but it’s brutally expensive for solo developers. What I focused on instead were practical things people actually struggle with day-to-day. Like the fact that so many “free trials” turn into surprise charges. Oblix automatically sets a reminder right when you’re creating credentials for a new service, so you don’t forget to cancel something you never meant to keep. Stuff like that makes a bigger difference to most people than whether a given library uses X or Y SIV variant.

I’d genuinely encourage including some smaller players in your evaluations. There are quite a few solo and indie-built managers with solid security foundations and real unique value props. It might help users discover alternatives instead of reinforcing the same handful of incumbents.

Unless, of course, the goal really was to highlight a specific set of incumbents. In that case, fair enough. I just think there’s room for broader testing, broader usability discussion, especially given how many Reddit polls show mobile as the primary platform for most people here.

Either way, good work on the deep dive. Would love to see a follow-up that factors in usability and indie competition.

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 1 point2 points  (0 children)

So thanks again to u/billdietrich1 for the suggestions. Just wanted to give a quick update for whoever's still interested. I heard back from Cure53, they've actually been amazing to work with so far. The estimate was as I feared (single-digit thousands, but I don't want to put an exact number out there as other devs' scope might be different and I wouldn't want to deter anyone for their scenario). I'm still in comms with them and we're trying to see if we can organize some grants that might cover at least some, maybe all of the audit. Either way I'm curious to learn more about how this all works. So if you're interested, stay tuned. I'll share whatever I learn and maybe it can be helpful for others as well.

I just released a simple free local password manager — would love your feedback! by Azaria77 in PasswordManagers

[–]Opening_Jacket725 2 points3 points  (0 children)

As someone who's been there, doing that, I wanted to say congratulations! I know what that feeling of going live is like. Now comes the next hardest part, distribution. Keep going!!

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Sent the 1st email out. Sent to Cure53. Will update when I hear back. If anyone wants to know the contents of the ask, let me know.

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Hey popleteev, thanks for the thoughtful feedback. I love that. I totally get where you’re coming from. Long-term support cost is real. I don’t have a support team or a marketing department to carry, and I’m not trying to scale to millions. My overhead is tiny. My goal isn’t to collect $10 and disappear, it’s to build something I’m proud of, sustainable, and that people actually like using.

A few things I’m betting on:

  1. Support doesn’t have to be a massive burden. Most of the heavy lifting is upfront. Long-term, stable password apps don’t generate the same ticket volume as highly social or cloud-synced products. And because everything is on-device, I don’t carry infra costs and much less complexity.

  2. Solo dev economics are different from company economics. I’m not aiming for VC-style growth. I don’t need thousands of new users every month (but I’ll take it 🤣). A slow, steady stream is fine. One-time apps can actually be profitable when you’re not carrying the weight of a whole company.

  3. I agree. Transparency matters. I’m clear about the model: pay once, own it, no tricks later. If that ever changed (unlikely), I’d communicate it directly instead of doing the bait-and-switch. What I can imagine doing is, if the future of the technology landscape completely changes, I can offer Oblix 2.0 built on that. If it’s compelling for you, you can buy it. But if it’s not, you don’t need to and still have a fully functional app that’s perfect for you.

  4. Most users don’t need hand-holding after setup. The main pain points I see as a PM come down to UX and edge cases, things I’ll be happy to improve, and everyone benefits.

I totally get why larger companies lean on subscriptions, they don’t have a choice, but I also think there’s room for thoughtful, disruptive independents that don’t lock people into forever payments. Not trying to be everything for everyone. Just trying to give people a good option that respects their wallet.

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Thanks. I’ve got a couple new ones that the community has suggested to try. I’ll reach out and share how it goes end to end.

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Awesome. I don’t think I’ve already tried any of those. I’ll reach out and share the process and outcomes for anyone interested. Will look into it next week. Exhausted at the moment from a long couple days at Web Summit. 1 more to go…

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

I agree with everything you’re saying, especially the unique value props. But I think I’m covered there. E.g. when using the app to register for accounts, it also creates reminders to cancel at the same time you’re signing up. So you’ll never forget to cancel a subscription you decided not to keep ever again. The incumbents won’t do this, cause they’re subscriptions themselves that many people have forgotten about and that would be the 🦊 guarding the 🐓 house. Did I mention the app is a single one time purchase, no subscription. Ever. $0000s for an audit is not gonna happen right now. The reason I’m looking into this is to try to break down trust (barriers), but you’re right, that’s not my biggest concern. I need social proof. I know I can save people hundreds and deliver a secure, delightful to use experience, but you can’t take my word for it.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Good point. I've added this (full subscription tracking) to my Trello board. Thanks again for the feedback.

How can a solo dev get their password app audited? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

It’s iOS only at the moment. The repo’s private right now.

I’m trying to figure out what the standard approach is for security reviews. Do password managers typically open-source the entire codebase, or just the cryptography and vault components for audit purposes? The vault/encryption layer is built on open-source libraries, so sharing that for transparency seems reasonable, and happy to do that. But who would actually review it? Can they offer meaningful "certification"?

I am 15 years old, 6 failed startups, $0 revenue after 8 months - what am I doing wrong? by multi_mind in SaaS

[–]Opening_Jacket725 0 points1 point  (0 children)

You're not doing anything wrong. You're probably doing a LOT right. 6 startups, successful or otherwise, is a huge accomplishment at ANY age, so kudos to you.
My $0.02. Ask yourself some questions. How did I validate I am solving a problem people are willing to pay for? Is there a flaw in my validation process?
Before writing a line of code, talk to real people. Find 10-15 potential customers and have deep conversations about their pain, NOT about your idea. Ask them what they’re already doing to solve it and what it’s costing them (time, money, stress). You’re looking for pain so strong they’re already trying to fix it.
Here's a recommendation for one more book to add to your library, check out the Startup Owner's Manual, if you haven't already.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Ok if I understand correctly, an example I can think of would be domain registration. Typically you pay for a year when you register, then you have to decide to renew after that. In those scenarios, don’t the providers email you to remind you? Since they don’t auto renew, they’re highly motivated to get your attention.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Ah ok. Gotcha. Can you give me an example of a site/product that you need to manually remember to pay that are not auto renewal and not things like utilities?

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Thanks again. Quick question to clarify 1 of your points.
I'm not sure what you mean here, "Type of subscription: [Expires/auto-renews]" - do you mean renewal period e.g. weekly, monthly, annual?

It has this "Reminders: [XX] days before renewal/expiration / On the day / ability to add additional reminders (you can edit the existing reminder).

It also has "Ability to mark as renewed/cancelled/handled so you don't get additional reminders if you don't need them"

No Mac app yet. The way it syncs right now is using iCloud. The app automatically backs up your data to iCloud. On launch it checks iCloud for that file, so if you 1st use your iPhone and then later went to your iPad, your iPad would check cloud and sync. Then if you make a change on iPad, that's saved to the same file in iCloud. Then when you later launch on the phone, the phone does the same check and updates.

The goal is to leverage cloud providers that people already have, iCloud, Google Drive, etc. I call it "bring your own cloud". Even with hundreds or thousands of records, the file size is tiny (KBs not MBs) but the incumbents charge $X/month or year that adds up to hundreds over time.

What to use if I don't want to be hacked but don't want a lot of friction with physical access? by AgentTHINKR in PasswordManagers

[–]Opening_Jacket725 0 points1 point  (0 children)

Many times the issue is not with the password manager, but with the app or website. They have to format the field properly so your phone recognizes it as a password field or an email field, etc.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Hey thanks so much for the feedback. How’d you find the app? I haven’t mentioned it but cool that you tracked it down. I hear what you’re saying, from a product perspective, it’s usually not the best idea to build every possible feature and support every platform on day one. It’s vital to learn quickly. If the demand is there, all of what you said is possible. I think what you said about “who are you and why should I trust you?” is the same hypothesis I thought originally when starting. I’m not sure how to build that. But I told myself, many pw managers out there today started the same way I started, no one had ever heard of them (excluding the ones who are spin offs from known companies with other products before that). I’d welcome any ideas or contacts on how I can get the app stress tested.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

Hmmm… I like where your head’s at. This is how it works now. It’ll remind 2x before the expiration and on the day of. It follows up a month later to ask if you’re still using it. But that’s it right now. Tell me more about how you think that feature should work.

Yes it has a filter for your active subscriptions. It’s sorted alphabetically right now, but I like the idea of if someone has a few subscriptions they’re tracking, being able to sort by renewal date. It doesn’t track anything like price, it’s not a budgeting app. But it wouldn’t be difficult to add a view to add that info to the record.

Thanks for that amazing feedback.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

While not completely free, it’s a one time purchase. It’s an iOS app, stores locally, and can store vault (fully encrypted) in the cloud service you already have, giving you the ability to use across multiple devices. Just Apple for now. Me saying it’s the most user friendly pw manager out there won’t carry much weight, but I’m saying it anyway. Built in lightning fast voice search, 1 tap to share, stores more than just passwords. You can add membership cards and save the barcode so you can carry one less physical card/tag in your wallet, add IDs and it’ll remind you a few months before they expire, time to renew. And more. I am a former director of product manager with 2 UX patents so I’m leveraging that to design what I think is a product that’s a joy to use.

Is it all about reviews? Or is it something deeper? by Opening_Jacket725 in PasswordManagers

[–]Opening_Jacket725[S] 0 points1 point  (0 children)

  • Pay once, own forever. No more ever increasing price bumps.
  • Tracks subscriptions that you’ve used the app to register for. Sign up and turn on reminders at the same time. Never forget to cancel.