Something like pass lends itself ideally to version control, but all my entries' metadata (names, dates) are visible, which is a problem for me. I want to be able to store my secret database even on untrusted infrastructure.
Currently, I'm pondering storing big or often updated binary data separately from the passphrases and similar low-footprint data.
On the odd occasion it's been modified on two devices without a sync and SyncThing produces a sync-conflict file, a simple "Merge from database..." within KeePassXC happily pulls in the newer data from both databases to merge them again.
I use the Staggered File Versioning feature on at least one device + a separate backup mechanism to satisfy my paranoia about losing the database.
As a fellow paranoid, what mechanism are you using for the separate backup?
Password managers with password generators and 2FA code generators are OK for work-related use, but they usually may not cover other pieces of information, like credit/debit cards, software licenses, identification cards, hardware/appliances, etc. Adding custom fields in each entry by oneself isn’t a great option. Perhaps it’s not a great idea (even with a very strong master password) to put all the information in one database, but I see value in being able to store, retrieve and auto-fill different kinds of information (even if some may seem too complex to define in a generic schema).
I already tried Bitwarden, but it covers only passwords, cards and identities (plus secure notes).
* https://www.passwordstore.org/
It's just a bunch of gpg encrypted files with as much stuff as you want in them, in any format you want (password on first line). Easy to share/sync to whatever you want. Lots of interfaces on lots of platforms but you really don't need an interface.
Has git support...
Essentially, I accidentally publicly exposed my private key. I thought I was clever for writing a Python script to dump all my passwords and then re-add them after setting up pass with a new key.
A year later, when I accidentally deleted my private key (reformatted laptop, phone bricked before I set the laptop back up), I spent a few hours trying to figure out if I'd made a mistake that would let me recover my passwords. I was very motivated :)
Eventually, I realized that since I'd been using git to sync pass between my phone and computer (the recommended setup) I could access versions of my encrypted data for every account more than a year old and decrypt them with the private key I leaked. I got back almost all my data.
Luckily I was using a private git repository for defense in depth, but many guides recommend a public repository because they say gpg is very strong.
It all works, but only if you don't do something dumb like I did. Now I'm on 1password and happy knowing that experienced people are paid to make it and smart security researchers like Troy Hunt (of haveibeenpwned fame) have said it's the most secure password manager they've looked into.
(I said the same thing earlier in a different post)
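The recovery trick described in the post above (old ciphertexts surviving in git history after a key rotation) is also a risk a repo owner can check for before sharing a pass store. The following is an added example, not code from the thread or from pass itself: it reads the recipient key ID out of each OpenPGP PKESK packet in every historical `.gpg` blob and reports the commits still encrypted to a retired key. It assumes `git` is on PATH; `SAMPLE` and its key IDs are constructed.

```python
import subprocess

# Constructed sample, not real ciphertext: two PKESK packets (one per header format)
# for made-up key IDs, then a dummy SEIPD packet (tag 18).
SAMPLE = bytes.fromhex(
    "C10D03" "0123456789ABCDEF" "01" "0008FF"   # new-format PKESK, key 0123456789ABCDEF
    "840D03" "FEDCBA9876543210" "01" "0008FF"   # old-format PKESK, key FEDCBA9876543210
    "D20501DEADBEEF")                           # SEIPD with placeholder body

def _packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 4.2), old and new header formats."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:                                       # partial lengths (gpg uses them for the
                length, hdr = len(data) - pos - 2, 2    # trailing data packet): take the rest
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                              # length runs to end of stream
                length, hdr = len(data) - pos - 1, 1
            else:
                n = (1, 2, 4)[ltype]
                length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def recipient_key_ids(data):
    """Key IDs the message is encrypted to: a PKESK (tag 1) body is version + 8-byte key ID."""
    return [body[1:9].hex().upper() for tag, body in _packets(data) if tag == 1]

def git_history_encrypted_to(repo, retired_key_ids):
    """(commit, path) of every historical .gpg blob still readable with a retired key."""
    def git(*args):
        return subprocess.run(["git", "-C", repo, *args], capture_output=True).stdout
    hits, commit = [], None
    for line in git("log", "--all", "--format=%H", "--name-only", "--", "*.gpg").decode().splitlines():
        if line and not line.endswith(".gpg"):
            commit = line                               # commit hash line
        elif line:                                      # a .gpg path touched in that commit
            blob = git("show", f"{commit}:{line}")      # empty if the path was deleted there
            if set(recipient_key_ids(blob)) & set(retired_key_ids):
                hits.append((commit, line))
    return hits
```

Any commit the scan reports still carries data readable with the retired key; rewriting history (or starting a fresh repo) is what actually removes it, re-encrypting the working tree alone does not.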
Emacs is good at automatically keeping gpg files. Not sure about mobile support.
In the password fields, I don't know how anyone either writing or using a password manager doesn't consider unambiguous glyphs to be critical. It's a password manager not a greeting card designer.
They think they have solved this by specifying the font to be monospace in the password fields (maybe notes too I don't remember).
I submitted an issue complete with pictures of passwords written in monospace fonts in KeePassXC where the characters are ambiguous.
It shouldn't even require pictures to convey the problem. Once someone says "the property 'monospace' and the property 'unambiguous' are two different properties. It's an unsafe and in fact broken assumption.", you'd think that would shed all the light necessary.
But what more do you do when they don't see it even WITH pictures? Fork it yet again? Just to add a config option to let the user or desktop integrator select an arbitrary font for some display fields?
What really bugs me is, they didn't say "yeah that would be better but it's hard and we don't know when anyone might get to it" No, they think it's already done.
Failing to get that idea across really made me wonder about the parts of their work that aren't so visible.
The ability to specify an unambiguous font for password fields, for example, makes absolute sense.
And the app defaulting to the monospace font is not an appropriate solution, because a user may pick a monospace default which isn’t unambiguous. Not every app requires unambiguity the way a password field might, so to require the user to change their default font is not a great solution.
There’s a reason emacs, vim, etc allow you to set your own fonts specific to the app that’s different from your DE defaults. That’s because they have very specific requirements that may be different from what you’re looking for in a general default font for your DE. The same is true for something like the password field of a password manager app.
Honestly, certain devs in this case started insulting the OP well before the OP said anything unreasonable, probably because for some reason they came up with the idea that the OP thought this was a heinous bug when, as they clarified, that was an invention on the reader’s part with no grounding in anything the OP said, who was not calling it a bug, nor by any means calling it heinous. Of course the discussion went off the rails after that with the OP unnecessarily getting personal, but I can see where their frustration came from even if they shouldn’t really have acted on it.
I think i understand what this is about. It starts with this code (inlined for brevity)
> QFont passwordFont = QFontDatabase::systemFont(QFontDatabase::FixedFont);
and this distinction of characteristics
> "fixed" and "unambiguous" are different things
(note: there is no QFontDatabase::UnambiguousFont)
and an actual bug somewhere else as the root cause
> broken in lubuntu 17.10: resulting font was neither fixed nor unambiguous.
which finally resulted in:
> this kind of utility needs the option to specify a specific font
but things got heated between "not a bug: fix your system" and "this utility can be improved", ending in personal insults and everyone being annoyed by each other despite showing great love for the application (just FOSS things)
I don't see how that's ambiguous.
There is room for growth in the business passman market.
LDAP auth, has ACLs, uses on-prem database server.
Why no love? Perhaps because windows-only.
This is a real deal breaker.
I have four devices that are being used on an almost-daily basis:
- work PC
- home PC
- laptop
- smartphone
Work and home PCs are often on at the same time, leading to a situation where I have the KeePassXC database open. It happens that I just leave home/work without closing/locking the database (or it prompts "database modified - save?"), which might lead to some desync scenarios (it has already happened to me).
So I think I need something that will not keep a local database as KeePassXC does, but will use an online store. I am not a big cloud fan, so I would prefer to host it on my own infra.
My requirements:
- self-hosted
- online (some API-based)
- cross-platform (at least Windows/Android, but with Linux in mind)
- browser-aware completion (similar to KeePassXC) - Firefox + maybe Chrome
Is bitwarden a way to go? Or is there something better?
Don't know if KeePassXC has the same functionality as KeePass, but they provide an option to use LocalDB/MasterDB synchronization [0]. This could help prevent desync problems.
[0] https://keepass.info/help/kb/trigger_examples.html#dbsync
Disclaimer: Not affiliated with MacPass in any way.
My favorite cloud provider is BitWarden[1], which I believe was the first cloud password service supporting hardware keys.
I've gotten used to the painless ssh-agent integration KeepassXC has and really wasn't looking forward to trying to switch to another manager...
I've been looking to switch from my older copy of 1Password - I don't care about cloud support, beyond letting me keep the encrypted data in Dropbox or similar, but I really appreciate a good browser extension and mobile app.