I use Keepass2Android, which works great with Nextcloud and handles very well offline usage and subsequent merge of the database. On iOS the experience is much worse: I use KeePassium but it does not connect natively to Nextcloud, so I use BoxCryptor for that. The downside is that if Nextcloud is unreachable, I cannot see my saved passwords. Anyone managed to have a good experience on iOS?
I find the 2fa should be separate, even on a separate device, from the password store.
Which is why I never use this OTP/2FA feature in my favorite passwordmanager Bitwarden.
If you store both the password and 2FA in something that secure, is it really causing any real harm?
If your threat model dictates that this IS a threat for you, then by all means, don't do that. But I think for the average person this is far more secure than some of the alternatives they'd be doing otherwise.
(I mean, I say this as someone who also keeps 2FA separate, but I do see some benefit to 2FA even stored with the password)
I can't take software like bitwarden seriously because they still require you to have a cloud account and/or run your own server which I also have no interest in. I want something I can actually backup natively on a client without extra effort like a script running against an api. A single file encrypted database is more than adequate. Control and ownership of the password blob is just so absolutely critical if you invest heavily in password management, especially with sites that take a stance of "password/otp or we'll never recover the account"
However, after being forced to upgrade (and pay again) multiple times due to API changes, and the integration stopped working with various browsers, I wasn't a happy customer anymore. KeePassXC works just as well, if not better. I'm using it on Debian, with browser extensions and on iOS (and sometimes even on my old Macbook Pro on OSX). Being FOSS, I'm not afraid anymore that stuff will stop working at some point, because some proprietary API is deprecated.
Another thing: Keepass(XC) became a snap package on recent Ubuntus. If there's one piece of software I don't want to be a snap package it is this tool. It gets slow, ugly and hard to find (in a process tree). This is the last piece of software I want to run in snap.
"became" is misleading. It's available as a snap if you want to use it. It [also] remains available from the apt repository maintained in the traditional way.
Of course if you want keepassxc on Ubuntu 20.04 from apt/deb, you'll get 2.4.3, because that is the traditional way. The snap available is 2.6, because consuming the latest directly from upstream is how snaps work. You can choose which methodology you prefer.
I took a whole day to check out all available FOSS options. KeePassXC won based on my criteria by a long shot.
One deadly reason against BitWarden (for me): Having a FOSS server that's not officially supported and more or less reverse engineered, is even worse than a proprietary API. It can become defunct at any point in time - and it might even be hard to catch it. At least, with 1P, when they deprecated their old Apps, they announced it.
Not saying that BitWarden is bad in any way. Just saying that the KeePassXC stack is FOSS all the way with no lock in and multiple implementations of the Keepass file format.
As for the SNAP package: I'm not versed in that. I'm just using the regular Debian package. Works fine for me.
Running a bitwarden server has been a much better experience, particularly the bitwarden_rs fork (1). I run it in a container and it's been rock-solid. The organization / collections features make sharing pws with my family really easy, and 2FA gives me peace of mind. The ios app is really smooth too. Importing a db from keepass was pretty easy.
BTW, I did try the official bitwarden container first, but found it bloated and feature-restricted (if you don't want to pay a monthly fee).
What's the advantage of BitWarden over sharing your Keepass database with a family member via Dropbox or something?
Wait, why is that the case?
> This is the last piece of software I want to run in snap.
Well, KeepassXC is not that resource hungry, is it?
There's even multiple iOS apps available for use with keepass last time I checked. I'm using https://keepassium.com/
NB: I understand what you're saying about still using 1p with Signal. I did that for quite some time, as well(; Using keepassium really works equally well for me as did 1p on iOS. Doesn't look as fancy, but I really just need it to know my passwords or generate a new one^^
It is absolutely horrendous, mostly due to being written in NodeJS, AFAICT ("when your only tool is a hammer..."?).
Nice thing about Bitwarden-rs is you get a lot of the "premium" features for free with it. For example: Yubikey, U2F, and Duo support.
Once Flash support is dropped for good I'm probably going to be stuck writing a replacement.
From https://github.com/bitwarden/server#requirements:
Requirements
.NET Core 3.1 SDK
SQL Server 2017
KeePassXC
* [Pro] Excellent desktop app. Fast, easy, polished, powerful (TOTP available by default).
* [Pro] Great data ownership philosophy and data storage flexibility.
* [Con] Poor cross-platform app experience, especially on mobile (iOS in particular).
* [Con] Tinkering required to sync data. This isn't a big deal for many of us on here, but presented a large barrier to entry for my non-tech-savvy friends & family.
Bitwarden
* [Pro] Excellent cross-platform experience.
* [Pro] Low barrier to entry via SaaS, making it a good option for less-than-tech-savvy folks. This is ignoring the nice option to self-host.
* [Pro] Sharing features (haven't actually used them).
* [Pro] Web vault is accessible via web browser (accessibility).
* [Con] Web vault is accessible via web browser (increased attack surface).
* [Con] App is a tad slow (electron), but this is an acceptable price to pay for the good cross-platform experience.
I've got a sequence that gets me logged in to a mainframe and navigates all the way to the main menu and given how often I hit it I bet it has saved me from an RSI by now.
Also, I think the Android client is quite a bit better than Keepass2Android.
In bitwarden this is seamless because it always saves to the cloud. With keepass you have to manually set up the file sharing with syncthing/dropbox/etc. One problem I had is that sometimes the file sync I set up wouldn't work properly and I'd add new passwords on the phone before it received the latest file version from the computer. When that happens you end up with some passwords that are only on the computer and some that are only on the phone, which is something that syncthing can't fix by itself.
My experiences are my own; KeePassXC allows a much higher level of security than anything that's cloud-based but it's also not as convenient to use. For me, that makes Bitwarden the "right" choice. If I only used one computer all the time, I would use KeePassXC without a doubt.
Currently I’m using regular KeePass 2 and Keepass2Android and both offer to sync the changes in case I edit both at the same time… I would’ve thought KeePassXC does the same.
I use Syncthing on my devices to keep the database in sync, and I let it deal with the file versioning just in case something happens.
The con is that it doesn't always feel as polished as other password managers, but that's mostly a personal taste thing. I use KeeWeb on my desktop/laptop, and KeePass2Android on my smartphone.
- Keepass db, stored in google drive with a memorized master passphrase - this brings password sync out-of-the-box
- G-Drive pulled down on all my PCs/laptops, with KeepassX used as the client
- Keepass2Android's G-Drive integration used on my phone - now made even more convenient with their "Quick Unlock" feature.
I've gone so far as to keep a separate db for payment info, though that one has a keyfile that I manage offline with a randomly-generated password, the password being stored in my password db.
I have found this setup very convenient over the years, and it offers peace of mind in knowing I'm not beholden to any online third parties to store this sensitive info.
It's just a bash script that uses gpg and git. I find it the most KISS solution. Not available on phones but I don't trust my phone with my secrets anyway.
You have to import your GPG key to it and set up your git connection to your server and you're all set.
It also supports OTP generation which is really nice.
[1]: https://apps.apple.com/us/app/pass-password-store/id12058205...
I use it and it works quite well.
Also gopass exists, which is useful to share secrets with teams + your personals, same interface. I wrote about it [0] + a cheatsheet [1]
If so, then a browser plugin would seem to provide better security. So this might be a little too KISS.
Does anyone have comments on how much of a concern it really is to have passwords travel by the clipboard?
As with many security matters, it will vary depending upon your threat model.
I generally feel that if you have something installed watching your clipboard for nefarious reasons then you've already got a bigger problem, and I prefer that potential security issue over having all my credentials integrated into the browser via a plugin (a clipboard sniffer will catch one or two things passing by, a hacked browser with integrated or add-in based password store might reveal everything at once).
If you use the clipboard for transfer, take the precaution of always clearing it soon after use. KeePass does this by default, as do some other similar tools.
Why is that? I trust my phone more than any other device because of its encryption / secure enclaves / sandboxing etc.
When it works, it works great. You can tell the extension to auto-fill and auto-submit, so that it feels like you had been logged in from the very beginning.
The problem is, it works (in my experience) around 80% of the time. I'm guessing it's not on them since it requires websites to follow certain standards in order to have autodetectable login form fields, but it's a pain nonetheless.
Try it, it takes a couple mins to set up. The best feature IMO is the keyboard shortcuts to fill in details.
I use Basic Auth for many of my LAN-only web services at home and KeepassXC + browser extension feels like having client-side certificate authentication or similar, feels like going through airport security without taking your stuff off into bins.
Well, that's better than my experience with Lastpass, although that might just be me.
https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_se...
- I'm not positive I'm understanding your question, but KeePassXC takes security just as seriously as the original KeePass does
- Yes, you can use KeePass2Android, or any other KeePass compatible software. KeePass and KeePassXC use exactly the same database format
- Binaries themselves = 9,1M
- Plugins (styles, icon engines etc) = 12M
- Resources (icons, documentation, translations) = 15M
- Libraries (Qt, crypto, Yubikey etc.) = 38M
> why is KeePass 10mb installed and KeePassXC 108mb
Why does the file size matter? Are the devices you use so short on storage that an extra 100 mb is an issue? Obviously if it was something like 50 GB then yes, that makes sense but in general most HDDs and devices have GBs of empty space.
No, but just about any aspect of computing benefits from smaller file sizes, or smaller data size in general, starting with CPU caches, RAM caching of files, file transfers, including syncing things over the network, backing things up. The more free space a SSD has, the smarter it can be about wear leveling (I think, though I have no idea how much this matters in practice).
I mean sure, if the data just sits there, and you don't do anything else with the machine but run a password manager, it really doesn't matter, but we tend to run dozens of programs actively with even more running in the background, all of this adds up quick even on one machine. And then there are billions of people using even more devices.
In this case, I like using KeePassXC portable, so if the size is the result of having less outside dependencies, I'm fine with it, don't get me wrong. But generally, this attitude of just throwing hardware at software is a problem, which by now has reached gigantic proportions IMO, and you made the argument generally.
Imagine some kind of character encoding that is exactly Unicode, but every character gets repeated 10 times... not for any useful reason, just so people can show they can afford beefy hardware and waste it. Would you use it?
We cannot even begin to imagine what our current hardware would be capable of, if we only allowed ourselves the time to use it well. Consider that this runs on hardware from 1981: https://www.pouet.net/prod.php?which=65371
The same achieved with less is always better, I'll just claim that. The whole universe in all its infinite wealth cannot change that, and we live on a planet that's about to get ruined real hard because of our consumption of materials and energy. Storage may very well become so big and cheap as to be practically infinite, but CPU will always cost energy.
For one-off things with limited use, knock yourself out, of course, but if you package something for distribution, it may stay around "forever" and get handled countless times, by servers and end-users, so if it can be made smaller without making it worse and without extreme hassle, make it smaller.
"When invoking the 'Save' command, KeePass checks whether the file on disk/server has been modified while you were editing it. If it has been modified, KeePass prompts whether you want to overwrite or synchronize with the file."
https://keepass.info/help/v2/sync.html
KeePassXC, on the other hand, does not seem to have been designed for shared synchronization:
"Cloud synchronization ... can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low."
Great multi platform support, browser integration, webdav support (makes sync a breeze if you have a webdav server like owncloud, seafile, or a Synology Nas)
Should I switch?
One thing that really amazed me was recently (1-2 years ago) KeepassXC got rid of the lock file and made it possible for multiple processes/computers to seamlessly work on the same file. This is fantastic for situations like having 2 computers running at the same time, opening a Keepass database file from Dropbox.
The interface looks better, sure, but nothing really makes me dissatisfied.
On MacOS I use: https://macpassapp.org/ (Open Source)
I always wanted to try: https://www.passbolt.com/ (Self-hostable)
I do know that I can compile myself but still I cannot audit every single release, this can be mitigated by myself using git and extracting tar files on every release. But this should not be this difficult.
KeePassXC on the other hand is more practical and works on all platforms consistently and is easy to compile with cmake and has convenient cmake switches to disable network connectivity.
KeepassX has stalled development since 2016 but was a true cross platform desktop client
KeepassXC is the fork of X and at this point in time is light years ahead of X.
I'm sure the developers of XC may have wanted to contribute to X but X seems to have been spearheaded by a single developer who stalled on letting other devs become maintainers. So the community forked it.
But to answer the question, it's impossible to merge X and the original because their code bases are in entirely different languages and arguably X doesn't give you anything other than the one man dev show.
It would be much handier if we could just tag the records with a number of tags + add a description and/or comment rather than put it in a folder. I always use search rather than manual folder tree navigation anyway.
For example, part of the data may be held unencrypted in RAM that could be read by the OS or other programs. Any use of TPM?