Their FAQ isn't too convincing!
> KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to. KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.
This is extremely funny because they actually replaced the native UI with their own terrible theme. So actually, they deliberately sabotaged their own argument for using KeePassXC!
Granted, you can switch to the "classic UI", at least until they get rid of that. But there are a number of issues, including that the accent colors don't match, and there are a ton of complaint issues on their GitHub page:
https://github.com/keepassxreboot/keepassxc/issues/5280
https://github.com/keepassxreboot/keepassxc/issues/5092
https://github.com/keepassxreboot/keepassxc/issues/5301
- Safer web browser integration (uses WebExtension Native Messaging, rather than a localhost service)
- Built-in YubiKey integration
- "Health check" dashboard that shows you problematic passwords (expired, weak, reused, Have I Been Pwned integration)
And OnlyKey support too!
KeePass is the best but the others are still fine as well.
One thing a colleague mentioned about bitwarden that might be good is that you can basically "share" parts of your password store with external users.
That could be great if you are the IT guy that convinced people to use a password manager but sometimes still needs access to passwords.
For my use case that never was important, which is why I am sticking with KeePass, which is pretty great.
I use KeePass myself, because for my use case it is the appropriate thing to use. At least I think it is.
You're managing your "self-hosted solution" and only a tiny share of people runs one anyway. Syncing a file along with other data/backups is a sufficient compromise between security and convenience for many people.
Bitwarden autotype is very sketchy on my (admittedly older) Android phone. For some apps it straight up doesn't show up, on others the prompt disappears when I need it. The alternative is to use the system clipboard which is absolutely terrible and no one should ever do it, especially on smartphones. The special keyboard options that KeePassDX and Keepass2Android provide are significantly better without being too inconvenient in my opinion. Whether or not the autotype issue is fixed on newer Android versions is irrelevant, I shouldn't have to switch out a perfectly working phone just for a workflow I can live without.
Also KeePass has been a standard for so long that I just trust it more. If tomorrow Bitwarden were to disappear off the face of the planet (I'm aware it doesn't work that way), I'd have to export my passwords and look for another solution. This is probably mitigated by self-hosting but I have neither the infrastructure nor the inclination to do so. I can theoretically at least continue to use my kdbx file on any platform without issue, sticking to a particular version of a client that I like or switching it out for another if I'm so inclined. No hijinks involved.
I will concede that the sync is not as convenient but I use Syncthing and Snapdrop for a bunch of other stuff already so I don't mind, not to mention the fact that I feel better about my vault never being exposed to the internet in any form.
The language is somewhat ambiguous and obviously written before things like LastPass/Dashlane/etc. even existed, but I tend not to editorialize when it comes to security reqs.
Maybe BitWarden would work for my purposes, but I have no complaints about KeePass, so I don't know why I'd switch.
On the other hand bitwarden_rs is GPL-v3. Like it or not, at the very least, it is very clear where it stands.
Interestingly, KeePassXC has multiple licences and takes the time to neatly list what is under which.
Besides, Syncthing (with history enabled) gives me backups "for free" as part of the regular sync, whereas I'd still have to set that up myself when hosting Bitwarden.
I think if you use a MacBook you can use a "universal clipboard" of some kind [1] but I use a linux thinkpad.
[1]: https://apps.apple.com/us/app/strongbox-keepass-pwsafe/id897...
Apple only cares about your security if you're gonna continue being a paying customer.
* set generated pw length beyond 128 back
* create groups of any unicode characters by myself and specifically black or whitelist them for the pw generation,
* manage all keyboard shortcuts, both the local and global ones,
* auto-type with a global shortcut any chosen entry individually—but username, password, and otp in particular—so that I don't have to fix the seq and delays every time the website changes or I'm somewhere with slower internet.
The process would be:
either press a global shortcut to find an entry or pre-select it in the app, then use other global shortcuts to auto-type the attributes individually
* copy the password from the editing menu without revealing it,
* show the attributes in place of the notes
What's your use case for such long passwords? 55 lower case ASCII characters (a-z) have over 258 bits of entropy.
As an example, that's more than the key length of AES-256. If my limited understanding is correct that would mean it gives no additional brute-force resistance to use a password longer than 55 lower case characters for anything AES-256 encrypted (and thus also for anything weaker than AES-256). Similar logic should apply if the password gets hashed to 256 bits or less (e.g. SHA-256 or bcrypt with 192 bits).
Besides, a local password generator can be a convenient way to generate random strings for other uses as well.