Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
KeePassXC 2.6.0 Released (keepassxc.org)
249 points by varjolintu on July 8, 2020 | hide | past | favorite | 174 comments


I've been using KeePassXC ever since switching from OSX to Debian Linux. On OSX, I used 1Password and have been an advocate for years.

However, after being forced to upgrade (and pay again) multiple times due to API changes, and the integration stopped working with various browsers, I wasn't a happy customer anymore. KeePassXC works just as good, if not better. I'm using it on Debian, with browser extensions and on iOS (and sometimes even on my old Macbook Pro on OSX). Being FOSS, I'm not afraid anymore that stuff will stop working at some point, because some proprietary API is deprecated.


You might want to checkout BitWarden. A FOSS server exists (even on in Rust, iirc) and there are opensource clients as well (browser plugins maintained by BitWarden). This system is "zero knowledge", the server does not get to see the passwords in normal operation (it does in case of imports, which I think is a huge security flaw one can mitigate by not importing).

Another thing: Keepass(XC) became a snap package on recent Ubuntus. If there's one piece of software I dont want to be a snap package it is this tool. It get slow, ugly and hard to find (in a process tree). This is the last piece of software I want to run in snap.


> Another thing: Keepass(XC) became a snap package on recent Ubuntus.

"became" is misleading. It's available as a snap if you want to use it. It [also] remains available from the apt repository maintained in the traditional way.

Of course if you want keepassxc on Ubuntu 20.04 from apt/deb, you'll get 2.4.3, because that is the traditional way. The snap available is 2.6, because consuming the latest directly from upstream is how snaps work. You can choose with methodology you prefer.


My preferred way of installing and managing software on Ubuntu is compiling the source to /opt and then installing it to the system with the Debian/Ubuntu Update Alternatives system:

- https://wiki.debian.org/DebianAlternatives

- http://manpages.ubuntu.com/manpages/trusty/man8/update-alter...

It allows you to install multiple different versions side-by-side and toggle which of them is called by the canonical system command in /bin, /usr/bin or wherever.

You install them in /opt or somewhere else where collisions won't occur, then use the update-alternatives command to link them into /bin, /usr/bin or other system directories.

It takes a little more work up front, but is worth it. It makes both upgrades and rollbacks completely painless, and you get to decide which version you use.

The upfront work part is in scripting the various binaries and manpage files that need to be linked together, atomically, into system directories. Here's an old (out-of-date) example script for installing Haskell Platform after building it in /opt/ that demonstrates this. All subcommands must be slaved to the main command, and update-alternatives enables this.

https://pastebin.com/74JAxdTX


Dit not know that, but after "just installing it", it was suuuper slow and ugly (very not matching my other apps) and I could not find the process it was running as at first (snap obfuscates that). Also it could not read a file I put in /tmp.

I want to use a tool to protect my privacy, please not package that in some security-unproven test-bed of a packaging/execution method please.

(Also found the calc app was in snap, and thus verrrry slow to start, then I dumped Ubuntu altogether)


I even got the snap yesterday morning already!


I did check it out before using KeePassXC, thank you.

I took a whole day to check out all available FOSS options. KeePassXC won based on my criteria by a long shot.

One deadly reason against BitWarden (for me): Having a FOSS server that's not officially supported and more or less reverse engineered, is even worse than a proprietary API. It can become defunct at any point in time - and it might even be hard to catch it. At least, with 1P, when they deprecated their old Apps, they announced it.

Not saying that BitWarden is bad in any way. Just saying that the KeePassXC stack is FOSS all the way with no lock in and multiple implementations of the Keepass file format.

As for the SNAP package: I'm not versed in that. I'm just using the regular Debian package. Works fine for me.


I'm not sure when you looked at Bitwarden but the official server and clients are open source under the AGPL, including the API for other people to make their own servers and clients with. So I would say that Bitwarden fills the FOSS all the way requirement.

https://github.com/bitwarden


I've self hosted the rust server, and have attempted to host the official server but found that it was difficult to install and addly slow once configured. Running your own server also loses you many of the benefits of premium if you keep supporting the project. They changed their color scheme from my favorite blue to Facebook-blue, and after exploring it on tails, I think I'll be more than happy to transition to keepass in the future.


The bitwarden_rs server features TOTP entries and support for login with U2F (YubiKey) and Duo. It also handles Vault attachments and organizations. Which premium features are you missing?


bitwarden_rs is really nice code.


What was hard about self-hosting the official server? I found it a little resource heavy but their docker images make it all very simple to set up and run.

I lived with that for a while, and didn't like the size of the VPS I had to use to keep it stable, so I moved to bitwarden_rs, and I haven't noticed any missing premium features.

I like keepasxc also, but the thing that moved me from that to bitwarden was my desire to use my password databases in multiple places at once without conflicts. I think the bitwarden browser integration and phone integration is nicer, also.


> As for the SNAP package: I'm not versed in that. I'm just using the regular Debian package. Works fine for me.

`apt install package` could install a snap [0] [1].

I don't know if you're using the `.deb` installed via your package manager or downloaded directly from the KeePassXC distribution. In either way, you might want to look deeply into how it works. Consider previous discussions about Ubuntu and Snaps.

[0]: https://news.ycombinator.com/item?id=23434067

[1]: https://news.ycombinator.com/item?id=23435178


No, it can’t. I never said that I’m using Ubuntu. I’m using Debian and stock Debian packages as mentioned before (as mentioned in the original GP comment).

It’s a proper native package: https://packages.debian.org/buster/keepassxc


I started with 1P and switched to Keepass as they started pushing their subscription service. Keepass was fine, but had some annoying sync issues occasionally (via dropbox) and never really found a good ios app. The whole system worked but felt sort of cobbled together. I think this is because it is built as a local application that can sync through other services, rather than server / client. Syncing data is more front and center with BW.

Running a bitwarden server has been a much better experience, particularly the bitwarden_rs fork (1). I run it in a container and it's been rock-solid. The organization / collections features make sharing pws with my family really easy, and 2FA gives me peace of mind. The ios app is really smooth too. Importing a db from keepass was pretty easy.

BTW, I did try the official bitwarden container first, but found it bloated and feature-restricted (if you don't want to pay a monthly fee).

1. https://github.com/dani-garcia/bitwarden_rs


How do you have the Bitwarden server setup? I'd love to run it locally at home on a NUC or something similar, but Bitwarden has this shitty "feature" where you can't actually save anything new unless you have a connection to the server. I'd rather not expose a server to the outside world running locally on my network if possible.


This was my answer to that:

https://geoff.tuxpup.com/posts/caddy_and_wireguard/

I never got 'round to writing up the bitwarden specifics, but it covers the path I negotiated between hosting it somewhere else and exposing it to the world.


I considered doing it from a home server using a wireguard connection on my Unraid box, but in the end just went for a cheap cloud instance from digital ocean. I'm also a bit uncomfortable with exposing my home network through a reverse-proxy so things that i need lots of access to go up on the VPS.


> never really found a good ios app

If anyone is looking, Strongbox and Keepassium are both good.


After playing with dozens of password managers and more phone apps than I can count, I now use KeePassXC on all my desktops/laptops (across Linux/Mac/Win) and Strongbox on iOS devices and have never been happier with my setup. It all just works now.


My main problem with BitWarden is its weird Folder UX model - I can't quite put my finger on it, but I keep running into things I want to do but that I can't quite do when sharing. 1Password's "Vault" model is so much clearer.

What's the advantage of BitWarden over sharing your Keepass database with a family member via Dropbox or something?


The ability to create shared folders of credentials either for corporate or family situations while maintaining separate accounts is a big one. The password to my account and my wife's to hers are in our shared folder so if I plotz without warning she can get into my credential store and get into things like the power company website, insurance website, etc without having to have all of the credentials (along with crap she'll never care about like SSH keys and passwords for my EC2 instances) she doesn't care about taking up space on her account.


What’s annoying is that space shouldn’t be an issue at all, these secrets are tiny. Instead of folders, they should be tags, with the ability to grant access and sort by those tags (IMHO as a Bitwarden paying customer).

I hope Apple rolls out their iOS 14 keychain improvements soon, and supports family sharing/delegation/access controls based on the family primitives in iCloud, so we can bounce from Bitwarden.


> (it does in case of imports, which I think is a huge security flaw one can mitigate by not importing)

Wait, why is that the case?


You can still use the official PPA or AppImage.


> It get slow

> This is the last piece of software I want to run in snap.

Well, KeepassXC is not that resource hungry, is it?


I think they mean the startup is slower. Snaps don't really impact performance other than startup time.


Why not? Isn't it nice that you can control what other software can reach it?


How do you sync to iOS? Sync issue caused me to switch from keypassxc on Linux to browser based 1Password there. Not thrilled to use browser crypto but sending passwords to myself via Signal was getting old.


Not OP, but I use Resilio Sync (aka Bittorent Sync) and it has been working great for sometime now. Just open the app and the latest kdb file gets pulled down. I use the Strongbox app on iOS which supports kdb.


How do you sync kdb to Strongbox. IIRC iOS Resilio requires files to be exported manually


With the later versions of iOS supporting "Files" now, Strongbox points to the file that is stored within the "Sync" (Resilio) location. What this means is that Strongbox is actively reading/writing to that file within the "Sync" location on iOS. Whenever I open the Resilio Sync app it will either push the changes I made on mobile to the server or pull down the file from the server and overwrite the file on iOS, depending on which is the newer file.

Also, I don't use Resilio's proxy servers either, so all of this is 100% running on my own infra. I have Wireguard setup on my home network, so if I am away from home, I can "VPN" in on my phone and then open the Resilio Sync app to sync up remotely.


I tried Files, but after some sort of timeout the File disappeared and I don't know what that was about, so I went back to Share.


I haven't run into that before, but I'll describe how I bootstrapped my setup in case that might help resolve your issue.

  (1) Setup Resilio sync on my NAS
  (2) Shared the folder holding the kdb file via Resilio Sync
  (3) Entered the code into the Resilio Sync mobile app
  (4) Performed an initial sync of the folder to my phone
  (5) Downloaded Strongbox and pointed it to the kdb file under the "Sync" location in Files on iOS


Thanks, indeed with "Files" it works!


In Resilio I Share > "Copy to Strongbox". I mark it as Read Only to keep from confusing myself and use a separate "Mobile kdbx" for any passwords I create on Mobile and share that the other direction as needed. (I don't have to use two files, I just find it an easier process that makes it less likely for me to forget to sync one direction or the other and "lose" a password.)

(I miss Windows Phone here in that I could directly share my Resilio file and its sync status with a KDBX app as Resilio was a standard file host. iOS really should standardize something like that instead of forcing a unidirectional Share as the only pattern.)

(ETA: I tried Files which is supposed to do something closer, but it didn't seem to work for me.)


I used to be of this mindset as well. (Two different files, so I wouldn't overwrite or lose a password just in case I synced the wrong direction)

I gave this up though as Resilio will detect conflicts and prevent overwriting in case that did happen and I make automated nightly backups of my password file, so I can restore the file if I ever did "lose" a password. I've been running with my current setup and haven't had to restore yet.


Strongbox is great, I use it to pull the kdb from Dropbox.


€45 for a 'lifetime' purchase, ouch!


That's comparable to a year of 1Pass/Lastpass. You can also use it for free, the pro version just adds some nice features/touches.

It is by far the best mobile Keepass-compatible app I've used. Minikeepass was good for a while but seems abandoned.


Thanks for the tip, i didn't notice Strongbox can be used for free. I refuse to buy any subscriptions so i always only buy full versions of apps. For my particular use case €45 is way too much though. Perhaps this will change in the future and i might buy it.

I bought the '1 time purchase' of 1Password on macOS like 6 years ago and have been happily using that on macOS, iPhone and iPad. Still gets updates today (I did pay for 1 major upgrade if i remember correct.) It was way cheaper than all the subscription crap where you don't really realize what you're paying for and how much. I would never buy the current expensive 1Password subscription.


I'm using a native app which uses the same passwords dialog as 1password (or the iCloud keychain for that matter). You can configure which one to open in the settings.

There's even multiple iOS apps available for use with keepass last time I checked. I'm using https://keepassium.com/

NB: I understand what you're saying about still using 1p with Signal. I did that for quite some time, as well(; Using keepassium really works equally well for me as did 1p on iOS. Doesn't look as fancy, but I really just need it to know my passwords or generate a new one^^


KeePassXC + Nextcloud has surplanted any other password manager for me for the last two years. The OTP integration is great as well.


Same here, the setup is working great

I use Keepass2Android, which works great with Nextcloud and handles very well offline usage and subsequent merge of the database. On iOS the experience is much worse: I use KeePassium but it does not connect natively to Nextcloud, so I use BoxCryptor for that. The downside is that if Nextcloud is unreachable, I cannot see my saved passwords. Anyone managed to have a good experience on iOS?


I've had a very good experience with Strongbox. I personally haven't used the Nextcloud integration yet so I can't vouch for that specifically, but I've used it with multiple cloud services and it's been seamless every time. It also caches your database locally, which should solve the problems you were having with BoxCryptor. It is freemium, and the really useful features will cost $1 per month, but there is also an option to purchase a perpetual license. Quality indie apps are hard to come by iOS these days, and I'm glad to pay for a service that's so integral to my daily life.

https://strongboxsafe.com/


Update: after writing this I checked again, and with the latest update to the Nextcloud iOS app it is possible to directly open and save the Keepass database from Nextcloud. No need for BoxCryptor anymore. Hurray for Nextcloud!


Isn't "integrated 2fa" defeating the purpose, though?

I find the 2fa should be separate, even on a separate device, from the password store.

Which is why I never use this OTP/2FA feature in my favorite passwordmanager Bitwarden.


When using a password manager of sufficient security the weakness isn't the password manager. The password manager is likely the strongest security app that most people use on the daily.

If you store both the password and 2FA in something that secure, is it really causing any real harm?

If your threat model dictates that this IS a threat for you, then by all means, don't do that. But I think for the average person this is far more secure than some of the alternatives they'd be doing otherwise.


The advantage to OTP, even when stored with the password, is that it switches from shared-secret to asymmetric-key login. Of course in theory with a good hash+salt it's nearly the same, but with OTP I have better confidence that an attacker can't steal my credentials.

(I mean, I say this as someone who also keeps 2FA separate, but I do see some benefit to 2FA even stored with the password)


eh? what OTP scheme is asymmetric?


Logically, yes, reality if you think deeply, it's no different than having a OTP app on your phone and also the password manager.... At best if you are so concerned you just create a second keepass DB for OTP or if you are more concerned, have two phones ;)

I can't take software like bitwarden seriously because they still require you to have a cloud account and/or run your own server which I also have no interest in. I want something I can actually backup natively on a client without extra effort like a script running agaisnt an api. A single file encrypted database is more than adequate. Control and ownership of the password blob is just so absolutely critical if you invest heavily in password management, especially with sites that take a stance of "password/otp or we'll never recover the account"


In addition to what other people have said, some sites force you to use 2FA or endlessly bug you to enable it.


Along those same lines, I also store my security questions/answers in my password manager. In many cases, the security questions are stupid, but if I'm forced to do it, then at least I can keep it organized.


I usually just generate long >32 chars random strings as answers to these stupid questions, and store the string in my password manager as well.

Worked great, until some support person on the phone actually wanted to know the answer...


For me the winning combo is KeePassXC + Syncthing.


Yes, the best feature about KeePassXC is this ability to do your own syncing. I work at a Fortune 500 where they block every syncing service except OneDrive, so that's what I have to use.


You might be able to get Syncthing to work if you use a relay server listening on port 443, it would depend on their firewall.


Unfortunately Syncthing does not work on iOS, so it's not a fully cross platform solution.


I am not a fan of Syncthing. I do not want a web UI, and there UI is by default unsafe and needs to be disabled or secured anyway. I do not like their config format either.


Same here... really well built products that just work!.


I prefer KeeWeb for the UI, but Syncthing is great.


NextCloud actually has awesome plugin, named Passwords. You get everything major players have for free and its simply awesome. You also get team communication (add LDAP/AD to it), REST API, folders, automatic icons etc.


I've been using the original KeePass for a long time. I'm an architect, not a coder/software developer. So my question is a bit naive on this forum, but why is KeePass 10mb installed and KeePassXC 108mb if they do the same thing? I like that KeePass has plugins that I can tailor to my needs. Does KeePassXC make the same security software changes as KeePass? I forgot one more question, can I use KeePass2Android if I switched?


- the size difference is because KeePass offloads a lot of work to the .Net framework, and in contrast KeePassXC does that same work itself.

- I'm not positive I'm understanding your question, but KeePassXC takes security just as seriously as the original KeePass does

- Yes, you can use KeePass2Android, or any other KeePass compatible software. KeePass and KeePassXC use exactly the same database format


The size of KeePassXC application is the following (inspecting macOS version here):

- Binaries itself = 9,1M

- Plugins (styles, icon engines etc) = 12M

- Resources (icons, documentation, translations) = 15M

- Libraries (Qt, crypto, Yubikey etc.) = 38M


> can I use KeePass2Android if I switched? Yes you can. Another Android app that is also compatible with the same database is KeePassDX.


I've used the original KeePass for a long while but find KeePassXC just more likable. And in general, even the OTP support is brillant.


I suspect it is all dependencies because on Linux KeepassXC 2.5.4 itself is only 14.5 MB.


Hi there, I have a genuine question about your comment and I apologize if this comes across as attacking, that is not my intent at all.

> why is KeePass 10mb installed and KeePassXC 108mb

Why does the file size matter? Are the devices you use so short on storage that an extra 100 mb is an issue? Obviously if it was something like 50 GB then yes, that makes sense but in general most HDD's and devices have GB's of empty space.


> Why does the file size matter? Are the devices you use so short on storage that an extra 100 mb is an issue?

No, but just about any aspect of computing benefits from smaller file sizes, or smaller data size in general, starting with CPU caches, RAM caching of files, file transfers, including syncing things over the network, backing things up. The more free space a SSD has, the smarter it can be about wear leveling (I think, though I have no idea how much this matters in practice).

I mean sure, if the data just sits there, and you don't do anything else with the machine but run a password so manager, it really doesn't matter, but we tend to run dozens programs actively with even more running in the background, all of this adds up quick even on one machine. And then there are billions of people using even more devices.

In this case, I like using KeePassXC portable, so if the size is the result of having less outside dependencies, I'm fine with it, don't get me wrong. But generally, this attitude of just throwing hardware at software is a problem, which by now it has reached gigantic proportions IMO, and you made the argument generally.

Imagine some kind of character encoding that is exactly Unicode, but every character gets repeated 10 times... not for any useful reason, just so people can show they can afford beefy hardware and waste it. Would you use it?

We cannot even begin to imagine what our current hardware would be capable of, if we only allowed ourselves the time to use it well. Consider that this runs on hardware from 1981: https://www.pouet.net/prod.php?which=65371

The same achieved with less is always better, I'll just claim that. The whole universe in all it's infinite wealth cannot change that, and we live on a planet that's about to get ruined real hard because of our consumption of materials and energy. Storage may very well become so big and cheap as to be practically infinite, but CPU will always cost energy.

For one-off things with limited use, knock yourself out, of course, but if you package something for distribution, it may stay around "forever" and get handled countless times, by servers and end-users, so if it can be made smaller without making it worse and without extreme hassle, make it smaller.


Why does CPU usage matter? Just buy a faster CPU. Why does memory usage matter? Just buy more memory. Why does network bandwidth usage matter? Just get a faster Internet connection. Why does stability matter? If it crashes, just restart it.


If you like KeePassXC you should consider donating. I donate $5 a month because it's worth paying for good software.

https://keepassxc.org/donate/


I am assuming there are ways to turn off health checks to “ Have I Been Pwned”. I never want my local password manager to do outcalls for any reason...


You manually run the audit, and it makes it very clear that it’s about to do an online activity:

https://github.com/keepassxreboot/keepassxc/pull/4438


The application does not perform this check automatically, it is a report that you have to request explicitly. There is also a warning upon request that a remote request will be performed.


Another option you should consider: https://www.passwordstore.org/

It's just a bash script that used gpg and git. I find it the most KISS solution. Not available on phones but I don't trust my phone with my secrets anyway.


I use "Pass - Password Store" [1] for iOS and it works a charm for me.

You have to import your GPG key to it and set up your git connection to your server and you're all set.

It also supports OTP generation which is really nice.

[1]: https://apps.apple.com/us/app/pass-password-store/id12058205...


How is it compared to keepassxc.


There's an android version: https://f-droid.org/en/packages/dev.msfjarvis.aps/

I use it and it works quite well.

Also gopass exists, which is useful to share secrets with teams + your personals, same interface. I wrote about it [0] + a cheatsheet [1]

[0]: http://woile.github.io/posts/sharing-team-secrets/

[1]: https://woile.github.io/gopass-cheat-sheet/


Passwordstore is just awesome. We're using gopass (go port of the pass scripts) which supports multiple stores to be mounted so we can have different recipients i.e. for team1, team2 and private. In combination with browserpass for firefox and android-password-store for smartphone it's the simplest and best tool I ever used for password management. And the best part: it's just simple text files which are encrypted using gpg. So we just sync them with syncthing and even if the pass or gopass program would go away in the future we can use gpg decrypt.


I've heard claims that using the clipboard to transfer passwords is not very secure because a lot of different pieces of software may be able to read the clipboard.

If so, then a browser plugin would seem to provide better security. So this might be a little too KISS.

Does anyone have comments on how much of a concern it really is to have passwords travel by the clipboard?


> how much of a concern it really is to have passwords travel by the clipboard?

As with many security matters, it will vary depending upon your threat model.

I generally feel that if you have something installed watching your clipboard for nefarious reasons then you've already got a bigger problem, and I prefer that potential security issue over having all my credentials integrated into the browser via a plugin (a clipboard sniffer will catch one or two things passing by, a hacked browser with integrated or add-in based password store might reveal everything at once).

If you use the clipboard for transfer, take the precaution of always clearing it soon after use. KeePass does this by default, as do some other similar tools.


I can't count a requirement to have git wherever you need a password as a KISS solution.


You can set up your store with git but it's optional.


> Not available on phones but I don't trust my phone with my secrets anyway.

Why is that? I trust my phone more than any other device because of it's encryption / secure enclaves / sandboxing etc.


I don't have root on it. I didn't pick the hardware.


One thing that bugs me about passwordstore is that while passwords are encrypted, the names of the websites are stored in the clear. Last I saw there is an workaround you can use with "tombs" but IMO it would have been much better if they had done the right thing by default and stored the whole password database in a single file.


How trusted are the iOS/Android app compared to the "mainstream" desktop clients like KeepassXC ? I'm a bit wary of downloading a "random client" from the App Store. Are those audited/trusted as much ?


I've been using Keepass2Android [0] for a few years now (synced with the desktop client) and haven't had any issues. I'm not aware if any audits on it, but I'm not sure the risk of a developer pushing malicious binaries is that much higher on the play store than the arch/debian/snap/brew repositories.

[0] https://github.com/PhilippC/keepass2android


I imagine those on iOS/Android are "complete" re-implementation of the client. Isn't that the case ?


I've never contributed to it, but my understanding is KeepassXC is both a library and desktop client (and cli client, which I've never used) and that the app uses the library to manipulate the database. This piece of documentation seems to confirm this.

https://github.com/PhilippC/keepass2android/blob/master/docs...


Does anyone know if the browser integration is similar to/better than Lastpass or Bitwarden? Does it even have browser integration?


I use the browser extension all the time (Chrome).

When it works, it works great. You can tell the extension to auto-fill and auto-submit, so that it feels like you had been logged in from the very beginning.

The problem is, it works (in my experience) around 80% of the time. I'm guessing it's not on them since it requieres websites to follow certain standards in order to have autodetectable login form fields, but it's a pain nonetheless.

Try it, it takes a couple mins to set up. The best feature IMO is the keyboard shortcuts to fill in details.


Many non-standard fields may cause problems with the extension. You can always try to set Custom Login fields for a certain page which allows you to override input fields for username and password use.


Also, this is more niche, but I have it set to auto-fill HTTP Basic Auth credentials, which works perfectly since that's a well-established standard.

I use Basic Auth for many of my LAN-only web services at home and KeepassXC + browser extension feels like having client-side certificate authentication or similar, feels like going through airport security without taking your stuff off into bins.


> The problem is, it works (in my experience) around 80% of the time

Well, that's better than my experience with Lastpass, although that might just be me.


I've been using it ever since ditching OSX in favor of Debian Linux. On OSX, I used 1password and the KeePassXC browser extension works just as fine. In fact, better, because 1Password stopped working for Chromium due to whatever proprietary cert requirement which wasn't met.


In my experience, it's a lot worse which is why I switched. It constantly broke when Firefox updated. Usually the fix was to update keepassx but sometimes it was more complicated than that. Eventually it got to a point where I couldn't fix it. So I switched to bitwarden with a self hosted server and have had zero problems. It's also been a better, more reliable experience in other ways.


It does have a browser integration. Available for Firefox, Chrome/Chromium/Vivaldi/Brave/Edge and Tor Browser.


Pretty good I would say, not much worse than LastPass



Just use this and forget about LastPass/Bitwarden. It has everything you need:

https://apps.nextcloud.com/apps/passwords


Word of warning: Don't use KeePassXC when your co-workers use KeePass2 using a network drive. KeePassXC doesn't support KP2's sync protocol. You'll clobber other people's changes when you save using XC. It took us a few weeks before we noticed that many passwords were missing.


Oh, thank you! Potentially saved us from unnecessary headaches. I'll be sure to use regular KeePass when editing a shared database. For my own db I prefer KeePassXC, and use DropBox for syncing between devices.


But that sounds like the wrong thing to do. Why are you all pointing all your apps at a shared "database" file? And how about locking issues?


This seems to be a supported feature of KeePass 2:

"When invoking the 'Save' command, KeePass checks whether the file on disk/server has been modified while you were editing it. If it has been modified, KeePass prompts whether you want to overwrite or synchronize with the file."

https://keepass.info/help/v2/sync.html

KeePassXC, on the other hand, does not seem to have been designed for shared synchronization:

"Cloud synchronization ... can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low."

https://keepassxc.org/docs/#faq-cloudsync


The synchronization feature is what's keeping me on KeePass 2 (running on Mono in Linux) , despite the fact that the interface looks completely out of place in my KDE system.


Also a user. Works well in general, although I continue to be sad to see the arrogance during argumenting in an issue that is a valid and necessary usecase for many people using online banking. https://github.com/keepassxreboot/keepassxc/issues/725


Surely that sort of individual character checking of passwords implies plaintext password storage.

Seems reasonable not to go out of the way to support obscure insecure password entry methods.


I bet they just hash every character of the password separately!

/s


KeepassXC with the .pdb synced with git and locally-distributed .key files has been my go-to for years. I don't use browser extensions.


I'm excited to try this out. Just to mention two interesting projects:

On MacOS I use: https://macpassapp.org/ (Open Source)

I always wanted to try: https://www.passbolt.com/ (Self-hostable)


I switched from MacPass to KeePassXC because it supports newer versions of the KeePass database spec and is compatible with Windows and Linux. If you ever end up sharing password databases, it's a must.


Could you please specify what is the dataspec support difference between MacPass and KeePassXC? As for formats they both support KDBX4. But yes, MacPass dev and releases are very slow. It's just that it has been such a functional and stable native app since years.


While we're on the subject of password managers ... I'm still looking for one with decent multi-user & group support, with audit trails, which is self-hosted. Bitwarden sounded promising, but I'm put off by their MS based stack and their pricing model. Any other recommendations would be greatly appreciated.


I'm not sure what you mean by "their MS based stack", but if it is not about the build tools (.net etc), but about them hosting on azure: Bitwarden can be selfhosted just fine on Linux. https://github.com/bitwarden/server#linux--macos


Unless it's changed since I looked at it, it requires MS SQL Server, which does run on linux, but isn't FOSS, and is very expensive to license if you aren't already using it.


> and is very expensive to license if you aren't already using it.

Not FOSS, but the express edition is free as in beer and the limits should not matter at all for bitwarden (I think the main one is max 10 GB). I prefer KeepassXC + Keepass2Android + Nextcloud though ;)


SQL Server has a no-cost edition, SQL Server Express. This addresses only the free as in beer side of your comment.

Not suggesting this as an argument for you to adopt BW, but just as an FYI.


There's an alternative implementation of the bitwarden server in Rust:

https://github.com/dani-garcia/bitwarden_rs


That along with their CLI utility is what killed Bitwarden for me.

It is absolutely horrendous, mostly due to being written in NodeJS, AFAICT ("when your only tool is a hammer..."?).


Bitwarden-rs is an open source project that implements a bitwarden compatible backend as a self-contained binary (implemented in Rust)


I just set this up this weekend in a container at home, on my Synology box.

Nice thing about Bitwarden-rs is you get a lot of the "premium" features for free with it. For example: Yubikey, U2F, and Duo support.

https://github.com/dani-garcia/bitwarden_rs


The company I work for has used CorporateVault for years, but it is unfortunately a dead project and relied on Java and Flash to work properly. I've been looking for a replacement for some time but all the contenders seem to have cloud bullshit, are overengineered, and/or can't integrate with AD.

Once Flash support is dropped for good I'm probably going to be stuck writing a replacement.


Can you please say more on what you mean by MS based stack? It runs on azure?


Probably the underlying stack.

From https://github.com/bitwarden/server#requirements:

   Requirements

   .NET Core 3.1 SDK
   SQL Server 2017


Well you can run SQL Server on Linux if you wanted


It's not a recommendation because I haven't tried it but I recently learnt about TeamPass : https://teampass.net


I'm been considering jumping to bitwarden


What don't you like about their pricing model?


Thoughts on comparing this to bitwarden? Pros, cons?


Having used both, Bitwarden has been a better overall experience for me and much better for my friends and family. I still like both of them.

KeePassXC

* [Pro] Excellent desktop app. Fast, easy, polished, powerful (TOTP available by default).

* [Pro] Great data ownership philosophy and data storage flexibility.

* [Con] Poor cross-platform app experience, especially on mobile (iOS in particular).

* [Con] Tinkering required to sync data. This isn't a big deal for many of us on here, but presented a large barrier to entry for my non-tech-savvy friends & family.

Bitwarden

* [Pro] Excellent cross-platform experience.

* [Pro] Low barrier to entry via SaaS, making it a good option for less-than-tech-savvy folks. This is ignoring the nice option to self-host.

* [Pro] Sharing features (haven't actually used them).

* [Pro] Web vault is accessible via web browser (accessibility).

* [Con] Web vault is accessible via web browser (increased attack surface).

* [Con] App is a tad slow (electron), but this is an acceptable price to pay for the good cross-platform experience.


One of the other things I like about KeePass in regards to non-mobile devices is that you can autotype your credentials into things that are not web browsers and even make custom sequences per application.

I've got a sequence that gets me logged into to a mainframe and navigates all the way to the main menu and given how often I hit it I bet it has saved me from an RSI by now.


KeePass support on iOS has gotten better in recent years. I like KeePassium, but I’ve also heard good things about Strongbox.


I self-host Bitwarden and I haven't even bothered to install the desktop app. Since I have a browser open at all times, I just use the browser extension.

Also, I think the Android client is quite a bit better than Keepass2Android.


I tried bitwarden once and didn’t like it (can’t remember why, don’t care, no interest in switching ;) ), so I never tried their mobile client. But I’d be interested in what’s better than K2A, I think the modern Android experience with it is awesome.


A few things I remember: adding new entries was clunkier in k2a because I had to tap multiple times to select things like category/folders that I didn't care about. Bitwarden has better URI matching as I could choose the matching rule. BW has better search, or rather it displays search results in a more useful way. The autofill service also seemed to work more reliably, and I don't think k2a showed the matching logins right in the autofill drop-down menu, but I could be misremembering there.

Ultimately though it was the browser extensions, combined with the self-hosting option, that sold me on BW. None of the Keepass plugins I tried over the years worked that well. BW has extensions for both Firefox on Android and Vivaldi on desktop that are as solid as anything I've tried.


Can Electron really be called a good cross-platform experience? Consistent maybe, but good?


The main difference for me is if you want to use it on multiple devices, for example your computer and your phone.

In bitwarden this is seamless because it always saves to the cloud. With keepass you have to manually set up the file sharing with syncthing/dropbox/etc. One problem I had is that sometimes the file sync I set up wouldn't work properly and I'd add new passwords on the phone before it received the latest file version from the computer. When that happens you end up with some passwords that are only on the computer and some that are only on the phone, which is something that syncthing can't fix by itself.


This was the biggest reason I moved from KeePassXC to BitWarden. If I'm only creating new accounts on my phone then sending those credentials to my self via Signal or Wire is no big deal (update on my desktop, synch to iCloud, pull down new KDBX file on my phone for Strongbox which I use in readonly mode). If I'm creating account credentials on a platform where I don't have Signal or Wire installed (a shared Chrimebook, for example) then what... sending to myself by email draft? Add in mobile testing on devices on which a factory reset is regularly executed then it becomes an even easier choice in favor of BitWarden.

My experiences are my own; KeePassXC allows a much higher level of security than anything that's cloud-based but it's also not as convenient to use. For me, that makes Bitwarden the "right" choice. I only used one computer all the time then I would use KeePassXC without a doubt.


And it doesn’t offer to synchronize them?

Currently I’m using regular KeePass 2 and Keepass2Android and both offer to sync the changes in case I edit both at the same time… I would’ve thought KeePassXC does the same.


It does? I remember it being a fiddly thing but it is also possible that I messed up somewhere else.


I used to only manually sync several years ago, because of those problems. Then I got a new phone, set up normal sync and it suddenly worked without any problems.


The pro is you remain fully in control of your password database and you can host it the way you like. And all features are free since you don't rely on someone else's infrastructure.

I use Syncthing on my devices to keep the database in sync, and I let it deal with the file versioning just in case something happens.

The con is that it doesn't always feel as polished as other password managers, but that's mostly a personal taste thing. I use KeeWeb on my desktop/laptop, and KeePass2Android on my smartphone.


Bitwarden can be self-hosted as well, and there are multiple open-source server implementations. [1][2]

[1] https://github.com/bitwarden/server

[2] https://github.com/dani-garcia/bitwarden_rs


Not every body who wants to have their own ownership of certain items wants to get into the full scale IT business of maintaining a server.


Agreed. Though self-hosting is an option, not a requirement.

For my case I installed Bitwarden-rs on my Synology box at home in a container. I realize most people don't want to do that, but for me it was relatively easy.

I only allow access to it from inside my home-network.


BitWarden is better on the browser for me (it's been a while since I used KeePass*), but Keepass2Android is the best mobile password manager, bar none.


+1 for Keepass2Android.. my setup:

- Keepass db, stored in google drive with a memorized master passphrase - this brings password sync out-of-the-box

- G-Drive pulled down on all my PCs/laptops, with KeepassX used as the client

- Keepass2Android's G-Drive integration used on my phone - now made even more convenient with their "Quick Unlock" feature.

I've gone so far as to keep a separate db for payment info, though that one has a keyfile that I manage offline with a randomly-generated password, the password being stored in my password db.

I have found this setup very convenient over the years, and it offers peace of mind in knowing I'm not beholden to any online third parties to store this sensitive info.


Years ago I used KeePassX. It became stale, ugly, and didn't have a good Android app. KeePassX then moved to .NET, and didn't work well on Linux, so I looked around. I settled on enpass as it was a paid app without a subscription, and withyour choice of sync/backup. Enpass has excellent desktop/mobile apps with sync using your choice of cloud service. I'm very happy with it.


I actually just finished moving from 1Password to Enpass. KeePassXC was in the mix and is nice but what killed it for me was the lack of credit card / template support. Did not like the 1Password move from offline storage to online sync. You can buy a license but it is about $70 or so per platform. Enpass desktop is free and I can sync to my Synology using WebDav. That all said, I really hope KeePassXC vastly improves because I would love love love to use as much OSS as I can.


KeepassX is still written in C++, the project is just dead. I think you are confusing Keepass (.NET) and KeepassX (C++). KeepassXC is a fork of KeepassX.

https://github.com/keepassx/keepassx


Another satisfied enpass customer here, also switched from keypass.

Great multi platform support, browser integration, webdav support (makes sync a breeze if you have a webdav server like owncloud, seafile, or a Synology Nas)


Why do people insist on putting everything, even passwords, in folders? I find categorizing files, let alone passwords, into a strict taxonomy a particularly hard job of questionable usefulness.

It would be much handier if we could just tag the records with a number of tags + add a description and/or comment rather than put it in a folder. I always use search rather than manual folder tree navigation anyway.


How does Keepassxc compare to other password managers (passwordstore with gpg-agent/gnome keyring, 1password, Bitwarden, etc) in terms of protecting secrets when the vault is unlocked?

For example, part of data may be held unencrypted in RAM that could be read by OS or other programs. Any use of TPM?


Wait, so there's Keepass, KeepassX and KeepassXC? I understand the X is cross-platform (initially was linux-only) whereas presumably Keepass is win-only; but what's the "community fork" for? Why not improve KeepassX? And why don't KeepassX and Keepass merge now?


Keepass 1 is .NET Framework based. Keepass 2 is .NET Framework and has a Mono build of varying success. 1 and 2 are the originals and still actively developed.

KeepassX has stalled development since 2016 but was a true cross platform desktop client

KeepassXC is the fork of X and at this point in time is lightyears ahead of X.

I'm sure the developers of XC may have wanted to contribute to X but X seems to have been spearheaded by a single developer who stalled on letting other devs become maintainers. So the community forked it.

But to answer the question, it's impossible to merge X and the original because their code bases are in entirely different languages and arguably X doesn't give you anything than the one man dev show.


I used to use KeePass and KeePassXC for years at a time, but the amount of time I have saved not having to mess with syncing issues more than makes up for the ~$30 a year for 1password that always works across windows, linux, ios and mac.


Is it better than KeePassX?


Keepassxc is actively maintained. Keepassx, not so much.


I like the design of X more Not sure what is better in XC though


X looks very unnatural on macos

https://i.imgur.com/JtXVZW2.png


I'm curious why would anyone on Windows use KeePassXC instead of KeePass. Are KeePass plugins compatible?


For me personally because the author of KeePass is a stubborn person who is hellbent on not using a VCS. I see no reason why one would not use a VCS in 2020. From a security point of view this is a massive violation of trust due to the fact that a criminal entity could hypothetically sneak into the computer of the author of KeePass and modify a cpp file to link to malware and the author will have no idea of it and when he compiles and distributes it. He would have unknowingly distributed malware which due to the context of the application can cause massive damage.

I do know that I can compile myself but still I cannot audit every single release, this can be migitated by myself using git and extracting tar files on every release. But this should not be this difficult.

KeePassXC on the other hand is more practical and works on all platforms consistently and is easy to compile with cmake and has convenient cmake switches to disable network connectivity.


Commonly used plugins seem to have built-in data format and behavioral compatibility, and I guess a big reason would be for consistency across platforms - and now the custom Qt stylesheets, if that's your thing.


Has anyone migrated from Lastpass to KeePassXC? Was it difficult?


Lastpass to Keepass2 years ago, it was simply export/import. I assume it’s pretty much the same for XC


I like the simplicity/design of KeePassX more than XC


Been on the "regular" KeePass all along.

Should I switch?


I switched many years ago because Keepass didn't work well (or at all) on Linux. Since then, I think KeepassX and especially KeepassXC have surpassed the original Keepass in quality - so yes.

One thing that really amazed me was recently (1-2 years ago) KeepassXC got rid of the lock file and made it possible for multiple processes/computers to seamlessly work on the same file. This is fantastic for situations like having 2 computers running at the same time, opening a Keepass database file from Dropbox.


Fair point, but I'm a Windows user, so that alone is not really an argument.

The interface looks better, sure, but nothing really makes me to be dissatisfied.


Browser integration was a major issue with Keepass - haven't used it in years so I don't know if they've fixed it so you don't need the plugin hack.


That was my reason to switch from 2 to XC (on Windows) as well. Far superior browser support.


I switched because KeePassXC has TOTP and SSH key functionality built in, instead of being provided by plugins.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: