I've been using KeePassXC ever since switching from OSX to Debian Linux. On OSX, I used 1Password and have been an advocate for years.
However, after being forced to upgrade (and pay again) multiple times due to API changes, and the integration stopped working with various browsers, I wasn't a happy customer anymore. KeePassXC works just as good, if not better. I'm using it on Debian, with browser extensions and on iOS (and sometimes even on my old Macbook Pro on OSX). Being FOSS, I'm not afraid anymore that stuff will stop working at some point, because some proprietary API is deprecated.
You might want to checkout BitWarden. A FOSS server exists (even on in Rust, iirc) and there are opensource clients as well (browser plugins maintained by BitWarden). This system is "zero knowledge", the server does not get to see the passwords in normal operation (it does in case of imports, which I think is a huge security flaw one can mitigate by not importing).
Another thing: Keepass(XC) became a snap package on recent Ubuntus. If there's one piece of software I dont want to be a snap package it is this tool. It get slow, ugly and hard to find (in a process tree). This is the last piece of software I want to run in snap.
> Another thing: Keepass(XC) became a snap package on recent Ubuntus.
"became" is misleading. It's available as a snap if you want to use it. It [also] remains available from the apt repository maintained in the traditional way.
Of course if you want keepassxc on Ubuntu 20.04 from apt/deb, you'll get 2.4.3, because that is the traditional way. The snap available is 2.6, because consuming the latest directly from upstream is how snaps work. You can choose with methodology you prefer.
My preferred way of installing and managing software on Ubuntu is compiling the source to /opt and then installing it to the system with the Debian/Ubuntu Update Alternatives system:
It allows you to install multiple different versions side-by-side and toggle which of them is called by the canonical system command in /bin, /usr/bin or wherever.
You install them in /opt or somewhere else where collisions won't occur, then use the update-alternatives command to link them into /bin, /usr/bin or other system directories.
It takes a little more work up front, but is worth it. It makes both upgrades and rollbacks completely painless, and you get to decide which version you use.
The upfront work part is in scripting the various binaries and manpage files that need to be linked together, atomically, into system directories. Here's an old (out-of-date) example script for installing Haskell Platform after building it in /opt/ that demonstrates this. All subcommands must be slaved to the main command, and update-alternatives enables this.
Dit not know that, but after "just installing it", it was suuuper slow and ugly (very not matching my other apps) and I could not find the process it was running as at first (snap obfuscates that). Also it could not read a file I put in /tmp.
I want to use a tool to protect my privacy, please not package that in some security-unproven test-bed of a packaging/execution method please.
(Also found the calc app was in snap, and thus verrrry slow to start, then I dumped Ubuntu altogether)
I did check it out before using KeePassXC, thank you.
I took a whole day to check out all available FOSS options. KeePassXC won based on my criteria by a long shot.
One deadly reason against BitWarden (for me): Having a FOSS server that's not officially supported and more or less reverse engineered, is even worse than a proprietary API. It can become defunct at any point in time - and it might even be hard to catch it. At least, with 1P, when they deprecated their old Apps, they announced it.
Not saying that BitWarden is bad in any way. Just saying that the KeePassXC stack is FOSS all the way with no lock in and multiple implementations of the Keepass file format.
As for the SNAP package: I'm not versed in that. I'm just using the regular Debian package. Works fine for me.
I'm not sure when you looked at Bitwarden but the official server and clients are open source under the AGPL, including the API for other people to make their own servers and clients with. So I would say that Bitwarden fills the FOSS all the way requirement.
I've self hosted the rust server, and have attempted to host the official server but found that it was difficult to install and addly slow once configured. Running your own server also loses you many of the benefits of premium if you keep supporting the project. They changed their color scheme from my favorite blue to Facebook-blue, and after exploring it on tails, I think I'll be more than happy to transition to keepass in the future.
The bitwarden_rs server features TOTP entries and support for login with U2F (YubiKey) and Duo. It also handles Vault attachments and organizations. Which premium features are you missing?
What was hard about self-hosting the official server? I found it a little resource heavy but their docker images make it all very simple to set up and run.
I lived with that for a while, and didn't like the size of the VPS I had to use to keep it stable, so I moved to bitwarden_rs, and I haven't noticed any missing premium features.
I like keepasxc also, but the thing that moved me from that to bitwarden was my desire to use my password databases in multiple places at once without conflicts. I think the bitwarden browser integration and phone integration is nicer, also.
> As for the SNAP package: I'm not versed in that. I'm just using the regular Debian package. Works fine for me.
`apt install package` could install a snap [0] [1].
I don't know if you're using the `.deb` installed via your package manager or downloaded directly from the KeePassXC distribution. In either way, you might want to look deeply into how it works. Consider previous discussions about Ubuntu and Snaps.
No, it can’t. I never said that I’m using Ubuntu. I’m using Debian and stock Debian packages as mentioned before (as mentioned in the original GP comment).
I started with 1P and switched to Keepass as they started pushing their subscription service. Keepass was fine, but had some annoying sync issues occasionally (via dropbox) and never really found a good ios app. The whole system worked but felt sort of cobbled together. I think this is because it is built as a local application that can sync through other services, rather than server / client. Syncing data is more front and center with BW.
Running a bitwarden server has been a much better experience, particularly the bitwarden_rs fork (1). I run it in a container and it's been rock-solid. The organization / collections features make sharing pws with my family really easy, and 2FA gives me peace of mind. The ios app is really smooth too. Importing a db from keepass was pretty easy.
BTW, I did try the official bitwarden container first, but found it bloated and feature-restricted (if you don't want to pay a monthly fee).
How do you have the Bitwarden server setup? I'd love to run it locally at home on a NUC or something similar, but Bitwarden has this shitty "feature" where you can't actually save anything new unless you have a connection to the server. I'd rather not expose a server to the outside world running locally on my network if possible.
I never got 'round to writing up the bitwarden specifics, but it covers the path I negotiated between hosting it somewhere else and exposing it to the world.
I considered doing it from a home server using a wireguard connection on my Unraid box, but in the end just went for a cheap cloud instance from digital ocean. I'm also a bit uncomfortable with exposing my home network through a reverse-proxy so things that i need lots of access to go up on the VPS.
After playing with dozens of password managers and more phone apps than I can count, I now use KeePassXC on all my desktops/laptops (across Linux/Mac/Win) and Strongbox on iOS devices and have never been happier with my setup. It all just works now.
My main problem with BitWarden is its weird Folder UX model - I can't quite put my finger on it, but I keep running into things I want to do but that I can't quite do when sharing. 1Password's "Vault" model is so much clearer.
What's the advantage of BitWarden over sharing your Keepass database with a family member via Dropbox or something?
The ability to create shared folders of credentials either for corporate or family situations while maintaining separate accounts is a big one. The password to my account and my wife's to hers are in our shared folder so if I plotz without warning she can get into my credential store and get into things like the power company website, insurance website, etc without having to have all of the credentials (along with crap she'll never care about like SSH keys and passwords for my EC2 instances) she doesn't care about taking up space on her account.
What’s annoying is that space shouldn’t be an issue at all, these secrets are tiny. Instead of folders, they should be tags, with the ability to grant access and sort by those tags (IMHO as a Bitwarden paying customer).
I hope Apple rolls out their iOS 14 keychain improvements soon, and supports family sharing/delegation/access controls based on the family primitives in iCloud, so we can bounce from Bitwarden.
How do you sync to iOS? Sync issue caused me to switch from keypassxc on Linux to browser based 1Password there. Not thrilled to use browser crypto but sending passwords to myself via Signal was getting old.
Not OP, but I use Resilio Sync (aka Bittorent Sync) and it has been working great for sometime now. Just open the app and the latest kdb file gets pulled down. I use the Strongbox app on iOS which supports kdb.
With the later versions of iOS supporting "Files" now, Strongbox points to the file that is stored within the "Sync" (Resilio) location. What this means is that Strongbox is actively reading/writing to that file within the "Sync" location on iOS. Whenever I open the Resilio Sync app it will either push the changes I made on mobile to the server or pull down the file from the server and overwrite the file on iOS, depending on which is the newer file.
Also, I don't use Resilio's proxy servers either, so all of this is 100% running on my own infra. I have Wireguard setup on my home network, so if I am away from home, I can "VPN" in on my phone and then open the Resilio Sync app to sync up remotely.
I haven't run into that before, but I'll describe how I bootstrapped my setup in case that might help resolve your issue.
(1) Setup Resilio sync on my NAS
(2) Shared the folder holding the kdb file via Resilio Sync
(3) Entered the code into the Resilio Sync mobile app
(4) Performed an initial sync of the folder to my phone
(5) Downloaded Strongbox and pointed it to the kdb file under the "Sync" location in Files on iOS
In Resilio I Share > "Copy to Strongbox". I mark it as Read Only to keep from confusing myself and use a separate "Mobile kdbx" for any passwords I create on Mobile and share that the other direction as needed. (I don't have to use two files, I just find it an easier process that makes it less likely for me to forget to sync one direction or the other and "lose" a password.)
(I miss Windows Phone here in that I could directly share my Resilio file and its sync status with a KDBX app as Resilio was a standard file host. iOS really should standardize something like that instead of forcing a unidirectional Share as the only pattern.)
(ETA: I tried Files which is supposed to do something closer, but it didn't seem to work for me.)
I used to be of this mindset as well. (Two different files, so I wouldn't overwrite or lose a password just in case I synced the wrong direction)
I gave this up though as Resilio will detect conflicts and prevent overwriting in case that did happen and I make automated nightly backups of my password file, so I can restore the file if I ever did "lose" a password. I've been running with my current setup and haven't had to restore yet.
Thanks for the tip, i didn't notice Strongbox can be used for free. I refuse to buy any subscriptions so i always only buy full versions of apps. For my particular use case €45 is way too much though. Perhaps this will change in the future and i might buy it.
I bought the '1 time purchase' of 1Password on macOS like 6 years ago and have been happily using that on macOS, iPhone and iPad. Still gets updates today (I did pay for 1 major upgrade if i remember correct.) It was way cheaper than all the subscription crap where you don't really realize what you're paying for and how much. I would never buy the current expensive 1Password subscription.
I'm using a native app which uses the same passwords dialog as 1password (or the iCloud keychain for that matter). You can configure which one to open in the settings.
There's even multiple iOS apps available for use with keepass last time I checked. I'm using https://keepassium.com/
NB: I understand what you're saying about still using 1p with Signal. I did that for quite some time, as well(; Using keepassium really works equally well for me as did 1p on iOS. Doesn't look as fancy, but I really just need it to know my passwords or generate a new one^^
I use Keepass2Android, which works great with Nextcloud and handles very well offline usage and subsequent merge of the database. On iOS the experience is much worse: I use KeePassium but it does not connect natively to Nextcloud, so I use BoxCryptor for that. The downside is that if Nextcloud is unreachable, I cannot see my saved passwords. Anyone managed to have a good experience on iOS?
I've had a very good experience with Strongbox. I personally haven't used the Nextcloud integration yet so I can't vouch for that specifically, but I've used it with multiple cloud services and it's been seamless every time. It also caches your database locally, which should solve the problems you were having with BoxCryptor. It is freemium, and the really useful features will cost $1 per month, but there is also an option to purchase a perpetual license. Quality indie apps are hard to come by iOS these days, and I'm glad to pay for a service that's so integral to my daily life.
Update: after writing this I checked again, and with the latest update to the Nextcloud iOS app it is possible to directly open and save the Keepass database from Nextcloud. No need for BoxCryptor anymore. Hurray for Nextcloud!
When using a password manager of sufficient security the weakness isn't the password manager. The password manager is likely the strongest security app that most people use on the daily.
If you store both the password and 2FA in something that secure, is it really causing any real harm?
If your threat model dictates that this IS a threat for you, then by all means, don't do that. But I think for the average person this is far more secure than some of the alternatives they'd be doing otherwise.
The advantage to OTP, even when stored with the password, is that it switches from shared-secret to asymmetric-key login. Of course in theory with a good hash+salt it's nearly the same, but with OTP I have better confidence that an attacker can't steal my credentials.
(I mean, I say this as someone who also keeps 2FA separate, but I do see some benefit to 2FA even stored with the password)
Logically, yes, reality if you think deeply, it's no different than having a OTP app on your phone and also the password manager....
At best if you are so concerned you just create a second keepass DB for OTP or if you are more concerned, have two phones ;)
I can't take software like bitwarden seriously because they still require you to have a cloud account and/or run your own server which I also have no interest in. I want something I can actually backup natively on a client without extra effort like a script running agaisnt an api. A single file encrypted database is more than adequate. Control and ownership of the password blob is just so absolutely critical if you invest heavily in password management, especially with sites that take a stance of "password/otp or we'll never recover the account"
Along those same lines, I also store my security questions/answers in my password manager. In many cases, the security questions are stupid, but if I'm forced to do it, then at least I can keep it organized.
Yes, the best feature about KeePassXC is this ability to do your own syncing. I work at a Fortune 500 where they block every syncing service except OneDrive, so that's what I have to use.
I am not a fan of Syncthing. I do not want a web UI, and there UI is by default unsafe and needs to be disabled or secured anyway. I do not like their config format either.
NextCloud actually has awesome plugin, named Passwords. You get everything major players have for free and its simply awesome. You also get team communication (add LDAP/AD to it), REST API, folders, automatic icons etc.
I've been using the original KeePass for a long time. I'm an architect, not a coder/software developer. So my question is a bit naive on this forum, but why is KeePass 10mb installed and KeePassXC 108mb if they do the same thing? I like that KeePass has plugins that I can tailor to my needs. Does KeePassXC make the same security software changes as KeePass? I forgot one more question, can I use KeePass2Android if I switched?
Hi there, I have a genuine question about your comment and I apologize if this comes across as attacking, that is not my intent at all.
> why is KeePass 10mb installed and KeePassXC 108mb
Why does the file size matter? Are the devices you use so short on storage that an extra 100 mb is an issue? Obviously if it was something like 50 GB then yes, that makes sense but in general most HDD's and devices have GB's of empty space.
> Why does the file size matter? Are the devices you use so short on storage that an extra 100 mb is an issue?
No, but just about any aspect of computing benefits from smaller file sizes, or smaller data size in general, starting with CPU caches, RAM caching of files, file transfers, including syncing things over the network, backing things up. The more free space a SSD has, the smarter it can be about wear leveling (I think, though I have no idea how much this matters in practice).
I mean sure, if the data just sits there, and you don't do anything else with the machine but run a password so manager, it really doesn't matter, but we tend to run dozens programs actively with even more running in the background, all of this adds up quick even on one machine. And then there are billions of people using even more devices.
In this case, I like using KeePassXC portable, so if the size is the result of having less outside dependencies, I'm fine with it, don't get me wrong. But generally, this attitude of just throwing hardware at software is a problem, which by now it has reached gigantic proportions IMO, and you made the argument generally.
Imagine some kind of character encoding that is exactly Unicode, but every character gets repeated 10 times... not for any useful reason, just so people can show they can afford beefy hardware and waste it. Would you use it?
We cannot even begin to imagine what our current hardware would be capable of, if we only allowed ourselves the time to use it well. Consider that this runs on hardware from 1981: https://www.pouet.net/prod.php?which=65371
The same achieved with less is always better, I'll just claim that. The whole universe in all it's infinite wealth cannot change that, and we live on a planet that's about to get ruined real hard because of our consumption of materials and energy. Storage may very well become so big and cheap as to be practically infinite, but CPU will always cost energy.
For one-off things with limited use, knock yourself out, of course, but if you package something for distribution, it may stay around "forever" and get handled countless times, by servers and end-users, so if it can be made smaller without making it worse and without extreme hassle, make it smaller.
Why does CPU usage matter? Just buy a faster CPU. Why does memory usage matter? Just buy more memory. Why does network bandwidth usage matter? Just get a faster Internet connection. Why does stability matter? If it crashes, just restart it.
I am assuming there are ways to turn off health checks to “ Have I Been Pwned”. I never want my local password manager to do outcalls for any reason...
The application does not perform this check automatically, it is a report that you have to request explicitly. There is also a warning upon request that a remote request will be performed.
It's just a bash script that used gpg and git. I find it the most KISS solution. Not available on phones but I don't trust my phone with my secrets anyway.
Passwordstore is just awesome. We're using gopass (go port of the pass scripts) which supports multiple stores to be mounted so we can have different recipients i.e. for team1, team2 and private. In combination with browserpass for firefox and android-password-store for smartphone it's the simplest and best tool I ever used for password management. And the best part: it's just simple text files which are encrypted using gpg. So we just sync them with syncthing and even if the pass or gopass program would go away in the future we can use gpg decrypt.
I've heard claims that using the clipboard to transfer passwords is not very secure because a lot of different pieces of software may be able to read the clipboard.
If so, then a browser plugin would seem to provide better security. So this might be a little too KISS.
Does anyone have comments on how much of a concern it really is to have passwords travel by the clipboard?
> how much of a concern it really is to have passwords travel by the clipboard?
As with many security matters, it will vary depending upon your threat model.
I generally feel that if you have something installed watching your clipboard for nefarious reasons then you've already got a bigger problem, and I prefer that potential security issue over having all my credentials integrated into the browser via a plugin (a clipboard sniffer will catch one or two things passing by, a hacked browser with integrated or add-in based password store might reveal everything at once).
If you use the clipboard for transfer, take the precaution of always clearing it soon after use. KeePass does this by default, as do some other similar tools.
One thing that bugs me about passwordstore is that while passwords are encrypted, the names of the websites are stored in the clear. Last I saw there is an workaround you can use with "tombs" but IMO it would have been much better if they had done the right thing by default and stored the whole password database in a single file.
How trusted are the iOS/Android app compared to the "mainstream" desktop clients like KeepassXC ? I'm a bit wary of downloading a "random client" from the App Store. Are those audited/trusted as much ?
I've been using Keepass2Android [0] for a few years now (synced with the desktop client) and haven't had any issues. I'm not aware if any audits on it, but I'm not sure the risk of a developer pushing malicious binaries is that much higher on the play store than the arch/debian/snap/brew repositories.
I've never contributed to it, but my understanding is KeepassXC is both a library and desktop client (and cli client, which I've never used) and that the app uses the library to manipulate the database. This piece of documentation seems to confirm this.
I use the browser extension all the time (Chrome).
When it works, it works great.
You can tell the extension to auto-fill and auto-submit, so that it feels like you had been logged in from the very beginning.
The problem is, it works (in my experience) around 80% of the time. I'm guessing it's not on them since it requieres websites to follow certain standards in order to have autodetectable login form fields, but it's a pain nonetheless.
Try it, it takes a couple mins to set up. The best feature IMO is the keyboard shortcuts to fill in details.
Many non-standard fields may cause problems with the extension. You can always try to set Custom Login fields for a certain page which allows you to override input fields for username and password use.
Also, this is more niche, but I have it set to auto-fill HTTP Basic Auth credentials, which works perfectly since that's a well-established standard.
I use Basic Auth for many of my LAN-only web services at home and KeepassXC + browser extension feels like having client-side certificate authentication or similar, feels like going through airport security without taking your stuff off into bins.
I've been using it ever since ditching OSX in favor of Debian Linux. On OSX, I used 1password and the KeePassXC browser extension works just as fine. In fact, better, because 1Password stopped working for Chromium due to whatever proprietary cert requirement which wasn't met.
In my experience, it's a lot worse which is why I switched. It constantly broke when Firefox updated. Usually the fix was to update keepassx but sometimes it was more complicated than that. Eventually it got to a point where I couldn't fix it. So I switched to bitwarden with a self hosted server and have had zero problems. It's also been a better, more reliable experience in other ways.
Word of warning: Don't use KeePassXC when your co-workers use KeePass2 using a network drive. KeePassXC doesn't support KP2's sync protocol. You'll clobber other people's changes when you save using XC. It took us a few weeks before we noticed that many passwords were missing.
Oh, thank you! Potentially saved us from unnecessary headaches. I'll be sure to use regular KeePass when editing a shared database. For my own db I prefer KeePassXC, and use DropBox for syncing between devices.
This seems to be a supported feature of KeePass 2:
"When invoking the 'Save' command, KeePass checks whether the file on disk/server has been modified while you were editing it. If it has been modified, KeePass prompts whether you want to overwrite or synchronize with the file."
KeePassXC, on the other hand, does not seem to have been designed for shared synchronization:
"Cloud synchronization ... can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low."
The synchronization feature is what's keeping me on KeePass 2 (running on Mono in Linux) , despite the fact that the interface looks completely out of place in my KDE system.
Also a user. Works well in general, although I continue to be sad to see the arrogance during argumenting in an issue that is a valid and necessary usecase for many people using online banking.
https://github.com/keepassxreboot/keepassxc/issues/725
I switched from MacPass to KeePassXC because it supports newer versions of the KeePass database spec and is compatible with Windows and Linux. If you ever end up sharing password databases, it's a must.
Could you please specify what is the dataspec support difference between MacPass and KeePassXC? As for formats they both support KDBX4. But yes, MacPass dev and releases are very slow. It's just that it has been such a functional and stable native app since years.
While we're on the subject of password managers ... I'm still looking for one with decent multi-user & group support, with audit trails, which is self-hosted. Bitwarden sounded promising, but I'm put off by their MS based stack and their pricing model. Any other recommendations would be greatly appreciated.
I'm not sure what you mean by "their MS based stack", but if it is not about the build tools (.net etc), but about them hosting on azure: Bitwarden can be selfhosted just fine on Linux. https://github.com/bitwarden/server#linux--macos
Unless it's changed since I looked at it, it requires MS SQL Server, which does run on linux, but isn't FOSS, and is very expensive to license if you aren't already using it.
> and is very expensive to license if you aren't already using it.
Not FOSS, but the express edition is free as in beer and the limits should not matter at all for bitwarden (I think the main one is max 10 GB). I prefer KeepassXC + Keepass2Android + Nextcloud though ;)
The company I work for has used CorporateVault for years, but it is unfortunately a dead project and relied on Java and Flash to work properly. I've been looking for a replacement for some time but all the contenders seem to have cloud bullshit, are overengineered, and/or can't integrate with AD.
Once Flash support is dropped for good I'm probably going to be stuck writing a replacement.
Having used both, Bitwarden has been a better overall experience for me and much better for my friends and family. I still like both of them.
KeePassXC
* [Pro] Excellent desktop app. Fast, easy, polished, powerful (TOTP available by default).
* [Pro] Great data ownership philosophy and data storage flexibility.
* [Con] Poor cross-platform app experience, especially on mobile (iOS in particular).
* [Con] Tinkering required to sync data. This isn't a big deal for many of us on here, but presented a large barrier to entry for my non-tech-savvy friends & family.
Bitwarden
* [Pro] Excellent cross-platform experience.
* [Pro] Low barrier to entry via SaaS, making it a good option for less-than-tech-savvy folks. This is ignoring the nice option to self-host.
* [Pro] Sharing features (haven't actually used them).
* [Pro] Web vault is accessible via web browser (accessibility).
* [Con] Web vault is accessible via web browser (increased attack surface).
* [Con] App is a tad slow (electron), but this is an acceptable price to pay for the good cross-platform experience.
One of the other things I like about KeePass in regards to non-mobile devices is that you can autotype your credentials into things that are not web browsers and even make custom sequences per application.
I've got a sequence that gets me logged into to a mainframe and navigates all the way to the main menu and given how often I hit it I bet it has saved me from an RSI by now.
I self-host Bitwarden and I haven't even bothered to install the desktop app. Since I have a browser open at all times, I just use the browser extension.
Also, I think the Android client is quite a bit better than Keepass2Android.
I tried bitwarden once and didn’t like it (can’t remember why, don’t care, no interest in switching ;) ), so I never tried their mobile client. But I’d be interested in what’s better than K2A, I think the modern Android experience with it is awesome.
A few things I remember: adding new entries was clunkier in k2a because I had to tap multiple times to select things like category/folders that I didn't care about. Bitwarden has better URI matching as I could choose the matching rule. BW has better search, or rather it displays search results in a more useful way. The autofill service also seemed to work more reliably, and I don't think k2a showed the matching logins right in the autofill drop-down menu, but I could be misremembering there.
Ultimately though it was the browser extensions, combined with the self-hosting option, that sold me on BW. None of the Keepass plugins I tried over the years worked that well. BW has extensions for both Firefox on Android and Vivaldi on desktop that are as solid as anything I've tried.
The main difference for me is if you want to use it on multiple devices, for example your computer and your phone.
In bitwarden this is seamless because it always saves to the cloud. With keepass you have to manually set up the file sharing with syncthing/dropbox/etc. One problem I had is that sometimes the file sync I set up wouldn't work properly and I'd add new passwords on the phone before it received the latest file version from the computer. When that happens you end up with some passwords that are only on the computer and some that are only on the phone, which is something that syncthing can't fix by itself.
This was the biggest reason I moved from KeePassXC to BitWarden. If I'm only creating new accounts on my phone then sending those credentials to my self via Signal or Wire is no big deal (update on my desktop, synch to iCloud, pull down new KDBX file on my phone for Strongbox which I use in readonly mode). If I'm creating account credentials on a platform where I don't have Signal or Wire installed (a shared Chrimebook, for example) then what... sending to myself by email draft? Add in mobile testing on devices on which a factory reset is regularly executed then it becomes an even easier choice in favor of BitWarden.
My experiences are my own; KeePassXC allows a much higher level of security than anything that's cloud-based but it's also not as convenient to use. For me, that makes Bitwarden the "right" choice. I only used one computer all the time then I would use KeePassXC without a doubt.
Currently I’m using regular KeePass 2 and Keepass2Android and both offer to sync the changes in case I edit both at the same time… I would’ve thought KeePassXC does the same.
I used to only manually sync several years ago, because of those problems. Then I got a new phone, set up normal sync and it suddenly worked without any problems.
The pro is you remain fully in control of your password database and you can host it the way you like. And all features are free since you don't rely on someone else's infrastructure.
I use Syncthing on my devices to keep the database in sync, and I let it deal with the file versioning just in case something happens.
The con is that it doesn't always feel as polished as other password managers, but that's mostly a personal taste thing. I use KeeWeb on my desktop/laptop, and KeePass2Android on my smartphone.
Agreed. Though self-hosting is an option, not a requirement.
For my case I installed Bitwarden-rs on my Synology box at home in a container. I realize most people don't want to do that, but for me it was relatively easy.
I only allow access to it from inside my home-network.
BitWarden is better on the browser for me (it's been a while since I used KeePass*), but Keepass2Android is the best mobile password manager, bar none.
- Keepass db, stored in google drive with a memorized master passphrase - this brings password sync out-of-the-box
- G-Drive pulled down on all my PCs/laptops, with KeepassX used as the client
- Keepass2Android's G-Drive integration used on my phone - now made even more convenient with their "Quick Unlock" feature.
I've gone so far as to keep a separate db for payment info, though that one has a keyfile that I manage offline with a randomly-generated password, the password being stored in my password db.
I have found this setup very convenient over the years, and it offers peace of mind in knowing I'm not beholden to any online third parties to store this sensitive info.
Years ago I used KeePassX. It became stale, ugly, and didn't have a good Android app. KeePassX then moved to .NET, and didn't work well on Linux, so I looked around. I settled on enpass as it was a paid app without a subscription, and withyour choice of sync/backup. Enpass has excellent desktop/mobile apps with sync using your choice of cloud service. I'm very happy with it.
I actually just finished moving from 1Password to Enpass. KeePassXC was in the mix and is nice but what killed it for me was the lack of credit card / template support. Did not like the 1Password move from offline storage to online sync. You can buy a license but it is about $70 or so per platform. Enpass desktop is free and I can sync to my Synology using WebDav. That all said, I really hope KeePassXC vastly improves because I would love love love to use as much OSS as I can.
KeepassX is still written in C++, the project is just dead. I think you are confusing Keepass (.NET) and KeepassX (C++). KeepassXC is a fork of KeepassX.
Another satisfied enpass customer here, also switched from keypass.
Great multi platform support, browser integration, webdav support (makes sync a breeze if you have a webdav server like owncloud, seafile, or a Synology Nas)
Why do people insist on putting everything, even passwords, in folders? I find categorizing files, let alone passwords, into a strict taxonomy a particularly hard job of questionable usefulness.
It would be much handier if we could just tag the records with a number of tags + add a description and/or comment rather than put it in a folder. I always use search rather than manual folder tree navigation anyway.
How does Keepassxc compare to other password managers (passwordstore with gpg-agent/gnome keyring, 1password, Bitwarden, etc) in terms of protecting secrets when the vault is unlocked?
For example, part of data may be held unencrypted in RAM that could be read by OS or other programs. Any use of TPM?
Wait, so there's Keepass, KeepassX and KeepassXC? I understand the X is cross-platform (initially was linux-only) whereas presumably Keepass is win-only; but what's the "community fork" for? Why not improve KeepassX? And why don't KeepassX and Keepass merge now?
Keepass 1 is .NET Framework based. Keepass 2 is .NET Framework and has a Mono build of varying success. 1 and 2 are the originals and still actively developed.
KeepassX has stalled development since 2016 but was a true cross platform desktop client
KeepassXC is the fork of X and at this point in time is lightyears ahead of X.
I'm sure the developers of XC may have wanted to contribute to X but X seems to have been spearheaded by a single developer who stalled on letting other devs become maintainers. So the community forked it.
But to answer the question, it's impossible to merge X and the original because their code bases are in entirely different languages and arguably X doesn't give you anything than the one man dev show.
I used to use KeePass and KeePassXC for years at a time, but the amount of time I have saved not having to mess with syncing issues more than makes up for the ~$30 a year for 1password that always works across windows, linux, ios and mac.
For me personally because the author of KeePass is a stubborn person who is hellbent on not using a VCS. I see no reason why one would not use a VCS in 2020. From a security point of view this is a massive violation of trust due to the fact that a criminal entity could hypothetically sneak into the computer of the author of KeePass and modify a cpp file to link to malware and the author will have no idea of it and when he compiles and distributes it. He would have unknowingly distributed malware which due to the context of the application can cause massive damage.
I do know that I can compile myself but still I cannot audit every single release, this can be migitated by myself using git and extracting tar files on every release. But this should not be this difficult.
KeePassXC on the other hand is more practical and works on all platforms consistently and is easy to compile with cmake and has convenient cmake switches to disable network connectivity.
Commonly used plugins seem to have built-in data format and behavioral compatibility, and I guess a big reason would be for consistency across platforms - and now the custom Qt stylesheets, if that's your thing.
I switched many years ago because Keepass didn't work well (or at all) on Linux. Since then, I think KeepassX and especially KeepassXC have surpassed the original Keepass in quality - so yes.
One thing that really amazed me was recently (1-2 years ago) KeepassXC got rid of the lock file and made it possible for multiple processes/computers to seamlessly work on the same file. This is fantastic for situations like having 2 computers running at the same time, opening a Keepass database file from Dropbox.
However, after being forced to upgrade (and pay again) multiple times due to API changes, and the integration stopped working with various browsers, I wasn't a happy customer anymore. KeePassXC works just as good, if not better. I'm using it on Debian, with browser extensions and on iOS (and sometimes even on my old Macbook Pro on OSX). Being FOSS, I'm not afraid anymore that stuff will stop working at some point, because some proprietary API is deprecated.