by problems 3381 days ago
KeePass recently got an Argon2 KDF and ChaCha20 as a cipher. I highly recommend it, good mobile apps, pretty simple UI, control over your own DB, sync it with your favourite tool, I use SyncThing as its Android support is excellent.

I would suggest KeePassXC, which, in my opinion, looks better since it uses Qt rather than Mono, so it has a more native feel.

https://keepassxc.org/

See also KeeWeb[0].

Also multiplatform like KeePassXC, built on Electron. Even though it is built on JavaScript, it has 0 dependencies[1].

And the author responds well to external feedback/contributions[2].

It does support KDBX4[3].

[0]: https://keeweb.info/

[1]: https://github.com/keeweb/keeweb/blob/c651343f80f4f3d41c7d64...

[2]: https://github.com/keeweb/keeweb/issues/104

[3]: https://github.com/keeweb/keeweb/issues/326

> 0 dependencies

If bundling your devDependencies at compile time counts as "0 dependencies", nothing has any dependencies. In this case, the whole thing's built on Electron - all of Chrome's rendering engine is quite the dependency. The uncompressed Windows version is 137 MB on disk. Fatter than most any app should be.

I would not suggest this as KeePassXC does not support the new KDBX4 format with the upgraded cryptography - only the old KeePass format, which relies on a custom AES-based key derivation function, which I cannot in good faith recommend.

Once it's implemented I may reconsider, but for now at least, I'd shy away from it.

https://github.com/keepassxreboot/keepassxc/issues/148

Thanks for the info!

Edit: Looks like it's close

https://github.com/keepassx/keepassx/pull/200#issuecomment-2...

For OSX I have been using this native app MacPass - http://mstarke.github.io/MacPass. Actively developed from what I see on GitHub.

Which mobile app do you use with KeePass? I use MiniKeePass and am pretty happy with it.

I'm not the user you replied to, but that app looks like the only good app, at least for iOS.

I use Keepass2Android, which is open source and supports the new crypto, and has just about every utility I could want.

https://keepass2android.codeplex.com/

It's a good app but as far as I remember the integration with Dropbox wasn't working properly. I think that's the main issue with KeePass right now - getting your passwords synchronized with your phone.

SyncThing solves this quite nicely on Android at least. For iOS, I'm not sure, Apple's restrictions make proper sync near impossible in the name of battery life - even while charging or on WiFi.

> Argon2 KDF and ChaCha20 as a cipher

Are these a huge improvement from what was offered previously?

Before they were using a custom AES-based key derivation function which had not been strongly peer reviewed so Argon2 is a big improvement there in my book.

ChaCha20 over the existing AES-CBC... not as much. I feel more comfortable in that it's harder to screw up the implementation of it, but that's about it. CBC mode especially can have unexpected side effects unless used very carefully; ChaCha20 or any other strong stream cipher, or even AES in CTR mode, is somewhat easier to understand the side effects of.

So overall, not concretely in terms of known vulnerabilities, but in terms of predicted risks, I'd say certainly. Before this change I was erring on the side of known algorithms, with solutions like LastPass at least using standardized PBKDF2. With this change, KeePass went from behind or middle of the pack, cryptographically, compared to the competition, to the frontrunner.
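An added example, not from this thread or from the KeePass project: a stdlib-only Python reader for the unencrypted KDBX outer header that reports whether a database still uses the KDBX3 AES-KDF or has moved to KDBX4 with Argon2, and which cipher it uses. The cipher and KDF UUIDs are the ones defined by the KDBX format; the two sample headers, their round counts and the `build_sample_header` helper are constructed here purely for illustration.

```python
import struct
import uuid

SIG = (0x9AA2D903, 0xB54BFB67)   # KDBX file signature (KeePass 2.x); cipher/KDF UUIDs are stored big-endian
CIPHERS = {"31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256-CBC", "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20"}
KDFS = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF", "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
        "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}

def parse_variant_dict(data):
    # KDBX4 VariantDictionary: uint16 version, then (type, int32 len, name, int32 len, value) entries, 0x00 ends it.
    pos, out = 2, {}
    while data[pos] != 0:
        vtype, nlen = data[pos], struct.unpack_from("<i", data, pos + 1)[0]
        name, pos = data[pos + 5:pos + 5 + nlen].decode("utf-8"), pos + 5 + nlen
        vlen = struct.unpack_from("<i", data, pos)[0]
        val, pos = data[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        fmt = {0x04: "<I", 0x05: "<Q"}.get(vtype)               # UInt32 / UInt64; other types kept as raw bytes
        out[name] = struct.unpack(fmt, val)[0] if fmt else val
    return out

def inspect_kdbx_header(blob):
    # Walk the unencrypted outer header and report format version, cipher and KDF with its work factor.
    sig1, sig2, ver = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != SIG: raise ValueError("not a KDBX file")
    major = ver >> 16
    size_fmt, hdr = ("<I", 5) if major >= 4 else ("<H", 3)      # field length is uint16 in KDBX3, uint32 in KDBX4
    pos, info = 12, {"version": f"{major}.{ver & 0xFFFF}"}
    while True:
        fid, size = blob[pos], struct.unpack_from(size_fmt, blob, pos + 1)[0]
        data, pos = blob[pos + hdr:pos + hdr + size], pos + hdr + size
        if fid == 0: return info                                # EndOfHeader
        if fid == 2:                                            # CipherID
            info["cipher"] = CIPHERS.get(str(uuid.UUID(bytes=data)), "unknown")
        elif fid == 6 and major < 4:                            # TransformRounds: KDBX3 always uses AES-KDF
            info["kdf"], info["rounds"] = "AES-KDF", struct.unpack("<Q", data)[0]
        elif fid == 11 and major >= 4:                          # KdfParameters
            p = parse_variant_dict(data)
            info["kdf"] = KDFS.get(str(uuid.UUID(bytes=p["$UUID"])), "unknown")
            info["rounds"] = p.get("I", p.get("R"))             # Argon2 "I"terations or AES-KDF "R"ounds

def build_sample_header(major):
    # Constructed sample headers, not real databases (bodies omitted): KDBX 3.1 with AES-256-CBC and
    # 60000 AES-KDF rounds, or KDBX 4.0 with ChaCha20 and Argon2d at 2 iterations (assumed values).
    field = lambda fid, data: bytes([fid]) + struct.pack("<I" if major >= 4 else "<H", len(data)) + data
    if major < 4:
        body = field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes) + field(6, struct.pack("<Q", 60000))
    else:
        kdf = bytes.fromhex("0001 42 05000000 2455554944 10000000 ef636ddf8c29444b91f7a9a403e30a0c 05 01000000 49 08000000 0200000000000000 00")
        body = field(2, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes) + field(11, kdf)
    return struct.pack("<III", *SIG, (major << 16) | (1 if major < 4 else 0)) + body + field(0, b"\r\n\r\n")
```

Running `inspect_kdbx_header(open(path, "rb").read())` on a real file reports its KDF and cipher without ever touching the encrypted body, which is the quick check for whether a database is still on the old AES-KDF.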