KeePassXC and Bitwarden are the best password managers in existence right now: KeePassXC if you want to be disconnected from the cloud and Bitwarden if you want both the convenience of cloud-based password management AND high security.
> convenience of cloud-based password management AND high security.
One attack vector I see with Bitwarden is that if the server hosting the web client or the Firefox/Google account that owns the browser extension gets compromised, they could easily be modified to exfiltrate all your data.
So unless you always package the browser extension yourself and check the web client's code before using it, your passwords are essentially only as secure as the developer's security measures are strong.
You can also run your own Bitwarden server, either with their official server or with bitwarden_rs, a reimplementation in Rust that runs better on lower-end hardware.
It runs better everywhere. I have set up both and see no difference between them feature-wise. Why would you use the official one? It's so resource-heavy, more difficult to set up, and feels very enterprise-y.
I honestly tried to use Bitwarden, paid for premium for the one-time key feature, and the browser extensions, compared to 1Pass, are much less convenient. For instance, the ability to manage multiple website (e.g. Google) accounts is priceless.
A habit I carried over from using KeePassXC is that I don't use a browser extension. Call it paranoia, but I don't want the browser process to have the ability to reach into my password manager. What I do is pin the Bitwarden tab open and just copy & paste where needed. For the desktop app it would be awesome if it had an auto-type feature like KeePassXC (something that mystifies coworkers who see that in action for the first time, even remotely). Even though my employer has a corporate LastPass account for shared production passwords, I insist on using KeePassXC for non-shared credentials. I've told those who need to be notified, and there is general indifference to what password manager I use for non-shared credentials (AWS login, GitLab credentials, storing SSH keys, etc.) as long as it's secure.
You're losing out on certain types of phishing protections by doing this.
You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.
And at the same time you win by not falling victim to "oops, there is a bug in our browser add-on that accidentally leaks arbitrary login data to websites", as has happened in the past. Leaking all my credentials certainly sounds more concerning to me than leaking the credentials for a single page.
KeePassXC asks for permission to share each credential with the browser, with a "Remember" checkbox. You can have convenience for your unimportant logins while keeping your sensitive credentials fully secure.
Compromising everything is easier: it means you have to change the password for everything, and you know it was compromised.
If only SOME stuff is compromised then you don't know what was compromised so you end up having to change everything anyway.
I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.
If you are infected with a clipboard logger chances are it is also a keyboard logger. Frankly, at that point you're unlikely to be saved by a browser extension anyway.
That is the one thing that worries me about iOS (okay: the BIGGEST concern, not the ONLY concern) now that it has been shown that TikTok and LinkedIn (apps not on my phone) have been copying the contents of the clipboard. I had not thought of using a browser plugin to avoid clipboard scavengers on non-mobile OSes: I'll have to give that some thought now.
And you gain that many passwords are not shared with the browser. I rely on in-browser password storage (which you can also encrypt, e.g. in Chrome) for frequently accessed sites.
I think the separation of concerns outweighs the KeePassXC <-> browser integration part.
If your computer is compromised (meaning occasional copy & paste is not secure) you have WAY more problems than only KeePass and phishing.
KeePassXC has a thing where it asks you before it will give the browser the password the first time for a given URL. I don't know if you can force it to always prompt you, but that would seem a better solution—as others have pointed out, copy/paste and even auto-type opens you up to more attacks.
Browser extensions have the benefit of being more resilient against phishing (since they can perform origin checks), which I would definitely recommend for most users.
I'm doing a similar thing with KeePass. While there are browser extensions to work with KeePass, I decided not to use those. I'm using Ctrl+B, Ctrl+V for the user name, and I'm using Ctrl+V, which sends keystrokes into the browser, to fill the password. Actually, most websites remember my login information for a long time, so this is not a problem at all. And I like to keep some sense of control over my private data.
As pointed out elsewhere in this thread, there is a danger here that you have to manually verify the origin of the page you are on, which makes you far more vulnerable to phishing attacks, which are common and can be very sophisticated (things like pages that look like normal content but change to a fake Google log in page when you minimise the page, so when you come back, it is there waiting).
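The origin check the two comments above are talking about, written out as an added Python sketch (not Bitwarden's or KeePassXC's own matching code): an extension knows the real origin of the page it is filling into, so it can refuse to offer a credential to a lookalike host, a plain-http copy of the site, or a page with no host at all, whereas copy & paste or auto-type rely on the user reading the address bar. The stored entry URL, the candidate page URLs and the tiny public-suffix set are all constructed for the example; a real extension would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real extension ships the whole list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def registrable_domain(host):
    """Shortest suffix of host that is one label longer than a public suffix (eTLD+1)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host


def origin(url):
    """(scheme, host) as the extension sees it; hostname is lowercased and has no port."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").rstrip(".")


def autofill_allowed(entry_url, page_url, match="host"):
    """Decide whether a stored credential may be offered to the page at page_url."""
    e_scheme, e_host = origin(entry_url)
    p_scheme, p_host = origin(page_url)
    if not e_host or not p_host:          # data:, javascript:, about: pages have no host
        return False
    if e_scheme == "https" and p_scheme != "https":
        return False                      # never hand an https credential to a plain-http page
    if match == "host":
        return e_host == p_host
    if match == "base_domain":
        return registrable_domain(e_host) == registrable_domain(p_host)
    raise ValueError("unknown match mode: " + match)


# Constructed pages a user might land on while holding a credential for accounts.google.com.
ENTRY = "https://accounts.google.com/signin"
PAGES = {
    "same host, other path": "https://accounts.google.com/v3/signin/identifier?flow=x",
    "subdomain lookalike": "https://accounts.google.com.evil.example/signin",
    "plain-http downgrade": "http://accounts.google.com/signin",
    "homoglyph host": "https://accounts.googl\u0435.com/signin",  # Cyrillic letter in the label
    "sibling subdomain": "https://mail.google.com/",
    "no host at all": "data:text/html,<form>",
}


def evaluate(match="host"):
    """Run every constructed page through the check and return {label: allowed}."""
    return {label: autofill_allowed(ENTRY, url, match) for label, url in PAGES.items()}


if __name__ == "__main__":
    for mode in ("host", "base_domain"):
        print(mode, evaluate(mode))
```

In "host" mode only the first page gets the credential; "base_domain" additionally allows the sibling subdomain, which is the trade-off the "add a second URL to the item" style of configuration makes explicit. The homoglyph case is the one a human reading the address bar is most likely to miss and the one the machine check never does.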
If you have two logins for the same service with the same URLs they'll appear in the browser extension with the username shown by the title.
If you're instead talking about using the same login credentials on multiple sites, it can do that as well: just edit the item and add a second URL to the site. Now that item will appear on both site URLs.
Yep, I saw that, the feature I was trying to describe is a popup on a username that gives you a list of all accounts tied to this domain, which is quite handy. In Bitwarden I have to either right click or copy/paste from the extension. A bit awkward IMO
How can anyone switch to Bitwarden given how complex it is to switch back in the future? I love KeePass because I am allowed to export my DBs to any other provider with ease. For Bitwarden, there is not a good export system (one that includes attachments, images, ...), meaning that I would be vendor-locked.
Personally I think it would be awesome if Bitwarden gave you the option to export your password vault as a KDBX4 file. What's the best way to fund a bounty program for adding this feature to Bitwarden?
I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't matter much. Also, C$70 is essentially free when it comes to securing my digital life). I sync a vault with a few co-workers via Dropbox and this is sufficient for us, no need for 1Password.com 'cloud' yet.
We like the UI, and to our knowledge 1Password has the best track record for security, with extensive and continuous testing and no major fuck-ups yet.
What advantages to switching to KeePassXC or Bitwarden are there for us?
Source code access, and being free of charge seems to be the main things you would get compared to 1Password. Also, great Linux support (from what I've heard 1Password only recently even added a Linux-compatible client).
But to me it sounds like you have a solution you are very happy with, and you don't mind paying for that solution, so my recommendation would be to stick with it.
Although, as a happy user of KeePassXC, I'm tempted to ask the counter-question: why would I want to pay for 1Password when KeePassXC gives me a great solution for free (and also gives me source code access)?
Good question. I can't think of compelling reasons why a standalone user, or a small team, would switch to 1Password if they're already happy with KeePassXC.
I did that switch after using Keepass(XC) for about 10 years. For me it was for the seamless sync across devices, and nicer polish of the various apps/addons (iOS, Firefox, etc).
> (from what I've heard 1Password only recently even added a Linux-compatible client).
Just plugins for Firefox and Chrome, AFAIK, actually. And a command line client that's just a wrapper for the website. No full-featured client available. KeePassXC can be a better option for interop with 1pass than 1pass is, on Linux, depending on what you need.
There is also a hybrid client[1][2] now, written in Rust, and Electron. Although the command-line client will always be my favourite, as I always have a terminal window open anyway, at least those who dislike the command-line or prefer a GUI client have another option now.
Guess that hasn't made it to their "download for linux" page on the main site yet. It still offers the plugins, with an alternate option for the command line tools.
They are also very responsive on GitHub for logged issues and questions. They responded within the hour to an update to an existing issue that I logged.
1Password seems to have a better reputation for security among commercial providers.
But KeePassXC is based on the KeePass file format, and to my knowledge that has a better security story than commercial platforms, though it is harder to use.
For example, a couple of years ago Tavis Ormandy at Google Project Zero went through password managers and had unkind things to say (and reported vulnerabilities) about LastPass, 1Password, and Dashlane. He said KeePass looks "sane" or something like that.
The advantage is higher security, zero cost and control over data.
1Password is closed source and there is no way to verify that it actually encrypts the passwords.
I wouldn’t give someone my passwords to encrypt and store them for me. It’s a simple task and I can just encrypt and store my passwords. I don’t need a shinier UI.
No idea if 1Password does it, but KeePassXC has really good SSH support where it integrates with your SSH agent for storing private keys (and/or the relevant passphrase).
You can upgrade from 1Password 6 to 7 (standalone) to get the Safari extension to work. It's not great, but I don't use Safari so it doesn't affect me.
Frankly, the new 1Password mini app is a strong step in the wrong direction since 6. It's huge, it tries to do too much. I've never been happy with it. I switched to Bitwarden and generally it serves the purposes better. A few things are worse but the stuff I interact with regularly is better.
I realize GP was unqualified too, but can you expand on this since it sounds like you've used both? I use (go)pass fairly happily and was recently recommended Bitwarden, and I'm curious about what separates them.
I've been using KeePassXC almost as long as it's been available, and couldn't be happier. Database stored on my NAS and synced to Dropbox for when I'm out gives me access on all my devices without having to worry about whether x or y service will still be around in a year or two.
I do this as well, although tried lastpass and bitwarden. It just wasn't that great and those "standalone" apps were just silly compared to keepass/keepassXc.
One thing that was a killer feature for me: Keepass2Android was WAY better in its integration with my Android devices. Tried to convince family to use a password manager, but LastPass was a failure on some devices. KeePass with sync to some cloud is perfect: database with multiple copies, works well.
Syncthing is a nice alternative to Dropbox. If you use multiple computers at different locations, you could, say, use Syncthing to sync your KeePassXC database between your home computer and your phone, and between your phone and your work computer, without it ever touching a third-party service.
It has worked for me perfectly for quite a long time. All my personal documents and photos are synced between an Android phone, my RPi 4 and my laptop. I haven't touched the settings for years. It just always works, 100% perfectly. I don't understand why it isn't more popular.
I managed to get Syncthing running well on my RPi 4, but the sync was just abysmally slow. I'm on gigabit internet; however, the time delay between syncing and then the syncing itself was slow. I think it has more to do with a delay in handshake or device discovery than the transmission of data itself. Any tips for making the discovery better/faster?
"First, you'll want to set up a server" and you're already down to well under 1% of the population that'll be interested in reading any further, let alone following through and actually doing it.
I doubt the OP intended to ask why it wasn't popular among the general population. That seems obvious. I would interpret his question as asking why it's not more popular even among the subset of people who are happy to run their own servers, like readers of this very board.
Started using KeePass about a year ago; I really like it. Just wondering if Dropbox is considered a safe place to store the DB files? I did this for a while, but then I got paranoid and switched to something fully encrypted.
For sharing between devices I found Firefox Send to be useful (before it went down, hope it comes back), also Keybase filesystem is one of my go-tos as well.
Maybe I’m being overly cautious, but I sleep better at night knowing my DBs are encrypted.
The database files are encrypted by your master password (and optional key file, etc.) at rest, but paranoia about your sync provider is valid. It's one of the reasons that I like KeePass: because the sync provider is something I control and any "file-like" share can be used, I don't need KeePass-specific providers.
Fwiw, I've lately been using Resilio Sync, which is BitTorrent style peer-to-peer between devices I control and encrypted over the wire as well. It also supports advanced encrypted shares where you can even have "know nothing" devices that help to seed/participate in your shares but can't read/write inside them, as an interesting tool in "personal cloud hosting".
Right, I guess my concern was a brute-force attack on a DB file if it fell into the wrong hands. I looked at the main website again though, and apparently the official Windows app has some protection against this. It says, however, that KeePassX (and I assume therefore KeePassXC) does not have the same level of protection.
Another comment mentioned using a key-file, so maybe I will revisit that approach, since I used password only when I started.
To prevent brute-force attacks, you should choose a long enough password and adjust the iterations parameter of the key transformation. Basically, more iterations = more time to brute-force, but your application will spend more time opening the database. Longer password = less likely for brute force to succeed.
For me a 12-character password with the default 60,000 iterations seems safe enough. My estimation is that it would take at least millions of dollars to break it, and my passwords are not worth that. You can easily make it unbreakable for the foreseeable future by using something like a 16-character random password and 10 million iterations.
A key file of sufficient length is like an unbreakable password. But you probably can't remember it, so be careful not to lose it. My database is accessible on a public URL which I remember, and I remember my password, so I can always download it anywhere and open it. I think that's a big advantage and I wouldn't want to lose it.
When I decided to start using a password manager, I was drawn to KeePass since it is open source and I don't have to rely on any third-party service. But learning how to use it correctly, and juggling your DB files among all your devices, requires a sound, thought-out strategy!
I currently only use a password/phrase, but I will consider using a key file as well. My concern was a brute-force attack on a compromised DB file. But I guess as long as the key file was never put in the cloud, this would alleviate that concern?
Yes, when you want to use a new device you sideload the key file onto it in a secure manner (i.e. USB).
On Android this presents some issues though, since the last I checked the keyfile had to be added to the "SD Card" class storage, which other apps can also access. If you are on android and go this route, be really careful about the types of apps you install that have Storage permissions (good advice in general, of course).
Good points. I used to use Android, but recently switched to iOS, mostly because I have a Macbook pro and iMac.
I'm not blown away by the iPhone in general honestly, but being able to sync everything between the Mac devices is super convenient. The ability to easily share files wirelessly between all of them via AirDrop is fantastic. It's a great use case for moving KDBX files, or in this case key files.
I have read that the KDBX4 password database is "very secure" but am curious if any hacking challenges have been conducted to see if anyone can break it? The challenge I have in mind put some kind of contact info in an entry and then post the KDBX file on a public site for anyone to download and try to hack. If you get it open, use the info to contact the contest organizers and once you explain how you overcame the security and it's replicated you get however much has been donated as a hack bounty.
I'll put $100 in right now if the maintainers of KeePassXC are down with this.
I'm no cryptographic expert, but I always liked the simple design of the kdbx files. So simple that I can understand it and see that there are no (obvious, assuming the underlying algorithms are called correctly) problems:
The whole database is a single big XML document which is then encrypted with a normal symmetric encryption method (most of the time AES). And that is already the core of it.
There are a few additional things (a user-chosen key derivation function is used to increase the brute-force time, and there is a header in the binary format with such things as the KeePass version, which algorithms are used for encrypting, and a checksum...).
But in comparison to other cloud-based password managers it's a nice feeling to intuitively "know" what's happening under the hood.
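The header the comment above describes, and the iterations / key-file knobs discussed earlier in the thread, can be looked at directly. The following is an added Python example, not KeePassXC or KeePass code: it builds a constructed KDBX4 outer header (not taken from any real vault), walks it back the way a reader would, verifies the SHA-256 trailer that KDBX4 places after the header, and pulls out which cipher and which key derivation function the file declares together with the KDF cost parameters (AES-KDF rounds "R", or Argon2 iterations "I", memory "M" and parallelism "P"). It also derives the composite key from a password and an optional key file. The field numbers, type tags and algorithm UUIDs are the ones published in the KDBX4 format; the XML and hex key-file variants and the HMAC trailer are deliberately left out to keep the example short.

```python
import hashlib
import struct
import uuid

# Outer-header constants from the published KDBX4 format (KeePass 2.35+).
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
HDR_END, HDR_CIPHER, HDR_COMPRESSION, HDR_MASTER_SEED, HDR_IV, HDR_KDF = 0, 2, 3, 4, 7, 11
CIPHERS = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
           uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20"}
KDFS = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
        uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
        uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}
# Value-type tags of the VariantDictionary carried in header field 11 (KdfParameters).
VD_U32, VD_U64, VD_BYTES = 0x04, 0x05, 0x42


def parse_variant_dict(buf):
    """Decode a VariantDictionary: u16 version, then (tag, name, value) entries, 0x00 terminator."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:
        tag = buf[pos]
        (nlen,) = struct.unpack_from("<I", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if tag in (VD_U32, VD_U64):
            out[name] = struct.unpack("<I" if tag == VD_U32 else "<Q", raw)[0]
        else:
            out[name] = bytes(raw)  # $UUID and the salt arrive as byte arrays
    return out


def parse_outer_header(data):
    """Walk the unencrypted outer header, verify its SHA-256 trailer, report cipher and KDF."""
    sig1, sig2, _minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2) or major != 4:
        raise ValueError("not a KDBX4 file")
    pos, fields = 12, {}
    while True:
        ftype, flen = struct.unpack_from("<BI", data, pos)
        fields[ftype] = data[pos + 5:pos + 5 + flen]
        pos += 5 + flen
        if ftype == HDR_END:
            break
    # KDBX4 stores SHA-256(header) right after the header (followed by an HMAC, not checked here).
    if data[pos:pos + 32] != hashlib.sha256(data[:pos]).digest():
        raise ValueError("header hash mismatch: truncated or tampered file")
    kdf = parse_variant_dict(fields[HDR_KDF])
    return {"cipher": CIPHERS.get(uuid.UUID(bytes=fields[HDR_CIPHER]), "unknown"),
            "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
            # R = AES-KDF rounds; I / M / P = Argon2 iterations, memory in bytes, parallelism
            "kdf_params": {k: v for k, v in kdf.items() if k in ("R", "I", "M", "P")}}


def composite_key(password, keyfile_bytes=None):
    """SHA-256(SHA-256(password) || key-file key); a 32-byte key file is used raw, others hashed."""
    material = hashlib.sha256(password.encode()).digest()
    if keyfile_bytes is not None:  # hex and XML key-file forms are omitted in this example
        material += keyfile_bytes if len(keyfile_bytes) == 32 else hashlib.sha256(keyfile_bytes).digest()
    return hashlib.sha256(material).digest()


def _variant_dict(entries):
    out = struct.pack("<H", 0x0100)
    for tag, name, raw in entries:
        n = name.encode()
        out += bytes([tag]) + struct.pack("<I", len(n)) + n + struct.pack("<I", len(raw)) + raw
    return out + b"\x00"


def build_sample_header():
    """Constructed header, not from a real vault: AES-256 cipher, Argon2d with I=2, M=64 MiB, P=2."""
    kdf = _variant_dict([
        (VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
        (VD_BYTES, "S", bytes(32)),
        (VD_U32, "P", struct.pack("<I", 2)),
        (VD_U64, "M", struct.pack("<Q", 64 * 1024 * 1024)),
        (VD_U64, "I", struct.pack("<Q", 2))])
    fields = [(HDR_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes),
              (HDR_COMPRESSION, struct.pack("<I", 1)),
              (HDR_MASTER_SEED, bytes(32)),
              (HDR_IV, bytes(16)),
              (HDR_KDF, kdf),
              (HDR_END, b"\r\n\r\n")]
    hdr = struct.pack("<IIHH", SIG1, SIG2, 0, 4)
    for ftype, body in fields:
        hdr += struct.pack("<BI", ftype, len(body)) + body
    return hdr + hashlib.sha256(hdr).digest()


if __name__ == "__main__":
    print(parse_outer_header(build_sample_header()))
```

Pointing `parse_outer_header` at the first few hundred bytes of a real `.kdbx` shows what an attacker who obtains the file also learns for free: the KDF and its cost parameters are stored in the clear, so the only things standing between a leaked file and the XML payload are the password, the key file and the work factor ("I"/"M" for Argon2, "R" for AES-KDF) that the comments above recommend raising.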
The KeePassXC developers are quite conscious about memory security and implement that in XC in a way that's not really possible with a .NET application like KeePass: https://keepassxc.org/blog/2019-02-21-memory-security/
Arguments sound good, but I didn't seem to find any biometric authentication for KeePassXC. In KeePass I could use some plug-ins to connect Windows Hello with KeePass so I could unlock the DB with my fingerprint or by looking into the camera.
Maybe I simply didn't search good enough, is there any possibility to have such functionality in KeePassXC?
There are some nice quality of life features; the "auto-save" being the one I use the most. So my changes don't get lost, and they get synced (for me via Syncthing) virtually immediately.
I find the browser integration extension(s) more robust/stable as well, but that could be environmental.
Thanks! If I find a way to use multiple stores in pass, I will switch to it. It seems that its autofill on Android is a lot better than any KeePass app that I tried.
Currently running KeePassX. Maybe I'll give this a whirl. The key concept with the KeePass family of projects is that your passwords remain on your device, and don't get synced to some cloud you have no control over.
I switched to KeePassXC because KeePassX had a bug where you could silently lose data if you made changes to the notes section of an entry and hit `Esc` without remembering to save.
KeePassX won't prompt you at all and silently drops all those changes, whereas KeePassXC will ask what to do.
KeePassXC also seems to immediately save changes upon adding new entries whereas KeePassX requires an explicit <ctrl-s>.
I have a free Dropbox account and use it to store the kdb file.
What is a better alternative if I want access to the kdb file from more than 3 devices (a combination of Windows + iOS devices)?
I'd like to use the same db file between Windows, Linux and Android, and I'd like to be able to autoenter without a browser plugin, at least on Windows.
I switched to KeePassXC a few months ago from KeePass. The UI is quite clunky in places, but that's easier to live with than being beholden to some online service...