by mikece 2128 days ago
KeePassXC and Bitwarden are the best password managers in existence right now: KeePassXC if you want to be disconnected from the cloud and Bitwarden if you want both the convenience of cloud-based password management AND high security.
6 comments

> convenience of cloud-based password management AND high security.

One attack vector I see with Bitwarden is that if the server hosting the web client or the Firefox/Google account that owns the browser extension gets compromised, they could easily be modified to exfiltrate all your data. So unless you always package the browser extension yourself and check the web client's code before using it, your passwords are essentially only as secure as the developer's security measures are strong.

You can also run your own Bitwarden server, either with their official server or with bitwarden_rs, a reimplementation in Rust that runs better on lower-end hardware.
It runs better everywhere. I have set up both and see no difference between them feature-wise. Why would you use the official one? It's so resource heavy, more difficult to set up, feels very enterprise-y.
Exactly, it is suited for enterprises, where you have to stick with the official builds for compliance.
How is your experience in a browser?

I honestly tried to use Bitwarden, paid for premium for the one-time key feature, and the browser extensions, compared to 1pass, are much less convenient. For instance, the ability to manage multiple website (e.g. Google) accounts is priceless.

A habit I carried over from using KeePassXC is that I don't use a browser extension. Call it paranoia, but I don't want the browser process to have the ability to reach into my password manager. What I do is pin the Bitwarden tab open and just copy & paste where needed. For the desktop app it would be awesome if it had an auto-type feature like KeePassXC (something that mystifies coworkers who see that in action for the first time, even remotely). Even though my employer has a corporate LastPass account for shared production passwords, I insist on using KeePassXC for non-shared credentials. I've told those who need to be notified, and there is general indifference about what password manager I use for non-shared credentials (AWS login, GitLab credentials, storing SSH keys, etc.) as long as it's secure.
You're losing out on certain types of phishing protections by doing this.

You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.

And at the same time you win by not falling victim to "oops, there is a bug in our browser add-on that accidentally leaks arbitrary login data to websites", as has happened in the past. Leaking all my credentials certainly sounds more concerning to me than leaking the credentials to a single page.
KeePassXC asks for permission to share each credential with the browser, with a "Remember" checkbox. You can have convenience for your unimportant logins while keeping your sensitive credentials fully secure.
Eh... I'm going to go a different route.

Compromising everything is easier: it means you have to change the password for everything, and you know it was compromised.

If only SOME stuff is compromised then you don't know what was compromised so you end up having to change everything anyway.

I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.

If you are infected with a clipboard logger, chances are it is also a keyboard logger. Frankly, at that point you're unlikely to be saved by a browser extension anyway.
I'm not sure I follow. Browser extensions aren't simulating keyboard strokes, so they absolutely would save you in that case.
You assume that any malware that is in a position to log keyboard and clipboard events is somehow not in a position to do things like install its own trusted certificate, perform DLL injection, or otherwise intercept the password anyway. Not to mention that with all the other things it has access to it might not need said password to fuck up your life.

It's a poor argument for choosing browser extensions over cut & paste, because the circumstances where it has an advantage are incredibly specific.

That depends on how many horrible ideas make their way from phone to desktop.
That is the one thing that worries me about iOS (okay: the BIGGEST concern, not the ONLY concern) now that it has been shown that TikTok and LinkedIn (apps not on my phone) copy the contents of the clipboard. I had not thought of using a browser plugin to avoid clipboard scavengers on non-mobile OSes: I'll have to give that some thought now.
iOS has a standard API for password managers. There's no reason not to use it.
Really hoping Apple makes this feature available in macOS so that password managers can hook into it in an official way. Every year I keep crossing my fingers but it never happens.
And you gain that many passwords are not shared with the browser. I rely on in-browser password storage (which you can also encrypt, e.g. in Chrome) for frequently accessed sites.

I think the separation of concerns outweighs the KeepassXC<->Browser integration part.

If your computer is compromised (meaning occasional copy & paste is not secure), you have WAY more problems than only KeePass and phishing.

Auto-type is much worse; never use an auto-type feature, since it can easily fall prey to insertion into hidden input fields.
KeePassXC has a thing where it asks you before it will give the browser the password the first time for a given URL. I don't know if you can force it to always prompt you, but that would seem a better solution—as others have pointed out, copy/paste and even auto-type opens you up to more attacks.
Browser extensions have the benefit of being more resilient against phishing (since they can perform origin checks), which I would definitely recommend for most users.
I'm doing a similar thing with KeePass. While there are browser extensions to work with KeePass, I decided not to use those. I'm using Ctrl+B, Ctrl+V for the user name and I'm using Ctrl+V, which sends keystrokes into the browser, to fill the password. Actually most websites remember my login information for a long time, so this is not a problem at all. And I like to keep some sense of control over my private data.
As pointed out elsewhere in this thread, there is a danger here in that you have to manually verify the origin of the page you are on, which makes you far more vulnerable to phishing attacks, which are common and can be very sophisticated (things like pages that look like normal content but change to a fake Google login page when you minimise the page, so when you come back, it is there waiting).
Bitwarden supports multiple accounts.

If you have two logins for the same service with the same URLs they'll appear in the browser extension with the username shown by the title.

If you're instead talking about using the same login credentials on multiple sites, it can do that as well: just edit the item and add a second URL to the site. Now that item will appear on both site URLs.
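The origin check that the phishing discussion above relies on, together with the two-logins-on-one-site and one-item-with-two-URLs matching just described, as an added example that is not code from any poster, from Bitwarden or from KeePassXC; the vault entries, usernames and hostnames are constructed for the demo:

```javascript
// Added example: how an extension decides which vault entries may be offered
// to a page by comparing origins, instead of trusting the user's eyes.
// Constructed sample vault: two Google accounts on one origin and one entry
// that carries two URLs (hypothetical names, not real accounts).
const SAMPLE_VAULT = [
  { title: 'Google (work)', username: 'me@work.example',
    urls: ['https://accounts.google.com/signin'] },
  { title: 'Google (personal)', username: 'me@example.org',
    urls: ['https://accounts.google.com/'] },
  { title: 'Intranet', username: 'ops',
    urls: ['https://gitlab.corp.example', 'https://ci.corp.example:8443'] },
];

// Origin = scheme + host + port, the browser's same-origin rule.
// Returns null for anything the URL parser rejects or non-web schemes.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Entries whose saved URL origin equals the page origin. A look-alike such as
// accounts.google.com.evil.example has a different host and never matches,
// and an https entry is not offered to a plain-http page, which is the check
// copy/paste leaves to the user.
function findCandidates(vault, pageUrl) {
  const page = originOf(pageUrl);
  if (page === null) return [];
  return vault.filter(entry => entry.urls.some(u => originOf(u) === page));
}

// Labels for the picker: title plus username, so two logins on one origin
// can be told apart.
function candidateLabels(vault, pageUrl) {
  return findCandidates(vault, pageUrl).map(e => `${e.title} (${e.username})`);
}

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const p of ['https://accounts.google.com/ServiceLogin',
                   'https://accounts.google.com.evil.example/',
                   'https://ci.corp.example:8443/login']) {
    console.log(p, '->', candidateLabels(SAMPLE_VAULT, p));
  }
}
```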

Yep, I saw that. The feature I was trying to describe is a popup on a username that gives you a list of all accounts tied to this domain, which is quite handy. In Bitwarden I have to either right-click or copy/paste from the extension. A bit awkward IMO.
KeePass can support that too. If it sees more than one match when auto typing it'll prompt you to choose.
I never had any problems using BW and my multiple Gmail accounts?
How can anyone switch to Bitwarden given how complex it is to switch back in the future? I love KeePass because I am allowed to export my DBs to any other provider with ease. For Bitwarden, there is not a good export system (that includes attachments, images...), meaning that I would be vendor-locked.
What vendor lock-in? They make it plainly clear how to export your data from BitWarden: https://bitwarden.com/help/article/export-your-data/

Personally I think it would be awesome if Bitwarden gave you the option to export your password vault as a KDBX4 file. What's the best way to fund a bounty program for adding this feature to Bitwarden?

KeePass has the ability to import a Bitwarden JSON file, so there's little need for the feature.
There might not be a need but I like the idea of being able to use the Bitwarden client on iOS/Android with a KDBX4 database file from KeePass(XC).
Bitwarden is 100% open source. You can run your own server. There is no vendor lock in.
Not an excuse for poor export capabilities but you can absolutely DIY with bitwarden-cli.
> best password managers in existence right now

I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't matter much. Also, C$70 is essentially free when it comes to securing my digital life). I sync a vault with a few co-workers via Dropbox and this is sufficient for us, no need for 1Password.com 'cloud' yet.

We like the UI, and to our knowledge 1Password has the best track record for security, with extensive and continuous testing and no major fuck-ups yet.

What advantages to switching to KeePassXC or Bitwarden are there for us?

Source code access and being free of charge seem to be the main things you would get compared to 1Password. Also, great Linux support (from what I've heard 1Password only recently even added a Linux-compatible client).

But to me it sounds like you have a solution you are very happy with, and you don't mind paying for that solution, so my recommendation would be to stick with it.

Although, as a happy user of KeePassXC, I'm tempted to ask the counter-question: why would I want to pay for 1Password when KeePassXC gives me a great solution for free (and also gives me source code access)?

Good question. I can't think of compelling reasons why a standalone user, or a small team, would switch to 1Password if they're already happy with KeePassXC.
I did that switch after using Keepass(XC) for about 10 years. For me it was for the seamless sync across devices, and nicer polish of the various apps/addons (iOS, Firefox, etc).
> (from what I've heard 1Password only recently even added a Linux-compatible client).

Just plugins for Firefox and Chrome, AFAIK, actually. And a command line client that's just a wrapper for the website. No full-featured client available. KeePassXC can be a better option for interop with 1pass than 1pass is, on Linux, depending on what you need.

There is also a hybrid client[1][2] now, written in Rust and Electron. Although the command-line client will always be my favourite, as I always have a terminal window open anyway, at least those who dislike the command line or prefer a GUI client have another option now.

[1] https://discussions.agilebits.com/discussion/114964/1passwor...

[2] Read-only for now, as it is a development preview.

Guess that hasn't made it to their "download for linux" page on the main site yet. It still offers the plugins, with an alternate option for the command line tools.
They are also very responsive on GitHub for logged issues and questions. They responded within the hour to an update to an existing issue that I logged.
1Password seems to have a better reputation for security among commercial providers.

But KeePassXC is based on the KeePass file format, and to my knowledge that has a better security story than commercial platforms--though it is harder to use.

For example, a couple of years ago Tavis Ormandy at Google Project Zero went through password managers and had unkind things to say (and reported vulnerabilities) about LastPass, 1Password, and Dashlane. He said KeePass looks "sane" or something like that.

The advantage is higher security, zero cost and control over data.

1Password is closed source and there is no way to verify that it actually encrypts the passwords.

I wouldn’t give someone my passwords to encrypt and store them for me. It’s a simple task and I can just encrypt and store my passwords. I don’t need a shinier UI.

No idea if 1Password does it, but KeePassXC has really good SSH support where it integrates with your SSH agent for storing private keys (and/or the relevant passphrase).
If I remember correctly 1Password stopped updating browser extensions for the non-subscription versions.

I had to switch to Keychain because the Safari extension stopped working.

You can upgrade from 1Password 6 to 7 (standalone) to get the Safari extension to work. It's not great, but I don't use Safari so it doesn't affect me.
Frankly, the new 1Password mini app is a strong step in the wrong direction since 6. It's huge, it tries to do too much. I've never been happy with it. I switched to Bitwarden and generally it serves the purposes better. A few things are worse but the stuff I interact with regularly is better.
Such tools should be open source.
Nope, pass (Password Store) is way better IMO.
I realize GP was unqualified too, but can you expand on this since it sounds like you've used both? I use (go)pass fairly happily and was recently recommended BitWarden and I'm curious about what separates them.
I’m very happy with pass too.