KeePassXC 2.6.1
keepassxc.org
KeePassXC and Bitwarden are the best password managers in existence right now: KeePassXC if you want to be disconnected from the cloud and Bitwarden if you want both the convenience of cloud-based password management AND high security.
> convenience of cloud-based password management AND high security.
One attack vector I see with Bitwarden is that if the server hosting the web client or the Firefox/Google account that owns the browser extension gets compromised, they could easily be modified to exfiltrate all your data. So unless you always package the browser extension yourself and check the web client's code before using it, your passwords are essentially only as secure as the developer's security measures are strong.
You can also run your own Bitwarden server, either with their official server or with bitwarden_rs, a reimplementation in Rust that runs better on lower-end hardware.
It runs better everywhere. I have set up both and see no difference between them feature wise. Why would you use the official one? It's so resource heavy, more difficult to set up, feels very enterprise-y.
Exactly, it is suited for enterprises, where you have to stick with the official builds for compliance.
How is your experience in a browser?
I honestly tried to use Bitwarden, paid for premium one time for a key feature, and the browser extensions compared to 1Pass are much less convenient. For instance, the ability to manage multiple website (e.g. Google) accounts is priceless.
A habit I carried over from using KeePassXC is that I don't use a browser extension. Call it paranoia but I don't want the browser process to have the ability to reach into my password manager. What I do is pin the Bitwarden tab open and just copy & paste where needed. For the desktop app it would be awesome if it had an auto-type feature like KeePassXC (something that mystifies coworkers who see that in action for the first time, even remotely). Even though my employer has a corporate LastPass account for shared production passwords I insist on using KeePassXC for non-shared credentials. I've told those who need to be notified and there is general indifference to what password manager I use for non-shared credentials (AWS login, GitLab credentials, storing SSH keys, etc) as long as it's secure.
You're losing out on certain types of phishing protections by doing this.
You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.
And at the same time you win by not falling victim to "oops, there is a bug in our browser add-on that accidentally leaks arbitrary login data to websites", as has happened in the past. Leaking all my credentials certainly sounds more concerning to me than leaking the credentials to a single page.
KeePassXC asks for permission to share each credential with the browser, with a "Remember" checkbox. You can have convenience for your unimportant logins while keeping your sensitive credentials fully secure.
Eh... I'm going to go a different route.
Compromising everything is easier; it means you have to change the password for everything and know it was compromised.
If only SOME stuff is compromised, then you don't know what was compromised, so you end up having to change everything anyway.
I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.
If you are infected with a clipboard logger chances are it is also a keyboard logger. Frankly, at that point you're unlikely to be saved by a browser extension anyway.
I'm not sure I follow. Browser extensions aren't simulating keyboard strokes, so they absolutely would save you in that case.
You assume that any malware that is in a position to log keyboard and clipboard events is somehow not in a position to do things like install its own trusted certificate, perform DLL injection, or otherwise intercept the password anyway. Not to mention that with all the other things it has access to it might not need said password to fuck up your life.
It's a poor argument for choosing browser extensions over cut & paste, because the circumstances where it has an advantage are incredibly specific.
> It's a poor argument for choosing browser extensions over cut & paste, because the circumstances where it has an advantage are incredibly specific.
I agree that malware that has that power could do something else, but the parent post incorrectly asserted that the specific attack of keylogging would work, which it doesn't. I wasn't arguing that as the reason to use them over copy/paste.
The main thing extensions save you from is phishing attacks because they verify the origin of the page is correct for the entry, which is a really common attack and a hard thing for humans to verify consistently, and doesn't require any malware on your machine.
Of course, but in the case that the app is not actually "attacking" you, and is instead just poorly written and/or poorly thought out, you're reducing your risk.
A lot of the time you can attribute compromises to ignorance rather than malice.
So an app that is stupidly logging the clipboard and doing dumb things with that data, rather than being a malicious app.
Not much can help you if an app on your machine is in a position of power.
That depends on how many horrible ideas make their way from phone to desktop.
That is the one thing that worries me about iOS (okay: the BIGGEST concern, not the ONLY concern) now that it has been shown that TikTok and LinkedIn (apps not on my phone) copy the contents of the clipboard. I had not thought of using a browser plugin to avoid clipboard scavengers on non-mobile OSes: I'll have to give that some thought now.
iOS has a standard API for password managers. There's no reason not to use it.
Really hoping Apple makes this feature available in macOS so that password managers can hook into it in an official way. Every year I keep crossing my fingers but it never happens.
And you gain that many passwords are not shared with the browser. I rely on in-browser password storage (which you can also encrypt, e.g. in Chrome) for frequently accessed sites.
I think the separation of concerns outweighs the KeepassXC<->Browser integration part.
If your computer is compromised (meaning occasional copy & paste is not secure), you have WAY more problems than only KeePass and phishing.
Auto-type is much worse; never use an auto-type feature, it can easily fall prey to insertion into hidden input fields.
KeePassXC has a thing where it asks you before it will give the browser the password the first time for a given URL. I don't know if you can force it to always prompt you, but that would seem a better solution—as others have pointed out, copy/paste and even auto-type opens you up to more attacks.
Browser extensions have the benefit of being more resilient against phishing (since they can perform origin checks), which I would definitely recommend for most users.
I'm doing a similar thing with KeePass. While there are browser extensions that work with KeePass, I decided not to use those. I'm using Ctrl+B, Ctrl+V for the user name, and I'm using Ctrl+V, which sends keystrokes into the browser to fill the password. Actually most websites remember my login information for a long time, so this is not a problem at all. And I like to keep some sense of control over my private data.
As pointed out elsewhere in this thread, there is a danger here that you have to manually verify the origin of the page you are on, which makes you far more vulnerable to phishing attacks, which are common and can be very sophisticated (things like pages that look like normal content but change to a fake Google log in page when you minimise the page, so when you come back, it is there waiting).
Bitwarden supports multiple accounts.
If you have two logins for the same service with the same URLs they'll appear in the browser extension with the username shown by the title.
If you're instead talking about using the same login credentials on multiple sites, it can do that as well: just edit the item and add a second URL to the site. Now that item will appear on both site URLs.
Yep, I saw that; the feature I was trying to describe is a popup on a username that gives you a list of all accounts tied to this domain, which is quite handy. In Bitwarden I have to either right-click or copy/paste from the extension. A bit awkward IMO.
KeePass can support that too. If it sees more than one match when auto-typing, it'll prompt you to choose.
I never had any problems using BW and my multiple Gmail accounts?
How can anyone switch to Bitwarden given how complex it is to switch back in the future? I love KeePass because I am allowed to export my DBs to any other provider with ease. For Bitwarden, there is not a good export system (that includes attachments, images, ...), meaning that I would be vendor locked.
What vendor lock-in? They make it plainly clear how to export your data from Bitwarden: https://bitwarden.com/help/article/export-your-data/
Personally I think it would be awesome if Bitwarden gave you the option to export your password vault as a KDBX4 file. What's the best way to fund a bounty program for adding this feature to Bitwarden?
KeePass has the ability to import a Bitwarden JSON file, so there's little need for the feature.
There might not be a need but I like the idea of being able to use the Bitwarden client on iOS/Android with a KDBX4 database file from KeePass(XC).
Bitwarden is 100% open source. You can run your own server. There is no vendor lock-in.
Not an excuse for poor export capabilities but you can absolutely DIY with bitwarden-cli.
> best password managers in existence right now
I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't matter much. Also, C$70 is essentially free when it comes to securing my digital life). I sync a vault with a few co-workers via Dropbox and this is sufficient for us, no need for 1Password.com 'cloud' yet.
We like the UI, and to our knowledge 1Password has the best track record for security, with extensive and continuous testing and no major fuck-ups yet.
What advantages to switching to KeePassXC or Bitwarden are there for us?
Source code access and being free of charge seem to be the main things you would get compared to 1Password. Also, great Linux support (from what I've heard, 1Password only recently even added a Linux-compatible client).
But to me it sounds like you have a solution you are very happy with, and you don't mind paying for that solution, so my recommendation would be to stick with it.
Although, as a happy user of KeePassXC, I'm tempted to ask the counter-question: why would I want to pay for 1Password when KeePassXC gives me a great solution for free (and also gives me source code access)?
Good question. I can't think of compelling reasons why a standalone user, or a small team, would switch to 1Password if they're already happy with KeePassXC.
I did that switch after using Keepass(XC) for about 10 years. For me it was for the seamless sync across devices, and nicer polish of the various apps/addons (iOS, Firefox, etc).
> (from what I've heard 1Password only recently even added a Linux-compatible client).
Just plugins for Firefox and Chrome, AFAIK, actually. And a command line client that's just a wrapper for the website. No full-featured client available. KeePassXC can be a better option for interop with 1pass than 1pass is, on Linux, depending on what you need.
There is also a hybrid client[1][2] now, written in Rust and Electron. Although the command-line client will always be my favourite, as I always have a terminal window open anyway, at least those who dislike the command line or prefer a GUI client have another option now.
[1] https://discussions.agilebits.com/discussion/114964/1passwor...
[2] Read-only for now, as it is a development preview.
No, they have a client now. https://discussions.agilebits.com/discussion/114964/1passwor...
HN discussion: https://news.ycombinator.com/item?id=24054112
Guess that hasn't made it to their "download for linux" page on the main site yet. It still offers the plugins, with an alternate option for the command line tools.
They are also very responsive on GitHub for logged issues and questions. They responded within the hour to an update to an existing issue that I logged.
1Password seems to have a better reputation for security among commercial providers.
But KeePassXC is based on the KeePass file format, and to my knowledge that has a better security story than commercial platforms, though it is harder to use.
For example, a couple of years ago Tavis Ormandy at Google Project Zero went through password managers and had unkind things to say (and reported vulnerabilities) about LastPass, 1Password, and Dashlane. He said KeePass looks "sane" or something like that.
The advantage is higher security, zero cost and control over data.
1Password is closed source and there is no way to verify that it actually encrypts the passwords.
I wouldn’t give someone my passwords to encrypt and store them for me. It’s a simple task and I can just encrypt and store my passwords. I don’t need a shinier UI.
No idea if 1Password does it, but KeePassXC has really good SSH support where it integrates with your SSH agent for storing private keys (and/or the relevant passphrase).
If I remember correctly 1Password stopped updating browser extensions for the non-subscription versions.
I had to switch to keychain because the safari extension stopped working.
You can upgrade from 1Password 6 to 7 (standalone) to get the Safari extension to work. It's not great, but I don't use Safari so it doesn't affect me.
Frankly, the new 1Password mini app is a strong step in the wrong direction since 6. It's huge, it tries to do too much. I've never been happy with it. I switched to Bitwarden and generally it serves the purposes better. A few things are worse but the stuff I interact with regularly is better.
Such tools should be open source.
Nope, pass (Password Store) is way better IMO.
I realize GP was unqualified too, but can you expand on this, since it sounds like you've used both? I use (go)pass fairly happily and was recently recommended Bitwarden, and I'm curious about what separates them.
I’m very happy with pass too.
I’ve been using KeePassXC almost as long as it’s been available, and couldn’t be happier. Database stored on my NAS and synced to Dropbox for when I’m out, gives me access on all my devices without having to worry about whether x or y service will still be around in a year or 2.
I do this as well, although I tried LastPass and Bitwarden. It just wasn't that great, and those "standalone" apps were just silly compared to KeePass/KeePassXC.
One thing that was a killer feature for me: Keepass2Android was WAY better in integration with my Android devices. I tried to convince family to use a password manager, but LastPass was a failure on some devices. KeePass with sync to some cloud is perfect: a database with multiple copies, works well.
Syncthing is a nice alternative to Dropbox. If you use multiple computers at different locations, you could, say, use Syncthing to sync your KeePassXC database between your home computer and your phone, and between your phone and your work computer, without it ever touching a third party service.
It has worked for me perfectly for quite a long time. All my personal documents and photos are synced between an Android phone, my RPi 4 and my laptop. I haven't touched the settings for years. It just always works, 100% perfectly. I don't understand why it isn't more popular.
I managed to get Syncthing running well on my RPi 4, but the sync was just abysmally slow. I'm on gigabit internet; however, the time delay between syncing and then syncing itself was slow. I think it has more to do with a delay in handshake or device discovery than the transmission of data itself. Any tips for making the discovery better/faster?
"First, you'll want to set up a server" and you're already down to well under 1% of the population that'll be interested in reading any further, let alone following through and actually doing it.
I doubt the OP intended to ask why it wasn't popular among the general population. That seems obvious. I would interpret his question as asking why it's not more popular even among the subset of people who are happy to run their own servers, like readers of this very board.
:-) And now I have another "for the family" project. Thanks, I think...
Started using KeePass about a year ago; I really like it. Just wondering if Dropbox is considered a safe place to store the DB files? I did this for a while, but then I got paranoid and switched to something fully encrypted.
For sharing between devices I found Firefox Send to be useful (before it went down, hope it comes back), also Keybase filesystem is one of my go-tos as well.
Maybe I’m being overly cautious, but I sleep better at night knowing my DBs are encrypted.
The database files are encrypted by your master password (and optional key file, etc) at rest, but paranoia with your sync provider is valid. It's one of the reasons that I like KeePass: because the sync provider is something I control and any "file-like" share can be used, I don't need KeePass-specific providers.
FWIW, I've lately been using Resilio Sync, which is BitTorrent-style peer-to-peer between devices I control and encrypted over the wire as well. It also supports advanced encrypted shares where you can even have "know nothing" devices that help to seed/participate in your shares but can't read/write inside them, as an interesting tool in "personal cloud hosting".
Your database is encrypted by default. Additional encryption won't hurt, of course, but you can absolutely use Dropbox.
Right, I guess my concern was a brute force attack on a DB file if it fell into the wrong hands. I looked at the main website again though, and apparently the official Windows app has some protection against this. It says however, KeePassX (and I assume therefore KeePassXC) does not have the same level of protection.
Another comment mentioned using a key-file, so maybe I will revisit that approach, since I used password only when I started.
To prevent a brute force attack, you should choose a long enough password and adjust the iterations parameter on Key transformation. Basically more iterations = more time to brute force, but your application will spend more time opening the database. Longer password = less likely for brute force to succeed.
For me a 12-character password with the default 60,000 iterations seems safe enough. My estimation is that it would take at least millions of dollars to break it and my passwords are not worthy of that. You can easily make it unbreakable for the foreseeable future by using something like a 16-character random password and 10 million iterations.
A key file of enough length is like an unbreakable password. But you probably can't remember it, so be careful not to lose it. My database is accessible on a public URL which I remember and I remember my password, so I can always download it anywhere and open it. I think that it's a big advantage and I wouldn't want to lose it.
Great, thanks for the advice!
When I decided to start using a password manager, I was drawn to KeePass since it is open source and I don't have to rely on any third party service. But learning how to use it correctly, and juggling your DB files among all your devices, requires a sound, thought-out strategy!
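The iteration-count and password-length trade-off described in the comment above, as an added worked example in Go (not KeePassXC's own code): it implements KeePass's AES-KDF key transformation with the standard library, times one derivation at the 60,000 and 10 million round counts mentioned, and scales that by the size of a 12- or 16-character random password space. The transform seed, the sample password and the million-fold attacker speed-up are constructed assumptions for illustration; KeePassXC also offers Argon2 for KDBX 4 databases, which is not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"math"
	"time"
)

// compositeKey is KeePass's starting key for a password-only database: each
// key source is SHA-256 hashed and the concatenated hashes are hashed again,
// which for a lone password is SHA256(SHA256(password)).
func compositeKey(password []byte) [32]byte {
	pw := sha256.Sum256(password)
	return sha256.Sum256(pw[:])
}

// aesKdfRaw runs the "key transformation" rounds of KeePass's AES-KDF: the
// 32-byte key is encrypted `rounds` times, one 16-byte half at a time, with
// AES-256-ECB under the transform seed stored in the database header.
func aesKdfRaw(key, seed [32]byte, rounds uint64) [32]byte {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		panic(err) // unreachable: a 32-byte seed is always a valid AES-256 key
	}
	out := key
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(out[:16], out[:16])
		block.Encrypt(out[16:], out[16:])
	}
	return out
}

// transformKey is the complete AES-KDF: the rounds above followed by SHA-256.
// The database's master key is then SHA256(masterSeed || transformed).
func transformKey(key, seed [32]byte, rounds uint64) [32]byte {
	raw := aesKdfRaw(key, seed, rounds)
	return sha256.Sum256(raw[:])
}

// candidateCount is the worst-case number of guesses for a random password:
// alphabet size raised to the password length.
func candidateCount(alphabetSize, length int) float64 {
	return math.Pow(float64(alphabetSize), float64(length))
}

// yearsToExhaust scales one guess's cost on this machine by the size of the
// password space and divides by an assumed attacker speed-up over this CPU.
func yearsToExhaust(candidates, secondsPerGuess, attackerSpeedup float64) float64 {
	return candidates * secondsPerGuess / attackerSpeedup / (365.25 * 24 * 3600)
}

// measureGuess times a single transformation at the given round count.
func measureGuess(rounds uint64) float64 {
	var seed [32]byte // constructed transform seed; real databases use a random one
	for i := range seed {
		seed[i] = byte(i)
	}
	start := time.Now()
	transformKey(compositeKey([]byte("sample-password")), seed, rounds)
	return time.Since(start).Seconds()
}

func main() {
	// Assumption for illustration only: an attacker with dedicated hardware is
	// taken to be a million times faster than this single core.
	const attackerSpeedup = 1e6
	for _, rounds := range []uint64{60000, 10000000} {
		per := measureGuess(rounds)
		fmt.Printf("%d rounds: %.4f s per guess on this machine\n", rounds, per)
		for _, length := range []int{12, 16} {
			years := yearsToExhaust(candidateCount(62, length), per, attackerSpeedup)
			fmt.Printf("  %d random [A-Za-z0-9] chars: %.3g years to exhaust\n", length, years)
		}
	}
}
```

The measured seconds-per-guess only reflect Go's AES on the machine running it; the point is that the estimate grows linearly with the round count and exponentially with password length, the two knobs the comment names.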
I store the KDBX file in Dropbox, store the key file elsewhere, and use a strong password. Without the key the database file is useless.
I currently only use a password/phrase, but I will consider using a key file as well. My concern was a brute force attack on a compromised DB file. But I guess as long as the key-file was never put in the cloud, this would alleviate that concern?
Yes, when you want to use a new device you sideload the key file onto it in a secure manner (i.e. USB).
On Android this presents some issues though, since the last I checked the key file had to be added to the "SD Card" class storage, which other apps can also access. If you are on Android and go this route, be really careful about the types of apps you install that have Storage permissions (good advice in general, of course).
Good points. I used to use Android, but recently switched to iOS, mostly because I have a MacBook Pro and iMac.
I'm not blown away by the iPhone in general honestly, but being able to sync everything between the Mac devices is super convenient. The ability to easily share files wirelessly between all of them via AirDrop is fantastic. It's a great use case for moving KDBX files, or in this case key files.
> Keybase
They were sold to Zoom... since then I don't use it anymore.
If KeePass's database file wasn't secure on its own, then it would be quite useless.
If you’re concerned about security, you wouldn’t use Dropbox in the first place. Use mega.nz instead.
KeePass(XC) encrypts the database on its own.
I have read that the KDBX4 password database is "very secure" but am curious if any hacking challenges have been conducted to see if anyone can break it? The challenge I have in mind would put some kind of contact info in an entry and then post the KDBX file on a public site for anyone to download and try to hack. If you get it open, use the info to contact the contest organizers, and once you explain how you overcame the security and it's replicated, you get however much has been donated as a hack bounty.
I'll put $100 in right now if the maintainers of KeePassXC are down with this.
I'm no cryptographic expert, but I always liked the simple design of the kdbx files. So simple that I can understand it and see that there are no (obvious, assuming the underlying algorithms are called correctly) problems:
The whole database is a single big XML document which is then encrypted with a normal symmetric encryption method (most of the time AES). And that is already the core of it. There are a few additional things (a user-chosen key-derivation function is used to increase the brute-force time, and there is a header in the binary format with such things as the KeePass version, which algorithms are used for encrypting, and a checksum...).
But in comparison to other cloud-based password managers it's a nice feeling to intuitively "know" what's happening under the hood.
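The header layout sketched in the comment above, as an added example in Go (not KeePassXC's own code): it serialises a constructed KDBX 4 outer header (signatures, version word, id/size/data fields and the SHA-256 trailer) and parses it back, bounds-checking every length and verifying the trailer. The master seed and the placeholder in the KDF-parameters field are constructed values; the cipher UUID is the one KeePass assigns to AES-256.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KDBX magic numbers and the KDBX 4.0 version word (major in the high 16 bits).
const sig1, sig2, versionKdbx4 = 0x9AA2D903, 0xB54BFB67, 0x00040000

// Outer-header field IDs defined by KDBX 4 (only the subset handled here).
const fieldEnd, fieldCipherID, fieldMasterSeed, fieldKdfParams byte = 0, 2, 4, 11

// Header holds what a reader needs before it can derive the key and decrypt;
// KdfParams is the raw VariantDictionary the KDF layer would decode.
type Header struct{ CipherID, MasterSeed, KdfParams []byte }

// buildHeader writes signatures, version and fields (1-byte id, 4-byte LE size,
// data), then appends the SHA-256 trailer; a real file also carries a keyed
// HMAC-SHA256 after it, which needs the master key and is omitted here.
func buildHeader(fields map[byte][]byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, []uint32{sig1, sig2, versionKdbx4})
	for _, id := range []byte{fieldCipherID, fieldMasterSeed, fieldKdfParams, fieldEnd} {
		b.WriteByte(id)
		binary.Write(&b, binary.LittleEndian, uint32(len(fields[id])))
		b.Write(fields[id])
	}
	sum := sha256.Sum256(b.Bytes())
	return append(b.Bytes(), sum[:]...)
}

// parseHeader checks signatures, version and the header hash and returns the
// fields. Every size is bounds-checked before use: until the HMAC is verified
// the header is untrusted input and a bogus size must not index past the end.
func parseHeader(data []byte) (*Header, error) {
	le := binary.LittleEndian
	if len(data) < 12 || le.Uint32(data) != sig1 || le.Uint32(data[4:]) != sig2 {
		return nil, errors.New("not a KDBX file")
	}
	if le.Uint32(data[8:])>>16 != 4 {
		return nil, errors.New("only KDBX 4 headers are handled here")
	}
	h, pos := &Header{}, 12
	for pos+5 <= len(data) {
		id, size := data[pos], uint64(le.Uint32(data[pos+1:]))
		pos += 5
		if size > uint64(len(data)-pos) {
			return nil, errors.New("header field overruns file")
		}
		val := data[pos : pos+int(size)]
		pos += int(size)
		switch id {
		case fieldEnd: // followed by SHA-256 of every header byte before it
			if pos+32 > len(data) {
				return nil, errors.New("missing header hash")
			}
			if sum := sha256.Sum256(data[:pos]); !bytes.Equal(sum[:], data[pos:pos+32]) {
				return nil, errors.New("header hash mismatch: corrupt (tampering is caught by the HMAC)")
			}
			return h, nil
		case fieldCipherID:
			h.CipherID = val
		case fieldMasterSeed:
			h.MasterSeed = val
		case fieldKdfParams:
			h.KdfParams = val
		}
	}
	return nil, errors.New("truncated header: no end-of-header field")
}

// sampleHeader is a constructed header: KeePass's AES-256 cipher UUID, a fixed
// 32-byte master seed and a placeholder where the KDF VariantDictionary goes.
func sampleHeader() []byte {
	return buildHeader(map[byte][]byte{
		fieldCipherID:   {0x31, 0xc1, 0xf2, 0xe6, 0xbf, 0x71, 0x43, 0x50, 0xbe, 0x58, 0x05, 0x21, 0x6a, 0xfc, 0x5a, 0xff},
		fieldMasterSeed: bytes.Repeat([]byte{0xA5}, 32),
		fieldKdfParams:  []byte("KDF-PARAMS-PLACEHOLDER"),
		fieldEnd:        []byte("\r\n\r\n"),
	})
}

func main() {
	h, err := parseHeader(sampleHeader())
	fmt.Printf("parsed=%+v err=%v\n", h, err)
}
```

The SHA-256 trailer only catches accidental corruption; an attacker who edits the header can recompute it, which is why the format adds the keyed HMAC that this sample leaves out.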
There have been audits of the official KeePass.info software which some argue still has open vulnerabilities.
Not sure if there have been audits of this popular fork or the format itself.
IIRC the format is relatively simple: an encrypted XML stream. So it may be OK.
Any reason to switch over from KeePass to KeePassXC? I'm only using Windows so the cross platform argument doesn't hit me actually.
The KeePassXC developers are quite conscious about memory security and implement that in XC in a way that's not really possible with a .NET application like KeePass: https://keepassxc.org/blog/2019-02-21-memory-security/
KeePassXC supports TOTP. This is the main reason why I switched.
Arguments sound good but I didn't seem to find any biometric authentication for KeePassXC. In KeePass I could use some plug-ins to connect Windows Hello with KeePass so I could unlock the DB with my fingerprint or via looking into the camera.
Maybe I simply didn't search well enough; is there any possibility to have such functionality in KeePassXC?
There are some nice quality of life features; the "auto-save" being the one I use the most. So my changes don't get lost, and they get synced (for me via Syncthing) virtually immediately.
I find the browser integration extension(s) more robust/stable as well, but that could be environmental.
Not really. I use KeePass on Windows and KeePassXC on macOS for the same password DB that I have cloud synced.
KeePassXC and pass (the standard unix password manager) are the absolute best. Thanks a lot to the maintainers!!
Is there an easy way to import/export between them?
Yeah under "Migrating to"
Thanks! If I find a way to use multiple stores in pass, I will switch to it. It seems that its autofill on Android is a lot better than any KeePass app that I tried.
Found this tutorial: https://www.gilesorr.com/blog/shared-passwordstore.html There are two ways of having multiple stores and sharing them, but I am not too sure I like these solutions....
Currently running KeePassX. Maybe I'll give this a whirl. The key concept with the KeePass family of projects is that your passwords remain on your device, and don't get synced to some cloud you have no control over.
I switched to KeePassXC because KeePassX had a bug where you could silently lose data if you made changes to the notes section of an entry and hit `Esc` without remembering to save.
KeePassX won't prompt you at all and silently drops all those changes, whereas KeePassXC will ask what to do.
KeePassXC also seems to immediately save changes upon adding new entries whereas KeePassX requires an explicit <ctrl-s>.
I moved from KeePassX to XC recently. It has the same features but the user interface is so much better.
The Android app is great too. I use rclone to sync my KeePass file to Google Drive, which means it is always up to date on my phone too.
Android app? Which one?
Keepass2Android is what I've used.
That is what I'm using too
Same! If you haven't already, please consider Patreon or just donating to the dev directly. We use his app constantly and it's great to support him!
KeePassDX has a much more modern UI. Also open source
> KeePassDX has a much more modern UI.
Is that supposed to be an endorsement or a warning?
I like the app and use it due to it being offline + a smooth UI. Not clunky like the rest, even though they are great too.
Your choice. It was an endorsement.
I used KeePassDroid for a long time, but recently switched to KeePassDX, and love it.
I have a free Dropbox account and use it to store the kdb file. What is a better alternative if I want access to the kdb file from more than 3 devices (a combination of Windows + iOS devices)?
OneDrive, if you don't want to self-host. I switched from Dropbox when they added the device limit.
Syncthing
I did read the other comment about Syncthing, but that requires setting up a server. Do not want to go that route... :)
Syncthing does not require setting up a server. Your devices connect to each other directly, or through a relay if that's not possible.
Thanks... Will give it a try...
Can anyone tell me which Keepass they recommend?
There's so many different Keepasses...
I'd like to use the same db file between Windows, Linux and Android, and I'd like to be able to auto-enter without a browser plugin, at least on Windows.
KeePassXC is the only one actively maintained.
I believe this one, KeePassXC, is the most-recommended one.
Is the db format standard - ie can I sync the same file between Android/Linux and KeePassXC and use it in all of them?
Yes, it’s the same format.
I switched to KeePassXC a few months ago from KeePass. The UI is quite clunky in places, but that's easier to live with than being beholden to some online service...
KeePass doesn't have any online service.
I think he was talking about both Keepass and KeepassXC's UI
Love this project.