KeePass is the free, open source, light-weight and easy-to-use password manager (keepass.info)
181 points by Brajeshwar on Sept 6, 2022 | 126 comments



In a way this is a nice example of why 1Password or BitWarden are doing well. This might work out okay for a technical person, but the average user isn't going to look at the KeePass downloads page [1] and feel confident about what to download -- even assuming they're using Windows, you need a phone app and sync for meaningful password management these days... and that's very worrying in their presentation. Whereas 1Password and similar do just tell you "download this everywhere, it'll do what you need".

[1]: https://keepass.info/download.html


At least KeePassXC has a non-cryptic website. Still not as convenient as the cloud based ones though, but it's nice if you are primarily using one device or know how to share the database between your devices.


KeePassXC is overall a much better experience. Even the website is significantly less intimidating-looking.


Plus I feel that once one has experienced the browser integration of 1Pass, BW, LastPass, etc it's hard to go back to manually filling credentials again. That and the seamless sync across devices. It's just too much to handle for non techie folk.


I'm willing to tolerate a little friction to set up syncing, but keepass has friction at almost every level.

Their importer is powerful... but I had to manually configure it to import from lastpass. Just bake that in ffs.

There is no "generate password" button on the main application screen despite that being the #2 use for a password manager behind autofilling. Instead the main screen has "find", "find entries" and "search" buttons which are all slightly different despite sounding completely redundant.

To get a browser plugin, you have to pick from a disturbingly long list, each with pros and cons, each requiring a few config steps, and none of which work as well as the cloud competition. I had random disconnections from keepass and many autofill failures.

Finally, you get to syncing, and the friction is bigger than you expect. It is not enough to set up a LAN folder; your solution needs to be able to resolve conflicts if you ever use more than one device simultaneously, otherwise you run the risk of losing changes. The most common sync solution is dropbox because that is the only mainstream cloud offering with first party support for linux, which is fine, but can still cause conflicts. The recommended way to handle this is quite convoluted[1]. Just bake that in, FFS!

[1] https://keepass.info/help/kb/trigger_examples.html#dbsync


>Finally, you get to syncing, and the friction is bigger than you expect. It is not enough to set up a LAN folder; your solution needs to be able to resolve conflicts if you ever use more than one device simultaneously, otherwise you run the risk of losing changes.

Would you explain what kind of a problem you see here (I mean: KeePass related)? AFAIK syncing two KeePass database instances is based on timestamps, so losing changes made on any two copies kept/used on different devices is simply impossible if you properly use KeePass (i.e. do merge them with KeePass). Of course, if you want to have a real cloud-based password manager then KeePass (without any extension) isn't appropriate at all. But what's the purpose of comparing apples to oranges?
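
As an added illustration of the distinction the reply draws (not code from KeePass; entries, devices and timestamps are constructed): a plain file copy keeps whichever copy was saved last and silently drops the other device's edits, while a per-entry merge keyed on modification time keeps both, and needs deletion tombstones so a merge does not resurrect removed entries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional


def ts(minute: int) -> datetime:
    """Constructed timestamps: all on 2022-09-06 12:xx UTC, so the scenario reads easily."""
    return datetime(2022, 9, 6, 12, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    last_modified: datetime


@dataclass
class Database:
    entries: Dict[str, Entry] = field(default_factory=dict)
    # uuid -> time of deletion: a tombstone, so a merge can tell "deleted here" from "never seen here"
    deleted: Dict[str, datetime] = field(default_factory=dict)

    def newest_change(self) -> datetime:
        times = [e.last_modified for e in self.entries.values()] + list(self.deleted.values())
        return max(times) if times else ts(0)


def whole_file_sync(local: Database, remote: Database) -> Database:
    """What a plain file copy does: whichever copy changed most recently replaces the other wholesale."""
    winner = local if local.newest_change() >= remote.newest_change() else remote
    return Database(dict(winner.entries), dict(winner.deleted))


def timestamp_merge(local: Database, remote: Database) -> Database:
    """Per-entry merge: for each uuid keep the newer edit, unless a deletion is newer than every edit."""
    merged = Database()
    uuids = set(local.entries) | set(remote.entries) | set(local.deleted) | set(remote.deleted)
    for uuid in uuids:
        edits = [db.entries[uuid] for db in (local, remote) if uuid in db.entries]
        newest_edit: Optional[Entry] = max(edits, key=lambda e: e.last_modified, default=None)
        deletions = [db.deleted[uuid] for db in (local, remote) if uuid in db.deleted]
        newest_deletion: Optional[datetime] = max(deletions, default=None)
        if newest_edit is not None and (newest_deletion is None or newest_edit.last_modified > newest_deletion):
            merged.entries[uuid] = newest_edit
        elif newest_deletion is not None:
            merged.deleted[uuid] = newest_deletion
    return merged


def build_scenario():
    """Constructed scenario: a laptop and a phone start from the same file and diverge."""
    base = {
        "A": Entry("A", "bank", "old-bank-pw", ts(0)),
        "B": Entry("B", "mail", "old-mail-pw", ts(0)),
        "C": Entry("C", "forum", "forum-pw", ts(0)),
    }
    laptop, phone = Database(dict(base)), Database(dict(base))
    # Laptop rotates the bank password at 12:05 and deletes the forum entry at 12:06.
    laptop.entries["A"] = Entry("A", "bank", "new-bank-pw", ts(5))
    del laptop.entries["C"]
    laptop.deleted["C"] = ts(6)
    # Phone rotates the mail password at 12:10, so the phone's file is the one saved last.
    phone.entries["B"] = Entry("B", "mail", "new-mail-pw", ts(10))
    return laptop, phone


def passwords(db: Database) -> Dict[str, str]:
    """uuid -> password, for comparing outcomes."""
    return {u: e.password for u, e in db.entries.items()}


if __name__ == "__main__":
    laptop, phone = build_scenario()
    print("file copy  :", passwords(whole_file_sync(laptop, phone)))  # bank rotation lost, forum entry back
    print("entry merge:", passwords(timestamp_merge(laptop, phone)))  # both rotations kept, forum gone
```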


This is the “disturbingly long list” of plugins that the commenter is likely referring to: https://keepass.info/plugins.html

Some plugins on the list require other plugins to also be installed.


> phone app and sync for meaningful password management these days

Idk. I very intentionally decided to not have 98% of my passwords on my phone. (The remaining few rarely change and I put them in my phone by hand without sync.)

This decision was less because of security considerations but more because I don't want to be able to access the services through my phone.

If then anyone (especially I myself) wants to pressure me into doing work or anything like that when I'm away it won't work because I simply can't. Makes it easier to switch off after work or on holidays.


I have all my passwords on my phone too (bitwarden)

But work gets its own separate password manager that only lives on the work computer and nowhere else. I’ll get fired before I even think about work outside of work hours let alone on vacation.


work in my comment also referred to e.g. student work and similar :-)

the company I'm now working for uses 1password, it's on my work laptop and only there, not on my phone, nor on my private PC. Same for slack. Only office mail is also on my phone, so that I can call in sick from my phone if necessary (but normal work communication doesn't go through mail at all, so it's fine).


I don't find that doing work when only my phone is accessible is a problem (though I'm sure that varies wildly based on your job / workplace-culture). However, I do find that most of the passwords I have saved are random app-services / websites for personal use, and I'd prefer to have them available if I need them -- even if all I'm saving myself is the effort of getting up and walking over to my computer.


I am not sure what you are looking at, but when I go to the 1password page from my mobile I see big buttons with: memberships, families, business and team, Mac, Windows, Linux, IOS, apple watch, android, 1password in the browser, scim Bridge, cli, secrets automation, ssh, desktop betas, browsers,android betas, IOS betas, previous versions.

Now that is a whole different level of confusing than keepass. I mean I generally know what I'm looking for, but wouldn't know if I should click on the families or Linux button for example. So I think this refutes your point that market share is due to the download page.


I'm really not sure what you're looking at, but on 1Password's mobile site there's a huge button to download from your phone's store on the homepage. The "Try 1Password FREE" button takes you to a well laid-out pricing page.

Edit: Ah, I guess you might be talking about the small Downloads section in the footer. Even that's much more clear than a page with a 2.x download, 2.x portable download, 1.x download, 1.x portable download, and then 30+ unofficial ports.


I replied in a different comment that I landed on the community page.

But I have to say, arguing that the downloads buttons on keepass are more friction than "get started" (I don't see an app store link) which takes me to the business offer and then the family offer where I have to register an account and provide payment details, is a bit of a stretch. And bitwarden is very similar.

Sure I can search on the playstore, but then I also find keepass quite easily there.


I think that's just the downside of 1Password/Bitwarden's business model. The best they can do is explain the core features on the splash page, as you'd need a valid account to actually use the app in the first place.

KeePassXC is probably the closest to ideal. It could just use more info about what it does on the homepage, and change its name for better marketing. But the project states itself that their audience is "for people with extremely high demands of secure personal data management" so I doubt that would ever be addressed.


>KeePassXC is probably the closest to ideal.

Well, "the closest", but not ideal, unfortunately, as I realized when they decided to abandon support for windows7, forcing me to maintain the KeePass database in VMs by hand... :-(


Replying to myself, seems like I went to 1password.community which is the first result I get when I search. I guess this goes to show for the perils of having to be high in the search rankings.


and reliably managing a secure backup is too much to ask of my mom and some others. I am pretty technical, self host, and manage backups, but I have lost data in situations due to failed disks and DB corruption. Losing one's password vault can be almost catastrophic. I am not knocking KeepassXC, but I just can't recommend it for some users.


I see nobody's mentioned TOTP support yet.

My stack is KeePassXC on computers, Keepass2android on mobile and Dropbox for syncing. A few months ago I realized that both of my clients showed a TOTP option. Went digging a little and realized that there was enough support that I felt completely comfortable jumping ship away from Google Authenticator.

Google Authenticator had been worryingly opaque to me until then - you scan a QR code and then somehow you get TOTP codes? - and having gone through a phone number change recently, I felt especially aware and uncomfortable about having 2FA for many important accounts tied to one fairly fragile, fairly mis-placeable electronic device (not to mention in an app controlled by Google).

Figuring out how to use TOTP on KeePass was the nudge I needed to read up on how TOTP works, and of course it was quite simple. And keeping TOTP secrets in a password manager seems like a not-terrible idea (with the one caveat - and it's not a small one, I know - of busting the "second factor"ness of 2FA by making it possible to generate a TOTP code from the same device that you're using to log in with).

I was especially impressed that KeePass knows about Steam's non-standard TOTP implementation and is able to generate Steam Authenticator codes. I will say that doing this requires some hairy steps! This was what put me on the right path: https://old.reddit.com/r/Bitwarden/comments/a67c1n/steam_aut... And I put a good ~200 words of notes stored in that particular KeePass entry to remind me how I did it in the future.
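
Added example, not KeePass or KeePassXC code: RFC 6238 TOTP and the Steam variant the comment mentions (same HMAC-SHA1 truncation, but five characters drawn from Steam's 26-symbol alphabet rather than six decimal digits); the secret used is the RFC test key, not a real account's.

```python
import base64
import hashlib
import hmac
import struct

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # 26 symbols; no 0/1/A/E/I/L/O/S/U/Z


def hotp_truncate(secret: bytes, counter: int, algo=hashlib.sha1) -> int:
    """RFC 4226 dynamic truncation: HMAC the 8-byte big-endian counter, take 4 bytes at the
    offset given by the low nibble of the last byte, and clear the top bit."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of elapsed time steps, reduced to `digits` decimal digits."""
    code = hotp_truncate(secret, unix_time // period, algo)
    return str(code % (10 ** digits)).zfill(digits)


def steam_totp(secret: bytes, unix_time: int, period: int = 30) -> str:
    """Steam Guard variant: the same truncated integer, rendered as five base-26 characters
    (least significant first) from Steam's alphabet instead of decimal digits."""
    code = hotp_truncate(secret, unix_time // period)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[code % len(STEAM_ALPHABET)])
        code //= len(STEAM_ALPHABET)
    return "".join(chars)


def decode_base32_secret(text: str) -> bytes:
    """otpauth:// secrets are base32, often without padding, sometimes lower-case or spaced."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    import time
    # RFC 6238 Appendix B test key ("12345678901234567890"), constructed here; not a real secret.
    rfc_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("TOTP :", totp(rfc_secret, now))
    print("Steam:", steam_totp(rfc_secret, now))
```

The RFC vectors (counter 0 gives 755224; time 59 gives 94287082 with eight digits) are the quickest way to confirm a new implementation before trusting it with a real account.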


Not only totp, but you can also get it to populate ssh-agent with a select set of keys only when kpxc is logged in.

You can also have multiple files to handle different contexts, if you want some separation ie. 2FA-ness.

(you might also try keepassdx on android if you want a bit more polish)


>I see nobody's mentioned TOTP support yet.

Thank you very much for your remark! I always am in trouble when I have to dig through terrible KeePass "documentation" and never found a remark about it.


I trust this over Bitwarden or Lastpass since you have to trust those services with your data (and I don't). Web-based password managers can be hacked, or have their login interface laced with third-party code that could be exfiltrating your master passphrase. My strategy is using KeePass and keeping multiple copies of the database in various cloud providers in case my local copy is lost/corrupted. It takes under a minute to sync my local copy to Dropbox, Google Drive, Box, etc


For the super paranoid, SyncThing provides a straightforward way for you to synchronise your database between various local devices without having any data in the cloud at all.

[edit: Syncthing's Discovery Server probably counts as data, actually; you can work around that but then it's less "straightforward"]


OMG I tried to setup SyncThing a couple of months ago to sync my KeePassX (kdbx) between my PC, my Mac and my Android phone. It was hell, I had to fight SyncThing every step of the way (connecting between clients, which one is the receiver and which one is the sender and whatnot), and it just didn't sync. In addition I learned that in Android SyncThing cannot sync to an external SD card ( https://github.com/syncthing/syncthing-android/issues/1366 ) .

I ended up uploading the file to Google Drive and using its client. It works pretty flawlessly.


It works just fine for my PC, laptop and Android. Shame that you had a bad experience with it although perhaps your use case is a bit unusual. Although that's surprising about Android being so difficult to work with in Go. It sounds like this is being resolved in Android 10 upwards: https://github.com/syncthing/syncthing-android/wiki/Frequent...


> In addition I learned that in Android SyncThing cannot sync to an external SD card ( https://github.com/syncthing/syncthing-android/issues/1366 ) .

This should be fixed: https://github.com/syncthing/syncthing-android/pull/1724


>I ended up uploading the file to Google Drive and using its client. It works pretty flawlessly.

Besides my general distrust of Google, the real source of my headache is the ransomware attack. Thus such a simple schema is unsatisfactory. And the proper automatic backup procedure needs noninteractive testing whether the cloud copy is not garbled. Until now I don't know how to do it so I make backups of my Dropbox copy by hand.


I remember trying something similar and I kept getting weird results like repeated folders that didn't sync and then when they would I'd have 2 copies of something not knowing which I should keep. Maybe it's gotten better a couple years later?


It's a strange commercial offering with a weird relationship to BitTorrent (it's "ex"), but Resilio Sync is an interesting device to device option as well.


Why is it strange?

It’s closed source though.

I would like to see a comparison with Syncthing.


Mostly because it is closed source, and also the odd behind-the-scenes drama of Resilio's spin out from BitTorrent (the company, not the tech). (The BitTorrent company of today is a strange cryptocurrency/NFT zombie of the tech company it originally was.) To my understanding that drama and corporate spin out in part even influenced the creation of Syncthing as an alternative.

From my view, Resilio is still easier to use with better apps than Syncthing, and in theory their corporate business model seems sustainable (more so than the previous parent company) and can provide useful corporate support when such needs occur. But there's still lingering doubts after all this time that they will continue to do the right things, support the software well, and it is closed source so there's not a lot of community support options if the company's business model pivots in any accidentally similar way to the events that led to Resilio existing in the first place.


If you don't want to trust Bitwarden with your data, you can self-host a server yourself (either running the official server [1] or the compatible Vaultwarden [2]).

[1]: https://github.com/bitwarden/server

[2]: https://github.com/dani-garcia/vaultwarden


Exactly. If you can self-host a password manager then surely you can self-host a Git repository as well and use that instead and avoid this: [0]

[0] https://news.ycombinator.com/item?id=32735734


and get into merge hell when you forget to push and have passwords added on two different binary blobs? no thanks. I prefer using something that was meant to be a password server


No. You misread my point. I never said you should replace Bitwarden and use a Git repository as a password manager. My point is about self-hosting in general, hence why I linked the recent GitHub outage.

If you can self-host a password manager, then in the case of GitHub [0] going down every month you can self-host your Git repositories yourself, especially if you have projects like wireguard [1] for example.

[0] https://news.ycombinator.com/item?id=32735734

[1] https://git.zx2c4.com


yes but don't you still need a 'license key' to unlock the full set of features? E.g. sharing among a team?


No, you don’t.


Yes, but only to use the official Bitwarden server. The Vaultwarden project is an alternate server implementation that does not require a license key.


> I trust this over Bitwarden or Lastpass since you have to trust those services with your data (and I don't).

This is the conundrum I am in. I have been looking for a pocket-sized password manager, which can sync from something like a spreadsheet I keep in cold storage. This seemed to fit the bill:

https://www.beamu.io/

So I purchased one. It's pretty cool, although the controls are a bit clunky. Overall, pretty cool bit of tech.

However, to import your passwords into the device, there is no way to do so with the stock software which does not involve uploading all of your passwords to their servers. That is asinine, if I am being generous.


I use Bitwarden. I don't trust that service with my data. I host an instance of the community-developed backend: https://github.com/dani-garcia/vaultwarden on my own server so that I don't need to, and use the FOSS clients to access it.

I feel more comfortable with that than syncing a KeePass file over dropbox or google drive, mostly because I got myself into a nasty situation that way with a corrupted KeePass database a while back.


I've been using KeePass on my windows PCs and Mac/iOS compatible versions on macs, iPads, and iPhones for years. I have my database on Dropbox so that all the Apple devices sync to the same file and keep a local copy on my PC that is automatically updated from the Mac using WinSCP, a .bat file, and task scheduler. I have to do the copy thing because Dropbox reduced the number of devices that can access it directly to 3 several months ago for the free account. I even have it running on my work PC (sssshhhhhh!). Needless to say, I love it. Its features nicely fit my browsing style plus it's free.


Syncthing (https://syncthing.net) is another solution for syncing between multiple devices/computers. One thing I liked about Dropbox, that wasn't necessarily available on Linux, was the ability to choose whether to sync the files locally or keep them on Dropbox.

I'm pretty much Syncthing + Synology these days. The bulk of my files are on Synology and the little files like the keepass databases are passed around with Syncthing.


Sounds pretty simple for about .000001% of users who could potentially use it. The rest would have no idea how to do any of this.


I didn't do this for anybody but me. As long as I know how to do it, that's all that matters. Let them spend 42 years in the computer industry to figure it out.


I keep the database in onedrive, but I keep a keyfile in addition to my password that I never put on the shared folders online.


Preferably use KeePassXC.

Why? -> https://keepassxc.org/docs/#faq-keepassx


Short answer: written in C++ instead of C#

I also have used keepassxc for years now on mac/windows/linux/iphones


That's a very bad short answer, because end users don't (and shouldn't) care about the programming language used.

The real reason to use KeepassXC over Keepass is because it's much better! The UI is better in almost every way.


> written in C++ instead of C#

what are the advantages of that?


Before .NET Core, C# couldn't run natively on non-Windows. That's probably the only real advantage.


I guess mono never happened...


In fact, Keepass is actively supporting mono (they regularly have patches that improve mono support)


"natively" was the key word


I don't know as Mono is any less native than .NET, they both have to JIT the program's IL, and the .NET APIs don't really expose much of anything that's platform-specific so there isn't really a "native" platform.


Keyword for what?

Mono even had an AOT compiler with capabilities that are only now landing on Native AOT, and are the underlying architecture for what made Blazor possible in the first place.


It seems to me KeepassXC is currently one of the most secure options for password management. The attack surface of offline password managers such as KeepassXC is much smaller than that of the online password managers.

You may sync it with your tool of choice, eg, Dropbox.

The desktop application is excellent, reliable, and with state of the art protections (Yubikey, Argon2 KDF, memory protections, etc).


It's been a few years but KeePassXC had far stronger memory security than KeePass.

https://keepassxc.org/blog/2019-02-21-memory-security/


I have been using KeePass with their official client on Windows and Strongbox (free tier) on both MacOS and iOS, and I synchronise via iCloud (previously via Google Drive). For me this solution has been working perfectly fine since many years now, and I am really not a technical user. I’m always surprised why not more people seem to use this solution (i.e. why password manager discussion is so common on HN)


You should try out KeePassXC if you haven't already. It's cross platform and I think it's better than the official client on Windows.


I have also used KeePassXC for several years now and think it is better (hey, it has dark mode!); however, it doesn't support plugins, so it might not be a viable solution for everyone.

I love KeePass for many reasons but one of the killer features for me is notes and encrypted attachments. It's also one of the reasons why I won't switch to applications like Bitwarden.


> but one of the killer features for me is notes and encrypted attachments. It's also one of the reasons why I won't switch to applications like Bitwarden.

Bitwarden has both ;)


Exactly what I use (w/ GDrive and on my Android) - it really is such a clean solution, and you're in complete control of the hosting.


KeePass looks nice. Currently I'm using pass but I will investigate KeePass either as a recommendation for others or possible alternative to my current solution.

I set up pass (on Linux and Mac, using brew) with two GPG keypairs, a soft keypair and a YubiKey. The YubiKey goes in a physical safe along with instructions for next of kin (and as an ultimate backup for me). YubiKey is protected with PIN.

For daily use, use the soft GPG key and gpg-agent to cache it. PassFF on Firefox (or see github passforios for iOS) or command-line tools (easily can build hooks with dmenu/rofi as well).

pass stores the gpg-encrypted passwords in a Git repository. Set up a private remote repository and push to it for offsite backup. There is some leakage of info as the names of the sites become the filename, e.g., ycombinator.gpg. This can be mitigated with some plugins like tomb, but then PassFF and passforios won't work.


Look at KeepassXC and vaultwarden as well before you decide on a final app.


https://keeweb.info/ is a website that loads a local keepass database (or from something like Google Drive). That's what I use in my Chromebook, reading the same database I keep in sync there, which I also access from Android.


Use KeePassXC please....

Or pass if you're only on unixes ;)

https://www.passwordstore.org/


KeePassXC is one of the best pieces of software out there. Does exactly what it needs to do, runs on every device I've ever owned, and has been independently audited for implementation weaknesses.

It's not just great FOSS software, it's just straight up great software.


>and has been independently audited for implementation weaknesses.

True, and also recommend by the EFF:

https://ssd.eff.org/en/module/creating-strong-passwords


It would regularly fail to connect to the browser plugins when I tried it (despite successfully connecting previously), and the browser plugins failed to autofill more often than not.

There were a ton of usability headaches in the core application too. The UI was quite unintuitive.

It may be technically great, but that's just one dimension of greatness.


Sorry, I've never used the browser plugins. Personally, I generally don't want code with squishy, hard to conceptualize access rights having more access to my web data than I intend, so I just run the desktop app or mobile app and use the copy password button to add it to the clipboard for 10 seconds.


ehhhhh lots of programs can watch your clipboard.... 10 seconds is an eternity in the lifetime of malware.


Never had problems with connecting to the browser (as long as you frequently update the software/browser plugin).

IMHO The UI of the Linux app is ok, not great but very usable. The Android app I think is worse though.

Failing to fill auto-fill is in my experience 100% to blame on the website in question. It happens more often than with some commercial alternatives. They just don't have the same amount of resources to work around websites doing stupid quirky things with password input fields. Which websites would stop doing quirky password input field stuff.


KeePass is awesome. Open spec. Works offline. Plenty of good clients for every platform. Self-managed syncing via your service of choice (Dropbox, OneDrive, <other>, etc.). Can't recommend it enough.


I've been using Bruce Schneier's Password Safe for years - very happy with it. I was recently looking at KeePass. I've dug into the comparison a little bit, but I'd be interested to hear this community's take on KeePass vs. PasswordSafe.


I've used PasswordSafe for some years. My only complaint is I'd like a way to access the user, pass and notes in a view-only mode without editing so I don't accidentally trash something.

I switched to KeePassXC on one of my laptops and it seems OK but requires more clicking to access and autotype a username and password. I haven't switched on any other devices. Still undecided.


daily reminder: the standard password manager is pass.

https://www.passwordstore.org/


I imagine it might be obvious for most users and potential users of pass, and being in line with the unix philosophy, it might be by design, but still, since I didn't see it mentioned in the documentation, it's worth mentioning:

By itself, Passwordstore will not encrypt file names or directory names (which by convention represent the names of the service/site you have an account with).

That might not pose a problem if no one else has access to the machine that hosts your git repo, but if that's not the case (even if it's a private repo on whatever platform), you might want to use either Tomb or git-crypt-remote to have full end-to-end encryption. There are even some tools that glue tomb and pass together (https://github.com/roddhjav/pass-tomb for one), though I'm not sure what's the situation is like when it comes to mobile integration with tomb/git-crypt-remote.


You may not need to encrypt file names. Those are website addresses, perhaps with usernames, and public information.

It’s like suggesting to encrypt public keys.


> It’s like suggesting to encrypt public keys.

Wouldn't that same argument suggest that encrypted DNS queries should not be something one would want to use?

My point is - it's nothing like that, I'm sure that most people could think of at least one website at some point in their life where they'd want to keep the knowledge of them having an account with that website private.


Standard? How is this a standard?


I hate KeePass so much at work. But we still have to use it because our security leadership insist on it. It's not a bad tool for a home user with one PC but it's totally inadequate for an enterprise scenario. But they keep insisting it's safe because it's been audited and the encryption is strong. Sure but what's the point of encryption if you store the password in a text file in the same folder or in some cases in the actual filename :(

I've compiled a huge list of issues to convince them. Like no audit logs. No password complexity enforcement. No single password sharing with third parties (you have to give them the entire thing and password or create a new one which they can open forever). No central overview. We have no idea how many passwords are stored, how well they are secured (the master password) and who they are shared with and when.

Has anyone found a good argument to convince your leadership? And what did you move to?


The kdbx format used by KeePass is an open standard, and can be used by a variety of password management applications. Perhaps another app using that format might be a better fit for you and your organisation?


No, our company doesn't allow any of the other apps because they have not been audited. Which also means we don't have a solution for Mac.

But most of my concerns are centered around the fact that it's just files not centrally managed.


I don't think you're going to have much luck convincing your organisation to adopt a centralised service. Simply having files is as close to free as possible, while even a self-hosted centralised service will have a significant cost in terms of service time and administration. That's probably why they're so against change.


My company also pushes Keepass. The main reason is that it's free and there's no server to run. Getting a budget for something in a large company is a pretty large barrier.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it.

I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


I took it more as "bitwarden is now involved with VC so watch the news for changes". We all know what happens when VC take over a private company. Customer focus often suffers as the bean counters start making the company think in terms of quarters as issue #1


Doesn't mean the companies they work for did so.

Doesn't mean they agreed with their employer's decision.

Doesn't mean they don't complain about it when their company does it.

Doesn't mean they don't raise complaints internally with their employer.

But what do you expect?

They quitting their job about this, many can't afford it.

They mentioning how bad their employer is too every time they complain about a different company? That would be just annoying (close to) no one wants that.

Sure some people which also work for much worse companies wrt. such properties and are not currently looking for a different employer are hypocrites.

But so what? Better voice your complaints even if you don't act on them than to not even voice your complaints and just accept bad things. (Sure acting on them would be even better, way better.)


At the end of the day, engineers/programmers are the ones who implement these changes. I find it unacceptable that lots of HNers get so high minded about these issues but then go on to contribute to the problem by working at for-profit companies. Nothing wrong with either one, just choose one.


At the end of the day engineers and programmers receive dollars for hours worked and can often be ambivalent about whether that is good or bad for customers because they no longer are valued by management as input to features and the future direction of the company.


> ... can often be ambivalent about whether that is good or bad ...

I don't agree with that. At best, they should resist bad ideas, and at the very least, they shouldn't b!tch about them on HN when someone else does it.


But you are also implying that all for profit companies are bad actors, which just isn't true.


I love keepass, and use it with all of my systems. I have the database on my personal nextcloud instance (but you can use One Drive / Google Drive / DropBox) and encrypt it with not only a passphrase, but a keyfile. I can access the database from my phone, desktop, laptop, and other devices.

Since you're also using a keyfile to encrypt it, it doesn't matter if another party gets the db file and even your passphrase, since only a device that also has the physical keyfile can decrypt it.
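
A simplified model, added here and not KeePass's own source, of why a key file changes the picture: the master key is derived from both components, so the password hash alone is only half the input. The treatment of raw 32-byte and 64-hex-character files is an assumption about the format, and XML key files are not modelled.

```python
import hashlib
import os
from typing import Optional


def generate_keyfile() -> bytes:
    """A fresh key file: 32 random bytes written as 64 hex characters (constructed in memory here)."""
    return os.urandom(32).hex().encode("ascii")


def keyfile_key(data: bytes) -> bytes:
    """Reduce a key file to 32 bytes. Assumption: exactly 32 bytes are used raw, exactly 64 hex
    characters are decoded, and anything else is hashed with SHA-256."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # UnicodeDecodeError is a ValueError too
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Hash each component, concatenate in a fixed order, hash again. The result is what the
    slow KDF (AES-KDF or Argon2, not modelled here) is fed; it is not the database key itself."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


if __name__ == "__main__":
    kf = generate_keyfile()
    print("password only    :", composite_key("correct horse", None).hex())
    print("password + file  :", composite_key("correct horse", kf).hex())
    print("password + other :", composite_key("correct horse", generate_keyfile()).hex())
```

The practical consequence is the one the comment states: a copy of the .kdbx plus the passphrase still lacks one of the two inputs, which is also why the key file must be backed up separately from the database and never placed beside it in the synced folder.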


KeePass is really good for what it is for being free and only holding your data locally.

The only thing it suffers from is that it looks too complicated for casual users.

This is where 1Password or BitWarden really shine.


I just installed my vaultwarden as a stand alone bitwarden and imported my bitwarden data to it. It was actually pretty painless and runs in like 1/10 the space of the bitwarden (self hosted) server on a cloud instance. In the next couple days I think I'll test backup and such and if it works I'll be moving over to that from bitwarden. I have used keepass in the past but I prefer programs like lastpass and bitwarden with browser plugins.


Damn! Guess you really need a few frontend contributors


Keepass2android and keeweb really make for an excellent password manager system when combined. I have been using for years and love it.


Is there something that would allow a keepass db file to be shared through a REST API?

At my current work, we have a lot of credentials to test environments shared on one single keepass file and I am wondering if I could securely use it as a network accessible (VPN only) vault and ideally something I could programmatically fetch those credentials for CI.


This feels like an XY problem to me. I for sure wouldn't want anyone to reinvent a security API, and that goes doubly for doing so on top of a system that is inherently single-user. As the others have pointed out, Vaultwarden exists and is GPLv3. The bitwarden CLI should work with it and is also GPLv3.


Trained myself and my siblings back in 2013-15. That time was VERY difficult for them because I kept pestering them to remember every account login, every piece of important information on it, to a point it became a stupid chore.

Years later, it's wonderful. They have EVERYTHING there and on their phones. They don't need to keep the data synced in two places since they only use their phone, so they keep a live copy on it and occasionally keep one with me just in case something happens to the phone.

It is a bulletproof setup that works. Recently someone mistyped a password and I was like "don't you have keepass" and I was told "obvio"... that was nice.


The main security improvement of a password manager is to make phishing harder by only making the autofill work iff the domain matches.

The secondary improvement is making it convenient to use, which in turn discourages people from putting their passwords on sticky notes.
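The domain check described in the comment above is where the anti-phishing value actually lives, so here is an added example of how such a decision is made (example code for this page, not the logic of any particular password manager or browser extension). It matches on the parsed hostname, never on a substring of the raw URL, respects the dot boundary for subdomains and refuses to fill an https credential on an http page. All URLs are constructed samples.

```python
from urllib.parse import urlsplit


def _scheme_and_host(url: str):
    """Parse the URL once; .hostname already strips userinfo, port and case."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme.lower(), host


def autofill_allowed(saved_url: str, current_url: str, allow_subdomains: bool = True) -> bool:
    """Decide whether a credential saved for saved_url may be filled on current_url.

    Rules (assumptions for this example, a conservative policy):
    - compare parsed hostnames, so "bank.example@evil.test" and
      "evil.test/bank.example" never look like bank.example;
    - an https credential is never filled on a non-https page;
    - subdomain matches require a dot boundary, so "bank.example.evil.test"
      does not match "bank.example".
    """
    saved_scheme, saved_host = _scheme_and_host(saved_url)
    cur_scheme, cur_host = _scheme_and_host(current_url)
    if not saved_host or not cur_host:
        return False
    if saved_scheme == "https" and cur_scheme != "https":
        return False
    if cur_host == saved_host:
        return True
    return allow_subdomains and cur_host.endswith("." + saved_host)


if __name__ == "__main__":
    saved = "https://bank.example/login"
    for page in (
        "https://bank.example/login",
        "https://login.bank.example:8443/auth",
        "https://bank.example.evil.test/login",   # look-alike suffix attack
        "https://bank.example@evil.test/login",   # userinfo trick
        "http://bank.example/login",              # downgrade
    ):
        print(f"{page:45s} -> {autofill_allowed(saved, page)}")
```

Whether subdomains should be allowed at all is a policy choice; some managers let the user pick exact-host matching per entry, which is the stricter option.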


I agree KeePass is free, open source and lightweight but calling it easy to use is quite a stretch, especially if you want the same kind of functionality (e.g. autofill in browsers) that other tools provide out of the box.


Does anyone have a good self-hosting sync scheme? Keepass is awesome... but I haven't managed to get the sync to work smoothly yet.


Keepassxc and syncthing.

I sync two databases across Mac, linux, ipads, and android phones. One for work, one for personal.


If you are alone and have reliable internet, then syncing the password db file can be good enough.

I mean you can only run into problems when you change it on two devices without a sync in between. But that is super unlikely (in general; if you have reliable internet; you can improve the reliability of this setup by syncing to a kind of server/file storage as "source of truth", as it won't be e.g. out of battery or disconnected from the internet ;-) ).

And as long as what you use for syncing doesn't blindly override when conflicting syncs happen, you can resolve the problem by hand, not that I would expect it to happen. (At least with KeePassXC this works well; I haven't used keepass as most places strongly recommend XC over keepass without XC.)


Not keepass, but you can self-host Bitwarden using `vaultwarden`, an open-source reimplementation of the server (the official server is also partially open source, but complex to install and run - this one is a simple binary you can run), which works with the official client apps.


I use resilio sync to sync my keepass file and it's working out pretty well. https://www.resilio.com/individuals/


A few years ago I was syncing keepass over HTTP (it's built into keepass) with an Apache httpd and webdav module. Configuration was not really tricky and worked flawlessly. I even managed to use a yubikey on sync requests.


I just use keepassxc and have a cron job that zips and encrypts the password vault and then uploads it to Amazon S3 once a day, simple and pretty much foolproof, probably costs me $0.12 a year for storage.


Not foolproof for a non-technical user.

You can improve foolproofing by watching the db file for changes and then uploading it.

You can further improve it by checking if the uploaded file is the one which was there when you did download it last, and only then upload your changed version.

But yes, for many people that simple approach would be good enough by far. I mean, how often do you add new passwords?
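The "only upload if the remote copy is still the one you last downloaded" rule above, and the two-devices-edit-without-a-sync conflict raised earlier in this thread, amount to a compare-and-swap on the database file. Here is an added example of that rule (written for this page, not code from syncthing, KeePass or any cloud provider): the remote store is a constructed in-memory stand-in whose content hash plays the role of the ETag or version a real storage API returns, and the "database" contents are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RemoteStore:
    """Stand-in for the cloud folder (assumption: the real store exposes an
    ETag/version and supports a conditional write, as S3 and WebDAV can)."""

    def __init__(self, initial: bytes):
        self.blob = initial

    def etag(self) -> str:
        return digest(self.blob)

    def download(self) -> Tuple[bytes, str]:
        return self.blob, self.etag()

    def upload_if_match(self, data: bytes, expected_etag: Optional[str]) -> bool:
        """Conditional write: refuse when someone else changed the file since
        the caller last saw it. A blind upload would silently drop their edit."""
        if self.etag() != expected_etag:
            return False
        self.blob = data
        return True


@dataclass
class Device:
    name: str
    local: bytes = b""
    last_seen_etag: Optional[str] = None   # what we believe the remote holds

    def pull(self, remote: RemoteStore) -> None:
        self.local, self.last_seen_etag = remote.download()

    def push(self, remote: RemoteStore) -> str:
        """Upload only if the remote is unchanged since our last pull."""
        if remote.upload_if_match(self.local, self.last_seen_etag):
            self.last_seen_etag = digest(self.local)
            return "uploaded"
        return "conflict"   # caller must pull, merge in the app, then retry


def simulate():
    """Two devices edit without syncing in between; the check catches it."""
    remote = RemoteStore(b"kdbx v1")
    laptop, phone = Device("laptop"), Device("phone")
    laptop.pull(remote)
    phone.pull(remote)

    laptop.local = b"kdbx v1 + laptop entry"
    r1 = laptop.push(remote)                  # "uploaded": remote unchanged since pull

    phone.local = b"kdbx v1 + phone entry"
    r2 = phone.push(remote)                   # "conflict": remote moved since phone pulled

    phone.pull(remote)                        # fetch the laptop's version ...
    phone.local = phone.local + b" + phone entry"   # ... merge (the app would do this)
    r3 = phone.push(remote)                   # "uploaded": now based on current remote
    return r1, r2, r3, remote.blob


if __name__ == "__main__":
    print(simulate())
```

The file watcher mentioned in the comment above would call `push` on every change; the value of the check is that a conflict surfaces as a refused upload instead of a lost entry.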


Yeah, I thought about checking the md5 before wrapping and aborting the run if there was no change, but I like knowing that the process is still working and that nothing stupid happened to my cronfile at some point. Two instances of having a cronfile silently overwritten is two too many for one lifetime.


I use WebDAV. Just throw up a container like dgraziotin/nginx-webdav-nononsense and connect to keepass2android and keeweb. I then use regular backup software to back up the mounted WebDAV files.


password-store is another solution if you're CLI and scripting inclined. It also has browser plugins. KeepassXC + a cloud "dropbox", make sure that it is set to save after every change to the password database. It also has plugins for popular browsers. Vaultwarden is another option and the one I am likely to switch over to after this announcement.


Use syncthing on a folder with the database


I sync over SFTP to a VPS. Works with Keepass2Android on mobile too, I've used this for several years now.


How is KeepassDX? It's on F-Droid.


Works great in my experience. Even supports biometric auth for unlocking your database if you'd like to use it.


It's great, but lacks yubikey support. Might arrive very soon, though, beta is already available in play store, see https://github.com/Kunzisoft/KeePassDX/issues/8


I use it on my phone and tablet. It works very well, I have no real complaints.


I use it. It seems good.


I use KeepassXC on Linux and KeepassDX on Android... and Syncthing to keep them in sync... works great.


What's a good, trustworthy KeepassXC iOS client w/ FaceID unlock?


There are two: Strongbox[1] and KeePassium[2].

[1]: https://strongboxsafe.com/

[2]: https://keepassium.com/


Thanks! Do you recommend any of them?


I do not, although I use Strongbox - liked the UI a tick better. They are pretty similar feature-wise, KeePassium is a tick cheaper for the pro-tier, and sources are available. Strongbox is able to merge the DB in case of conflict. And in reality both apps are written by a single guy, so I would say it is a draw :)


I previously used MiniKeepass which has been shut down. Migrated to KyPass, which looks good on paper but syncing with Google Drive didn't work in practice.

Now using KeePassium Pro. Very happy. Does everything I need, uses the file API for opening files and integrates well.

