Ask HN: What is the best password manager available today?
30 points by dijondreams on May 6, 2023 | 72 comments
I am afraid of a private company being responsible for my passwords but also not confident in my own ability to manage any sort of password manager across all my devices. What do people do?



For cloud-synced across devices: BitWarden.

For maximum security (no cloud sync): KeePassXC

In both cases an essential feature applies: if you forget your master password you've lost access to your password database.


I've used KeePass for ages and every time another password manager comes up in the headlines it's only ever made me feel more confident about that decision. Zero games, no cloud/other party to be dependent on, and I have total freedom to implement whatever backup/sync methods work best for my situation.


KeePass is not KeePassXC. The former is written in .NET, the latter in C++; numerous open source audits have shown that KeePassXC is far and away more secure than KeePass. Not to mention that cross-platform performance for KeePassXC is superior.


> numerous open source audits have shown that KeePassXC is far and away more secure than KeePass.

Could you link some?

I mean, that sounds like a major claim, but it doesn't appear to be mentioned on either of their Wikipedia pages, in their FAQs, nor in some of the top results from Google.

For example, from [KeePassXC's "FAQ"](https://keepassxc.org/docs/):

> Why KeePassXC instead of KeePass?

> KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.

> KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.

, where they don't appear to claim a security-advantage.

[This security audit [PDF]](https://keepassxc.org/assets/pdf/KeePassXC-Review-V1-Molotni...) claimed:

> It is interesting to notice, that the code of KeePassXC is organized in classes cleaner than the code of KeePass in C#. The classes are smaller, the functions are shorter. See e.g. the code to read a database. The reason for this might be that KeePass grew organically into a more complex logical structure and maybe it could enjoy some refactorings. In any case, right now, it is easier to review KeePassXC code for security and to understand it than to do so for KeePass.

, which seemed like a point in KeePassXC's favor.


Same project, two versions of the software. I use both. New devices all get KeePassXC.


I'm hoping for one written in a safe language.


You could sync the KeePassXC database with Syncthing, to have e2e encrypted sync across devices, fully open source and without servers.


I feel safe using KeePass. Its hotkey auto-fills most of the time. You can regularly sync/backup the database to cloud.


KeePass seems to sync via a preferred cloud provider fine.


You can sync a KeePassXC database using a provider like Google Drive/iCloud/Dropbox/etc, but that's not a feature of KeePassXC; it's you doing semi-manual cloud sync.


Use Vaultwarden and self host the backend


This ^


So, please define best, because it depends on what you're looking for. A list of the options I know and would personally recommend:

Bitwarden (optionally with self-hosted Vaultwarden) - Best UX for the FOSS options, syncs all your devices, overall just pretty good.

   Website: https://bitwarden.com/
   Vaultwarden: https://github.com/dani-garcia/vaultwarden
KeepassXC (optionally synced with syncthing or your cloud provider of choice) - Portable, no need to host a server to keep the database, offline-first. Database format is standardized, and other password managers support the database format.

   Desktop: https://keepassxc.org/
   Android: https://www.keepassdx.com/
   iOS: https://strongboxsafe.com/
   Syncthing: https://syncthing.net/
pass, if you're always on the terminal. (optionally synced with syncthing or any cloud provider). Or you can go with gopass, which uses the same database format, has better support for multiple users/stores, and enables git versioning by default. There are GUI and mobile clients available that are compatible with this database format.

   pass: https://www.passwordstore.org/
   gopass: https://www.gopass.pw/

These are the main ones I would recommend you take a look at for the most common use-cases. I can't recommend anything that doesn't provide FOSS clients or that can't be self-hosted, so some decent options UX-wise were excluded. You really have to see what you want out of the password manager to choose one. Keep in mind that for both pass and keepass there are multiple clients that are compatible with the database format, which affords you more portability, options, and the possibility of having native clients.


I'd echo what others say, KeePassXC on local storage, which you can then sync across devices either with syncthing, dropbox etc.

However, I have just started exploring using vaultwarden (a rust rewrite of bitwarden, which is self-hosted).


I am very happy with my vaultwarden setup, but if you don't run your own server, or don't want to, KeePassXC + syncthing is probably the best you can do.



Fwiw, the biggest downside of it is multiple user functionality.

It's doable, but you have to import the public gpg key of everybody who needs to access the secrets. Effectively, every secret ends up encrypted with the public key of every user who needs access - not sure how scalable it would be if you have more than a small team of people accessing it this way.


For that you can go with gopass:

https://www.gopass.pw/

It has first-class support for multiple stores and it's 100% compatible with pass databases.


wow that looks fantastic - nicely fills the gaps I still have with using pass everywhere.


I love it on Linux, but has anyone else had it perform really poorly on macOS? Last time I had a MacBook, it wasn't even close to the instantaneous speed of pass on Linux, more like seconds for every command.


I use it intensively on Mac and have not had that problem.

Since it interfaces with GPG I would suspect something to do with how your gpg configuration is set up (is it trying to talk to a gpg-agent or possibly a pin-entry program that is timing out or something like that). Intrinsically what it does is completely trivial in terms of compute etc.


Back when 1password, 90% sure it was that, had no Linux client I was searching for a solution to store passwords and settled for Enpass.

I sync via WebDAV on my Synology NAS and I'm not really worried about losing anything since every synced device has a full copy of the data.

Thought about switching to 1password a few months back since we’re using it at work and the client is better but they don’t have an Enpass import. It supports some kind of CSV transfer but I don’t want to pay for a bunch of, worst case scenario, not really perfectly structured data so I decided to stick with what I have.

Edit: when thinking of switching I was a little nitpicky. I’m pretty happy with Enpass everything considered. 1p client is just even better but with the give them your data and your money thing, which I’m not necessarily fond of


Enpass is like Keepass but with a better UX. Which is exactly what I wanted, and it hasn’t let me down on iOS + Linux, synced via Dropbox.


Yes! Enpass is great, and I love that I can back it up to my own cloud instead of being forced into one cloud like with 1password


https://keepassxc.org/

"no-nonsense, ad-free, tracker-free, and cloud-free manner. Free and open source."

Pair with Syncthing to go across devices.


1password


1Password is the best password manager I've used, and the family plan works great and is reasonably priced ($60/year). Unlike many folks who are cloud-averse, I prefer a cross-platform solution that syncs to the cloud, and I'm comfortable with their security model (https://support.1password.com/1password-security/).

It's worth noting that they really fubared the 1Password 8 transition and I was very irritated that they had me looking at alternatives. However, they gradually fixed the problems and missing features and now I'm 100% satisfied with it again.


> “It's worth noting that they really fubared the 1Password 8 transition”

I’d never use 1Password again. While the software may be good when you try it, I’m sure they will ruin it at a later date. That was my experience. The company earned my enmity.


This. Hands down.

The downside is that is cloud based.


1Password is making choices for the business at the cost of security. Sucking people's password vaults into their cloud is very not cool. Additionally removing the local vault only option is another business first decision.

It's only a matter of time before 1Password has a real security problem because the business forces at 1Password appear to be much stronger than the engineering forces.


1Password is E2E encrypted, no, with decryption/encryption happening only at the edge? If the cloud storage is compromised, that doesn't mean the attacker can read the passwords?


If 1Password controls the storage and the access, that is a different architecture than 1password controlling the access but not the storage.

They gave me the choice, and then they took it away so they could make more money, directly at the cost of security.

They want to add telemetry: https://news.ycombinator.com/item?id=35691383

It's a march of small concessions and after 5 years of marching you find yourself very far away from where you thought you were. "We only collect things that don't matter to you, trust us."

They are taking money: https://news.ycombinator.com/item?id=29993961

That means that shareholders can make the company choose things that benefit shareholders at the cost of customers. Taking investment is a fundamental change in trust architecture.

I no longer believe that 1password is aligned with me, and alignment is a constant force always acting. Removing local vaults was proof of lack of alignment. Removing local vaults was proof that 1Password will choose money over security. Removing local vaults was proof that appearing worthy of trust is a lower priority than coercing people into their cloud.


No, but it means a fake 1P login page can be served, and that will result in some non-zero number of people who didn't have a choice on a local sync having their credentials compromised. I am a huge 1P fan and I think their whitepapers show off their top-tier talent in the crypto space, but killing local sync was a very crummy decision.


Conversely: I have zero interest in managing the storage of my own password vaults. It's a trade-off I'm willing to make for convenience and durability.

By way of example: I recently moved overseas, and in the process I wiped my desktop and moved to a laptop-only setup. Unfortunately, I managed to back up an outdated Adobe Lightroom catalog, not my current catalog, so I lost about two years' worth of catalog data -- including Lightroom edit histories. Yes, this is obviously a mistake on my part, but I recognise that I make these mistakes, and I'm willing to trade some loss of privacy and security for a significant decrease in a different risk profile.

Removing a local option is shitty, but there's nothing wrong with providing cloud-based storage.


Almost everyone who was doing local storage put their vault in dropbox or something similar.

The problem isn't their offering of their custom cloud storage solution, but them forcing it upon people who were happy with the current state.


To be fair to 1p, they’ve got a great track record with cloud security.


I have to agree. Been using it ~5 years with no issues. There may be application specific reasons some other manager is better, but for an easy to use and seemingly solid product, I'd recommend 1password.


1password has a great UI imo. and they now support ssh keys as well (albeit a bit strangely, but at least they do).


I came here to say this.

I've used 1password for 16 years and it is SOLID.


I use KeePass. I sync with Dropbox. I've not found a solution that competes on simplicity and ease of use.


Dashlane has never failed me once since 2017. I even got my family to do the family plan. It rocks.


Since 2014 for me, through multiple startups. Easiest way to maintain personal passwords and still allow role-based management by any business I am managing or working with, in the same program and login.


Only one that reliably auto-fills and saves generated passwords for me.


pass, the standard unix password manager: https://www.passwordstore.org/


pass has issues: https://rot256.dev/post/pass/

This is very much a case of "don't invent your own cryptosystem", especially not in bash.


The author of that article wrote, "If you absolutely need the CLI interface, I do not really have any good recommendations for you." I think the existence of the (minor[1]) issues raised in that article are less annoying than having to use a GUI password manager (but I'm generally anti-GUI).

[1] https://news.ycombinator.com/item?id=34477901


PGP has a kind of authentication called MDC which is kind of a MAC. Changes to ciphertext are detected.

The metadata leakage is not good from a privacy standpoint, but brings about much more important security benefits that are mentioned in the post. Using Gopass will hide metadata.


Or gopass, if you need multiple stores/users

https://www.gopass.pw/


For all the people recommending keepassxc and are also iOS users, how do you deal with the lack of reproducibility of iOS apps?

Even “opensource” apps such as strongbox and keepassium have no way of asserting that whatever code they publish on GitHub is the same that I’m installing through the AppStore.

Am I just overly paranoid?

This is the main hindrance for me to using KeePassXC everywhere. If I’m going to blindly trust anyone I prefer to trust apple keychain.


Self-hosted Bitwarden via Vaultwarden


I was in the same boat as op: Didn't want to care about sync at all and use it on all my devices. Didn't want to rely on a third party. Vaultwarden solved that for me.

Like all services I self-host for personal use, it's only accessible via VPN.


Bitwarden is also quite family friendly, both in that it's easy to use and you can share passwords with other people.


I use Secrets (https://outercorner.com/secrets-mac/) which syncs via iCloud. Definitely not perfect, especially if you're not heavily within the Apple ecosystem, but at least it's native and doesn't require a subscription.


Do you have to pay separately for the mac and ios versions?


Yes.

If you want to save some money, it will give you an automatic 25% discount if you just wait around for some amount of days before buying the full version. Applies to both versions of the app.


Is there a compelling reason to use this over iCloud Keychain?


Does iCloud Keychain really have support for anything other than Safari?


I use it everywhere on iOS and macOS except maybe for my second browser (Firefox).


+1 for secrets. Simple, works.


Bitwarden can be self hosted. KeePass* you can sync with a separate service (eg Dropbox).


Codebook on iOS/macOS with local sync, almost 20 years old, indie dev, https://news.ycombinator.com/item?id=35804714


Keeweb.info

KeePass KDB file compatible, but can be accessed through a browser interface. Back up the KDB file to cloud storage.

Don't like bitwarden. Keeping your encrypted password file in Google drive is much better and portable than self hosting on your own server.


I like portable-secret which uses the built-in browser cryptographic functions, no external software.

https://github.com/mprimi/portable-secret


The most secure option is probably Password Store with a PGP key on Yubikey, in my view.

There is also Passage, which is a similar offering, but I have problems with Yubikey PIV PIN caching (and prefer CV25519 to NIST curves).


Enpass ftw, clients for all platforms, browser extensions and lets me backup to my own NAS/Dropbox/Gdrive


define best. most secure? most usable? most portable? most other?


Thoughts on SafeInCloud? I just opt not to sync to the cloud.


iOS/Safari


KeepassXC synced with Google Drive.


Keepass and syncthing.


1password no contest


Initially started with Dashlane, but it was such a pain in the ass that I never used it. When I started getting my shit together security-wise, I signed up for Bitwarden, then hosted Vaultwarden for a little while. I gave KeePassXC with Syncthing a shot and I'm probably going to stick with this setup.

I have very little confidence recommending anything other than Bitwarden/Vaultwarden or KeePassXC.

