XC is where it's at imho. It's not perfect, but it improves upon KeePassX a KeePass improvement itself. It's fast, cross platform, and has decent encryption options. It's probably not for sharing with a team of any size, though I have done it and fought with locking via outside communication, but I just hate all the enterprisey cloud password managers that live so close to a browser, and find myself going back to keepassxc (and gpg and ansible vault).
There is room for growth in the business passman market.
Not sure there's that much growth potential there. In the cloud space, there's a bunch of offerings. In the on-prem space, products like Thycotic Secret Server and ManageEngine's Password Manager Pro cover the ground of companies willing to pay moderate sums of annual licensing.
I've reached similar conclusions; its inclusion of the SSH Agent as well as TOTP and browser integration made it a good choice for Linux. On Windows I've got a team still sticking to normal KeePass on a shared drive; not the greatest solution but it does work well with multiuser scenarios
What's wrong with KeePass for Windows? I'm using it and it works for me. I actually prefer it to C++ version, because .NET is a managed runtime and provides defense from some common vulnerabilities which is important for security software.
The single thing that keeps me from sticking with KeePassX is simply because it doesn't have the auto-type feature. I love that it's open source and works on all OS, but that is such a convenient hotkey that it's hard to give up.
Only used KeePassX until now but will try out XC! I keep my pw-db + image in a self-hosted (gitea) private git repo (with general filenames along 100s of files) for availability. Would be cool to be able to integrate XC with git
I have been using KeePassXC and am quite satisfied with it. Hope they add the option of being able to specify multiple URLs e.g. for some apps, the URL scheme is androidapp://... which doesn't work with fetching favicons.
I used Qt5 settings editor to make it similar to non-QT apps (I'm using XUbuntu) but that only takes care of window/toolbar/icon/fonts. Just so happens that I don't use a dark theme so I'm happy with the results but I can see that it'll standout in a dark themed desktop.
I just wish I could convince them that specifying a monospace font is not the same as specifying an unambiguous font, and it matters because not everything is cut & pastable.
In the password fields, I don't know how anyone either writing or using a password manager doesn't consider unambiguous glyphs to be critical. It's a password manager not a greeting card designer.
They think they have solved this by specifying the font to be monospace in the password fields (maybe notes too I don't remember).
I submitted an issue complete with pictures of passowords written in monospace fonts in KeePassXC where the characters are ambiguous.
It shouldn't even require pictures to convey the problem. Once someone says "the property "monospace" and the property "unambiguous" are two dufferent properties. It's an unsafe and in fact broken assumption.", you'd think that would shed all the light necessary.
But what more do you do when tbey don't see it even WITH pictures? Fork it yet again? Just to add a config option to let the user or desktop integrator select an arbitrary font for some display fields?
What really bugs me is, they didn't say "yeah that would be better but it's hard and we don't know when anyone might get to it" No, they think it's already done.
Failing to get that idea across really made me wonder about the parts of their work that aren't so visible.
(to GP) I really have to say, this is not how you should ask someone else to fix a problem. Going at the developers on a personal level is NEVER a good thing. If it was my project, I probably would have closed the issue completely after you insulted me this personally.
Regardless of the conversation, it really bothers me when the person locking a thread also posts the "last word" before locking it, allowing no chance for rebuttal.
> "fixed" and "unambiguous" are different things
(note: there is no QFontDatabase::UnambiguousFont)
and an actual bug somewhere else as the root cause
> broken in lubuntu 17.10: resulting font was neither fixed nor unambiguous.
which finally resulted in:
> this kind of utility needs the option to specify a specific font
but things got heated between "not a bug: fix your system" and "this utility can be improved" ending in personal insults and everyone being annoyed by each other despite showing great love for the application (just foss things)
It looks like you've got a bone to pick with them not having agreed with you. I had a look at your Github issue and I agree that this is down to your _system_ not the application; your screenshots don't demonstrate the problem either.
It’s not a bug with the app, but the OP’s is a reasonable feature request.
The ability to specify an unambiguous font for password fields, for example, makes absolute sense.
And the app defaulting to the monospace font is not an appropriate solution, because a user may pick a monospace default which isn’t unambiguous. Not every app requires unambiguity the way a password field might, so to require the user to change their default font is not a great solution.
There’s a reason emacs, vim, etc allow you to set your own fonts specific to the app that’s different from your DE defaults. That’s because they have very specific requirements that may be different from what you’re looking for in a general default font for your DE. The same is true for something like the password field of a password manager app.
Honestly, certain devs in this case started insulting the OP well before the OP said anything unreasonable, probably because for some reason they came up with the idea that the OP thought this was a heinous bug when, as they clarified, that was an invention on the reader’s part with no grounding in anything the OP said, who was not calling it a bug, nor by any means calling it heinous. Of course the discussion went off the rails after that with the OP unnecessarily getting personal, but I can see where their frustration came from even if they shouldn’t really have acted on it.
It's very rare that you need to disambiguate letters. My handwriting only disambiguates words of you accept contextual clues, and even then ...
Stylistic considerations, some of which ride on centuries of history, overriding information transfer is extremely common (that's not an excuse, more an observation). Just look at how this site [HN] uses gradual desaturation to convey downvotes, abysmal UX, but the designer clearly felt it was fit for purpose.
Agreed, a an "unambiguous" option when generating a password would be nice, along with some colouring depending if it's a letter, a number or a special character would be nice.
This might be my favorite feature in Bitwarden. Numbers are colored differently than letters. Red may not have been the best color choice but not being colorblind myself, I can't say whether it's an issue in practice.
I use git to version my Keepass database files. It's not great, because if you store binary files inside the Keepass database, the git repo's size grows very fast. I do it because I don't trust the apps I use to not corrupt the file. Does anyone have alternative solutions?
Something like pass lends itself ideally to version control, but all my entries' metadata (names, dates) are visible, which is a problem for me. I want to be able to store my secret database even on untrusted infrastructure.
Currently, I'm pondering storing big or often updated binary data separately from the passphrases and similar low-footprint data.
I've been using SyncThing for years with my KeePassXC database without issues (including Android for use with Keepass2Android).
On the odd occasion it's been modified on two devices without a sync and SyncThing produces a sync-conflict file, a simple "Merge from database..." within KeePassXC happily pulls in the newer data from both databases to merge them again.
I use the Staggered File Versioning feature on at least one device + a separate backup mechanism to satisfy my paranoia about losing the database.
I keep the db + image file in a selfhosted (gitea) private repo. The repo contains 100s of files and I named the keepass files very general to hide in the open if my server is hacked.
Hmmm... I haven't taken a look at what the raw DB file looks like but I imagine it wouldn't be too hard to differentiate from the other files if looking at the bytes on disk. Food for thought...
Yes its possible, but needs finding out. There is also another file among the 100s that needs to be used with a strong password tough. All these layers make me feel it's safe enough
For my own ultra-secure (offline) storage, I use a strong password for a KeepassX DB stored on a LUKS-encrypted USB drive that's only plugged in when needed. Layers are the way to go ;)
I store my keepass database on a private Seafile server hosted on a cheap cloud VPS. What I like about this solution is: 1) the file is stored in an encrypted seafile library with client side encryption so that a potential hacker could not access the file even with access to the server. 2) delta sync for my other large files. Disclaimer: I am in no way associated with seafile, just a happy user for many years.
I just branch my kdbx file every ~4 months to withstand dB corruption. Appending -$date suffix on the filename. I also sync the database (using nextcloudpi) between mobile (keepassdx) and desktop.
Is there a good “secrets manager” or “encrypted information manager” that’s free (preferably also open source) or quite cheap (not subscription based), is multi-platform (including mobile) and supports auto-fill in other applications (especially browsers)?
Password managers with password generators and 2FA code generators are ok for work related use, but they usually may not cover other pieces of information, like credit/debit cards, software licenses, identification cards, hardware/appliances, etc. Adding custom fields in each entry by oneself isn’t a great option. Perhaps it’s not a great idea (even with a very strong master password) to put all the information in one database, but I see value in being able to store, retrieve and auto fill different kinds of information (even if some may seem too complex to define in a generic schema).
I already tried Bitwarden, but it covers only passwords, cards and identities (plus secure notes).
It's just a bunch of gpg encrypted files with as much stuff as you want in them, in any format you want (password on first line). Easy to share/sync to whatever you want. Lots of interfaces on lots of platforms but you really don't need an interface.
Highschool me fucked up pass and exposed a lot of data. It was entirety my own fault, but there are footguns if you don't fully understand the model.
Essentially, I accidentally publicly exposed my private key. I thought I was clever for writing a Python script to dump all my passwords and then re-add them after setting up pass with a new key.
A year later, when I accidentally deleted my private key (reformatted laptop, phone bricked before set laptop back up), I spent a few hours trying to figure out if I made a mistake that would let me recover my passwords. I was very motivated :)
Eventually, I realized that since I'd been using git to sync pass between my phone and computer (the recommended setup) I could access versions of my encrypted data for every account more than a year old and decrypt them with the private key I leaked. I got back almost all my data.
Luckily I was using a private git repository for defense in depth, but many guides recommend a public reposity because they say gpg is very strong.
It all works, but only if you don't do something dumb like I did. Now I'm on 1password and happy knowing that experienced people are paid to make it and smart security researchers like Troy Hunt (of haveibeenpwned fame) have said it's the most secure password manager they've looked into.
(I said the same thing earlier in a different post)
I did, but I presumed that I should still change the key once it was exposed. IIRC it was a nonrandom long passphrase (the first letter of every word in a 20-30 word sentence, I think. I've since moved to memorizing random passphrases). I was able to remember that password when I needed to recover the data later.
I don't really understand why Keybase hasn't pushed into this area. It seems like an obvious addition along with their other team services and new tools like git
I've been using CryFS with Google Drive for any kind of sensitive information and it has worked wonderfully well so far. I mostly store sensitive documents, encryption keys, 2FA setup and reset codes in there. A password manager could easily be built on top of it.
Try KeePass. There's .NET implementation for Windows, there're few cross-platform C++ implementations for Linux and macOS, there are integrations with browser, there are mobile clients and you can configure sync as you like. For example I'm using KeePass on Windows desktop, synchronize it to my WebDAV server and then synchronize it with KeePassium iOS app. It works well and I control every single bit of it (I don't use browser extension because I think that it's too dangerous to let all my passwords to be accessible by something running in browser, but it's possible if you don't care). Simpler option for synchronization is dropbox which is popular among many users and works just as well.
I really love all the work that has gone in to XC but I preferred the original look and feel of Keepass 2. I feel the need to get over that and try XC again. It’s great to see it continuing to get development and new features.
Only the look and feel. Meanwhile the cross platform compatibility of XC appeals to me. I never had much luck running Keepass 2 with mono whereas XC takes care of all the cross platform woes
I used the original KeePass 2 client for a long time but at some point I looked for a more stable and good looking client. Since I am mainly a macOS user, I found MacPass [1]. I highly recommend it for any mac users. Its been nothing but stable and good for me.
I noticed in the screenshots that KeePassXC can show TOTP for an entry. Doesn't it limit the usefulness of a TOTP, if both the password and the TOTP seed are stored in the same location? Or am I missing something?
You can have a separate database file as a backup for your TOTP secrets. This way you can setup the TOTP with KeePassXC directly, then transfer the secret to your phone for example. This assumes you can trust the device from which you setup TOTP with KeePassXC.
Looking for some advice here. I am generally happy with KeePassXC (switching from browser-remembered passwords was a big step forward for me), but I have a feeling that it might not be a perfect solution for me.
I have four devices that are being used on almost-daily basis:
- work PC
- home PC,
- laptop,
- smartphone
work and home PCs are often on at the same time leading to a situation where I have KeePassXC database open - it happens I just leave home/work without closing / locking the database (or it prompts database modified - save?) which might lead to some desync scenarios (it already happened to me).
So I think I need something that will not keep local database as KeePassXC does, but will use online store. I am not a big cloud fan, so would prefer to host in on my own infra.
My requirements:
- self-hosted
- online (some API-based),
- cross-platform (at least Windows/Android but with Linux in mind)
- browser-aware completion (similar to KeePassXC) - Firefox + maybe chrome,
Is bitwarden a way to go? Or is there something better?
Hi check out my comment right in the thread right above yours... :-D
Don't know if KeepassXC has the same functionality as Keepass, but they provide an option to use a LocalDB/MasterDB synchronization [0]. This could help preventing desync problems.
For anyone that's used both, any impressions on how XC compares to BitWarden?
I've been looking to switch from my older copy of 1Password - I don't care about cloud support, beyond letting me keep the encrypted data in Dropbox or similar, but I really appreciate a good browser extension and mobile app.
76 comments
[ 3.0 ms ] story [ 134 ms ] threadThere is room for growth in the business passman market.
LDAP auth, has ACLs, uses on-prem database server.
Why no love? Perhaps because windows-only.
[1]: https://www.soft-o.com/
This is a real deal breaker.
I've gotten used to the painless ssh-agent integration KeepassXC has and really wasn't looking forward to trying to switch to another manager...
In the password fields, I don't know how anyone either writing or using a password manager doesn't consider unambiguous glyphs to be critical. It's a password manager not a greeting card designer.
They think they have solved this by specifying the font to be monospace in the password fields (maybe notes too I don't remember).
I submitted an issue complete with pictures of passowords written in monospace fonts in KeePassXC where the characters are ambiguous.
It shouldn't even require pictures to convey the problem. Once someone says "the property "monospace" and the property "unambiguous" are two dufferent properties. It's an unsafe and in fact broken assumption.", you'd think that would shed all the light necessary.
But what more do you do when tbey don't see it even WITH pictures? Fork it yet again? Just to add a config option to let the user or desktop integrator select an arbitrary font for some display fields?
What really bugs me is, they didn't say "yeah that would be better but it's hard and we don't know when anyone might get to it" No, they think it's already done.
Failing to get that idea across really made me wonder about the parts of their work that aren't so visible.
I think i understand what this is about. It starts with this code (inlined for brevity)
and this distinction of characteristics and an actual bug somewhere else as the root cause which finally resulted in: but things got heated between "not a bug: fix your system" and "this utility can be improved" ending in personal insults and everyone being annoyed by each other despite showing great love for the application (just foss things)The ability to specify an unambiguous font for password fields, for example, makes absolute sense.
And the app defaulting to the monospace font is not an appropriate solution, because a user may pick a monospace default which isn’t unambiguous. Not every app requires unambiguity the way a password field might, so to require the user to change their default font is not a great solution.
There’s a reason emacs, vim, etc allow you to set your own fonts specific to the app that’s different from your DE defaults. That’s because they have very specific requirements that may be different from what you’re looking for in a general default font for your DE. The same is true for something like the password field of a password manager app.
Honestly, certain devs in this case started insulting the OP well before the OP said anything unreasonable, probably because for some reason they came up with the idea that the OP thought this was a heinous bug when, as they clarified, that was an invention on the reader’s part with no grounding in anything the OP said, who was not calling it a bug, nor by any means calling it heinous. Of course the discussion went off the rails after that with the OP unnecessarily getting personal, but I can see where their frustration came from even if they shouldn’t really have acted on it.
Stylistic considerations, some of which ride on centuries of history, overriding information transfer is extremely common (that's not an excuse, more an observation). Just look at how this site [HN] uses gradual desaturation to convey downvotes, abysmal UX, but the designer clearly felt it was fit for purpose.
I don't see how that's ambiguous.
Something like pass lends itself ideally to version control, but all my entries' metadata (names, dates) are visible, which is a problem for me. I want to be able to store my secret database even on untrusted infrastructure.
Currently, I'm pondering storing big or often updated binary data separately from the passphrases and similar low-footprint data.
On the odd occasion it's been modified on two devices without a sync and SyncThing produces a sync-conflict file, a simple "Merge from database..." within KeePassXC happily pulls in the newer data from both databases to merge them again.
I use the Staggered File Versioning feature on at least one device + a separate backup mechanism to satisfy my paranoia about losing the database.
As a fellow paranoid, what mechanism are you using for the separate backup?
Password managers with password generators and 2FA code generators are ok for work related use, but they usually may not cover other pieces of information, like credit/debit cards, software licenses, identification cards, hardware/appliances, etc. Adding custom fields in each entry by oneself isn’t a great option. Perhaps it’s not a great idea (even with a very strong master password) to put all the information in one database, but I see value in being able to store, retrieve and auto fill different kinds of information (even if some may seem too complex to define in a generic schema).
I already tried Bitwarden, but it covers only passwords, cards and identities (plus secure notes).
* https://www.passwordstore.org/
It's just a bunch of gpg encrypted files with as much stuff as you want in them, in any format you want (password on first line). Easy to share/sync to whatever you want. Lots of interfaces on lots of platforms but you really don't need an interface.
Has git support...
Essentially, I accidentally publicly exposed my private key. I thought I was clever for writing a Python script to dump all my passwords and then re-add them after setting up pass with a new key.
A year later, when I accidentally deleted my private key (reformatted laptop, phone bricked before set laptop back up), I spent a few hours trying to figure out if I made a mistake that would let me recover my passwords. I was very motivated :)
Eventually, I realized that since I'd been using git to sync pass between my phone and computer (the recommended setup) I could access versions of my encrypted data for every account more than a year old and decrypt them with the private key I leaked. I got back almost all my data.
Luckily I was using a private git repository for defense in depth, but many guides recommend a public reposity because they say gpg is very strong.
It all works, but only if you don't do something dumb like I did. Now I'm on 1password and happy knowing that experienced people are paid to make it and smart security researchers like Troy Hunt (of haveibeenpwned fame) have said it's the most secure password manager they've looked into.
(I said the same thing earlier in a different post)
Emacs is good at automatically keeping gpg files. Not sure about mobile support.
[1] https://macpassapp.org/
Disclaimer: Not affiliated with MacPass in any way.
[0] https://keepass.info/help/kb/trigger_examples.html#dbsync
My favorite cloud provider is BitWarden[1], which I believe was the first cloud password service supporting hardware keys.
[1] https://bitwarden.com/
I have four devices that are being used on almost-daily basis: - work PC - home PC, - laptop, - smartphone
work and home PCs are often on at the same time leading to a situation where I have KeePassXC database open - it happens I just leave home/work without closing / locking the database (or it prompts database modified - save?) which might lead to some desync scenarios (it already happened to me).
So I think I need something that will not keep local database as KeePassXC does, but will use online store. I am not a big cloud fan, so would prefer to host in on my own infra.
My requirements: - self-hosted - online (some API-based), - cross-platform (at least Windows/Android but with Linux in mind) - browser-aware completion (similar to KeePassXC) - Firefox + maybe chrome,
Is bitwarden a way to go? Or is there something better?
Don't know if KeepassXC has the same functionality as Keepass, but they provide an option to use a LocalDB/MasterDB synchronization [0]. This could help preventing desync problems.
[0] https://keepass.info/help/kb/trigger_examples.html#dbsync
I've been looking to switch from my older copy of 1Password - I don't care about cloud support, beyond letting me keep the encrypted data in Dropbox or similar, but I really appreciate a good browser extension and mobile app.