64 comments

[ 16.5 ms ] story [ 647 ms ] thread
Available of “Always on Top” mode is good improvement.
I have been using KeePass for years. Why should I go to KeePassX or KeePassXC?

Their FAQs isn't too convicing!

> KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to. KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.

That seems pretty convincing if you want to easily open your KeePass file on Linux without dealing with Mono. I do that quite often.
KeePass is awkward on macOS and Linux. KeePassX hasn't had a release in 4 years. Thus, KeePassXC ... it's actually pretty good IMHO.
KeepassXC is using Qt for UI. That sounds a lot better to me than Mono.
KeePassXC is the move, you can import your old keepass database
The database is fully interoperable and the keyboard shortcuts aren't dumb.
Built in SSH agent - to store you ssh keys and make them available to your ssh clients. KeePass supported it to too, but awkwardly through an extension which needed to be separately installed.
FWIW, KeePassXC's auto-type can help keep your clipboard free of passwords; its built-in ssh-agent can keep your unencrypted keys off disk; it has the ability to read 1Password .opvault (that is perhaps becoming less important now that their 1Password for Linux is coming out, but it still has no support for _local_ vaults and I'm not holding my breath they'll fix that) ... and that's the best list I can come up with not having actively used either of the other clients
For Linux support. Keepass on windows, x or xc on mac and Linux.

Keepass is the best but the others are still fine as well.

Personally I've switched to keepassXC the day I had to read my password db from python, I could not make it work with keepassx
> On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.

This is extremely funny because they actually replaced the native UI with their own terrible theme. So actually, they deliberately sabotaged their own argument for using KeePassXC!

Granted, you can switch to the "classic UI", at least until they get rid of that. But there are a number of issues, including that the accent colors don't match, and there are a ton of complaint issues on their Github page:

https://github.com/keepassxreboot/keepassxc/issues/5280 https://github.com/keepassxreboot/keepassxc/issues/5092 https://github.com/keepassxreboot/keepassxc/issues/5301

Yeah their constant revisions to the UI lately has made me start reaching for Bitwarden more and more. There was once a time I could run it on Windows, Linux, Mac, at home or at work, and it all looked the same. Now I'm always guessing where things moved to or how to copy additional attributes...
In addition to what the others said...

- Safer web browser integration (uses WebExtension Native Messaging, rather than a localhost service)

- Built-in YubiKey integration

- "Health check" dashboard that shows you problematic passwords (expired, weak, reused, Have I Been Pwned integration)

> Built-in YubiKey integration

And OnlyKey support too!

I've been using KeepassX for about a decade, I forgot that Keepass was a separate application until just now.
(comment deleted)
I've fully switched to a bitwarden. There's a good selfhosted solution too https://github.com/dani-garcia/bitwarden_rs
I'm not sure what the benefit to locally hosted solutions like KeePassXC are to BitWarden. You can't beat BitWarden's ease of use and you don't have to manage storage / backups yourself. Bitwarden is open source, has passed multiple independant audits and has easily verified 0 knowledge / e2e crypto (they can't see your data on their servers). What more could you want?
>You can't beat BitWarden's ease of use and you don't have to manage storage / backups yourself.

You're managing your "self-hosted solution" and only a tiny share of people runs one anyway. Syncing a file along with other data/backups is a sufficient compromise between security and convenience for many people.

I have some contracts with large corps and US govt (non-military) that forbid my use of any password manager with cloud hosting.

The language is somewhat ambiguous and obviously written before things like LastPass/Dashlane/etc. even existed, but I tend not to editorialize when it comes to security reqs.

Maybe BitWarden would work for my purposes, but I have no complaints about KeePass, so I don't know why I'd switch.

I'll give you two reasons I use it over Bitwarden.

Bitwarden autotype is very sketchy on my (admittedly older) Android phone. For some apps it straight up doesn't show up, on others the prompt disappears when I need it. The alternative is to use the system clipboard which is absolutely terrible and no one should ever do it, especially on smartphones. The special keyboard option that KeepassDX and Keepass2Android provide are significantly better without being too inconvenient in my opinion. Whether or not the autotype issue is fixed on newer Android versions is irrelevant, I shouldn't have to switch out a perfectly working phone just for a workflow I can live without.

Also Keepass has been a standard for so long that I just trust it more. If tomorrow Bitwarden were to disappear off the face of the planet (I'm aware it doesn't work that way), I'd have to export my passwords and look for another solution. This is probably mitigated by self-hosting but I have neither the infrastructure nor the inclination to do so. I can theoretically at least continue to use my kdbx file on any platform without issue, sticking to a particular version of a client that I like or switching it out for another if I'm so inclined. No hijinks involved.

I will concede that the sync is not as convenient but I use Syncthing and Snapdrop for a bunch of other stuff already so I don't mind, not to mention the fact that I feel better about my vault never being exposed to the internet in any form.

I'd rather not run .NET (or especially MSSQL) if I can avoid it. I get enough of that shitshow at work...

Besides, Syncthing (with history enabled) gives me backups "for free" as part of the regular sync, whereas I'd still have to set that up myself when hosting Bitwarden.

On a quick scan, the "BITWARDEN LICENSE AGREEMENT" mentions "Commercial Module License". So some sort of Opencore and, TBH, I'm too lazy to check out further the implications.

On the other hand bitwarden_rs is GPL-v3. Like it or not, at the very, it is very clear where it stands.

Interestingly, KeePassXC has multiple licences and take the time to neatly list what is under which.

I don't use any of those. This is written in Go and doesn't use MySql. It's an encrypted file.
How can that comment be the best HN comment of a link of a KeepassXC release ?
Disclaimer: Hearsay

One thing a colleague mentioned about bitwarden that might be good is that you can basically "share" parts of your password store with external users.

That could be great if you are the IT guy that convinced people to use a password manager but sometimes still needs access to passwords.

For my usecase that never was important which Is why I am sticking with keepass which is pretty great

why use self-hosted when it can just run on MY computer? From over 10 years in development and lived all over the world, it taught me to NOT trust the internet. Keep password and really files local whenever possible. Put not so important files on hosting! USB drive are big now.
Not all password managment is for one person only. Sometimes you want something that can serve a whole team with some sort of granular level of who is allowed to see what. And from what I understood bitwarden is way better for that usecase than keepass.

I use keepass myself, because for my usecase it is the appropriate thing to use. At least I think it is.

Ah for sure! However, I think each person ought manage their own password in the current digital age.
it's self hosted on my netowork that if I want to access remotely I can via my VPN.
Does anyone know of a good KeepassX client on iOS?
Also interested. My current solution is to open the master file on my laptop, then slowly type the password from my laptop screen to my iOS device.

I think if you use a MacBook you can use a "universal clipboard" of some kind [1] but I use a linux thinkpad.

[1]: https://support.apple.com/en-us/HT209460

Apple has keychain linked to an icloud account but it's subpar of a password manager at best. Most mac people who I know that are techy just use lastpass.
KeePassium for the client on iOS and iCloud to sync the database between laptop and iPhone works pretty well
Another vote for Keepasium. There is a paid upgrade but if you have only one db file I don’t think it’s limited in any way.
If you don't want to pay a ton of money, I use KeePass Touch.
This was the rabbit hole that got me off ios.

Apple only cares about your security if you're gonna continue being a paying customer.

Mm, I want the option to

* set generated pw length beyond 128 back

* create groups of any unicode characters by myself and specifically black or whitelist them for the pw generation,

* manage all keyboard shortcuts, both the local and global ones,

* auto-type with a global shortcut any chosen entry individually—but username, password, and otp in particular—so that I don't have to fix the seq and delays every time the website changes or I'm somewhere with slower internet.

  The process would be: 
    either press a global shortcut to find an entry or pre-select it in the app, then use other global shortcuts to auto-type the attributes individually
* copy the password from the editing menu without revealing it,

* show the attributes in place of the notes

> * set pw length beyond 128 back

What's your usecase for such long passwords? 55 lower case ASCII characters (a-z) have over 258 bits of entropy.

As an example, that's more than the key length of AES-256. If my limited understanding is correct that would mean it gives no additional brute-force resistance to use a password longer than 55 lower case characters for anything AES-256 encrypted (and thus also for anything weaker than AES-256). Similar logic should apply if the password gets hashed to 256 bits or less (e.g. SHA-256 or bcrypt with 192bits).

Does that matter? Some passwords are a long-term security solution so who knows what kind of flaws, advances, or use cases you may have to deal with. The limits should be whatever the software and hardware permits.

Besides, a local password generator can be a convenient way to generate random strings for other uses as well.

You gain nothing.

The password is compressed into 256-bit key at the end so you gain nothing. Argon2 is used to derive the key, so all you need to worry is good password and maybe use keyfile if you want more security.

You're talking about the password for the password manager file, I think. I'm talking about the actual passwords you save.

A password manager shouldn't be limiting or directing the user on the length of a passwords they need. If someone, for instance, wants a hex char string with more than 512 entropy, they need more than 128 chars.

KeePassXC 2.6.2 does not have 128-bit limit for passwords you save. I don't know if the previous versions had because I have not tested.
> Does that matter?

Yes. Right now what you're asking for is useless nonsense, and your provided motivation is basically "But I want it" which puts you slightly lower priority than the little girl who wants a pony 'cos at least she can articulate why.

It matters. It may trick people into thinking that longer = more secure. Which is only the case up to a certain extent.

If you reach beyond 256 bits of entropy, there is no added security. No current system will use more than that. And going beyond that is not future proofing, because you're storing it in a current system, defeating any added entropy.

I don't see good reasons why you would use a password generator embedded in a password manager for non-security purposes. Security purposes here are always more important than other uses.

But if you do have a good example, feel free to prove me wrong.

Just a heads up, it fails to run on MacOS < 10.15

https://github.com/keepassxreboot/keepassxc/issues/5584

On MacOS I've been using MacPass (https://macpassapp.org/) for years, which uses the same file format (so can use KeePass with the same DB on other platforms) but is more Mac OS-y.
I am on 10.13.6 and use KeePassXC just fine, although I do build it from source, so that probably explains our different experiences. I just wanted to chime in that the accurate statement seems to be the prebuild dmg from them fails to run on < 10.15
This could use rebranding due to an unfortunate name. The intention is that it's "keep pass[word]" but it could also read as "keep ass".
I fail to see how this isn’t an objectively good thing
Lol I still see that too! I get an immature chuckle every now and then. Maybe that's why I stick with it instead of lastpass.
Always thought of it as Kee Pass as "key pass" - the key to your pass.
googling for 'man date' to read the manual page on date always gives me a second thought.