38 comments

[ 2.9 ms ] story [ 84.4 ms ] thread
KeePassXC + syncthing to sync the database file has been a solid combo of secret storage across all my devices, even Android phones. It's been working perfectly for 5 years now.
I do this as well with syncthing.

I have a PCengines box at home running wireguard that also runs an always on instance of syncthing so I can sync to and from my home network from a Starbucks or wherever.

It takes a little setup but once that's done it's very much "fire and forget".

Indeed. On Android I'm using Keepass2Android Offline which doesn't even declare internet permissions, works great.
Same here. Been my setup for almost 10 years. Encrypted db file in an encrypted volume. Multiple offline and online backups.
I use KeePassXC (strongbox on phone) + Nextcloud. Everything is wonderful except for nextcloud hiccups. I recently uploaded a resume and realized after it sent that the metadata was incorrect and a local file rename must have been overwritten. Embarrassingly, I had to send an email with the right resume. I sent it from my phone. Right after I checked on the sent email and found that the nextcloud file through ios files uploaded 86 bytes of junk rather than my resume, so I had to send another email.
I have the same setup. One question, is there a Syncthing solution for iOS devices?
I looked into this a while back and Syncthing does not have an iOS app.
Apparently it's the longest running Issue on their Github: https://github.com/syncthing/syncthing/issues/102

Edit to add:

There is Möbius Sync [0] but I didn't have much success with it. It did work but not quite the way I wanted so eventually I just deleted it.

On Reddit [1] people suggest all sorts of workarounds using other sync tools, like iCloud or NextCloud. Not ideal.

[0] https://www.mobiussync.com/ [1] https://www.reddit.com/r/Syncthing/comments/ese82l/ios_users...

I went with this combo as well. My requirement was to sync my password database across multiple platforms (Windows, Linux, MacOS, and Android). KeePassXC works great on all the desktop OSes, and there's a couple choices for Android apps (I chose Keepass2Android).

It does have downsides, mostly around Syncthing: it's a bit of a battery hog and there's no iOS app. If either one of those ever becomes enough of a problem for me I can just switch it out for one of the more normal cloud storage providers though.

This is exactly how I do the very same thing, and same as yourself, it's been working pretty much flawlessly for me since day one. Mine's Linux + Android, but I assume the same would work across any operating systems supported by SyncThing and KeePassXC.
If I'm a happy KeePass user, and everything just works, is there any reason to switch to KeePassXC?
KeePass, as far as I can tell, is inactive. KeePassXC seems to be the logical successor that is active.
>KeePass, as far as I can tell, is inactive

really? looking at the keepass site:

>Latest News

>KeePass 2.50 released

>2022-01-09 14:15. Read More »

>KeePass 1.40 released

>2022-01-02 11:42. Read More »

>KeePass 2.49 released

>2021-09-10 16:18. Read More »

>KeePass 2.48 (2.48.1) released

>2021-05-07 14:34. Read More »

For something that just needs to store passwords, I don't see why there needs to be monthly updates or anything like that.

> For something that just needs to store passwords, I don't see why there needs to be monthly updates or anything like that.

Because usability and UI do make improvements (probably an unpopular opinion on HN...) and follows trends, KeePass does look completely outdated, the UX is completely outdated and the – nowadays – most important part, browser integration, is only achieved via plugins.

Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.

> Because usability and UI do make improvements (probably an unpopular opinion on HN...) and follows trends, KeePass does look completely outdated, the UX is completely outdated and the – nowadays – most important part, browser integration, is only achieved via plugins.

This is a pretty good point, even if i'm of the opposite opinion!

To me, KeePass is wonderfully boring and usable, much like spreadsheet software (e.g. LibreOffice Calc), it doesn't waste space and does everything i need it to.

Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible. Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.

> Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.

Your argument about suggesting the more "modern" looking software to non-technical folks is a good one, though! Of course, at the end of the day, some folks will still store their passwords in plain text or Excel/Word files because the cognitive load of using any non-browser-based password manager is too much cognitive load for them. Or even using a password manager at all, hence we still get sticky notes with passwords etc., human nature isn't too likely to change anytime soon.

>To me, KeePass is wonderfully boring and usable, much like spreadsheet software (e.g. LibreOffice Calc), it doesn't waste space and does everything i need it to.

agreed. keepassxc has much more padding/whitespace than keepass.

>Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible.

I'm mixed on browser integration. On one hand it's more convenient and can potentially be more secure (can protect against phishing attacks because it can check the url for you). On the other hand, having a direct link to your entire password vault is a massive attack surface. The ideal implementation for me would be an addon that can auto-fill credentials, but require explicit approval from the app to fill anything. To my knowledge no such implementation exists.

>Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.

Keepass has auto-type, which works around this.

If I'm not mistaken you can set KeePass (and KPXC) to show a confirmation popup before the browser extension can access a password for a website. But I haven't used this function so I'm not 100% sure.
It had an update this month. It's solid IMO. Gives me IrfanView vibes for some reason.
I like the KeePassXC interface way better, the database format is the same though.
I would say no. I've never found much of a notable difference between the two clients.

I personally prefer the original client for it's UI and only use XC for Mac because it doesn't need XQuartz

It is written in C++ and doesn't depend on .NET.
As a .NET developer, that's not something that would concern me :)
I don't think there is, the original is as good as it gets I think. I only switched to KeePassXC for their native Linux support.
I find the browser plugin easier to install, at least on Firefox. I tried to set up the auto-type of KeePass, but it never really worked.

Plus, I'm not sure if KeePass can generate TOTPs (if it can, it's too hidden for me), but with KeePassXC is right there after an easy setup.

Still has both installed, but only use the XC.

I switched to XC years ago when I discovered browser autofill support, TOTP, and SSH key functionality are all built-in and don't need plugins. (fewer things to set up and keep up to date) Since the database file format is the same, the switch was painless.
KeePass is made in C#, KeePassXC is made in C++. That alone might make your life easier if you need to use it in Mac or Linux, because I've found making Keepass' C# plugins work on mono is tricky, while KeePassXC doesn't need plugins for my use cases.

Edit: Looks like KeePassXC doesn't support plugins, and I hadn't noticed :/

I can vouch for this solution. Combined with a common secure folder for core team members, and it's a great way to share key accounts that don't support multi-user. Otherwise, we'd never rotate passwords!
This is another enthusiastic thumbs up for KeepassXC.

I use it everywhere I have to but on Android where I use KeepassDX.

Keeweb.info is also a good alternative OSS client with a web front-end, good as a last resort even on mobile browsers

https://keeweb.info/

It could automatically load SSH keyd to Putty Agent on DB opening. Nice convenience for e.g. GitHub keys. Learned about it accidentally after long usage. It performs great for core functions. I store the db in DropBox and the second factor key file in OneDrive personal vault.
My main use case for KeePassXC and KeePass2Android is security against obsolescence.

I don't trust LastPass or 1Password to keep working in 2032 or 2042, but I'm certain some version of my personal .kbdx file will still exist and be usable.

Been using KeePassXC and syncing on iCloud / OneDrive and has been working quite well.

Using the Apple Silicon version on the MBP14" works great!

Solid part of my software stack. I personally sync my password safe file with a Nextcloud instance I host.
I like keepassxc.

For everybody trying it: avoid the password sharing feature. It's currently hopelessly broken. The last time I had a look it was a known issue that needs major rework. IMO that can be worked around be keeping a dedicated database for shared scenarios -- albeit not practically fine grained for every secret. (I don't care, yet)

Keepassxc and Password Store are great offline password managers.