KeePassXC + syncthing to sync the database file has been a solid combo of secret storage across all my devices, even Android phones. It's been working perfectly for 5 years now.
I have a PCengines box at home running wireguard that also runs an always on instance of syncthing so I can sync to and from my home network from a Starbucks or wherever.
It takes a little setup but once that's done it's very much "fire and forget".
I use KeePassXC (strongbox on phone) + Nextcloud. Everything is wonderful except for nextcloud hiccups. I recently uploaded a resume and realized after it sent that the metadata was incorrect and a local file rename must have been overwritten. Embarrassingly, I had to send an email with the right resume. I sent it from my phone. Right after I checked on the sent email and found that the nextcloud file through ios files uploaded 86 bytes of junk rather than my resume, so I had to send another email.
I went with this combo as well. My requirement was to sync my password database across multiple platforms (Windows, Linux, MacOS, and Android). KeePassXC works great on all the desktop OSes, and there's a couple choices for Android apps (I chose Keepass2Android).
It does have downsides, mostly around Syncthing: it's a bit of a battery hog and there's no iOS app. If either one of those ever becomes enough of a problem for me I can just switch it out for one of the more normal cloud storage providers though.
This is exactly how I do the very same thing, and same as yourself, it's been working pretty much flawlessly for me since day one. Mine's Linux + Android, but I assume the same would work across any operating systems supported by SyncThing and KeePassXC.
> For something that just needs to store passwords, I don't see why there needs to be monthly updates or anything like that.
Because usability and UI do make improvements (probably an unpopular opinion on HN...) and follows trends, KeePass does look completely outdated, the UX is completely outdated and the – nowadays – most important part, browser integration, is only achieved via plugins.
Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.
> Because usability and UI do make improvements (probably an unpopular opinion on HN...) and follows trends, KeePass does look completely outdated, the UX is completely outdated and the – nowadays – most important part, browser integration, is only achieved via plugins.
This is a pretty good point, even if i'm of the opposite opinion!
To me, KeePass is wonderfully boring and usable, much like spreadsheet software (e.g. LibreOffice Calc), it doesn't waste space and does everything i need it to.
Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible. Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.
> Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.
Your argument about suggesting the more "modern" looking software to non-technical folks is a good one, though! Of course, at the end of the day, some folks will still store their passwords in plain text or Excel/Word files because the cognitive load of using any non-browser-based password manager is too much cognitive load for them. Or even using a password manager at all, hence we still get sticky notes with passwords etc., human nature isn't too likely to change anytime soon.
>To me, KeePass is wonderfully boring and usable, much like spreadsheet software (e.g. LibreOffice Calc), it doesn't waste space and does everything i need it to.
agreed. keepassxc has much more padding/whitespace than keepass.
>Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible.
I'm mixed on browser integration. On one hand it's more convenient and can potentially be more secure (can protect against phishing attacks because it can check the url for you). On the other hand, having a direct link to your entire password vault is a massive attack surface. The ideal implementation for me would be an addon that can auto-fill credentials, but require explicit approval from the app to fill anything. To my knowledge no such implementation exists.
>Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.
If I'm not mistaken you can set KeePass (and KPXC) to show a confirmation popup before the browser extension can access a password for a website. But I haven't used this function so I'm not 100% sure.
I switched to XC years ago when I discovered browser autofill support, TOTP, and SSH key functionality are all built-in and don't need plugins. (fewer things to set up and keep up to date) Since the database file format is the same, the switch was painless.
KeePass is made in C#, KeePassXC is made in C++. That alone might make your life easier if you need to use it in Mac or Linux, because I've found making Keepass' C# plugins work on mono is tricky, while KeePassXC doesn't need plugins for my use cases.
Edit: Looks like KeePassXC doesn't support plugins, and I hadn't noticed :/
I can vouch for this solution. Combined with a common secure folder for core team members, and it's a great way to share key accounts that don't support multi-user. Otherwise, we'd never rotate passwords!
It could automatically load SSH keyd to Putty Agent on DB opening. Nice convenience for e.g. GitHub keys. Learned about it accidentally after long usage. It performs great for core functions. I store the db in DropBox and the second factor key file in OneDrive personal vault.
For anyone that does challenge-response with a Yubikey like I do, I'd suggest Keepass2Android Password Safe[1] if you're on Android. I've been using it for years and it's well maintained in terms of updates and features, and it supports the KeePassXC challenge-response method. Edited to add: And it's open source[2].
My main use case for KeePassXC and KeePass2Android is security against obsolescence.
I don't trust LastPass or 1Password to keep working in 2032 or 2042, but I'm certain some version of my personal .kbdx file will still exist and be usable.
For everybody trying it:
avoid the password sharing feature. It's currently hopelessly broken. The last time I had a look it was a known issue that needs major rework.
IMO that can be worked around be keeping a dedicated database for shared scenarios -- albeit not practically fine grained for every secret. (I don't care, yet)
38 comments
[ 2.9 ms ] story [ 84.4 ms ] threadI have a PCengines box at home running wireguard that also runs an always on instance of syncthing so I can sync to and from my home network from a Starbucks or wherever.
It takes a little setup but once that's done it's very much "fire and forget".
Edit to add:
There is Möbius Sync [0] but I didn't have much success with it. It did work but not quite the way I wanted so eventually I just deleted it.
On Reddit [1] people suggest all sorts of workarounds using other sync tools, like iCloud or NextCloud. Not ideal.
[0] https://www.mobiussync.com/ [1] https://www.reddit.com/r/Syncthing/comments/ese82l/ios_users...
It does have downsides, mostly around Syncthing: it's a bit of a battery hog and there's no iOS app. If either one of those ever becomes enough of a problem for me I can just switch it out for one of the more normal cloud storage providers though.
really? looking at the keepass site:
>Latest News
>KeePass 2.50 released
>2022-01-09 14:15. Read More »
>KeePass 1.40 released
>2022-01-02 11:42. Read More »
>KeePass 2.49 released
>2021-09-10 16:18. Read More »
>KeePass 2.48 (2.48.1) released
>2021-05-07 14:34. Read More »
For something that just needs to store passwords, I don't see why there needs to be monthly updates or anything like that.
Because usability and UI do make improvements (probably an unpopular opinion on HN...) and follows trends, KeePass does look completely outdated, the UX is completely outdated and the – nowadays – most important part, browser integration, is only achieved via plugins.
Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.
This is a pretty good point, even if i'm of the opposite opinion!
To me, KeePass is wonderfully boring and usable, much like spreadsheet software (e.g. LibreOffice Calc), it doesn't waste space and does everything i need it to.
Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible. Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.
> Don't get me wrong, I still use KeePass, but I would never recommend KeePass to non-technical users (and would think twice about recommending it to technical users) while I would recommend KeePassXC to my mother.
Your argument about suggesting the more "modern" looking software to non-technical folks is a good one, though! Of course, at the end of the day, some folks will still store their passwords in plain text or Excel/Word files because the cognitive load of using any non-browser-based password manager is too much cognitive load for them. Or even using a password manager at all, hence we still get sticky notes with passwords etc., human nature isn't too likely to change anytime soon.
agreed. keepassxc has much more padding/whitespace than keepass.
>Furthermore, browser integration actually wouldn't be something i want - i'd prefer to keep those pieces of software as far from one another as possible.
I'm mixed on browser integration. On one hand it's more convenient and can potentially be more secure (can protect against phishing attacks because it can check the url for you). On the other hand, having a direct link to your entire password vault is a massive attack surface. The ideal implementation for me would be an addon that can auto-fill credentials, but require explicit approval from the app to fill anything. To my knowledge no such implementation exists.
>Though using the OS clipboard could also be problematic, of course, which is my current approach when i want to log into a site.
Keepass has auto-type, which works around this.
I personally prefer the original client for it's UI and only use XC for Mac because it doesn't need XQuartz
Plus, I'm not sure if KeePass can generate TOTPs (if it can, it's too hidden for me), but with KeePassXC is right there after an easy setup.
Still has both installed, but only use the XC.
Edit: Looks like KeePassXC doesn't support plugins, and I hadn't noticed :/
I use it everywhere I have to but on Android where I use KeepassDX.
https://keeweb.info/
[0] https://github.com/keeweb/keeweb
[1] https://keeweb.info/
[1] https://play.google.com/store/apps/details?id=keepass2androi...
[2] https://github.com/PhilippC/keepass2android
I don't trust LastPass or 1Password to keep working in 2032 or 2042, but I'm certain some version of my personal .kbdx file will still exist and be usable.
Using the Apple Silicon version on the MBP14" works great!
For everybody trying it: avoid the password sharing feature. It's currently hopelessly broken. The last time I had a look it was a known issue that needs major rework. IMO that can be worked around be keeping a dedicated database for shared scenarios -- albeit not practically fine grained for every secret. (I don't care, yet)