KPXC is brilliant. Recently I switched to it from BitWarden and I am satisfied. The only issue for me is the autotype support on Wayland (it's not there yet; currently only able to auto fill password and username for xwayland app).
I chose KPXC because I am in easy access to the database, and since I already pay for cloud hosting I just sync the database on the cloud (I use Seafile, I recommend!). Open and convenient :)
I'm sure Bitwarden is more than adequate as well though.
I recently tried it, as I don’t need 90% of the features NextCloud offers anyway. Sadly, the installation process seems far more complicated, and I ended up just abandoning it and going back to NC after getting unclear error messages.
I see; I use hosted version (some here https://www.seafile.com/en/partner/ -- they should advertise it better imo). Had no problems from the beginning (there are clients for Linux/Win/etc. as well).
I like the idea of self-hosting a lot, but I also think it's fine to have hosted services of OSS (I think you need to be technically oriented to make it work easily and reliably, which isn't everyone).
I've migrated from KPXC to Bitwarden because of all the sync conflicts and having to diff different versions and figuring out, which data is latest (yes, keepass-diff is a thing).
With Bitwarden, I cannot create a new password or change existing one without being online, but I consider that a small price for not having to deal with conflicts anymore.
Since logging in is an online activity, that means every modification should automatically sync to the database as well. Thus I've never had conflicts, I think Seafile handles conflicts very well (mostly silently?). Never had an issue really (although the Android app is slightly clunky).
Logging in doesn't have to be on the public internet. It doesn't have to be a some intentionally isolated network either, but think setting up IoT devices: you log to the AP they created, create credentials and then connect them to some other network with Internet connectivity. So while you are connected to their AP, you don't have sync.
The sync conflicts happened to me whenever I left keepass databases open and changed it on multiple devices. Usually, those changes were adding new accounts into the databases or changing a password on one while adding something on the other. This regularly happened when working in a team.
I assumed people would switch from Keepass + database synced on a private server to something else when they started working in teams and need better/easier permission models. :)
As you have mentioned it, I have written the tool keepass-diff (<https://github.com/Narigo/keepass-diff/>) to help me for exactly these conflicts and I could quickly resolve the issues with it. It was still useful enough to let me keep using Keepass. Was it not working for you or was it too hard to use because of how it needs to be set up first? Would you have stayed with Keepass + sync if something similar to this was integrated into UI clients?
I have checked a few settings on KPXC, and it has 'Automatically save after every change', 'Automatically reload database when modified externally' (and 'Safely save database') all enabled, not sure it helps (as I mentioned, never had any problems).
Not sure if NextCloud could be causing some issues? As I mentioned, I believe Seafile automatically overwrites (to newest version) and it's been fine (there's history if you lose something, which shouldn't happen anyway).
I do think this merge functionality would be very nice in KPXC, but for other reasons: I sometimes use the browser databases to save passwords (when I forget to open KP) and I need to merge the new entires.
I've used 'Automatically save after every change' and 'Automatically reload database when modified externally', as the other comment says, with syncing via Syncthing. It wasn't in team, but between multiple devices - laptop, desktop, phone and with a NAS in the sync chain, so there is something always on.
Yet, the sync conflicts happened anyways. The first time it was quite shock, why my password doesn't work, but then I found the conflict password file and the password from there worked.
Your tool made it much easier, big thanks for creating it.
Maybe, if the keepassxc had in the UI, that it detected a sync conflict (that would involve a knowledge how the misc sync tools work) and offered merging them, I would probably stayed.
Ultimately, I switched to vaultwarden, on the same above-mentioned NAS. It does not have all the features of the keepassxc, but it is good enough for me, the sync problems disappeared, and the browser integration works a little bit better (doesn't complain that the main app isn't running, while it is).
Sorry for the late reply. BitWarden is great. I really don't have anything to complaint (before BitWarden, I was using browser built-in password manager). However, I changed. I start to value the following:
1. I need a tool that can save not just password, but something more general. For example, a desktop software credential (with BitWarden, I need to open a browser or electron app to do that). Another example would be a PIN required each time I use the voice mail. Or certain PIN for my bank accounts (not the one used to login the online banking). I am aware you can save them in the note section, but it feels better when you can customize these fields. These non-password secrets used to be saved in plain text scattered around in various files on my PC. Now I have a centralized and organized access.
2. I know that with some configuration you can have self-hosted BitWarden vault. But I think KPXC + whatever_file_sync_app is simpler.
3. I actually started using KeePassXC because IT forced me so. I hated it initially, but later discovered it's actually a great tool for managing secrets in general.
4. HN Syndrome: preferring "native" app than web/electron.
Ah, didn’t know Bitwarden doesn’t support extra fields like that, that is something I use as well. Thanks for the reply, it’s rare to hear about some (even personal) negatives of bitwarden :)
I'm going to take a guess and say that you're using GNOME if you're using Fedora and yeah, I don't think auto type works on GNOME's wayland version yet. They're working on their own protocol called libie the last time I checked.
However, auto typing on Wayland works pretty well if you use wlroots compositors/window managers like sway.
I am curious why you switched from Bitwarden? Usually when people are exiting a password manager it’s migrating to Bitwarden or KeePass but you’re the first I’ve heard moving from Bitwarden itself.
I too switched from BitWarden to KeePass. I was reading about browser security and became concerned about running my password manager in the same process as the browser and relying on its sandbox. With KeePassXC I have the option to either forgo browser integration completely or use their addon which communicates to the manager and asks for an entry, which prompts for permission itself or uses an allow list by URL. That makes it much harder for a website to somehow break the sandbox and access my entire database.
It's a small change but it does reduce the attack surface as well as force me to manage my data myself which I want to do more of.
Also with BitWarden, their UI annoyed me when I needed a password outside the browser. L
I'm not the person you asked but I switched from BitWarden to KeepassXC. BW was very good so the only reason I looked for an alternative was I wanted something that would support entering passwords with autotype in OS apps instead of just the browser.
Love KeePassXC - it's a beautiful and speedy program which simply just works without ever causing any problems. The original KeePass always struck me as a tad heavy due to its somewhat archaic aesthetic and dependency on Mono, whereas KeePassXC looks modern and requires minimal resources and dependencies.
I combine it with KeePassium on iOS and Resilio Sync for synchronising across my main and mobile devices. (Syncthing doesn't offer an iOS client, sadly, hence the choice of using Resilio)
I recently researched password managers, settled on keypassxc. Happy I did. I use keypassxc on windows + keypassxc chrome plugin, strongbox on iOS and google drive for syncing. All works seamlessly.
I'll probably be switching from 1Password soon, as they get ready to force their Electron implementation onto customers. I downloaded Strongbox but I was surprised to find that configuring the storage backend was super confusing.
What is the best "backend" for setting up sync between KeePassXC/Strongbox/etc, between multiple clients active simultaneously?
Is there a good reason why we haven't seen something like a REST API enabled backend using KeePassXC as a client? Syncing files using off-the-shelf services is great that it exists, but it's obviously far from an optimal solution.
If you're after a rest backend for your password manager, Vaultwarden is likely what you're after
Having said that, I am in the same camp as some of the other comments in using KPXC for it's AutoType (and ssh agent), so if that's also your requirements then Vaultwarden won't get it done because the Bitwarden clients are aggressively stupid
I switched from KeePass to KeePassXC some years ago when I realized the XC browser extension was better than what KeePass offered. Sync via my own Nextcloud, KeePass2Android on mobile, works great :)
I'm using KeePassDX on Android (sync'd to KeepassXC on PC using syncthing). It works quite well and the GUI feels quite polished.
Of all the Keepass implementations in Android it seems to be the most actively maintained and featureful, but it's great to have a few different options. In addition to KeePassDroid (which I used to use, and have no major issues with) there's another (Authpass) on F-Droid which I haven't yet tried but looks promising.
In my experience - yes. I used Keepassdroid and on a new phone decided to try K2A but ended up much preferring the UI of KeepassDX. Its autofill works really well.
My only issue (albeit minor) with KeePassXC is that I can't drag'n'drop data (eg. username or password) from entry list to a browser control. It works perfectly in KeePass.
Keepass was recently found to be less secure and expose password in plain text in some situation. Depending on how your OS deals with drag and drop, might not be the safest option.
This might have been 2.6 already but I find the new flat interface kinda meh. Sure, not everyone was happy with the old 2.4 "native windows 95" look but with the new one everything just feels too big, like a mobile app on the desktop :(
I still use KeePassX and have no issues with it so no reason to move to XC. I do value an actively maintained project, but I also value stability - and particularly for a security-sensitive application, I quite like the fact that it hasn’t been updated in years (I’m not saying I assume all the bugs have been fixed, just that there is less churn in which bugs could hide). How should I evaluate the respective projects from the perspective of security, and the level of trust I should be placing in the developers?
I welcome updates that fix security vulnerabilities, but I view feature updates as a potential vector for introducing security vulnerabilities.
The difficulty is telling the difference between projects that rarely update because there aren’t any vulns, and projects that rarely update because they don’t care.
Been a happy user of KeePassXC for over 4 years now. I keep the password databases and keys synchronised across devices using Syncthing. Once I've set this up, it's pretty transparent and I haven't had to tinker with it.
Same setup, the DB only came out of sync (conflict) a few times but that's because with my setup Syncthing is only doing it's thing when I'm on my local network...
> Same setup, the DB only came out of sync (conflict) a few times but that's because with my setup Syncthing is only doing it's thing when I'm on my local network...
keepass is one of those apps you are either forced on to due to a disaster (forgetting your important portal credentials at the most problematic time) or your memory is like a sieve.
it took me like 2015-2017 to teach my siblings to use it. now we have copies of each others kbdx files and passwords in our respective files so if there is an emergency to access the others data (which contains btw, all important data besides login credentials, passport numbers, tax information, expiry of policies) and other than the occasional password change which barely happens now because we don't go and willy nilly create accounts or changes.
this is a very low cost/maintenance option because the files exist on our phones, in our backups, on our devices, the whole shebang.
i don't need an online password manager, it simply will not work for me because i am relying on someone else and because the data is on my device, its as secure as the xkcd plumbing password
I started using it because using the same password for everything was a bad practice and it was time to stop. I think the vast majority of people with passwords reuse 1-3 passwords for everything.
sure but over time you forget "usernames". "what was the routing number of my bank" or "when does my passport expire" or "what is the private key of my crypto paper wallet, what is my paper wallet code itself".
"what was the recovery email/mobile to my fb/gmail?"
this works almost like a safekeep in case a person dies and their heirs get to access important stuff which otherwise get lost. i mean my family has a copy of my file with the password
* Runs on Linux/Mac/Windows and there are compatible clients for Android. Make your own cloud with a RaspberryPi referred by a DDNS and you'll have super powers.
* Auto-type. Is tricky to get it working but once you get it you'll become addicted.
* The UI makes it much easier to copy and paste fields and the notes are clearly visible. I often use the notes to store things like github tokens (for git), etc. However, I keep 2FA TOTP codes on my Pebble watch only. If you keep 2FA codes on the same file as your password then it isn't 2 Factor anymore, right?
Little things that bothered me:
* It took me a while to understand how does the Touch ID/fingertip reader works (you need to turn on the checkbox, press Ok on the authentication modal and then touch the reader). Touch ID is one of those things that suddenly you discover you can't live without.
* The browser add-ins are not always smooth and friction-less. Sometimes you need to reload the page, reopen the db. Chrome's add-in is the hardest to get working. Firefox's is better.
* Edit: forget this. As varjolintu explains bellow, this is wrong. ~~You can't have multiple addresses per entry. Some sites will login with different URL's and KeepassXC will not recognize all.~~
You can have multiple URL's per entry. However, those only work with the browser extension. Edit entry and go to Browser Integration tab. There's a list of additional URL's.
One of the things I like about the auto-type is that you can reconfigure it on a per-site basis in case the login sequence isn't the usual. I can have it page through my company's sso labrynth, enter tenancy IDs, trigger my preferred duo method or even navigate to a subpage after logging in. With most other PW managers you are just left with what it gives you and if it doesn't detect the logon fields, that's just too bad.
I can also make it auto-type into remote sessions, non-browser applications, and """""extremely secure""""" fields that don't allow you to paste into them.
I do use the 'url in title bar' browser extension (there are a lot of these) to help it lock on properly.
I really like the DELAY function. YouTube is one of those sites where they have email and password on different cards/sites, so I can just add a delay of about 3 seconds and the auto fill in will work:)
> Edit: forget this. As varjolintu explains bellow, this is wrong. ~~You can't have multiple addresses per entry. Some sites will login with different URL's and KeepassXC will not recognize all.~~
Create 2 entries for the same site and install the Keepass helper (url in title) addon
I may have to push my company to switch to this - now if only they would release their own Android / iOS client!
I know there are decent options for both mobile devices but it is harder to pitch a piece of software with multiple vendors than a single, unified vendor when security is a top concern.
> The UI makes it much easier to copy and paste fields and the notes are clearly visible. I often use the notes to store things like github tokens (for git), etc. However, I keep 2FA TOTP codes on my Pebble watch only. If you keep 2FA codes on the same file as your password then it isn't 2 Factor anymore, right?
Technically no, but whether or not that is a problem depends on the threats you're worried about.
I'm personally most worried about 1. credential stuffing, 2. keyloggers/client exploits, and 3. Phishing/MITM attacks.
Using a password database allows me to use different passwords for every site, which defeats #1.
TOTP even if it's in the same database solves for #2 since simply scraping the password isn't enough to gain access.
And #3 isn't addressed at all, even if you use a separate device for TOTP.
What I'm not especially worried about is specific targeted attacks where the attacker is attempting to acquire my database and crack it.
Now, if you store your password database on someone else's cloud, that could become more of a concern, as a mass breach and bulk collection of databases becomes a possible attack vector. But I use syncthing to directly share my DB between devices, so I'm not particularly worried about that.
If you're worried about either of those threats, then a separate TOTP device is absolutely vital. But, for me personally, the inconvenience of it is not worth the additional security.
You read my mind, as i was just asking myself the same thing. I have recently been thinking of switching over to bitwarden from classic keepass...but now i see keepassXC, and wondered what - if any - compelling feature/need that keepassXC brings...?
p.s. - Oh, and the reason for considering even moving to bitwarden is ease of mobile access by several people at once...since schlepping a keepass database via file sync stuff works sort of ok until you have to access the same file via mobile (possible but not great), plus my family and i kept stepping on each other's toes when updating said file, etc. Not hating on keepass, as it has served my family really weell...and i'm very thankful to the keepass devs! It is simply that we might be outgrowing it a tad...maybe.
Do you use any plugins with KeePass? KeePassXC might have those features built in. I had plugins for TOTP, SSH agent, and browser integration in KeePass, and it made setting it up and maintaining it a mild pain, but XC has them out of the box.
I had to use the old/creaky/unmaintained KeePassBrowser addon for Firefox back when I was still on regular KeyPass. The KeePassXC-Browser addon is still supported, and much cleaner.
I use keepass2 at work on a PC/windows and KeepassXC on my home computers (Mac and Linux). The only thing that make me still liking Keepass2 more is its compatibility with plugins. I can't wait for keepassXC to support them.
Never, ever mix Keepass2 and KeepassXC. KeepassXC does not support the sync protocol from keepass2 that allows multiple people/devices to use the same keepass database. We only found out after losing 200+ passwords.
Why do you want plugins? KeePassXC provides most of what KeePass needs plugins for out of the box in usually much better and more stable and tested quality. KeePassXC will never support plugins the way KeePass does and for good reason. Most plugins are unmaintained and some are outright dangerous to use. Your passwords are too precious to let unverified thirdparty plugins handle them.
If you need external functionality that is not available in KeePassXC, you can try to bolt it on via the KeePassXC-Browser API or open a feature request (or even better: pull request) to get it into the core application.
You can also trigger Global Auto-Type from the browser extension with seperate keyboard shortcut (or using context menu), and it handles the URL matching with Auto-Type without any extra extensions.
Multiple devices is a slight pain, you have to keep everything synchronized yourself, and conflicts mean you can lose passwords in your sync service debris (if you even have that feature).
I switched to Bitwarden in order to deal with this.
Did you try diffing the conflicting databases through a tool like keepass-diff before switching?
I'm the author of keepass-diff and built it for my own needs. Looking through the comments here about why people switched from Keepass to Bitwarden, it feels like the compare feature is something that should be integrated to UI clients as many people seem to face this problem. I always assumed it was more because of permissions and better ability to work with it as a team...
I did not, I wasn't aware of keepass-diff and certainly it would've been able to solve the problem. But to tell you the truth I don't think I would use it. This is something that I really don't want to have to worry about regardless of what device I'm using.
Thanks for the insight! I guess it's a hard problem to solve with these conflicts. I'm wondering how it could be automatically resolved if a user has the same thing open multiple times with changes to the same password...
I used KeePassXC for many years. As the number of devices on which I need my password manager proliferated I've moved to BitWarden primarily for the built-in database replication. One can certainly replicate KeePassXC db's using any variety of methods, but it becomes a liability on my time to ensure that it is operating properly. KeePassXC is quite a fine and useful bit of software.
The lack of built-in replication is considered by many (me included) as more secure as the db is only on a single system and never in the cloud or on the wire.
> Are there any "I wish I knew this beforehand" type of tips?
Read my comment on the top of the comments. The top features are browser integration, auto-type and integration with Touch ID/fingerprint reader.
> how would people compare this to something such as 1Password?
KeePassXC auto-type is a lot more powerful. It can be configured in several ways and works with a lot more windows: SSH sessions in terminals, os windows in programs, etc.
OTOH, 1Password is automatically "clouded". With KeePassXC you need to place the encrypted database in a cloud (OneDrive, Google Drive, Apple Drive).
I sync the (strongly) encrypted database throughout my devices with Syncthing and it works flawlessly. I have an old laptop with syncthing running always on to avoid sync conflicts.
You don't have to "make your own cloud" to use Syncthing : you can just set your phone and your laptop as sharing, and never have to handle a server at any time.
Of course it's not magical : for them to be in sync, you'll then have to have both turned on with Syncthing running at the same time.
But if you have something lying around, like an old laptop, it's trivial to have it running, and maintenance is super low, just keep update it from time to time : I have Syncthing running on a low cost server for multiple years, syncing pictures + documents, and the only issue I ever had was disk space running out once.
The other benefit of manually syncing KeePassXC is that you can require it to use a key file in addition to pass phrase. Then you sync the database using another service but not the key file (copy that to each client locally). I'd your cloud provider is compromised they are missing not only your passphrase for brute forcing (good luck) but also the key file.
KeePassXC won't let me upgrade/install the new version without rebooting. Exactly what "service" is it trying to modify at the OS level that it can't do without restarting?
I just tried it. On Windows, after install, you have 2 choices of restarting keepassxc-proxy.exe or rebooting OS. Restarting application failed bc folder/file is being held. It said failed, but without rebooting OS, it seems to have upgraded without problem.
KeePassXC seems more cool from the technical point of view but I like the original KeePass 2 look&feel much more. Is there a way to configure KeePassXC to look and feel like KeePass 2?
PSA: Never, ever mix Keepass2 and KeepassXC when using network shares. KeepassXC does not support the sync protocol from keepass2 that allows multiple people/devices to use the same keepass database. We only found out after losing 200+ passwords.
KeePass has triggers to run on open/close. Set them up to do a sync with your network share and the local database. This way every user has an up to date synced copy.
Switched from Bitwarden to KeepassXC+Syncthing last year, and I'm very pleased. But I personally enjoy collecting and organizing passwords, and I treat the KeePassXC database report as a kind of game that I'm trying to get a high score on (as many unique PWs as possible with high entropy).
KeePassX was abandoned years ago, which is why KeePassXC exists.
KeePass is a different product and more like the original inspiration for KeePassX/XC.
The other critical feature I want is for it to store my expired passwords, once I change them. I have had stupid services where the old passwords were still in use somewhere or the other, and I don't want to delete them.
Right now I just copy past them in the notes, but there should be an easier way.
One thing I like about the original KeePass is that it uses Secure Desktop API on Windows, which makes it difficult for malware/keyloggers to intercept your password as you enter it if you are infected.
I wish KeePassXC would implement this functionality on Windows. Seems there is an open issue, but KeePassXC author says this is just Windows security theater:
I had a discussion today with the author on also on a security topic. I feel that he has a very opinionated take at usable security (nothing strictly bad about it). My problem is that probably anyone can easily extract the key of the registered browser extension. Therefore it is really important to no "remember" the choice to share the password with the browser as it is otherwise rather easy to exfiltrate it (having local access to a running machine). IMHO the security an threat models aof many password managers are only clear to the authors. It is very difficult to make informed choices as a user. I don't like that every password manager claims to have the better solution without really explaining themselves to the user in a sincere way ( including tradeoffs)
Does KeePassXC has triggers like KeePass? I use triggers to auto-mount TrueCrypt drives after opened the password database, does KeepPassCX allow me to do the same thing? Thanks.
What would happen if the synchorized safe is open on two computers at the same time, they both add a new entry roughly at the same time?
I like the idea of this sync but I don't know how the internal implementation would handle this. Dropbox and Nextcloud both sync the files themselves, and in case of a conflict, they preserve both versions, and let you pick which one you'd like to use as the "canonical". It's a pain but at least the data is preserved.
140 comments
[ 3.8 ms ] story [ 153 ms ] threadI'm sure Bitwarden is more than adequate as well though.
I recently tried it, as I don’t need 90% of the features NextCloud offers anyway. Sadly, the installation process seems far more complicated, and I ended up just abandoning it and going back to NC after getting unclear error messages.
I like the idea of self-hosting a lot, but I also think it's fine to have hosted services of OSS (I think you need to be technically oriented to make it work easily and reliably, which isn't everyone).
With Bitwarden, I cannot create a new password or change existing one without being online, but I consider that a small price for not having to deal with conflicts anymore.
I assumed people would switch from Keepass + database synced on a private server to something else when they started working in teams and need better/easier permission models. :)
As you have mentioned it, I have written the tool keepass-diff (<https://github.com/Narigo/keepass-diff/>) to help me for exactly these conflicts and I could quickly resolve the issues with it. It was still useful enough to let me keep using Keepass. Was it not working for you or was it too hard to use because of how it needs to be set up first? Would you have stayed with Keepass + sync if something similar to this was integrated into UI clients?
Not sure if NextCloud could be causing some issues? As I mentioned, I believe Seafile automatically overwrites (to newest version) and it's been fine (there's history if you lose something, which shouldn't happen anyway).
I do think this merge functionality would be very nice in KPXC, but for other reasons: I sometimes use the browser databases to save passwords (when I forget to open KP) and I need to merge the new entires.
Yet, the sync conflicts happened anyways. The first time it was quite shock, why my password doesn't work, but then I found the conflict password file and the password from there worked.
Your tool made it much easier, big thanks for creating it.
Maybe, if the keepassxc had in the UI, that it detected a sync conflict (that would involve a knowledge how the misc sync tools work) and offered merging them, I would probably stayed.
Ultimately, I switched to vaultwarden, on the same above-mentioned NAS. It does not have all the features of the keepassxc, but it is good enough for me, the sync problems disappeared, and the browser integration works a little bit better (doesn't complain that the main app isn't running, while it is).
1. I need a tool that can save not just password, but something more general. For example, a desktop software credential (with BitWarden, I need to open a browser or electron app to do that). Another example would be a PIN required each time I use the voice mail. Or certain PIN for my bank accounts (not the one used to login the online banking). I am aware you can save them in the note section, but it feels better when you can customize these fields. These non-password secrets used to be saved in plain text scattered around in various files on my PC. Now I have a centralized and organized access.
2. I know that with some configuration you can have self-hosted BitWarden vault. But I think KPXC + whatever_file_sync_app is simpler.
3. I actually started using KeePassXC because IT forced me so. I hated it initially, but later discovered it's actually a great tool for managing secrets in general.
4. HN Syndrome: preferring "native" app than web/electron.
Are you using a wlroots compositor like sway or GNOME/KDE?
However, auto typing on Wayland works pretty well if you use wlroots compositors/window managers like sway.
https://github.com/keepassxreboot/keepassxc/issues/2281
I'm considering adding support for keepassxc in tessen but autotype works only on wlroots based compositors like sway right now.
https://github.com/ayushnix/tessen/issues/19
It's a small change but it does reduce the attack surface as well as force me to manage my data myself which I want to do more of.
Also with BitWarden, their UI annoyed me when I needed a password outside the browser. L
I combine it with KeePassium on iOS and Resilio Sync for synchronising across my main and mobile devices. (Syncthing doesn't offer an iOS client, sadly, hence the choice of using Resilio)
I host nextcloud and use strongbox. Nextcloud supports WebDAV and strongbox works well with syncing through that.
This is true, but pricing is currently $3/mo, $15/year, $60 lifetime. So the one time payment is larger than most.
What is the best "backend" for setting up sync between KeePassXC/Strongbox/etc, between multiple clients active simultaneously?
Is there a good reason why we haven't seen something like a REST API enabled backend using KeePassXC as a client? Syncing files using off-the-shelf services is great that it exists, but it's obviously far from an optimal solution.
Having said that, I am in the same camp as some of the other comments in using KPXC for it's AutoType (and ssh agent), so if that's also your requirements then Vaultwarden won't get it done because the Bitwarden clients are aggressively stupid
Of all the Keepass implementations in Android it seems to be the most actively maintained and featureful, but it's great to have a few different options. In addition to KeePassDroid (which I used to use, and have no major issues with) there's another (Authpass) on F-Droid which I haven't yet tried but looks promising.
BTW KeepassXC did not have the same issue.
I feel like this is an oxymoron. At least security updates should be something to look forward to, no?
The difficulty is telling the difference between projects that rarely update because there aren’t any vulns, and projects that rarely update because they don’t care.
I see. You've chosen not to use remote sync?
it took me like 2015-2017 to teach my siblings to use it. now we have copies of each others kbdx files and passwords in our respective files so if there is an emergency to access the others data (which contains btw, all important data besides login credentials, passport numbers, tax information, expiry of policies) and other than the occasional password change which barely happens now because we don't go and willy nilly create accounts or changes.
this is a very low cost/maintenance option because the files exist on our phones, in our backups, on our devices, the whole shebang.
i don't need an online password manager, it simply will not work for me because i am relying on someone else and because the data is on my device, its as secure as the xkcd plumbing password
this works almost like a safekeep in case a person dies and their heirs get to access important stuff which otherwise get lost. i mean my family has a copy of my file with the password
* Runs on Linux/Mac/Windows and there are compatible clients for Android. Make your own cloud with a RaspberryPi referred by a DDNS and you'll have super powers.
* Auto-type. Is tricky to get it working but once you get it you'll become addicted.
* The UI makes it much easier to copy and paste fields and the notes are clearly visible. I often use the notes to store things like github tokens (for git), etc. However, I keep 2FA TOTP codes on my Pebble watch only. If you keep 2FA codes on the same file as your password then it isn't 2 Factor anymore, right?
Little things that bothered me:
* It took me a while to understand how does the Touch ID/fingertip reader works (you need to turn on the checkbox, press Ok on the authentication modal and then touch the reader). Touch ID is one of those things that suddenly you discover you can't live without.
* The browser add-ins are not always smooth and friction-less. Sometimes you need to reload the page, reopen the db. Chrome's add-in is the hardest to get working. Firefox's is better.
* Edit: forget this. As varjolintu explains bellow, this is wrong. ~~You can't have multiple addresses per entry. Some sites will login with different URL's and KeepassXC will not recognize all.~~
But I am still a fan. I'd give it a 8/10.
Thank you. That's very cool.
You can use global Auto-type which brings up Keepass window where you can pick from relevant entries.
You can a Global keyboard shortcut and it will work mostly anywhere.
https://addons.mozilla.org/en-US/firefox/addon/add-url-to-wi...
I can also make it auto-type into remote sessions, non-browser applications, and """""extremely secure""""" fields that don't allow you to paste into them.
I do use the 'url in title bar' browser extension (there are a lot of these) to help it lock on properly.
Create 2 entries for the same site and install the Keepass helper (url in title) addon
I know there are decent options for both mobile devices but it is harder to pitch a piece of software with multiple vendors than a single, unified vendor when security is a top concern.
Technically no, but whether or not that is a problem depends on the threats you're worried about.
I'm personally most worried about 1. credential stuffing, 2. keyloggers/client exploits, and 3. Phishing/MITM attacks.
Using a password database allows me to use different passwords for every site, which defeats #1.
TOTP even if it's in the same database solves for #2 since simply scraping the password isn't enough to gain access.
And #3 isn't addressed at all, even if you use a separate device for TOTP.
What I'm not especially worried about is specific targeted attacks where the attacker is attempting to acquire my database and crack it.
Now, if you store your password database on someone else's cloud, that could become more of a concern, as a mass breach and bulk collection of databases becomes a possible attack vector. But I use syncthing to directly share my DB between devices, so I'm not particularly worried about that.
If you're worried about either of those threats, then a separate TOTP device is absolutely vital. But, for me personally, the inconvenience of it is not worth the additional security.
p.s. - Oh, and the reason for considering even moving to bitwarden is ease of mobile access by several people at once...since schlepping a keepass database via file sync stuff works sort of ok until you have to access the same file via mobile (possible but not great), plus my family and i kept stepping on each other's toes when updating said file, etc. Not hating on keepass, as it has served my family really weell...and i'm very thankful to the keepass devs! It is simply that we might be outgrowing it a tad...maybe.
I had to use the old/creaky/unmaintained KeePassBrowser addon for Firefox back when I was still on regular KeyPass. The KeePassXC-Browser addon is still supported, and much cleaner.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=keepass
If you need external functionality that is not available in KeePassXC, you can try to bolt it on via the KeePassXC-Browser API or open a feature request (or even better: pull request) to get it into the core application.
I don't see how switching to a different extension will improve anything.... I have global auto-type binded to CTRL-SHIFT-C and it just works
KeePassXC is a great program and combined with synthing, excellent solution to managing your passwords.
Also, how would people compare this to something such as 1Password?
I switched to Bitwarden in order to deal with this.
I'm the author of keepass-diff and built it for my own needs. Looking through the comments here about why people switched from Keepass to Bitwarden, it feels like the compare feature is something that should be integrated to UI clients as many people seem to face this problem. I always assumed it was more because of permissions and better ability to work with it as a team...
The lack of built-in replication is considered by many (me included) as more secure as the db is only on a single system and never in the cloud or on the wire.
Read my comment on the top of the comments. The top features are browser integration, auto-type and integration with Touch ID/fingerprint reader.
> how would people compare this to something such as 1Password?
KeePassXC auto-type is a lot more powerful. It can be configured in several ways and works with a lot more windows: SSH sessions in terminals, os windows in programs, etc.
OTOH, 1Password is automatically "clouded". With KeePassXC you need to place the encrypted database in a cloud (OneDrive, Google Drive, Apple Drive).
Syncthing looks a lot like a "make your own cloud" solution.
I use OwnCloud in a RaspberryPi, instead. But as Moxie Marlinspike famously said: "People don’t want to run their own servers, and never will". (https://moxie.org/2022/01/07/web3-first-impressions.html)
Of course it's not magical : for them to be in sync, you'll then have to have both turned on with Syncthing running at the same time.
But if you have something lying around, like an old laptop, it's trivial to have it running, and maintenance is super low, just keep update it from time to time : I have Syncthing running on a low cost server for multiple years, syncing pictures + documents, and the only issue I ever had was disk space running out once.
KeePassXC had no such issue.
That was CVE-2022-0275 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=keepass
So is this another KeePass fork, and is different from this one: https://formulae.brew.sh/cask/keepassx ?
There are some small differences between the projects in technical aspects but I don't fully recall the details.
The C in KeePassXC stands for community IRC.
Subjectively I 'd say that if you are wondering which of the 3 to use, go with KeePassXC. That's what I am using.
Right now I just copy past them in the notes, but there should be an easier way.
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_history
https://keepass.info/help/kb/sec_desk.html
I wish KeePassXC would implement this functionality on Windows. Seems there is an open issue, but KeePassXC author says this is just Windows security theater:
https://github.com/keepassxreboot/keepassxc/issues/3460
https://keepass.info/plugins.html#sftpsync
I like the idea of this sync but I don't know how the internal implementation would handle this. Dropbox and Nextcloud both sync the files themselves, and in case of a conflict, they preserve both versions, and let you pick which one you'd like to use as the "canonical". It's a pain but at least the data is preserved.