25 comments

[ 5.2 ms ] story [ 63.5 ms ] thread
Without native apps for iOS to integrate with Safari and apps, password managers are a nonstarter for me.

Presently I use Bitwarden (with a selfhosted Vaultwarden backend) for this reason, and block the phone-home spyware the Bitwarden people ship in the client with DNS blackholing.

Happy to replace it if: a) there is an import path from Bitwarden and b) a good client for iOS that supports the native iOS password manager APIs. I expect further enshittification from Bitwarden in the future, and keep a close eye on new projects like this one as a result.

I don't know about importing from Bitwarden, but a normal Keepass-database will work for you. All you need is a way to sync a file between all your devices. KeePassium on iOS is Open Soruce and integrates very well.
I've used KeeppassCX for ~5 years and the experience is OK at best compared to 1Password and EnPass (which once had a lifetime payment option).

The connection with Firefox (on Linux) regularly breaks. There's lots of subtle bugs and the UX just isn't on the same level.

I'll also happily jump ship if something better comes along that's open source, has great browser and android integration and self hosted.

I'm also eying Bitwarden / Vaultwarden but migration is a pain

Sorry, I don't use Linux much, so I don't have a recommendation. But one of the key advantages of a Keepass-Database is that theres loads of clients, so maybe try another.
> The connection with Firefox (on Linux) regularly breaks.

If the connection breaks, the green button in the username field that fills in your details, turns into a red cross. If you just click the red cross, keepassxc will immediately reestablish the connection. Then click again to fill in. For me, I only have to do this once after unlocking my database.

Sadly this is often not enough for me to reconnect.
Can you elaborate on the "phoning home" part? I can't find anything about that. It seems to me that that would be a major issue on a password manager.
It’s right there in the app privacy label on the App Store.

Alternately, just log all the traffic out of the app, or check the app’s privacy report (iOS now shows you all the hostnames to which an app connects).

in.appcenter.ms is the phone-home hostname.

Could the "sync" mechanism be provided by iCloud, Dropbox, etc. so long as it's end-to-end encrypted?

Managing a vault server sounds like a pain.

The advantage of a vault server is that it can rate-limit your login attempts based on your master password in a much better way than layering an encrypted password store on generic cloud/synced storage using modern PAKEs.
I would add "in the browser" to title.
(comment deleted)
Doesn't appear to be a project that's overly active.
I want to move to something compatible with https://www.passwordstore.org/ - an open standard for keeping your passwords in a folder encrypted with OpenPGP.

The problem is that I'm nervous to give an unknown Android app and browser plugin total control of my passwords and access to my github account when I don't have time to review it's code properly. I have a bit more trust ing the command line tools, but I'd like to be sure that more people are looking at the code before I trust my life to it.

There are browser plugins for `pass` and a beautiful Android app Pass Store by Harsh Shandilya that relies on OpenKeychain.
I found it harder than expected to locate a link to the git repos. A project that advertises as open source should have the git repos prominently displayed.
I'm currently relying on passwords synced with my Firefox Account, but I'm thinking of moving off of it after Firefox not allowing me to change my password (it errors out telling me I entered the wrong password even after having successfully logged in; apparently this is a well known issue with no other solution than to wipe out your Firefox account data).

I'm looking at KeePassXC, which I like, but I'm not thrilled about having to run the desktop app in the background to use the Firefox extension.

Passit looks interesting but I've never heard of it. Anyone have any long-term experience with it?

What about bitwarden (or its rust version vaultwarden), did you consider it?
That's a very appealing website design. Haven't tried the tool, probably don't have any use for it, but for some reason that website really appeals to me.
The first thing I looked at is the security model page. It doesn't give much detail, other than saying "we use libsodium defaults". Ok...which defaults, and how are they used?

The mention of RSA is also a bit of a red flag. RSA is extremely out dated, what excuse is there for using it in new apps?

(Also: I try to avoid being overly critical of people's projects, but password managers are critical pieces of software.)

Looks like the mention of RSA is outdated. Seems from the codebase like it's all libsodium (x25519 + XSalsa20Poly1305) now.

> We formerly used AES and RSA encryption, we prefer to use generic terms now that do not imply any one implementation. We defer to libsodium recommendations on algorithms

https://gitlab.com/passit/passit/-/wikis/security

RSA is less of a footgun than many elliptic curve alternatives (e.g. it usually doesn't suffer from catastrophic compromise in case of reusing entropy in the way that DSA and ECDSA do), though.

Curve25519 is safe in that regard, but isn't yet as ubiquitous, and even though it's quite well-researched at this point, you can't beat RSA in terms of public scrutiny.

If performance doesn't matter as much to you, I'd say RSA is still a valid choice.