I’ve always hated the idea of using a subscription/cloud hosting for password management. I feel like I should have a LOT more control over that stuff and I don’t really want to hand all my keys over to a company.

All my secrets have been going in a highly encrypted archive with a long passphrase, but obviously that isn’t convenient on all devices. It’s been fine, I can open it on any computer but it’s not super quick. It does have the advantage of being able to put in multiple files, notes, private keys but it’s not ideal.

Anyway, finally found something that isn’t subscription, and has a similar philosophy - a highly encrypted archive file, and it’s open source and has heaps of clients including web browser plugins so it’s usable anywhere, and you can sync the vault with any file sync you like.

Thought you guys might appreciate the find, password managers have always been a bit of a catch 22 for me.

Note for android i found keepassxc the best app, and i’m using KeePassHelper browser plugin, and the KeePassXc desktop app as well as the free official one. Apps all seem to be cross platform.

  • shadowbert@kbin.social
    link
    fedilink
    arrow-up
    74
    arrow-down
    1
    ·
    1 year ago

    I personally prefer bitwarden, using a self-hosted vaultwarden. It’s free, it syncs, it’s easy to use.

    • Techognito@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      Passphrase generator, simplelogin/addy.io integration and sync.

      This makes my life so much easier.

    • seang96@spgrn.com
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      I used to use keepassxc for years. Kept it synced with sync thing, though eventually work blocked networking with sync thing so I swapped to vaultwarden and never been happier.

      • nyar@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        Why sync your passwords from home with your work computer? Just keep them on your phone.

        • OminousOrange@lemmy.ca
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          I could see it being tedious if you had to manually enter long, random string passwords regularly. Though I suppose you could change them to something easier to type. Ctrl+shift+L (bitwarden extension autofill shortcut) is just so much more convenient.

          • nyar@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            1 year ago

            Why enter personal passwords on work computers so frequently?

            This sounds like an underlying assumption of how time is being spent rather than a technical issue.

    • bazmatazable@reddthat.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I recently made the switch to Vaultwarden when I read a series of articles making predictions about passkeys and how they are lining up to replace passwords. Bitwarden apparently is ready to implement whatever standard becomes most popular and I had FOMO of being left behind if I stuck with keepass only. Previously I was using various keepass compatible apps and then syncing the KDBX database with my Nextcloud. (Vaultwarden is the selfhosted fork of Bitwarden)

      • lue3099@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Vaultwarden isnt a fork because bitwarden isn’t selfhostable. Bitwarden has an official selfhosted version. Vaultwarden is a lightweight rust version of the backend. As the selfhosted version by bitwarden is quite fat. Vaultwarden uses the official webapp of the webvault in their fork.

      • hottari@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Exactly the same thought I had when I ditched Bitwarden for it. In my case, the transition was made even easier as I was already using Syncthing on my devices.

    • JubilantJaguar@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Not bothered about the potential for keyloggers or even OS-level snooping on what is presumably your privacy-free Android device? Personally I would never type the master password into anything other than a computer running a FOSS stack that I control, but perhaps that is excessive caution.

      • Responsabilidade@lemmy.eco.br
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Well, there is a limit to my paranoid. It’s really hard to find a sweet spot between security and practicality.

        I found mine with this settings I said

      • BlinkerFluid@lemmy.one
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Keepass clients typically have biometric input… and let’s not pretend you don’t need to type in your vaultwarden password in Android on the first run, either.

        You could use a usb-c passkey but I know that’s not the majority use case.

        • JubilantJaguar@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          So, biometrics, master password, and USB key - 3 whole options and 3 things I personally will never be letting near Android. Unwarranted caution, no doubt.

  • arrr@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    1
    ·
    1 year ago

    I installed KeePass(XC) on Android, iOS, Windows, Linux, Mac, for Firefox and Chrome and it’s all synced via encrypted cloud share. It even has OTP functionality so you don’t have to manually type 2FA codes.

      • ebits21@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        KeePassium and Strongbox are both great.

        Strongbox is rather expensive if you pay and missing too much if you don’t pay imo. I use KeePassium.

      • arrr@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        I don’t have an iPhone but I set it up for a family member. I remember we tried out two apps because the first one didn’t have what we needed. One of them was Keepassium, but I don’t remember of it was the one we kept.

    • ebits21@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      If you keep the database in the cloud I recommend using a keyfile in addition to the password which is NOT kept in the cloud.

      Very secure that way even if your cloud account is compromised.

      I keep TOTP in a separate database.

  • Synnr@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Yup, I have been using KeePassXC locally since (one of) the first big LastPass breaches. I thought “password manager company… they know encryption” and then kept some of the most important things stored in my vault including notes of Bitcoin seedphrases etc. Thought "even if they get hacked, they wouldn’t let anyone exfil the huge amount of data from the USER VAULT SERVER… thought “my passphrase is like 25-30 chars long, nobody will crack that”…

    5 years after my last login and I find out the breach happened, user vaults were exfil’d, the encryption was absolute shit, and the notes weren’t even encrypted.

    I don’t trust cloud companies to keep promises or know what they’re doing today. and anything self-hosted isnt Internet accessable unless it’s on dedicated hardware subnetted off and wouldn’t matter if it got hacked.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        The fee is only to have TOTP and a bit of encrypted cloud storage.

        And to keep the company alive. It’s cheap enough that IMO it’s worth paying for if you get a lot of value from it, even if you don’t need the paid features.

    • Quacksalber@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      1 year ago

      In theory at least, online services would be more safe than a locally decrypted vault. If your computer is compromised, the bad actors can pull your encrypted vault for an unlimited brute force attack. Of course, this can be mitigated by increasing the decryption time. However, if your vault is already decrypted, then bad actors can just pull all your password from your memory.

      I, for one, am decrypting my vault once when I start my PC. In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.

      • Synnr@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        1 year ago

        In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.

        It’s the same issue once you login to your vault via browser extension. They have to download your vault locally on login to decrypt it when you enter your password anyway*. Even if they don’t store your vault password in memory, they either store the entire vault (unlikely for size reasons) or a more temporary key to access the vault. Local compromise is full compromise already.

        *If they don’t, then they either made a giant technological leap, or they’re storing your passwords on a simple database on their servers and that’s not what you want from a password manager.

  • IvanOverdrive@lemm.ee
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Love KeePass. When LastPass enshittened, I went looking for something immune to enshittification. Best money I never spent

      • shortly2139@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        They didn’t use strong encryption by default, Something about not enough iterations of whatever algorithm they use.

        They also got hacked (more than once) , which is roughly when they announced the encryption issue.

        I feel like they got bought by a shitty company too, but that’s beyond me.

        There have been reports that some of these vaults that were stolen have already been compromised, though not sure if there is any proof.

        • ExLisper@linux.community
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          1 year ago

          OK, it’s just not what enshitification means. I don’t like the term but if you’re using it wrong it’s just confusing.

          • shortly2139@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Fair point, I misunderstood. Thought you were asking for more general points.

            As for enshitification, I suppose it started in 2015 when they were bought by LogMeIn (I looked it up), that’s where it generally always starts. Don’t know if the service degraded as I switched around that time. Though getting hacked twice in six months is pretty bad for a company guarding the publics secrets

  • monetize_nothing@kbin.social
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    1 year ago

    Are there users that have tried both Keepass and Vaultwarden? I enjoy using Vaultwarden on my Synology but I wonder if it’s worth switching to Keepass.

    • Rootiest@lemm.ee
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      edit-2
      1 year ago

      I have both set up right now.

      Things I like better about KeePass:

      KeePass doesn’t use the cloud, you don’t have to worry about the server getting compromised or going down because there’s nothing public-facing to hack. You always know where your password database is.

      KeePass lets you encrypt the database with not only the master password but also using the challenge-response from a YubiKey. That means every time you save your DB the encryption key is rotated and the DB is actually encrypted by two authentication factors.

      While both can add custom fields to an entry, I like that KeePass has the option to set fields as protected so their contents are hidden like the passwords.

      Things I like better about VaultWarden:

      Convenience.

      You can log in to your VaultWarden account on any device from the browser. KeePass requires some software to access the DB.

      The VaultWarden companion software is just better. It just does autofill better. KeePassXC/DX work well but just not as well as the BitWarden software.

      Other thoughts:

      Syncing passwords between devices with KeePass requires 3rd party software like SyncThing. If you break/lose/etc your VaultWarden server you could lose all your passwords with it.

      Always make/test backups.

      • zeluko@kbin.social
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        1 year ago

        I like that KeePass has the option to set fields as protected

        Vaultwarden can do that, though its quite stiff in some aspects like folders… subfolders? nonexistant…

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          Ah, I couldn’t find that option.

          I can add custom fields to an entry but I can’t designate them as “protected”

          Of course I also thought at first that you couldn’t attach files but I guess you can, they just didn’t seem to transfer over from my KeePass DB

          • zeluko@kbin.social
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            1 year ago

            The interface is weird and unintuitive at times…
            I have a dropdown menu at the button “New custom field” and can select “Hidden”.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          Folder/subfolders work just fine… when you make folder ‘a’… you can add subfolder b by typing ‘a/b’

      • nyar@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        You can have keepass on a USB drive, an exe version that doesn’t require install, along with your db.

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          You sure can.

          But that’s not perfect.
          Often businesses will lock down their computers to prevent unauthorized software from running at all, not just installing.

          • nyar@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            And not lock down random external sites they see a user visiting every day that aren’t related to their work functions? Sounds like the SOC needs to get better at their monitoring.

            • dan@upvote.au
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              In my experience, locking down non-work sites is much less common than locking down USB devices and unknown executables. USB devices and random executables are more of a security risk as a USB drive can be used to exfiltrate data very quickly while an executable could contain ransomware, other malware, keyloggers, etc. Sites are sandboxed and limited in terms of what they can do.

            • Rootiest@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Like the other commenter said, typically websites are less locked down.

              It’s simpler to sandbox the browser and prevent unauthorized software from running than to block out most of the Internet and deal with complaints all day about the web restrictions

      • Biscoot
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        I’m on Bitwarden right now and have been thinking of switching to KeePass. My issue keeping me from actually switching is the convenience factor. Can’t imagine making it even more annoying to use for my SO

      • Saik0@lemmy.saik0.com
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        1 year ago

        I use a yubikey on bitwarden (vaultwarden) just fine…
        Custom protected fields exist.
        And you can always hide it in a vpn.

        A big problem with keepass is if two updates to passwords try to sync simultaneously… sync- thing/ other synching software can’t merge only the updates in each file.

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          I also use aYubiKey in VaultWarden but the key is not used to generate the encryption keys, only the master password is, so you don’t get that added security and benefit of the encryption keys rotating every time you save the DB.

    • Capillary7379@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      1 year ago

      I switched from keepass to vaultwarden years ago and for my usage I wouldn’t switch back.

      I needed to be able to share some passwords with other people. I think the clients are much better. I like having a website available as a backup to access a password. All in one package that works well so I don’t need separate mechanism to synchronize between different installations. I like the easy sharing secrets through links and not having to send in cleartext with emails or texts.

      And for selfhosting I like that you only need the server only for syncing newly added secrets - if vaultwarden had to be online always I’d switch back.

  • TiffyBelle@feddit.uk
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    3
    ·
    1 year ago

    I prefer the KeePassXC fork as it’s written in C++ and not C# so it has better native integration with OSes like Linux, but yeah these are really good solutions with no subscription requirements or necessity to upload to any cloud service.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      it’s written in C++ and not C# so it has better native integration with OSes like Linux

      Not sure what you mean by this. Any APIs that can be called from C++ can also be called from C#. C# apps run natively on Linux, and they support self-contained deployment and native AOT (ahead of time) compilation meaning they can run on any Linux system even if it doesn’t have the .NET Core framework installed.

      • TiffyBelle@feddit.uk
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        This thread is about KeePass and my comments relate to that. If you pull KeePass2 from the repos in Debian, for example, it’s going to pull the Mono runtime to execute it as well because it’s been built, like most C# apps, for JIT compilation. I doubt it’s even possible to compile KeePass2 using AOT compilation.

        This is what the C# KeePass application looks like using the Mono runtime in Debian:

        This is KeePassXC:

        You can see which has better native integration into the desktop out of the box.

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          s in Debian, for example, it’s going to pull the Mono runtime to execute it as well because it’s been built, like most C# apps, for JIT compilation.

          .NET Core handles JIT compilation file. It looks like the KeePass developers have not yet updated it to use .NET Core though, which is why it’s pulling Mono in.

          KeePassXC definitely looks nicer, but it’s definitely possible to do that with C# too. The KeePass developers just haven’t kept up with modern .NET.

    • qaz@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      written in C++ and not C# so it has better native integration with OSes like Linux

      What do you mean exactly?

  • sgtgig@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    I have been using KeePass for eight years. Used to just shuffle the file around with Google Drive, now I have it sync’d with Syncthing across a few devices. I use its notes feature to store associated data like S3 keys and it stores my SSH key and KeePassXC can automatically add it to an SSH agent.

    I don’t really have any complaints about it.

  • nucleative@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Been a Keepass user for years and years. Absolutely top notch. There are plugins that can auto fill websites, that can open putty ssh sessions, basically everything you can imagine (or build).

  • Thorned_Rose@kbin.social
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I used to use Keepass (thanks person who said keep ass, I can’t not see that now) for many years but started to get frustrated with stuff not syncing properly and a few other reasons I can’t remember anymore. But I think I’ll have to give it a go again. I’ve been using Enpass for a number of years and it’s been good but I’ve never liked that it’s closed source.

    • ebits21@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Just depends what you use for syncing since keepass doesn’t sync itself.

      Syncthing is obviously popular.

      • Thorned_Rose@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        It’s been years and I have Memory Impairment so I’m not sure but I think part of the issue with syncing was that we had a ‘family’ database which made for multiple devices and several people needing to sync that while frustrating at times was OK, until we had an episode of data loss that just killed it for us. Enpass had built in sync, a nicer UI, more features and jut more cohesive across devices.

        But again, my memory is very fuzzy and it’s worth looking into again because as good as Enpass is, it’s not open source.

  • thirdBreakfast@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    1 year ago

    Love KeePass, I use it to store all my passwords including to SyncThing, then I keep my KeePass file in my SyncThing instance so I can recover from a disaster. Definitely nothing could go wrong with that ;-)

  • Ensign Rick@startrek.website
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    3
    ·
    edit-2
    1 year ago

    What’s amusing is I am purposely not paying for bitwarden because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you. I would like to do vaultwarden but don’t think I can trust self hosting myself without paying monthly for a vps which I don’t want to do. Home Internet hosting seems to unreliable to me for something that important.

    Just random thoughts of mine here.

    • Solar Bear@slrpnk.net
      link
      fedilink
      English
      arrow-up
      17
      ·
      edit-2
      1 year ago

      because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you

      For the password leak checks, your passwords are never transmitted. They are one-way hashed locally, and then only the first few characters of the hash are checked against the API provided at https://haveibeenpwned.com which is run and designed by Troy Hunt, one of the most respected people in the cybersecurity industry. He collects major password breaches and makes them available to check against without actually exposing the data. It’s perfectly safe and secure.

    • skilltheamps@feddit.de
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      1 year ago

      The bitwarden clients also work when there’s no connection to the server, since they sync the vault. You just can’t add any new entries. That means spotty internet is not that much of an issue in terms of using it. It also means, that every device that has a client installed and gets used regularly (to give the client a chance of syncing) is automatically a backup device.

    • Limit@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I host vaultwarden at home. No real need for a vps since your passwords are synced to your phone or laptop(whatever client you’re using) and you can just sync it when you’re home if you make changes, or setup a VPN (I use wireguard) and sync on demand when needed.

      That said, I do sync my database to a vps for dr purposes incase my home server suddenly vanishes… for critical services I follow a 3-2-1 backup rule but it’s not absolutely essential.

    • hottari@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Follow OP’s approach. Use a Keepass file. It is offline and can be stored anywhere you can reasonably trust. You just need to sync it if you have many clients but syncthing is great for that.

    • Captain Aggravated@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      Main thing I prefer about KeePass is that it’s a straightforward app that creates a file. Self-hosting a database seems just that much more complicated.

    • JustARegularNerd@aussie.zone
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I used to be a KeePass user, but moved away because I was ultimately syncing the database using OneDrive, which I felt at that point it was a cloud password manager, which I didn’t like for being open to the internet and entrusting the security of the company hosting it.

      And yes, I moved to self hosted Vaultwarden with Tailscale and haven’t looked back.

  • LievitoPadre@feddit.it
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    I don’t know if they fixed it, I hope so, but not long ago there was a very dangerous vulnerability that allowed an attacker to bring able to access the master password.

    I was using it long time ago, then I discovered Bitwarden and I’m really happy with it. I suggest you to have a look, in terms of UI is better and can be self hosted too.

    • Maestro@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      I think that vulnerability was a non-issue. Someone could get to your password if they had full access to your machine to run arbitrairy code. But if someone has that much access, it’s already game over.

      But yeah, Bitwarden is better IMHO