My new favourite password manager

nucleative, 7 months ago

Been a Keepass user for years and years. Absolutely top notch. There are plugins that can auto fill websites, that can open putty ssh sessions, basically everything you can imagine (or build).

IvanOverdrive, 7 months ago

Love KeePass. When LastPass enshittened, I went looking for something immune to enshittification. Best money I never spent

ExLisper, 7 months ago

Did LastPass do anything besides charge for it service?

hoodlem, 7 months ago

Are there advantages to this over self hosting Vaultwarden?

Lobotomie, 7 months ago

No in my opinion its worse in every way

JustARegularNerd, 7 months ago

I used to be a KeePass user, but moved away because I was ultimately syncing the database using OneDrive, which I felt at that point it was a cloud password manager, which I didn’t like for being open to the internet and entrusting the security of the company hosting it.

And yes, I moved to self hosted Vaultwarden with Tailscale and haven’t looked back.

captain_aggravated, 7 months ago

Main thing I prefer about KeePass is that it’s a straightforward app that creates a file. Self-hosting a database seems just that much more complicated.

fushuan, 7 months ago

For decent privacy oriented tool recommendations, here’s a list.

www.privacyguides.org/en/tools/

www.privacytools.io

There was some drama about the webpages so I’ll link both to avoid angry users. Anyway, KeePassXC is on there, which it seems like it’s a fork of KeePass, you might want to check it out.

MonkderZweite, 7 months ago

Mine is a 3-lines-script that gpg-decrypts to runtime-dir, opens editor, encrypts back, deletes in runtime-dir. Password done via zenity/yad.

sgtgig, 7 months ago

I have been using KeePass for eight years. Used to just shuffle the file around with Google Drive, now I have it sync’d with Syncthing across a few devices. I use its notes feature to store associated data like S3 keys and it stores my SSH key and KeePassXC can automatically add it to an SSH agent.

I don’t really have any complaints about it.

ensignrick, 7 months ago

What’s amusing is I am purposely not paying for bitwarden because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you. I would like to do vaultwarden but don’t think I can trust self hosting myself without paying monthly for a vps which I don’t want to do. Home Internet hosting seems to unreliable to me for something that important.

Just random thoughts of mine here.

hottari, 7 months ago

Follow OP’s approach. Use a Keepass file. It is offline and can be stored anywhere you can reasonably trust. You just need to sync it if you have many clients but syncthing is great for that.

ensignrick, 7 months ago

Yep I’m very impressed with syncthing. I just started using it a few weeks ago.

skilltheamps, 7 months ago

The bitwarden clients also work when there’s no connection to the server, since they sync the vault. You just can’t add any new entries. That means spotty internet is not that much of an issue in terms of using it. It also means, that every device that has a client installed and gets used regularly (to give the client a chance of syncing) is automatically a backup device.

Limit, 7 months ago

I host vaultwarden at home. No real need for a vps since your passwords are synced to your phone or laptop(whatever client you’re using) and you can just sync it when you’re home if you make changes, or setup a VPN (I use wireguard) and sync on demand when needed.

That said, I do sync my database to a vps for dr purposes incase my home server suddenly vanishes… for critical services I follow a 3-2-1 backup rule but it’s not absolutely essential.

bear, 7 months ago (edited 7 months ago)

because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you

For the password leak checks, your passwords are never transmitted. They are one-way hashed locally, and then only the first few characters of the hash are checked against the API provided at haveibeenpwned.com which is run and designed by Troy Hunt, one of the most respected people in the cybersecurity industry. He collects major password breaches and makes them available to check against without actually exposing the data. It’s perfectly safe and secure.

thirdBreakfast, 7 months ago

Love KeePass, I use it to store all my passwords including to SyncThing, then I keep my KeePass file in my SyncThing instance so I can recover from a disaster. Definitely nothing could go wrong with that ;-)

shadowbert, 7 months ago

I personally prefer bitwarden, using a self-hosted vaultwarden. It's free, it syncs, it's easy to use.

techognito, 7 months ago

Passphrase generator, simplelogin/addy.io integration and sync.

This makes my life so much easier.

bazmatazable, 7 months ago

I recently made the switch to Vaultwarden when I read a series of articles making predictions about passkeys and how they are lining up to replace passwords. Bitwarden apparently is ready to implement whatever standard becomes most popular and I had FOMO of being left behind if I stuck with keepass only. Previously I was using various keepass compatible apps and then syncing the KDBX database with my Nextcloud. (Vaultwarden is the selfhosted fork of Bitwarden)

lue3099, 7 months ago

Vaultwarden isnt a fork because bitwarden isn’t selfhostable. Bitwarden has an official selfhosted version. Vaultwarden is a lightweight rust version of the backend. As the selfhosted version by bitwarden is quite fat. Vaultwarden uses the official webapp of the webvault in their fork.

InvertedParallax, 7 months ago

Same, and the apps work great.

BaalInvoker, 7 months ago

I use KeePassXC on my laptop, KeePassDX on my phone and sync them with Syncthing.

This ia pretty sweet

AlexSup21, 7 months ago

I have the same setup. It’s really neat.

dbilitated, 7 months ago

it’s so good, wish I’d found it sooner

hottari, 7 months ago

Exactly the same thought I had when I ditched Bitwarden for it. In my case, the transition was made even easier as I was already using Syncthing on my devices.

JubilantJaguar, 7 months ago

Not bothered about the potential for keyloggers or even OS-level snooping on what is presumably your privacy-free Android device? Personally I would never type the master password into anything other than a computer running a FOSS stack that I control, but perhaps that is excessive caution.

BlinkerFluid, 7 months ago (edited 7 months ago)

Keepass clients typically have biometric input… and let’s not pretend you don’t need to type in your vaultwarden password in Android on the first run, either.

You could use a usb-c passkey but I know that’s not the majority use case.

JubilantJaguar, 7 months ago

So, biometrics, master password, and USB key - 3 whole options and 3 things I personally will never be letting near Android. Unwarranted caution, no doubt.

BaalInvoker, 7 months ago

Well, there is a limit to my paranoid. It’s really hard to find a sweet spot between security and practicality.

I found mine with this settings I said

hayalci, 7 months ago

keepass2android is worth a try as well.

RootBeerGuy, 7 months ago

Maybe a silly question, but since I am considering making the jump to a password manager too, I am curious:

If I have a selfhosted server at home that is not connected to the public internet, can I still ise Keepass? Does it have to constantly sync with the server or is it enough that when I get home my passwords are syncing? Could that be a problem?

Clearwater, 7 months ago

I use KeePassXC, but am assuming KeePass is very similar.

You’ll have a single file on your machine that is your encrypted password database. Syncing is not handled by KeePass and is your responsibility.

If you want to sync only when you get home, as long as your sync app that is fine with it, KeePass won’t know or care.

Keep in mind if you make changes on two devices without keeping them in sync, one will probably get overwritten unless you take special care to handle it. (My sync app warns me, then I take both conflicting files and in the KeePass app, I can merge them to solve the conflict without data loss.)

zeluko, 7 months ago

Ideally keypass would allow handling such conflicts internally.
Thats the big disadvantage of a single-file approach.

Could easily be avoided e.g. sync whole folder and now you can have multiple files, e.g. 1 write file per program used.

nx2, 7 months ago

If your server is not “online” you could vpn into your home network and use it that way. Another option is to have it local, meaning for example with bit/vault-warden you can still view your passwords if you don’t have connection. But you can’t edit or add new ones

clmbmb, 7 months ago

You have your local replica of the database on your device and once you’re home or can connect to your home server (through VPN, for example) it will sync with the remote database. I used to have synthing running for this and it worked without issues.

Thorned_Rose, 7 months ago

I used to use Keepass (thanks person who said keep ass, I can't not see that now) for many years but started to get frustrated with stuff not syncing properly and a few other reasons I can't remember anymore. But I think I'll have to give it a go again. I've been using Enpass for a number of years and it's been good but I've never liked that it's closed source.

ebits21, 7 months ago

Just depends what you use for syncing since keepass doesn’t sync itself.

Syncthing is obviously popular.

Thorned_Rose, 7 months ago

It's been years and I have Memory Impairment so I'm not sure but I think part of the issue with syncing was that we had a 'family' database which made for multiple devices and several people needing to sync that while frustrating at times was OK, until we had an episode of data loss that just killed it for us. Enpass had built in sync, a nicer UI, more features and jut more cohesive across devices.

But again, my memory is very fuzzy and it's worth looking into again because as good as Enpass is, it's not open source.

monetize_nothing, 7 months ago

Are there users that have tried both Keepass and Vaultwarden? I enjoy using Vaultwarden on my Synology but I wonder if it's worth switching to Keepass.

Capillary7379, 7 months ago

I switched from keepass to vaultwarden years ago and for my usage I wouldn’t switch back.

I needed to be able to share some passwords with other people. I think the clients are much better. I like having a website available as a backup to access a password. All in one package that works well so I don’t need separate mechanism to synchronize between different installations. I like the easy sharing secrets through links and not having to send in cleartext with emails or texts.

And for selfhosting I like that you only need the server only for syncing newly added secrets - if vaultwarden had to be online always I’d switch back.

Rootiest, 7 months ago

I have both set up right now.

Things I like better about KeePass:

KeePass doesn’t use the cloud, you don’t have to worry about the server getting compromised or going down because there’s nothing public-facing to hack. You always know where your password database is.

KeePass lets you encrypt the database with not only the master password but also using the challenge-response from a YubiKey. That means every time you save your DB the encryption key is rotated and the DB is actually encrypted by two authentication factors.

While both can add custom fields to an entry, I like that KeePass has the option to set fields as protected so their contents are hidden like the passwords.

Things I like better about VaultWarden:

Convenience.

You can log in to your VaultWarden account on any device from the browser. KeePass requires some software to access the DB.

The VaultWarden companion software is just better. It just does autofill better. KeePassXC/DX work well but just not as well as the BitWarden software.

Other thoughts:

Syncing passwords between devices with KeePass requires 3rd party software like SyncThing. If you break/lose/etc your VaultWarden server you could lose all your passwords with it.

Always make/test backups.

gentoo_biscuit, 7 months ago

I’m on Bitwarden right now and have been thinking of switching to KeePass. My issue keeping me from actually switching is the convenience factor. Can’t imagine making it even more annoying to use for my SO

nyar, 7 months ago

You can have keepass on a USB drive, an exe version that doesn’t require install, along with your db.

Rootiest, 7 months ago

You sure can.

But that’s not perfect.
Often businesses will lock down their computers to prevent unauthorized software from running at all, not just installing.

nyar, 7 months ago

And not lock down random external sites they see a user visiting every day that aren’t related to their work functions? Sounds like the SOC needs to get better at their monitoring.

Rootiest, 7 months ago

Like the other commenter said, typically websites are less locked down.

It’s simpler to sandbox the browser and prevent unauthorized software from running than to block out most of the Internet and deal with complaints all day about the web restrictions

dan, 7 months ago

In my experience, locking down non-work sites is much less common than locking down USB devices and unknown executables. USB devices and random executables are more of a security risk as a USB drive can be used to exfiltrate data very quickly while an executable could contain ransomware, other malware, keyloggers, etc. Sites are sandboxed and limited in terms of what they can do.

zeluko, 7 months ago (edited 7 months ago)

I like that KeePass has the option to set fields as protected

Vaultwarden can do that, though its quite stiff in some aspects like folders.. subfolders? nonexistant..

Rootiest, 7 months ago

Ah, I couldn’t find that option.

I can add custom fields to an entry but I can’t designate them as “protected”

Of course I also thought at first that you couldn’t attach files but I guess you can, they just didn’t seem to transfer over from my KeePass DB

zeluko, 7 months ago

The interface is weird and unintuitive at times..
I have a dropdown menu at the button "New custom field" and can select "Hidden".

Rootiest, 7 months ago

Oooh thank you!

Can’t believe I missed that

LievitoPadre, 7 months ago

I don’t know if they fixed it, I hope so, but not long ago there was a very dangerous vulnerability that allowed an attacker to bring able to access the master password.

I was using it long time ago, then I discovered Bitwarden and I’m really happy with it. I suggest you to have a look, in terms of UI is better and can be self hosted too.

Maestro, 7 months ago

I think that vulnerability was a non-issue. Someone could get to your password if they had full access to your machine to run arbitrairy code. But if someone has that much access, it's already game over.

But yeah, Bitwarden is better IMHO

CarlCook, 7 months ago

I really like Strongbox on Mac for managing my Keepass-DBs. It is very well integrated and there even is a „no phoning home“ version that strictly runs locally.

Rootiest, 7 months ago

and there even is a „no phoning home“ version that strictly runs locally.

Shouldn’t that be all the versions?

Why would a password manager app that uses a local database need to phone home?

CarlCook, 7 months ago

Maybe I expressed it a bit awkwardly. The other version has some integrations for syncing with Dropbox etc. and some third-party libraries. Strongbox zero is stripped of all of that.

Rootiest, 7 months ago

Ok that makes more sense lol