KeePassXC 2.6.1 (keepassxc.org)
One attack vector I see with Bitwarden is that if the server hosting the web client or the Firefox/Google account that owns the browser extension gets compromised, they could easily be modified to exfiltrate all your data. So unless you always package the browser extension yourself and check the web client's code before using it, your passwords are essentially only as secure as the developer's security measures are strong.
I honestly tried to use Bitwarden, paid for premium for one time key feature, and the browser extensions compared to 1pass are much less convenient. For instance, the ability to manage multiple website (e.g. Google) accounts is priceless.
If you have two logins for the same service with the same URLs they'll appear in the browser extension with the username shown by the title.
If you're instead talking about using the same login credentials on multiple sites, it can do that as well, just edit the item and add a second URL to the site. Now that item will appear on both site URLs.
Personally I think it would be awesome if Bitwarden gave you the option to export your password vault as a KDBX4 file. What's the best way to fund a bounty program for adding this feature to Bitwarden?
I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't matter much. Also, C$70 is essentially free when it comes to securing my digital life). I sync a vault with a few co-workers via Dropbox and this is sufficient for us, no need for 1Password.com 'cloud' yet.
We like the UI, and to our knowledge 1Password has the best track record for security, with extensive and continuous testing and no major fuck-ups yet.
What advantages to switching to KeePassXC or Bitwarden are there for us?
But to me it sounds like you have a solution you are very happy with, and you don't mind paying for that solution, so my recommendation would be to stick with it.
Although, as a happy user of KeePassXC, I'm tempted to ask the counter-question: why would I want to pay for 1Password when KeePassXC gives me a great solution for free (and also gives me source code access)?
But KeePassXC is based on the KeePass file format, and to my knowledge that has a better security story than commercial platforms--though it is harder to use.
For example, a couple of years ago Tavis Ormandy at Google Project Zero went through password managers and had unkind things to say (and reported vulnerabilities) about LastPass, 1Password, and Dashlane. He said KeePass looks "sane" or something like that.
1password is closed source and there is no way to verify that it actually encrypts the passwords.
I wouldn’t give someone my passwords to encrypt and store them for me. It’s a simple task and I can just encrypt and store my passwords. I don’t need a shinier UI.
I had to switch to keychain because the safari extension stopped working.
I'll put $100 in right now if the maintainers of KeePassXC are down with this.
The whole database is a single big xml document which is then encrypted with a normal symmetrical encryption method (most of the time AES). And that is already the core of it. There are a few additional things (A user-chosen key-derivation-function is used to increase the brute-force time and there is a header in the binary format with such things as keepass version, which algorithms are used for encrypting and a checksum...).
But in comparison to other cloud-based password managers it's a nice feeling to intuitively "know" what's happening under the hood.
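The comment above sketches the KDBX layout: a header naming the version, cipher and KDF, a checksum over that header, and then the encrypted XML. The following is an added example, not code from the thread or from KeePassXC, that builds a constructed KDBX4-style outer header and parses it back, checking the SHA-256 that follows the header. The signature, version and field IDs are the KDBX4 values as I know them; the encrypted payload, the KDF parameter dictionary and the HMAC that KDBX4 also places after the header are deliberately left out, and the seed and IV bytes are placeholders, not real key material.

```python
# Added example (not part of the thread): parse a KDBX4-style outer header
# and verify its SHA-256 checksum. The header bytes are constructed here;
# signature, version and field IDs follow the KDBX4 layout.
import hashlib
import hmac
import struct
import uuid

KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67
KDBX4_MAJOR = 4

# Outer header field IDs used by KDBX 4 (KDBX 3-only fields omitted).
HDR_END = 0
HDR_CIPHER_ID = 2
HDR_COMPRESSION = 3
HDR_MASTER_SEED = 4
HDR_ENCRYPTION_IV = 7
HDR_KDF_PARAMS = 11

AES256_UUID = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
CHACHA20_UUID = uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a")
CIPHER_NAMES = {AES256_UUID: "AES-256-CBC", CHACHA20_UUID: "ChaCha20"}


def _field(fid, data):
    # KDBX 4 field: 1-byte id, uint32 little-endian length, payload.
    return struct.pack("<BI", fid, len(data)) + data


def build_demo_header():
    """Constructed header (version 4.0, AES-256, gzip) followed by SHA-256."""
    body = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 0, 4)  # minor=0, major=4
    body += _field(HDR_CIPHER_ID, AES256_UUID.bytes)
    body += _field(HDR_COMPRESSION, struct.pack("<I", 1))   # 1 = gzip
    body += _field(HDR_MASTER_SEED, bytes(range(32)))       # placeholder seed
    body += _field(HDR_ENCRYPTION_IV, bytes(16))             # placeholder IV
    body += _field(HDR_KDF_PARAMS, b"\x00")  # stand-in for the KDF variant dictionary
    body += _field(HDR_END, b"\r\n\r\n")
    return body + hashlib.sha256(body).digest()


def parse_header(blob):
    """Parse the outer header and report whether its SHA-256 checksum holds."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    if major != KDBX4_MAJOR:
        raise ValueError(f"unsupported KDBX version {major}.{minor}")
    fields, pos = {}, 12
    while True:
        fid, size = struct.unpack_from("<BI", blob, pos)
        pos += 5
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated header field")
        pos += size
        if fid == HDR_END:
            break
        fields[fid] = data
    # KDBX 4 stores SHA-256(header) right after the header; HMAC follows it.
    stored = blob[pos:pos + 32]
    checksum_ok = hmac.compare_digest(hashlib.sha256(blob[:pos]).digest(), stored)
    cipher = CIPHER_NAMES.get(uuid.UUID(bytes=fields[HDR_CIPHER_ID]), "unknown")
    return {
        "version": f"{major}.{minor}",
        "cipher": cipher,
        "compressed": struct.unpack("<I", fields[HDR_COMPRESSION])[0] == 1,
        "master_seed_len": len(fields[HDR_MASTER_SEED]),
        "checksum_ok": checksum_ok,
    }


def tamper(blob, offset):
    """Flip one byte so the integrity check can be seen failing."""
    out = bytearray(blob)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    good = build_demo_header()
    print(parse_header(good))
    print(parse_header(tamper(good, 50)))  # offset 50 lies inside the master seed
```

The plain SHA-256 only catches accidental corruption; in a real KDBX4 file the HMAC-SHA256 that follows it is what binds the header to the key, so a parser should treat a header with a valid SHA-256 but an unverified HMAC as untrusted.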
Not sure if there have been audits of this popular fork or the format itself.
IIRC the format is relatively simple: an encrypted XML stream. So it may be OK.
Maybe I simply didn't search well enough, is there any possibility to have such functionality in KeePassXC?
I find the browser integration extension(s) more robust/stable as well, but that could be environmental.
KeePassX won't prompt you at all and silently drops all those changes, whereas KeePassXC will ask what to do.
KeePassXC also seems to immediately save changes upon adding new entries whereas KeePassX requires an explicit <ctrl-s>.
The Android app is great too. I use rclone to sync my KeePass file to Google Drive, which means it is always up to date on my phone too.
There's so many different Keepasses...
I'd like to use the same db file between Windows, Linux and Android, and I'd like to be able to autoenter without a browser plugin, at least on Windows.
One thing that was a killer feature for me: Keepass2Android was WAY better at integrating with my Android devices. Tried to convince family to use a password manager, but LastPass was a failure on some devices. KeePass with sync to some cloud is perfect: database with multiple copies, works well.
For sharing between devices I found Firefox Send to be useful (before it went down, hope it comes back), also Keybase filesystem is one of my go-tos as well.
Maybe I’m being overly cautious, but I sleep better at night knowing my DBs are encrypted.
Fwiw, I've lately been using Resilio Sync, which is BitTorrent style peer-to-peer between devices I control and encrypted over the wire as well. It also supports advanced encrypted shares where you can even have "know nothing" devices that help to seed/participate in your shares but can't read/write inside them, as an interesting tool in "personal cloud hosting".
They were sold to Zoom... since then I don't use it anymore.
Another comment mentioned using a key-file, so maybe I will revisit that approach, since I used password only when I started.
For me a 12-character password with the default 60 000 iterations seems safe enough. My estimation is that it would take at least millions of dollars to break it and my passwords are not worthy of that. You can easily make it unbreakable for the foreseeable future by using something like a 16-character random password and 10 million iterations.
A key file of enough length is like an unbreakable password. But you probably can't remember it, so be careful not to lose it. My database is accessible on a public URL which I remember and I remember my password, so I can always download it anywhere and open it. I think that it's a big advantage and I wouldn't want to lose it.
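To make the password-versus-key-file trade-off above concrete, here is an added example (not from the thread or from KeePass) that combines a password and a key file into one composite key the way KeePass does for plain key files (SHA-256 of the password, then SHA-256 over the concatenated components; XML key files are not handled), and a rough cost model for how password length and KDF iterations multiply an attacker's work. The guess rate in the cost model is an assumed figure for illustration, not a measurement, and the sample key-file contents are constructed.

```python
# Added example (not the thread's or KeePass's code): composite key
# assembly for password + plain key file, and a brute-force cost model.
import hashlib
from typing import Optional


def key_file_component(contents: bytes) -> bytes:
    """Component key for a plain key file: a 32-byte file is used raw, a
    64-character hex file is decoded, anything else is SHA-256 hashed."""
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # 64 bytes but not hex: fall through to hashing
    return hashlib.sha256(contents).digest()


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated components, password hash first."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_component(key_file)
    return hashlib.sha256(parts).digest()


def brute_force_years(charset_size: int, length: int, iterations: int,
                      guesses_per_sec: float = 1e9) -> float:
    """Expected years to recover a uniformly random password of the given
    length when each guess costs `iterations` KDF rounds and the attacker
    can evaluate `guesses_per_sec` rounds per second (assumed rate).
    On average half the keyspace is searched."""
    expected_guesses = charset_size ** length / 2
    seconds = expected_guesses * iterations / guesses_per_sec
    return seconds / (365 * 24 * 3600)


def hardening_factor(weak, strong) -> float:
    """How many times more work the `strong` (charset, length, iterations)
    setting costs compared to the `weak` one; rate cancels out."""
    return brute_force_years(*strong) / brute_force_years(*weak)


if __name__ == "__main__":
    # Constructed key-file contents, not real key material.
    print(composite_key("correct horse", bytes(32)).hex())
    print(composite_key("correct horse", b"00" * 32).hex())
    # 95 printable ASCII characters; the two settings named in the comment above.
    weak, strong = (95, 12, 60_000), (95, 16, 10_000_000)
    print(f"12 chars / 60k iterations: {brute_force_years(*weak):.3g} years")
    print(f"16 chars / 10M iterations: {brute_force_years(*strong):.3g} years")
    print(f"hardening factor: {hardening_factor(weak, strong):.3g}")
```

The factor is independent of the assumed guess rate: four extra random characters contribute 95^4 and the iteration increase another 10,000,000 / 60,000, so the second configuration costs on the order of 10^10 times more work per recovery. A 32-byte random key file, in contrast, adds 256 bits to the composite key and does not depend on the KDF at all, which is why the comment treats it as effectively unbreakable.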
When I decided to start using a password manager, I was drawn to KeePass since it is open source and I don't have to rely on any third party service. But learning how to use it correctly, and juggling your db files among all your devices, requires a sound, thought out strategy!
On Android this presents some issues though, since, the last I checked, the keyfile had to be added to the "SD Card" class storage, which other apps can also access. If you are on Android and go this route, be really careful about the types of apps you install that have Storage permissions (good advice in general, of course).
I'm not blown away by the iPhone in general honestly, but being able to sync everything between the Mac devices is super convenient. The ability to easily share files wirelessly between all of them via AirDrop is fantastic. Moving KDBX files, or in this case key files, is a great use case for it.
Just plugins for Firefox and Chrome, AFAIK, actually. And a command line client that's just a wrapper for the website. No full-featured client available. KeePassXC can be a better option for interop with 1pass than 1pass is, on Linux, depending on what you need.
[1] https://discussions.agilebits.com/discussion/114964/1passwor...
[2] Read-only for now, as it is a development preview.
HN discussion: https://news.ycombinator.com/item?id=24054112
Is that supposed to be an endorsement or a warning?
Your choice. It was an endorsement.
You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.
Compromising everything is easier, it means you have to change the password for everything and know it was compromised.
If only SOME stuff is compromised then you don't know what was compromised so you end up having to change everything anyway.
I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.
I think the separation of concerns outweighs the KeepassXC<->Browser integration part.
If your computer is compromised (meaning occasional copy&paste is not secure) you have WAY more problems than only Keepass and phishing.
It's a poor argument for choosing browser extensions over cut & paste because the circumstances where it has an advantage are incredibly specific.
I agree that malware that has that power could do something else, but the parent post incorrectly asserted that the specific attack of keylogging would work, which it doesn't. I wasn't arguing that as the reason to use them over copy/paste.
The main thing extensions save you from is phishing attacks because they verify the origin of the page is correct for the entry, which is a really common attack and a hard thing for humans to verify consistently, and doesn't require any malware on your machine.
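The origin check the comment above describes is the part humans get wrong and extensions get right. As an added example (not code from the thread, from KeePassXC-Browser or from any other extension), the function below decides whether a stored entry should be offered on the current page by comparing the page's origin to the entry's, and it is written to reject the lookalike and downgrade cases that a visual check misses. All URLs in it are constructed.

```python
# Added example (not any extension's code): decide whether a stored login
# belongs on the current page by comparing origins, not by eyeballing URLs.
from urllib.parse import urlsplit


def _origin(url):
    """Return (scheme, host) with host lowercased and any trailing dot removed.
    urlsplit().hostname already ignores userinfo, so 'a.com@evil.test' -> evil.test."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme.lower(), host


def should_offer(entry_url, page_url, allow_subdomains=True):
    """True only when the page's origin matches the entry's origin.

    Rules: hosts must be equal, or the page host a proper subdomain of the
    entry host when allowed; prefix tricks like 'example.com.evil.test' do
    not match because the comparison is on full labels; an entry stored for
    https is never offered to a plain-http page. Ports are ignored here.
    """
    e_scheme, e_host = _origin(entry_url)
    p_scheme, p_host = _origin(page_url)
    if not e_host or not p_host:
        return False
    if e_scheme == "https" and p_scheme != "https":
        return False  # downgrade: would hand the credential to a cleartext page
    if p_host == e_host:
        return True
    return allow_subdomains and p_host.endswith("." + e_host)


def evaluate_cases(entry_url, pages):
    """Run should_offer over a list of page URLs; returns {page: decision}."""
    return {page: should_offer(entry_url, page) for page in pages}


if __name__ == "__main__":
    entry = "https://accounts.example.com/login"
    # Constructed pages: one legitimate, one subdomain, and several lookalikes.
    pages = [
        "https://accounts.example.com/signin?next=/",
        "https://sso.accounts.example.com/",
        "https://ACCOUNTS.EXAMPLE.COM./",
        "https://accounts.example.com.evil.test/login",
        "https://accounts.example.com@evil.test/",
        "http://accounts.example.com/login",
        "https://accounts-example.com/login",
    ]
    for page, ok in evaluate_cases(entry, pages).items():
        print("offer" if ok else "withhold", page)
```

Matching on the full host rather than on a substring is the whole point: a phishing page can put the real hostname anywhere in its URL, but it cannot make its registered origin equal to the entry's.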
A lot of time you can attribute compromises to ignorance rather than malice.
So an app that is stupidly logging the clipboard and doing dumb things with that data, rather than being a malicious app.
Not much can help you if an app on your machine is in a position of power.