I’ve always hated the idea of using a subscription/cloud hosting for password management. I feel like I should have a LOT more control over that stuff and I don’t really want to hand all my keys over to a company.
All my secrets have been going in a highly encrypted archive with a long passphrase, but obviously that isn’t convenient on all devices. It’s been fine, I can open it on any computer but it’s not super quick. It does have the advantage of being able to put in multiple files, notes, private keys but it’s not ideal.
Anyway, finally found something that isn’t subscription, and has a similar philosophy - a highly encrypted archive file, and it’s open source and has heaps of clients including web browser plugins so it’s usable anywhere, and you can sync the vault with any file sync you like.
Thought you guys might appreciate the find, password managers have always been a bit of a catch 22 for me.
Note for android i found keepassxc the best app, and i’m using KeePassHelper browser plugin, and the KeePassXc desktop app as well as the free official one. Apps all seem to be cross platform.
You must log in or register to comment.
I personally prefer bitwarden, using a self-hosted vaultwarden. It’s free, it syncs, it’s easy to use.
I recently made the switch to Vaultwarden when I read a series of articles making predictions about passkeys and how they are lining up to replace passwords. Bitwarden apparently is ready to implement whatever standard becomes most popular and I had FOMO of being left behind if I stuck with keepass only. Previously I was using various keepass compatible apps and then syncing the KDBX database with my Nextcloud. (Vaultwarden is the selfhosted fork of Bitwarden)
Vaultwarden isnt a fork because bitwarden isn’t selfhostable. Bitwarden has an official selfhosted version. Vaultwarden is a lightweight rust version of the backend. As the selfhosted version by bitwarden is quite fat. Vaultwarden uses the official webapp of the webvault in their fork.
Yup, I have been using KeePassXC locally since (one of) the first big LastPass breaches. I thought “password manager company… they know encryption” and then kept some of the most important things stored in my vault including notes of Bitcoin seedphrases etc. Thought "even if they get hacked, they wouldn’t let anyone exfil the huge amount of data from the USER VAULT SERVER… thought “my passphrase is like 25-30 chars long, nobody will crack that”…
5 years after my last login and I find out the breach happened, user vaults were exfil’d, the encryption was absolute shit, and the notes weren’t even encrypted.
I don’t trust cloud companies to keep promises or know what they’re doing today. and anything self-hosted isnt Internet accessable unless it’s on dedicated hardware subnetted off and wouldn’t matter if it got hacked.
In theory at least, online services would be more safe than a locally decrypted vault. If your computer is compromised, the bad actors can pull your encrypted vault for an unlimited brute force attack. Of course, this can be mitigated by increasing the decryption time. However, if your vault is already decrypted, then bad actors can just pull all your password from your memory.
I, for one, am decrypting my vault once when I start my PC. In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.
In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.
It’s the same issue once you login to your vault via browser extension. They have to download your vault locally on login to decrypt it when you enter your password anyway*. Even if they don’t store your vault password in memory, they either store the entire vault (unlikely for size reasons) or a more temporary key to access the vault. Local compromise is full compromise already.
*If they don’t, then they either made a giant technological leap, or they’re storing your passwords on a simple database on their servers and that’s not what you want from a password manager.
I cannot stop reading it as keep ass
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters NAS Network-Attached Storage SSH Secure Shell for remote terminal access VPN Virtual Private Network
[Thread #215 for this sub, first seen 13th Oct 2023, 19:05] [FAQ] [Full list] [Contact] [Source code]
What’s amusing is I am purposely not paying for bitwarden because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you. I would like to do vaultwarden but don’t think I can trust self hosting myself without paying monthly for a vps which I don’t want to do. Home Internet hosting seems to unreliable to me for something that important.
Just random thoughts of mine here.
The bitwarden clients also work when there’s no connection to the server, since they sync the vault. You just can’t add any new entries. That means spotty internet is not that much of an issue in terms of using it. It also means, that every device that has a client installed and gets used regularly (to give the client a chance of syncing) is automatically a backup device.
because of the check against darkweb leaks or whatever type feature when you pay. That’s seems like an anti privacy thing. I understand it’s a good idea albeit seems to expose a lot of information about you
For the password leak checks, your passwords are never transmitted. They are one-way hashed locally, and then only the first few characters of the hash are checked against the API provided at https://haveibeenpwned.com which is run and designed by Troy Hunt, one of the most respected people in the cybersecurity industry. He collects major password breaches and makes them available to check against without actually exposing the data. It’s perfectly safe and secure.
I use KeePassXC on my laptop, KeePassDX on my phone and sync them with Syncthing.
This ia pretty sweet
Not bothered about the potential for keyloggers or even OS-level snooping on what is presumably your privacy-free Android device? Personally I would never type the master password into anything other than a computer running a FOSS stack that I control, but perhaps that is excessive caution.
Well, there is a limit to my paranoid. It’s really hard to find a sweet spot between security and practicality.
I found mine with this settings I said
Maybe a silly question, but since I am considering making the jump to a password manager too, I am curious:
If I have a selfhosted server at home that is not connected to the public internet, can I still ise Keepass? Does it have to constantly sync with the server or is it enough that when I get home my passwords are syncing? Could that be a problem?
You have your local replica of the database on your device and once you’re home or can connect to your home server (through VPN, for example) it will sync with the remote database. I used to have synthing running for this and it worked without issues.
