I have been using KeePass for years. Why should I go to KeePassX or KeePassXC?
Their FAQ isn't too convincing!
> KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.
> KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.
> On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.
This is extremely funny because they actually replaced the native UI with their own terrible theme. So actually, they deliberately sabotaged their own argument for using KeePassXC!
Granted, you can switch to the "classic UI", at least until they get rid of that. But there are a number of issues, including that the accent colors don't match, and there are a ton of complaint issues on their Github page:
Yeah their constant revisions to the UI lately has made me start reaching for Bitwarden more and more. There was once a time I could run it on Windows, Linux, Mac, at home or at work, and it all looked the same. Now I'm always guessing where things moved to or how to copy additional attributes...
FWIW, KeePassXC's auto-type can help keep your clipboard free of passwords; its built-in ssh-agent can keep your unencrypted keys off disk; it has the ability to read 1Password .opvault (that is perhaps becoming less important now that their 1Password for Linux is coming out, but it still has no support for _local_ vaults and I'm not holding my breath they'll fix that) ... and that's the best list I can come up with not having actively used either of the other clients
Built-in SSH agent - to store your ssh keys and make them available to your ssh clients. KeePass supported it too, but awkwardly through an extension which needed to be separately installed.
why use self-hosted when it can just run on MY computer? From over 10 years in development and lived all over the world, it taught me to NOT trust the internet. Keep password and really files local whenever possible. Put not so important files on hosting! USB drive are big now.
Not all password management is for one person only. Sometimes you want something that can serve a whole team with some sort of granular level of who is allowed to see what. And from what I understood bitwarden is way better for that use case than keepass.
I use keepass myself, because for my use case it is the appropriate thing to use. At least I think it is.
I'm not sure what the benefit of locally hosted solutions like KeePassXC is over BitWarden. You can't beat BitWarden's ease of use and you don't have to manage storage / backups yourself. Bitwarden is open source, has passed multiple independent audits and has easily verified 0 knowledge / e2e crypto (they can't see your data on their servers). What more could you want?
>You can't beat BitWarden's ease of use and you don't have to manage storage / backups yourself.
You're managing your "self-hosted solution" and only a tiny share of people runs one anyway. Syncing a file along with other data/backups is a sufficient compromise between security and convenience for many people.
I'll give you two reasons I use it over Bitwarden.
Bitwarden autotype is very sketchy on my (admittedly older) Android phone. For some apps it straight up doesn't show up, on others the prompt disappears when I need it. The alternative is to use the system clipboard which is absolutely terrible and no one should ever do it, especially on smartphones. The special keyboard option that KeepassDX and Keepass2Android provide are significantly better without being too inconvenient in my opinion. Whether or not the autotype issue is fixed on newer Android versions is irrelevant, I shouldn't have to switch out a perfectly working phone just for a workflow I can live without.
Also Keepass has been a standard for so long that I just trust it more. If tomorrow Bitwarden were to disappear off the face of the planet (I'm aware it doesn't work that way), I'd have to export my passwords and look for another solution. This is probably mitigated by self-hosting but I have neither the infrastructure nor the inclination to do so. I can theoretically at least continue to use my kdbx file on any platform without issue, sticking to a particular version of a client that I like or switching it out for another if I'm so inclined. No hijinks involved.
I will concede that the sync is not as convenient but I use Syncthing and Snapdrop for a bunch of other stuff already so I don't mind, not to mention the fact that I feel better about my vault never being exposed to the internet in any form.
I have some contracts with large corps and US govt (non-military) that forbid my use of any password manager with cloud hosting.
The language is somewhat ambiguous and obviously written before things like LastPass/Dashlane/etc. even existed, but I tend not to editorialize when it comes to security reqs.
Maybe BitWarden would work for my purposes, but I have no complaints about KeePass, so I don't know why I'd switch.
On a quick scan, the "BITWARDEN LICENSE AGREEMENT" mentions
"Commercial Module License". So some sort of Opencore and, TBH, I'm too lazy to check out further the implications.
On the other hand bitwarden_rs is GPL-v3. Like it or not, at the very, it is very clear where it stands.
Interestingly, KeePassXC has multiple licences and take the time to neatly list what is under which.
I'd rather not run .NET (or especially MSSQL) if I can avoid it. I get enough of that shitshow at work...
Besides, Syncthing (with history enabled) gives me backups "for free" as part of the regular sync, whereas I'd still have to set that up myself when hosting Bitwarden.
On MacOS I've been using MacPass (https://macpassapp.org/) for years, which uses the same file format (so can use KeePass with the same DB on other platforms) but is more Mac OS-y.
I am on 10.13.6 and use KeePassXC just fine, although I do build it from source, so that probably explains our different experiences. I just wanted to chime in that the accurate statement seems to be that the prebuilt dmg from them fails to run on < 10.15.
* create groups of any unicode characters by myself and specifically black or whitelist them for the pw generation,
* manage all keyboard shortcuts, both the local and global ones,
* auto-type with a global shortcut any chosen entry individually—but username, password, and otp in particular—so that I don't have to fix the seq and delays every time the website changes or I'm somewhere with slower internet.
The process would be:
either press a global shortcut to find an entry or pre-select it in the app, then use other global shortcuts to auto-type the attributes individually
* copy the password from the editing menu without revealing it,
What's your use case for such long passwords? 55 lower case ASCII characters (a-z) have over 258 bits of entropy.
As an example, that's more than the key length of AES-256. If my limited understanding is correct that would mean it gives no additional brute-force resistance to use a password longer than 55 lower case characters for anything AES-256 encrypted (and thus also for anything weaker than AES-256). Similar logic should apply if the password gets hashed to 256 bits or less (e.g. SHA-256 or bcrypt with 192bits).
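To make the arithmetic behind the comment above reproducible, here is a small added example (not code from the thread or from any of the password managers discussed) that computes the entropy of a uniformly random password for a given alphabet size and length, the shortest length that reaches a target such as the 256-bit AES key length, and the effective brute-force strength once the password is reduced to a key or hash of fixed size. The alphabet sizes and the 256-bit target are the only inputs; everything else is computed.

```python
import math

# Alphabet sizes used for the comparison (constructed for this example).
CHARSETS = {
    "lowercase a-z": 26,
    "alphanumeric a-zA-Z0-9": 62,
    "printable ASCII": 95,
}
AES256_KEY_BITS = 256


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of `length` symbols drawn uniformly from `charset_size` symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)


def min_length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest length whose entropy is at least `target_bits`."""
    if charset_size < 2 or target_bits <= 0:
        raise ValueError("need an alphabet of at least 2 symbols and a positive target")
    return math.ceil(target_bits / math.log2(charset_size))


def effective_bits(password_bits: float, key_bits: int) -> float:
    """Brute-force strength once the password is turned into a `key_bits`-bit key or hash.

    An attacker can always guess the derived key directly, so extra password
    entropy beyond the key size buys no additional brute-force resistance.
    """
    return min(password_bits, key_bits)


def comparison_table(target_bits: int = AES256_KEY_BITS) -> dict[str, int]:
    """Map each alphabet name to the minimum length reaching `target_bits`."""
    return {name: min_length_for_bits(size, target_bits) for name, size in CHARSETS.items()}


if __name__ == "__main__":
    print(f"55 lowercase chars: {entropy_bits(26, 55):.1f} bits")
    for name, length in comparison_table().items():
        print(f"{name}: {length} chars reach {AES256_KEY_BITS} bits")
    # A 128-char lowercase password is capped by the 256-bit key it derives.
    print(f"effective: {effective_bits(entropy_bits(26, 128), AES256_KEY_BITS):.0f} bits")
```

The table shows how much the alphabet matters: the same 256-bit target needs 55 lowercase characters but only 39 printable-ASCII characters. The `effective_bits` cap applies to the derived key only; it says nothing about the slow KDF in front of it, which is what makes the password cheaper or more expensive to guess per attempt.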
Does that matter? Some passwords are a long-term security solution so who knows what kind of flaws, advances, or use cases you may have to deal with. The limits should be whatever the software and hardware permits.
Besides, a local password generator can be a convenient way to generate random strings for other uses as well.
Apple has keychain linked to an icloud account but it's subpar of a password manager at best. Most mac people who I know that are techy just use lastpass.
https://github.com/keepassxreboot/keepassxc/issues/5280
https://github.com/keepassxreboot/keepassxc/issues/5092
https://github.com/keepassxreboot/keepassxc/issues/5301
- Safer web browser integration (uses WebExtension Native Messaging, rather than a localhost service)
- Built-in YubiKey integration
- "Health check" dashboard that shows you problematic passwords (expired, weak, reused, Have I Been Pwned integration)
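The Have I Been Pwned check in that last bullet is worth seeing concretely, because the interesting property is that the full password hash never leaves the machine. Below is an added example (mine, not KeePassXC's code) of the k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the returned suffix list locally. The network fetch is abstracted behind a callable so the example runs offline against a constructed response body.

```python
import hashlib
from collections.abc import Callable

# Constructed stand-in for the body the range endpoint would return for
# prefix "5BAA6" (the prefix of SHA-1("password")). Real responses list many
# more suffixes; the counts here are made up for the example.
SAMPLE_RANGE_BODY = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0123456789ABCDEF0123456789ABCDEF012:7
"""


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 if not seen).

    `fetch_range` receives only the 5-character prefix, so the caller can
    verify that nothing else about the password is transmitted.
    """
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Fake fetcher: serves the constructed body for one prefix, empty otherwise."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, offline_fetch))
```

A real client would point `fetch_range` at `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS; the parsing and comparison logic stays exactly as above. Because the response covers every hash sharing the prefix, the service learns only that one of roughly a few hundred candidates was checked, not which one.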
And OnlyKey support too!
Keepass is the best but the others are still fine as well.
One thing a colleague mentioned about bitwarden that might be good is that you can basically "share" parts of your password store with external users.
That could be great if you are the IT guy that convinced people to use a password manager but sometimes still needs access to passwords.
For my use case that never was important, which is why I am sticking with keepass, which is pretty great.
https://github.com/keepassxreboot/keepassxc/issues/5584
* set generated pw length beyond 128 back
* show the attributes in place of the notes
I think if you use a MacBook you can use a "universal clipboard" of some kind [1] but I use a linux thinkpad.
[1]: https://support.apple.com/en-us/HT209460
[1]: https://apps.apple.com/us/app/strongbox-keepass-pwsafe/id897...
Apple only cares about your security if you're gonna continue being a paying customer.