If you were curious, like I was, about why this fork was necessary, I found this on their About page:
KeePassXC is a community fork of KeePassX which aims to incorporate stalled pull requests, features, and bug fixes that have never made it into the main KeePassX repository.
Judging from TFA it's due to KeePassX having one maintainer, so the pull requests all bottleneck with him. Also mentioned is that one desirable outcome of this is that KeePassXC developers are given co-maintainer status of KeePassX and that they re-merge down the line.
I use KeepassX on my desktop PC and have been looking for an iOS app that can open the database. I found one but it occurred to me that I have no idea who wrote it or whether they can be trusted with my passwords. And iOS offers no way to prevent an app using the internet, so I couldn't be sure it wasn't leaking my passwords back to HQ - unlike on the (Linux) desktop where I can run it in an environment that I control (relatively speaking - no need to point out that I haven't personally audited the kernel).
Am I being overly paranoid? How should I be approaching the issue of trusting the developers of password managers?
> Am I being overly paranoid? How should I be approaching the issue of trusting the developers of password managers?
Hmm. Maybe? The trouble is at some point you have to trust someone and there isn't a good way to measure this. Even if the source of the iOS app was open (I don't know if it is, just a hypothetical) there is no guarantee that the source you looked at is the same that was used to compile the binary itself.
I use one for iOS. I sure hope it's trustworthy. But if it isn't...well I don't really know where to turn to. LastPass? I tried them before but was amazing at how awful the UX was and I was too paranoid that someone would eventually find a flaw, get in and expose everyone's passwords ever because it's a cloud service...I am likely too paranoid.
I've been complaining about the LastPass UX for years. Just in the past month I've noticed them start to quietly roll out improvements - one feature at a time. Gives me hope that in a few months the situation will be completely different. As for the trust thing, yeah... I don't even trust myself.
I can attest to MiniKeePass's quality. I've been using it for years now.
I upload my keepass and key file to Dropbox (I know, I know) and then export them to MiniKeePass from the Dropbox app. MiniKeepass auto-associates the key file with the kdbx if it has the same filename as the kdbx, but with a .key extension. I can even edit the DB with Minikeepass and upload it back to Dropbox. It's not as sexy as an Android setup, but it works quite well for me.
This is my exact setup too. Perfectly happy with it. I do wish the iOS app could load my db file each time I start it but I also understand the reasons it can't so I'm ok with it.
On a related note. On Android "android.permission.INTERNET" is a normal permission and is automatically granted without prompting the user. However, it's explicitly included in an APK's manifest (use-permission) and Google's tools inject this automatically on your behalf.
Does anyone know what happens if you remove the permission from an APK's manifest with apktool etc?
For peace of mind it'd be nice to disable Internet access for certain apps.
EDIT: I know there are solutions when rooted, and also virtual VPN solutions when not rooted. However, in the latter case you have to trust the VPN with all your traffic.
But surely the danger feared by most people on computers is not people in their office peeking at their notebook to memorize a password or two? Surely the average person worried about their passwords has in mind the Bulgarian mafia getting all their passwords and ruining their life for some time to come?
In that context, it seems to me, a paper solution is not totally daft.
The rule of thumb that I apply is to use a very strong, very hard to remember vault password, and to write that down and store it with your taxes or something.
The reasoning being that the thief breaking into your home doesn't care about a random sequence of characters, and how it might allow him to steal your online identity if he boots your computer and finds your vault file.
He cares about the resell value of your camera, iPhone and maybe Macbook.
This is the problem my startup is going to solve! It's going to be a service connecting muggers and burglars who steal your physical stuff with criminals who want your passwords! I'm going to call it Robbr!
I used a natty paper notebook for years and in fact I borrowed this method from my mother who seems to feel guilty that she writes this stuff down but I try and reassure her that its ok. In fact I've recently moved away from the notebook for myself because I felt that if somebody breaks into my residence and takes that notebook (not all thieves are ignorant of how valuable a password book is, especially when this contains banking passwords) then all is lost. I'm using the KeePass/dropbox combo with a long passphrase these days though as I've decided that its more secure than the notebook and I can put more explicit information in there (and files), though it is somewhat nerdy so I still recommend the paper notebook for people like my mother.
I am considering that I should store the keepass database somewhere else as a backup but not sure exactly where (at least the file server at my work) and also that I should tell the passphrase to somebody (perhaps an old university friend I don't see often; he does not live nearby or work with me) in case of my untimely demise
You're not overly paranoid. I compiled the open-source MiniKeePass iOS client myself. I don't install from the App Store because I can't know what's in those binary bits.
I'm not sure if it will work, but you can give [1] a try. It's as open source as it gets, works in the browser and you can deploy it yourself on your own server.
I would love to audit it but I lack both the time and knowledge. How would I verify that what I've audited is the source for the actual binary that the App Store delivers to my phone?
You can compile and deploy the app yourself onto your devices with a free developer account. If the one-inch wall around the garden is too high, then maybe the garden isn't a place for you.
A free developer account and a Mac, since only a Mac will run the compiler and the code signer. Inch and a half, maybe, especially as I gather OS X virtualization is much improved since they started giving the OS away free.
From the text it looks like one of the selling points is integration with apps like browsers so you don't have to copy/paste passwords, as with KeePassX.
Personally, to me that sort of integration has always seemed like a bad idea. I'm glad that my password database can't talk to my browser programmatically. One less thing to go wrong.
If assuming competent development is bad, as you claim, why would it be a better idea to use a closed source password manager like LastPass instead of an open source fork of KeepassX? If this program can accomplish everything that LastPass can accomplish, while also being open source, surely that's more trustworthy than a closed source implementation that you could not audit.
I'm not interested in the closed- or open- source aspects of the issue. I'm interested in allowing other browser extensions to access my passwords. The issue is whether or not passwords should be stored in a browser extension, not about access to the source code.
If you have a keylogger on your system, you're screwed.
Anyway, it doesn't necessarily protect from keyloggers for a couple of reasons:
1 - The password to the password database will be recorded by the keylogger. The password database can then be copied by the intruder and then opened using the logged password.
2 - Any password you type in to the password management app can be logged by the keylogger, so browser integration does not help.
1. KeePass has an option to allow entering the master password on a [secure desktop][1].
2. You usually don't type passwords into the password management app, you generate them.
But yes, generally it's best if you don't get your computer infected with malware in the first place. Obviously if your computer is compromised there'll always be some way for sufficiently advanced malware to steal your password database.
1. That doesn't matter if the computer has a physical keylogger installed (for example, between the keyboard and the port the keyboard plugs in to, or inside the keyboard itself, etc).
2. Generating passwords would help protect them from keyloggers and is a reason to do so. But as far as I know no password manager prevents people from typing in passwords, and I'm sure a lot of people do for a variety of reasons (from importing old passwords or passwords generated on another device to creating memorable passwords or because the password generation mechanism of the password manager is inadequate in some way, etc).
I love browser integration but am not willing to go to lastpass, therefore have to stay with the ugly, but well functioning .NET keepass2 client on desktop and with the nice keepass2android.
> From the text it looks like one of the selling points is integration with apps like browsers so you don't have to copy/paste passwords, as with KeePassX.
Can you provide source please? thank you.
This [1] says the opposite: (quoting from the github issue):
"I removed the milestone for now since we are not sure if we actually want our users to expose their passwords over a network protocol with questionable security record. The security of both KeePassHTTP and KeePassRPC is doubtable and in their current state we would prefer not to have them as part of the main KeePassXC product.
This doesn't mean KeePassXC will never support it, it only means that at the moment we don't have immediate plans and an implementation needs further discussion."
Mono's WinForms shim is... less than stellar, sadly.
Occasionally, text goes some unreadable colour. And it crashes when I click while holding down Super. And it only follows the GTK colour scheme sometimes; enabling night mode ended up with a beautiful mix of black-on-black-with-white-stripes.
Oh, and widgets like buttons look like a poor man's copy of Windows 95.
Though, to be fair, I now seem to be unable to trigger the above bugs in the latest build, so I guess it's no longer quite as much of an issue.
>Occasionally, text goes some unreadable colour. And it crashes when I click while holding down Super. And it only follows the GTK colour scheme sometimes; enabling night mode ended up with a beautiful mix of black-on-black-with-white-stripes.
Yes, all of the above. Plus having several hundreds of mono libs installed for just one app. That app runs 100% of time, but still...
Yes, i just found it, thanks!
Unfortunately, on the Firefox side, I can only use the PassIFox extension, which has been too bare-bones to fit my needs. KeeFox has been excellent, especially if you have multiple accounts associated with a single domain or even subdomains. What I use a lot is opening up a website with particular credentials (search in KeeFox with Ctrl-1) or generating passwords (Ctrl-4) (good if you are the one making logins for other people).
Yea, lastpass got burned by it with their chrome extension. After that, I switched from a web password manager to desktop password manager. Less attack surface area.
You don't have to use it. Also, a recently landed change allows you to exclude that feature entirely from the compiled binary if you want to build it yourself.
Personally the best feature I'm using KeePassXC for is the auto-reload feature. I sync my kdbx file with Tresorit across a couple of computers, and the auto-reload feature ensures that I'm always modifying the latest version.
This is something lacking in the original KeePassX.
This isn't a great idea for a few reasons, but if you're looking for something like this, it's possible to do it with a few lines of bash - Shitty Password Manager (https://github.com/nindalf/shitty-password-manager)
It is manipulating the clipboard and inserting keystrokes (to switch between text fields in the login box). Unfortunately any running X app can do that. I would like more isolation too. QubesOS is the only thing I know of that does it.
I may be wrong, but it wasn't there several hours ago (also at the same time I couldn't find a repo link on the About page either). Currently I still find it not visible enough.
I haven't tried it yet, but maybe this will address some of my pet peeves. My primary peeve is that, in keepassx, there is no fantastic way to handle password changes. I can generate a new password, but the only way to get it into a webpage without overriding the old password in the database is to show it on the screen and then copy the visible text.
(My second peeve is that the "type the password" feature types the username and password, making it useless for the more annoying disabled-paste password prompts.)
Every entry should have a complete history of all passwords. I'm not sure why you'd be worried about the new password overwriting the old one. It's not gone forever.
You can also customize the auto-type on a per site basis. Only the default types U + P. It can be anything you want it to be.
Select the old entry and click the "Show" button at the bottom, it takes you to the entry tab but with the old data in place so you can copy the old password.
You can also press Ctrl-C to copy the password of any entry. And I believe "type the password" can be configured, since my keepassx doesn't do what you describe; it only types out the password.
While we're at it, is there any open source self-hosted alternative to LastPass etc.?
At this point we'd even go so far as just using a good Keepass client that comes with a comfortable "send encrypted password blob to xy email, then call him and tell him this decryption password" function.
As KeePass uses a single (encrypted) file, you can use any hosting service that you want. Just make sure you save the new version back into your storage when you edit entries. You can use Owncloud, Google Drive, OneDrive, ...
because now you have to think about the attack surface of the browser; CSRF, auditing your chrome extensions to try to make sure none of them are exfiltrating your tab contents / metadata, etc etc etc
Ahh shit, and i was just beginning to think that a site i found a while back (can't remember the name) which used a hash function to generate your passwords
Don't forget that with KeePass you can also use as many files as you want. I know that I've been slowly moving from a single password file to a small constellation of context-specific password files. It's an interesting tool in the toolbox and you can even use that to help do things like manage the sync characteristics per KeePass file (this file should never leave this device, this file is synced by Resilio Sync, I'm alright with this other file hanging out in my OneDrive for easy access on devices I only partially trust, etc).
I just recently started using it myself, and I completely agree it works well for my use-case.
I did find one major annoyance; the forced-use of colours for the "Directory" names. I did some digging and found out that within the program it calls the external program 'tree' for the display.
I edited the file (/usr/local/bin/pass) from:
tree -C -l
to
tree -n -l
It was much easier than I expected, and I was pleased I didn't need to use a hex editor.
I should have specified better. The main reason why LastPass is interesting at all, is Team Support + a good web UI. We need to be able to send passwords to team-members so we have one source of truth for our logins.
bitwarden was mentioned in a previous thread as a free and open source alternative to lastpass. It works on mobile and the desktop. Maybe it's worth to take a look - https://bitwarden.com/
Not that I'm aware of. There's a bunch of commercial ones, including ours, but development costs make it hard to just open source it if we don't have assurance that people will actually buy whatever value-added services around we can come up with.
That's the usual chicken and egg problem. Thing is, I don't trust LastPass or any other commercial solution at all, because there is no public auditing possible. And LastPass has had breaches, so there is precedent.
But I really get where you are coming from, as we are also a SaaS Shop that has to walk that particular line.
You could create a new KeePass file to send in the email and copy the only password entry you need into the new file, then send the file and, out-of-band, the password to that file.
You could probably even script a KeePass plugin to automate several of those steps.
I tried to stick with KeePass.x for the longest time, but keeping the keepass databases in sync across multiple platforms/devices, while possible, was very much a pain and quite a clunky/messy process which always required me to remember to do something after updating the database anywhere. I eventually gave up and migrated to Lastpass which "Just Works™" on all my devices.
Keep it in Dropbox, then it's on all your devices.
I keep my KeePass database in my Dropbox, behind 2FA, with the main Dropbox password being a random string stored within the KeePass database. I have KeePass itself stored on my Dropbox as well, so I don't even need to install it to other Windows PCs, simply run the program. And the KeePass2Android app works quite well with this configuration.
I do the same and find it easy to use. I also store a key file in a different cloud service so that both would need to be compromised along with the password to access the database.
I do the same, but it is a hassle. I constantly get warnings in KeePass that the database file has changed and have to click 'Yes' so it merges the changes. It's always worked so far, but I guess if I click the wrong button I will lose an entry.
Sometimes I get conflict files in the Dropbox folder. Not often, but a few times over the last year.
On iOS I have to open Dropbox and re-export the database file to see new entries. If I ever want to add or change an entry on mobile I have to manually export the file back into Dropbox. If the database in the app wasn't up-to-date, that will lose any entries added on desktop.
The KeeFox extension for Firefox works but is unreliable, especially on Linux.
I transfer the database, keyfile, and exe files to the new target, then login. Or I might just hand-type the random-string, viewed from my phone, because I am a hardcore operations administrator. In the event of a catastrophic loss of access, I retain backup codes physically recorded in a safe location. And the keyfile, database, & exe are currently in 3 separate devices of mine.
All 3 PCs are in one location, as I only have one living location and rent no colo or VMs. But I'm not worried about having some sort of Dropbox access issue at the same time as a physical incident at my residence, as the probability is (I think) still lower than my very low risk avoidance.
Also not the GP, I do the same thing. In my case I need access to one of my devices with Dropbox configured (my laptop or my phone are most likely, my server syncs too)
Dropbox stores the files locally (on the phone, the kdbx file is marked to be cached and updated offline and I use dropsync)
If someone deletes my kdbx file from my Dropbox account, and I don't realize this in time (before all my devices sync _and_ my backups run out, so very small chance given the nature of the file) I'm in a lot of trouble...
Not the GP, but the password manager's database is likely set up as a Dropbox app. So when you log in to your password manager, it retrieves the latest copy of the database. I do this with KeeWeb (a cross-platform PW manager compatible with the KeePass database, although KeePass is better on Windows because of autotype).
I think KeepassXC includes the "auto-reload" patch, which causes the database to be automatically reloaded whenever the file changes; if you also enable auto-save this allows for fully automatic synchronization if you to store your encrypted database file in Dropbox or similar.
Holy shit, this has actually been such a problem for me in the past. To the point where I actually had "read-only" copies of the db to avoid any corruption or password loss.
I also like how LastPass can be administered by company / team admins, has 2FA, allows you to share passwords (or groups of passwords) with people (or teams of people), has some built in tools to help automate password updates, and can give you a quick at a glance audit of which passwords are old / insecure / are used more than once / are used for services that have been reported hacked and should be changed.
But... HackerNews hates LastPass for some reason... still haven't quite figured out why. (= It's a great service.
To say something cliche... aren't you letting perfect be the enemy of good? =P
Most teams (you'll agree?) have horrible aggregate password management. With every person storing passwords their own way... and only a few people actually having good passwords... isn't security at the organization level really crappy? Here's a real world example... you can have all the security you want on your servers... but if someone in legal still has access to the "Passowrd123" for the AWS account... isn't the team at a disadvantage? Another cliche warning: I need to care about forests, not trees.
At least with LastPass (or whatever other system you can think of that's similar) you can set up "pretty good" team-based policies... share passwords with people who need access (and often not even expose the actual password, just access to it, so you don't have to change everything in the event of turnover)... set up dead man switches on key accounts (for the hit-by-a-bus scenario we all talk about)...
I know that LastPass has made my life significantly easier since adding it to a number of companies I consult for. I don't know of any security issues first-hand, and I've been using their service for 7 years (personally, and 5 years with teams). I like all the self-hosted options I keep reading about -- glad people are taking security more seriously... but at the end of the day if it's not a comprehensive team-based solution, it's just not something I want to put any stock in. If I can't administer it across a team, if it's just another "personal use only" type option... I don't find any value to it in the workplace.
One difference is that Dropbox isn't the only option: there's Google Drive, Amazon Drive, OneDrive, Box, OwnCloud, Syncthing, Resilio Sync, SFTP, and many other "plain dumb file sync" tools to choose from. That certainly increases the security footprint some. You might know I synchronize a KeePass file with a cloud provider, but you might not know which cloud provider, and while the chances of any one particular cloud provider being hacked are somewhat large it seems, the chances of all of them being hacked enough at the same time that you find the KeePass file needle in my particular cloud footprint haystack is hopefully pretty rare. It's also something that if you get wind of an attempt in progress you can mitigate/defend by switching sync services or removing it from sync altogether until the attempt ends...
Because it's "dumb file sync" with a number of options, there are also some really interesting options with interesting security footprint trade-offs of their own. Resilio Sync, for instance, originally known as "BitTorrent Sync", supports peer-to-peer sync and more interestingly supports "encrypted peers" where you can have a cloud provider participate that "knows nothing" about what is inside the synced folder but can still share/sync it with your devices that do.
Similarly, if someone develops something crazy like a killer secure and somehow user friendly IPFS sync option tomorrow, you could switch immediately.
Not that similar. The reward-to-effort ratio for attacking LastPass is much better; you'll gain access to the passwords of so many users. With Dropbox, it's less likely that you'll find something valuable and therefore less worthwhile to try. Most users would store their vacation photos, perhaps income tax info, which might be useful but not as instantly exploitable as passwords.
Plus the password database is likely encrypted with a decently long master password and encrypted with AES (assuming this if the user has gone to the trouble of using a PW manager with Dropbox sync, hopefully with Dropbox 2FA also). That should be enough to keep out virtually all hackers, barring perhaps a nation state. For an extra level of security, you can (with KeePass at least) require a master password and key file (perhaps stored offline on a USB key), which will likely keep out virtually anyone.
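The "master password plus key file" combination mentioned above, as an added example that is not KeePass's own code: it models, to the best of my understanding, how KeePass 2.x turns the two factors into one 32-byte composite key (SHA-256 of the password hash concatenated with the key derived from the key file), including the key-file formats it accepts (raw 32 bytes, 64 hex characters, the v1.0 XML key file, or any other file hashed with SHA-256). The per-database key transformation that follows (AES-KDF or Argon2 rounds) is deliberately left out, and all sample inputs are constructed here.

```python
from __future__ import annotations

import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def key_file_key(data: bytes) -> bytes:
    """Derive the 32-byte key KeePass 2.x takes from a key file's contents.

    Assumed format rules (as I understand KeePass 2.x, not copied from it):
      - exactly 32 bytes            -> used as-is
      - exactly 64 hex characters   -> hex-decoded
      - XML <KeyFile><Key><Data>    -> base64-decoded (v1.0 XML key file)
      - anything else               -> SHA-256 of the whole file
    """
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    try:
        root = ET.fromstring(data)
        node = root.find("./Key/Data")
        if root.tag == "KeyFile" and node is not None and node.text:
            return base64.b64decode(node.text.strip())
    except ET.ParseError:
        pass  # not XML: fall through to hashing the raw contents
    return hashlib.sha256(data).digest()


def composite_key(password: str | None, key_file: bytes | None) -> bytes:
    """Combine the enabled factors into one raw composite key.

    Each factor contributes 32 bytes (SHA-256 of the UTF-8 password, or the
    key-file key); the concatenation is hashed once more. Because the hash
    covers both factors, neither one alone reproduces the key, which is the
    point of adding a key file kept away from the synced database.
    """
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_key(key_file)
    if not material:
        raise ValueError("at least one of password or key file is required")
    return hashlib.sha256(material).digest()


# Constructed sample key files (not real keys): a 64-hex-char file and an XML one.
HEX_KEY_FILE = (b"00112233445566778899aabbccddeeff" * 2)  # 64 hex chars = 32 bytes
XML_KEY_FILE = (
    b"<?xml version='1.0' encoding='utf-8'?>"
    b"<KeyFile><Meta><Version>1.00</Version></Meta>"
    b"<Key><Data>" + base64.b64encode(b"\x01" * 32) + b"</Data></Key></KeyFile>"
)


def demo() -> dict[str, bytes]:
    """Show that password-only, key-file-only and combined keys all differ."""
    return {
        "password_only": composite_key("correct horse battery staple", None),
        "keyfile_only": composite_key(None, HEX_KEY_FILE),
        "both": composite_key("correct horse battery staple", HEX_KEY_FILE),
        "both_other_keyfile": composite_key("correct horse battery staple", XML_KEY_FILE),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:20s} {key.hex()}")
```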
Not really. If Dropbox is compromised and they get your .kdbx file they've still got to be able to break that (unless you use the same password for Dropbox and your kdbx file... which is not a good idea).
You don't have to keep all of your credentials in LastPass. For example, I don't store any email credentials or important accounts such as Google or Microsoft. Everything else (like HN) is negligible if LastPass gets owned.
Depending on the use case. If you're working in a company and need to share something with a co-worker (like credentials for some web service), team-based solutions are the safest solution.
I use Syncthing on a central server that automatically pushes changes that I make to KeePass to every other device that is connected to the server. It's been amazingly useful.
Honestly, as a programmer/ops knowing git and always having a terminal somewhere around, I see no reason to use something else than https://git.zx2c4.com/password-store
It uses a git repo as storage, gpg encrypts passwords, provides perfect completion and there is an android app. Everything is dead simple and open source.
Don't you find it annoying having to switch to a terminal to log in to a site in your browser? I personally love LastPass. It's free for my use case and there's plugins for popular browsers, mobile apps, and a CLI app if you really want it.
The community has even produced a cross-platform GUI client, an Android app, an iOS app, a Firefox plugin, Chrome plugin, a Windows client, a pretty Python QML app, a nice Go GUI app, an interactive console UI, Alfred integration (1) (2) (3), a dmenu script, OS X integration, git credential integration, and even an emacs package.
I wouldn't say it's a feature. I can use LastPass without installing any browser addons if I want. I just prefer the convenience. But I can understand why people might prefer stick with a terminal password manager.
`pass` stores the name of the entry in plain-text (as the filename of the encrypted file), so you have to either obfuscate the names of the entries or it leaks the name of the site that the entry is for.
I understand this is a valid concern for some, but I generate random long passwords and never reuse them, so I can live with unencrypted entry names (that contains site+login)
I previously used KeePassX, which was great due to the multiplatform support. However the project seemed stalled, and I've since switched to the excellent KeeWeb; it's Electron based and is in general more modern.
I'm very interested in trying it, just a little worried about its stability. I guess I'm slightly biased against Electron apps due to some bad experiences.
I'm just worried it will corrupt the database or something.
Not OP, but I've been using it for work passwords since spring 2016, and finally started using it personally in the last few months.
I had one UI-related saving issue, but the creator quickly responded to the PR and fixed it in a later version.
What are the benefits of using a "real" password manager, such as this one, compared to a plain encrypted file in vim? I thought that benefit was syncing across devices but it turns out the http feature of keepass wasn't implemented in all clients.
How well specified is the kdbx format? Is there a console client? Is the code readable? Keepass seems to have spawned an entire ecosystem of tools and clients, so I'm curious which of these tools are actually usable.
If you want to stay with a solution any moderately experienced developer can audit themselves without investing too much time, but would like to add a bit of user friendliness, have a look at pass¹.
It is nothing more than a script that calls the GnuPG binary and the tree command line utility for displaying a tree of files. It uses your GPG-keypair to encrypt text files. You can add as much info as you like, but by convention the first line of each file is assumed to be the password:
# Generate a 32-character random password.
pass generate sites/news.ycombinator.com 32
# Copy the password to the clipboard; this will ask you to unlock your GPG-key.
pass -c sites/news.ycombinator.com
# Find stuff.
pass find news
# Edit the file (e.g., add the username).
pass edit sites/news.ycombinator.com
All files are GPG-encrypted plain text files in a directory on disk. Easy to backup as well.
There is a rather sweet feature you can use to share some passwords with someone. You can add a list of GPG key IDs in a file called .gpg-id in any of the subdirectories of your password store, and share that subdirectory using a syncing tool such as SyncThing². My partner and I each have our own password store, but share a directory called 'together' via SyncThing. All passwords stored there are encrypted using both our GPG-keys by pass, whilst our private entries remain encrypted just for our own respective keys.
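The per-directory .gpg-id lookup described in this comment, as an added example that is not part of the post or of pass itself: it re-implements in Python the recipient resolution pass performs (walk up from the entry's directory to the store root and use the first .gpg-id found) together with the "first line is the password" entry convention, over a constructed store with placeholder key IDs so it runs without GPG.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def gpg_recipients(store: Path, entry: str) -> list[str]:
    """Return the GPG key IDs pass would encrypt `entry` to.

    Mirrors pass's lookup as I understand it: start in the entry's own
    directory and walk toward the store root; the nearest .gpg-id wins,
    one key ID per line, blank lines ignored.
    """
    store = store.resolve()
    current = (store / entry).parent.resolve()
    # Reject entries that escape the store (pass refuses '..' components too).
    if current != store and store not in current.parents:
        raise ValueError(f"{entry!r} lies outside the password store")
    while True:
        gpg_id = current / ".gpg-id"
        if gpg_id.is_file():
            return [ln.strip() for ln in gpg_id.read_text().splitlines() if ln.strip()]
        if current == store:
            raise RuntimeError("password store not initialised: no .gpg-id found")
        current = current.parent


def parse_entry(plaintext: str) -> tuple[str, dict[str, str]]:
    """Apply the pass convention: line 1 is the password, later 'key: value'
    lines are free-form extra fields (username, url, ...)."""
    lines = plaintext.splitlines()
    password = lines[0] if lines else ""
    fields: dict[str, str] = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return password, fields


def build_demo_store(root: Path) -> Path:
    """Constructed store: private entries under the owner's key only, a
    'together' subdirectory shared with a partner's key (placeholder IDs)."""
    store = root / "password-store"
    (store / "sites").mkdir(parents=True)
    (store / "together").mkdir()
    (store / ".gpg-id").write_text("ALICE_KEY_ID_PLACEHOLDER\n")
    (store / "together" / ".gpg-id").write_text(
        "ALICE_KEY_ID_PLACEHOLDER\nBOB_KEY_ID_PLACEHOLDER\n"
    )
    return store


def demo() -> dict[str, list[str]]:
    """Resolve recipients for a private entry and a shared one."""
    with tempfile.TemporaryDirectory() as tmp:
        store = build_demo_store(Path(tmp))
        return {
            "sites/news.ycombinator.com": gpg_recipients(store, "sites/news.ycombinator.com"),
            "together/streaming-service": gpg_recipients(store, "together/streaming-service"),
        }


if __name__ == "__main__":
    for name, recipients in demo().items():
        print(f"{name}: encrypted to {', '.join(recipients)}")
    print(parse_entry("s3cret-constructed\nusername: alice\nurl: https://example.test\n"))
```

Note that the entry names themselves stay visible on disk, as a later comment in this thread points out; only the file contents are encrypted to the listed recipients.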
> What are the benefits of using a "real" password manager, such as this one, compared to a plain encrypted file in vim?
• You get a proper password generator out of the box.
• Vim's encryption is awful: The current default method is documented to be feasibly brute-forceable on a Pentium 133 MHz, and the optional "strong" setting is Blowfish (with an undocumented key-derivation function which is presumably awful as well), which Schneier wanted to have phased out 10 years ago – and by now we're seeing an increasing amount of successful attacks. Do not use VimCrypt if you want your data safe. (If you happen to have GPG set up on all your devices anyway, it can be a decent alternative.)
• Never underestimate convenience when it comes to security. Anything that makes it harder for someone to use their password manager increases the risk of password reuse.
Can you share your encrypted vim file with others? (Honest question.) Keepass can also enable browser autocompletion. Kdbx is actually very much underspecified, but it's not terribly difficult to reverse engineer, apparently. The main problem (iirc) is that the most recent format version has extensions that very few clients understand.
It's popular because it's the least common denominator for "cross-platform portable encrypted key-value local storage". The sync support missing is actually a feature for most users. There are much better alternatives when you trust a third-party server.
I can't speak to security, but from a functional standpoint the tree and key-value structure of password managers allows easier third party integration into browsers etc, compared to a flat file.
Also you have search and don't expose the other passwords as you would in a text file. There are pretty good apps for Keepass which offer a Keepass keyboard so you don't need to use the clipboard (which can be read by any app on Android, for instance).
KeePass uses an encrypted database file to store your passwords, which allows you to store custom fields for each entry, search by field contents, have protected fields, attach files to entries, or keep a revision history of changes made to an entry which enables easy syncing of the same database stored on multiple devices.
You could do almost all of that with a plain text encrypted file, but KeePass keeps it all neat and sorted.
Awesome! I am a heavy user of KeePass, and I also use all three main operating systems regularly, so this has always been an annoying issue to have. I usually get around it by using KeePass2Android on my phone and typing out passwords by hand on the other device. Could be worse.
I hope developing an official Android and iOS app is on the list. There are third party alternatives (such as the one I just mentioned), but if the goal is to be completely cross-platform then let's push those out too.
There's one thing I worry about with keeping all my passwords in a single file - if a government agent gains access to it, I'll have to decrypt it, which will reveal the password to my key, my key, and a full list to all web sites I have accounts at and a list of those accounts. Let's say you have an alt reddit account you use to post to /r/ihatedonaldtrump, congratulations, now the government knows with certainty that it was you. It's one thing to see your IP making requests to reddit.com - you can just give them your normal username and password, but with a single password file, you give them all your usernames and passwords. Maybe I'm overly paranoid, but I don't like keeping passwords to anything that might be remotely questionable in a normal encrypted password file.
On the flip side, if the file in question contains an account to a questionable site, could you withhold the key/password to it under the clause against self-incrimination? I.e. you're sued for insulting Donald J. Trump's itty bitty tiny handsy-wandsies, but you also have an account at buymarijuanaonline.com, so you can't give them access to your password database, because you'll incriminate yourself in a different crime.
R: KeePass 1.x and 2.x are the official KeePass releases, KeePassX is a community port in C++ originally built for Linux/Unix but now it includes builds for Windows too. Most people who recommend KeePassX over KeePass 2.x do so because they are (.NET/Mono)phobics, plain paranoids or just haters of Microsoft. KeePassX and KeePassXC aren't improved versions of KeePass, they are just ports to C++ (for Linux and Windows) of KeePass.
With my latest password overhaul I switched to the master password system, not requiring any compromisable database of passwords as with password managers:
There also is a counter used for hashing. So for a new password you just increment the counter. Remembering the counter for every site sounds too complicated, but you could store that in a file without losing much (any?) protection.
Wouldn't you want to maybe... encrypt that file? Seems almost circular unless you use something like steganography to embed the data somewhere. I'm not personally too thrilled by a counter file to replace a different file, at that point I feel like I'm losing features.
Yeah, but then you need to carry the file with you, opening it (especially on mobile) is super clunky, and when you get to a site that doesn't support numbers/letters/whatever that the generator uses, it's hell. I used to use that, but I switched to KeePass2 and it's much better.
Note that the algorithm/app I mentioned does use the salt mentioned at the end as a possible solution. The counter problem is still there, but I don't feel it is a big issue.
How does that work with stuff such as odd password complexity rules (such as only digits allowed), enforced rotation, leaked password etc? It sounds like it would need to store more state than a master password.
From the same (master password, site identifier) combination you can generate the most common passwords. The app has categories short, medium, long, max, PIN (4 digits), phrase.
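The scheme discussed in this sub-thread (master password plus site identifier plus a per-site counter, with categories such as PIN or phrase to satisfy odd complexity rules) as an added example, not the app the commenter is describing: the categories' lengths and alphabets, the word list and the PBKDF2 choice are this example's own assumptions. It also makes the later point concrete: given the master password and the plaintext counter file, every site password is reproducible.

```python
import hashlib
import string

# Output categories. The comment names short, medium, long, max, PIN (4 digits)
# and phrase; the lengths and alphabets here are this example's own choices.
CATEGORIES = {
    "pin":    (4,  string.digits),
    "short":  (8,  string.ascii_letters + string.digits),
    "medium": (12, string.ascii_letters + string.digits),
    "long":   (20, string.ascii_letters + string.digits + "!@#$%^&*()-_=+"),
    "max":    (32, string.ascii_letters + string.digits + string.punctuation),
}
# Tiny constructed word list for "phrase"; a real generator needs a list of
# thousands of words so each word contributes meaningful entropy.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glyph", "harbor",
         "iris", "jade", "kelp", "lumen", "marsh", "nectar", "orbit", "pumice"]
KDF_ITERATIONS = 200_000


def derive_bytes(master: str, site: str, counter: int, nbytes: int = 64) -> bytes:
    """Slow KDF over the master password, salted with site id and counter."""
    # Site and counter live in the salt, so each (site, counter) pair yields an
    # independent output and bumping the counter rotates one password without
    # touching the master. PBKDF2-HMAC-SHA256 is used because it is in the
    # standard library; scrypt or Argon2 would be the stronger choice.
    salt = f"{site}\x1f{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=nbytes)


def encode(key: bytes, alphabet, length: int) -> list:
    """Map key bytes onto `length` symbols drawn from `alphabet`."""
    # Treat the 512-bit key as one integer and peel off base-len(alphabet)
    # digits. 32 symbols from a 94-symbol alphabet consume under 210 bits, so
    # the bias from the range not being a power of the base is negligible.
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return out


def site_password(master: str, site: str, counter: int = 1, category: str = "medium") -> str:
    key = derive_bytes(master, site, counter)
    if category == "phrase":
        return "-".join(encode(key, WORDS, 5))
    length, alphabet = CATEGORIES[category]
    return "".join(encode(key, alphabet, length))


def rotate(counters: dict, site: str) -> int:
    """Bump the per-site counter (the only state this scheme needs to store)."""
    counters[site] = counters.get(site, 1) + 1
    return counters[site]


def regenerate_all(master: str, counters: dict, categories: dict) -> dict:
    """What anyone holding the master password and the counter file gets."""
    return {site: site_password(master, site, counters.get(site, 1), categories.get(site, "medium"))
            for site in categories}


if __name__ == "__main__":
    counters = {}
    cats = {"example.com": "long", "bank.example": "pin", "wiki.example": "phrase"}
    before = regenerate_all("correct horse battery staple", counters, cats)
    rotate(counters, "example.com")
    after = regenerate_all("correct horse battery staple", counters, cats)
    for site in cats:
        print(site, before[site], "->", after[site])
```

The counter dictionary is the "file" the thread argues about: it carries no secrets by itself, but together with the master password it reconstructs every account, which is why losing the master is worse here than losing a KeePass database whose master you can change.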
It is rather worrying that they mention "KeePassHttp" as being one of the pull requests which was never merged, although it is all about functionality and not security, just to point out a few months later in another issue that users should stop using this plugin because of a vulnerability:
https://github.com/keepassxreboot/keepassxc/issues/147#issue...
I don't really know how secure KeepassX is, but this fork doesn't look like it is any more secure, at least for the time being.
I've been using Codebook (formerly known as STRIP) because it is partly open sourced, however they do not offer a desktop client for Linux and they only sync with commercial cloud services, so I'm looking for an alternative. Is there an overview that compares the various password managers out there?
I've been wondering is there any disadvantage in using password hashers (either as plugins like [0] or standalone) for generating safe passwords? It seems like a great idea to me, yet most people here seem to prefer full blown PW manager apps or even online services for this. Am I missing something?
I consider them more insecure than a reasonably well-made password manager; all that is between you and any possible site you will ever register on, or have registered on, is a master password.
On the other hand, I can change my Lastpass/Keepass password regularly, denying a cracker access to my accounts in the future.
The security of any password manager, including hashers, is not only how secure it is against attacks, but how secure it is after it has been successfully attacked and how easy it is to recover full security without losing too much data.
I've been using Keeweb for the last year or so and I'm very happy with it. The mobile experience is a little subpar but it works fine in a pinch, and the integrated syncing with your own storage services is handy.
On iOS, I use MiniKeePass, as KeeWeb is compatible with KeePass databases. I sync by pushing the latest copy of the DB via iTunes maybe once a week, takes about 30 seconds. Maybe that helps.
Thanks but I'm on Android and I sync using Google Drive.
The two primary issues I have with KeeWeb on mobile are:
- Typing my master password every time is tedious on a touchscreen, I really miss LastPass's fingerprint reader integration here.
- The back button closes the app entirely, making me have to enter that tedious password again. This can be fixed by reworking the webapp to use the HTML5 history API, but just hasn't been done yet. Issue here https://github.com/keeweb/keeweb/issues/331
Finally! Very excited for an improved solution. It would be nice to have something like this on iOS and Android too, but at least my Mac and Windows computers will be able to play nice.
Too bad this isn't mentioned on the download page. I haven't used snaps until now, and I see there is no menu item. I can start via the terminal, and guess I have to add it to the menu myself.