
KeePassXC 2.6.1 - phoerious
https://keepassxc.org/blog/2020-08-19-2.6.1-released/
======
mikece
KeePassXC and Bitwarden are the best password managers in existence right now:
KeePassXC if you want to be disconnected from the cloud and Bitwarden if you
want both the convenience of cloud-based password management AND high
security.

~~~
kspacewalk2
>best password managers in existence right now

I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't
matter much. Also, C$70 is essentially free when it comes to securing my
digital life). I sync a vault with a few co-workers via Dropbox and this is
sufficient for us, no need for 1Password.com 'cloud' yet.

We like the UI, and to our knowledge 1Password has the best track record for
security, with extensive and continuous testing and no major fuck-ups yet.

What advantages to switching to KeePassXC or Bitwarden are there for us?

~~~
chucky
Source code access, and being free of charge seems to be the main things you
would get compared to 1Password. Also, great Linux support (from what I've
heard 1Password only recently even added a Linux-compatible client).

But to me it sounds like you have a solution you are very happy with, and you
don't mind paying for that solution, so my recommendation would be to stick
with it.

Although, as a happy user of KeePassXC, I'm tempted to ask the
counter-question: why would I want to pay for 1Password when KeePassXC gives
me a great solution for free (and also gives me source code access)?

~~~
spanhandler
> (from what I've heard 1Password only recently even added a Linux-compatible
> client).

Just plugins for Firefox and Chrome, AFAIK, actually. And a command line
client that's just a wrapper for the website. No full-featured client
available. KeePassXC can be a better option for interop with 1pass than 1pass
is, on Linux, depending on what you need.

~~~
george_perez
No, they have a client now.
[https://discussions.agilebits.com/discussion/114964/1passwor...](https://discussions.agilebits.com/discussion/114964/1password-for-linux-development-preview)

HN discussion:
[https://news.ycombinator.com/item?id=24054112](https://news.ycombinator.com/item?id=24054112)

~~~
spanhandler
Guess that hasn't made it to their "download for linux" page on the main site
yet. It still offers the plugins, with an alternate option for the command
line tools.

------
ObsoleteNerd
I’ve been using KeePassXC almost as long as it’s been available, and couldn’t
be happier. Database stored on my NAS and synced to Dropbox for when I’m out,
gives me access on all my devices without having to worry about whether x or y
service will still be around in a year or 2.

~~~
40four
Started using Keypass about a year ago, I really like it. Just wondering if
Dropbox is considered a safe place to store the DB files? I did this for a
while, but then I got paranoid and switched to something fully encrypted.

For sharing between devices I found Firefox Send to be useful (before it went
down, hope it comes back), also Keybase filesystem is one of my go-tos as
well.

Maybe I’m being overly cautious, but I sleep better at night knowing my DBs
are encrypted.

~~~
vbezhenar
Your database is encrypted by default. Additional encryption won't hurt, of
course, but you can absolutely use Dropbox.

~~~
40four
Right, I guess my concern was a brute force attack on a DB file if it fell
into the wrong hands. I looked at the main website again though, and
apparently the official Windows app has some protection against this. It says
however, KeypassX (and I assume therefore KeypassXC) does not have the same
level of protection.

Another comment mentioned using a key-file, so maybe I will revisit that
approach, since I used password only when I started.

~~~
vbezhenar
To prevent a brute force attack, you should choose a long enough password and
adjust the iterations parameter on Key transformation. Basically more
iterations = more time to brute force, but your application will spend more
time opening the database. Longer password = less likely for brute force to
succeed.

For me a 12-character password with the default 60 000 iterations seems safe
enough. My estimation is that it would take at least millions of dollars to
break it and my passwords are not worthy of that. You can easily make it
unbreakable for the foreseeable future by using something like a 16-character
random password and 10 million iterations.

A key file of enough length is like an unbreakable password. But you probably
can't remember it, so be careful not to lose it. My database is accessible on
a public URL which I remember and I remember my password, so I can always
download it anywhere and open it. I think that it's a big advantage and I
wouldn't want to lose it.

~~~
40four
Great, thanks for the advice!

When I decided to start using a password manager, I was drawn to Keypass since
it is open source and I don't have to rely on any third party service. But
learning how to use it correctly, and juggle your db files among all your
devices requires a sound, thought out strategy!

------
mikece
I have read that the KDBX4 password database is "very secure" but am curious
if any hacking challenges have been conducted to see if anyone can break it?
The challenge I have in mind put some kind of contact info in an entry and
then post the KDBX file on a public site for anyone to download and try to
hack. If you get it open, use the info to contact the contest organizers and
once you explain how you overcame the security and it's replicated you get
however much has been donated as a hack bounty.

I'll put $100 in right now if the maintainers of KeePassXC are down with this.

~~~
Mikescher
I'm no cryptographic expert, but I always liked the simple design of the kdbx
files. So simple that I can understand it and see that there are no (obvious,
assuming the underlying algorithms are called correctly) problems:

The whole database is a single big xml document which is then encrypted with a
normal symmetrical encryption method (most of the time AES). And that is
already the core of it. There are a few additional things (A user-chosen
key-derivation-function is used to increase the brute-force time and there is
a header in the binary format with such things as keepass version, which
algorithms are used for encrypting and a checksum...).

But in comparison to other cloud-based password managers it's a nice feeling
to intuitively "know" whats happening under the hood.
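
The container structure described in Mikescher's post above (a key-derivation step that stretches the user's key, a plaintext header naming the parameters with a checksum over it, and the XML body under AES) and the points in vbezhenar's post about transformation iterations and key files, as one added Go example that is not KeePassXC's code and not the real KDBX format: `CompositeKey`, `DeriveKey`, `Seal`, `Open`, the `XKDB` signature and the fixed header layout are this example's own constructions. The loop in `DeriveKey` is the AES-KDF key transformation (encrypt the key under a random seed N times, then hash), which is why raising the iteration count slows every password guess exactly as much as it slows the legitimate open. Real KDBX files store header fields as typed records, and KDBX4 adds an HMAC over the header and Argon2 as an alternative KDF; none of that is reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Plaintext header: magic(4) rounds(8) transformSeed(32) masterSeed(32) iv(16)
// streamStart(32) sha256(everything before it)(32). "XKDB" is a constructed signature.
var magic = []byte("XKDB")
const headerLen = 4 + 8 + 32 + 32 + 16 + 32 + 32 // 156

// CompositeKey follows the KeePass composition: hash password and key file separately,
// concatenate, hash again. Key-file entropy is never memorised, so it cannot be guessed.
func CompositeKey(password, keyFile []byte) []byte {
	pw := sha256.Sum256(password)
	parts := pw[:]
	if len(keyFile) > 0 {
		kf := sha256.Sum256(keyFile)
		parts = append(parts, kf[:]...)
	}
	out := sha256.Sum256(parts)
	return out[:]
}

// DeriveKey is the AES-KDF transformation: each 16-byte half of the composite key is
// AES-256-ECB encrypted under transformSeed `rounds` times, hashed, then mixed with masterSeed.
func DeriveKey(composite, transformSeed, masterSeed []byte, rounds uint64) []byte {
	kdf, _ := aes.NewCipher(transformSeed) // 32 bytes by header layout, so AES-256
	key := append([]byte(nil), composite...)
	for i := uint64(0); i < rounds; i++ { // every password guess must repeat this loop
		kdf.Encrypt(key[:16], key[:16])
		kdf.Encrypt(key[16:], key[16:])
	}
	t := sha256.Sum256(key)
	final := sha256.Sum256(append(append([]byte(nil), masterSeed...), t[:]...))
	return final[:]
}

// Seal writes the header plus its SHA-256 (corruption is caught before any
// decryption), then streamStart||xml, PKCS#7 padded and AES-256-CBC encrypted.
func Seal(xml, composite []byte, rounds uint64) ([]byte, error) {
	rnd := make([]byte, 112) // transformSeed | masterSeed | iv | streamStart
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	hdr := new(bytes.Buffer)
	hdr.Write(magic)
	binary.Write(hdr, binary.LittleEndian, rounds)
	hdr.Write(rnd)
	sum := sha256.Sum256(hdr.Bytes())
	hdr.Write(sum[:])
	block, _ := aes.NewCipher(DeriveKey(composite, rnd[:32], rnd[32:64], rounds))
	body := append(append([]byte(nil), rnd[80:]...), xml...)
	pad := aes.BlockSize - len(body)%aes.BlockSize
	body = append(body, bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, rnd[64:80]).CryptBlocks(body, body)
	return append(hdr.Bytes(), body...), nil
}

// Open checks the header hash, re-derives the key from the header's own
// parameters, and uses the stream-start bytes to reject a wrong key outright.
func Open(container, composite []byte) ([]byte, error) {
	if len(container) < headerLen+2*aes.BlockSize || !bytes.Equal(container[:4], magic) ||
		(len(container)-headerLen)%aes.BlockSize != 0 {
		return nil, errors.New("not a well-formed container")
	}
	hdr, body := container[:headerLen], container[headerLen:]
	if sum := sha256.Sum256(hdr[:headerLen-32]); !bytes.Equal(sum[:], hdr[headerLen-32:]) {
		return nil, errors.New("header checksum mismatch")
	}
	rounds := binary.LittleEndian.Uint64(hdr[4:12])
	block, _ := aes.NewCipher(DeriveKey(composite, hdr[12:44], hdr[44:76], rounds))
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, hdr[76:92]).CryptBlocks(plain, body)
	if !bytes.Equal(plain[:32], hdr[92:124]) {
		return nil, errors.New("wrong password or key file")
	}
	if pad := int(plain[len(plain)-1]); pad >= 1 && pad <= aes.BlockSize {
		return plain[32 : len(plain)-pad], nil
	}
	return nil, errors.New("corrupted body")
}

func main() {
	// Constructed sample body and key material; 60000 is the default round count quoted in the thread.
	xml := []byte(`<KeePassFile><Root><Entry><String><Key>Title</Key><Value>demo</Value></String></Entry></Root></KeePassFile>`)
	composite := CompositeKey([]byte("correct horse"), []byte("constructed key file bytes"))
	box, _ := Seal(xml, composite, 60000)
	got, err := Open(box, composite)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, xml))
	_, err = Open(box, CompositeKey([]byte("correct horse"), nil)) // right password, no key file
	fmt.Println("without key file:", err)
}
```

The second `Open` call in `main` is the "be careful not to lose it" caveat from the thread in code: once a key file is part of the composite key, the correct password alone no longer opens the file. With a wrong key the stream-start comparison fails before any padding is inspected, so a guesser learns nothing about how close the attempt was, and every attempt has to pay for the full round loop first.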

------
ProNeo
Any reason to switch over from KeePass to KeePassXC? I'm only using Windows so
the cross platform argument doesn't hit me actually.

~~~
oropolo
The KeePassXC developers are quite conscious about memory security and
implement that in XC in a way that's not really possible with a .NET
application like KeePass: [https://keepassxc.org/blog/2019-02-21-memory-security/](https://keepassxc.org/blog/2019-02-21-memory-security/)

------
nix23
KeePassXC and pass (the standard unix password manager) are the absolute best.
Thanks a lot to the maintainers!!

~~~
random_dork1
Is there an easy way to import/export between them?

~~~
nix23
Yeah under "Migrating to"

[https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
random_dork1
Thanks! If I find a way to use multiple stores in pass, I will switch to it.
It seems that its autofill on Android is a lot better than any Keepass app
that I tried.

~~~
random_dork1
Found this tutorial: [https://www.gilesorr.com/blog/shared-passwordstore.html](https://www.gilesorr.com/blog/shared-passwordstore.html)
There are two ways of having multiple stores and sharing them, but I am not
too sure I like these solutions....

------
k33n
Currently running KeePassX. Maybe I'll give this a whirl. The key concept with
the KeePass family of projects is that your passwords remain on your device,
and don't get synced to some cloud you have no control over.

~~~
nickcw
I moved from KeePassX to XC recently. It has the same features but the user
interface is so much better.

The android app is great too. I use rclone to sync my keepass file to Google
Drive, which means it is always up to date on my phone too.

~~~
pedro2
Android app? Which one?

~~~
mikece
Keepass2Android is what I've used.

~~~
nickcw
That is what I'm using too

~~~
otachack
Same! If you haven't already, please consider Patreon or just donating to the
dev directly. We use his app constantly and it's great to support him!

------
flytram
I have a free Dropbox account and use it to store the kdb file. What is a
better alternative if I want to access the kdb file from more than 3 devices
(a combination of Windows + iOS devices)?

~~~
ProNeo
Syncthing

~~~
flytram
I did read the other comment about syncthing; but that requires setting up a
server. Do not want to go that route.. :)

~~~
trulyrandom
Syncthing does not require setting up a server. Your devices connect to each
other directly, or through a relay if that's not possible.

~~~
flytram
Thanks.. Will give it a try...

------
brokenmachine
Can anyone tell me which Keepass they recommend?

There's so many different Keepasses...

I'd like to use the same db file between Windows, Linux and Android, and I'd
like to be able to autoenter without a browser plugin, at least on Windows.

~~~
lytedev
I believe this one, KeePassXC, is the most-recommended one.

~~~
brokenmachine
Is the db format standard - ie can I sync the same file between Android/Linux
and KeePassXC and use it in all of them?

~~~
benhurmarcel
Yes, it’s the same format

------
roel_v
I switched to KeePassXC a few months ago from KeePass. The UI is quite clunky
in places, but that's easier to live with than being beholden to some online
service...

~~~
MikusR
KeePass doesn't have any online service.

~~~
ffpip
I think he was talking about both Keepass and KeepassXC's UI

------
swayson
Love this project.

