
New, portable, open source password manager for Windows - nvr82
https://www.ylvapasswordmanager.com/
======
gruez
Why this over keepass?

Also, a quick skim of the source code shows that the program keeps the
decrypted file on-disk[1]. That seems like a huge vulnerability if you don't
have FDE enabled.

[1]
[https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...](https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd7fa4bd58954b457dd6/Ylva/MainWindow.cs#L175)

[https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...](https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd7fa4bd58954b457dd6/Ylva/EncryptionAES.cs#L154)

~~~
regecks
I think you need FDE no matter what, e.g. hibernation will dump your passwords
to disk, even if they're only kept in unmanaged, VirtualProtect'ed memory.

------
whatl3y
I unfortunately agree with the sentiment of others from this only being
supported on windows. I built a CLI password manager[1] sort of as a learning
exercise, but to this day I use it daily and have over 250 accounts managed in
it. I temporarily back up the encrypted file to S3 in case my computer blows
up, but for some reason I have a small sense of satisfaction that my passwords
don’t live in a 3rd party like LastPass, even though I’m aware of the auditing
and scrutiny they go through consistently to maintain credibility for what
they do.

[1] [https://github.com/whatl3y/hide](https://github.com/whatl3y/hide)

~~~
captn3m0
LastPass has been breached 3 times, and they’ve had RCEs in their Chrome
Extensions.

------
keltex
Another one I've used for years is password safe:

[https://pwsafe.org/](https://pwsafe.org/)

Free and open source.

~~~
phs318u
Same. And I'm surprised by how rarely it gets mentioned in these kinds of HN
discussions. I would have thought given its origins (originally designed by
Bruce Schneier and open-sourced in 2002 [0]), it would have a bigger
following.

[0]
[https://www.pwsafe.org/history.shtml](https://www.pwsafe.org/history.shtml)

------
Someone
Portable… for Windows? It’s a .Net application using Windows Forms. That’s
open sourced, and thus portable in theory. In practice, it’s Windows only.

Turns out they use a different meaning of “portable”:

_"Open source version of Ylva is available as a single binary file which is
portable by default. You can run it from a USB stick."_

~~~
santoshalper
In the world of Windows applications, portable means that the program can be
run without any installation or storing anything locally. So you could run it
off a usb or other portable storage. This is a common usage.

------
NoPicklez
But this can't go everywhere my passwords are needed, so why would I use this?

Not to be harsh, but LastPass (and others) work across Mac, PC, iOS & Android
in multiple ways. A password manager to a degree needs to make my life easier;
this means being portable and compatible.

------
noisy_boy
I have been using Keepassx[1] with Syncthing[2] for synchronizing the password
database. It has been a great experience due to the following reasons beyond the
crypto advantages:

- Open source

- Peer to peer without having to share file contents with a central server like
Dropbox etc.

- Full featured Android and Linux (KeepassXC) clients with nice UIs (on
Android I have the option of using fingerprint auth to open my database)

- Autofill integration on Android (I haven't tried on Linux)

[1]: [https://www.keepassx.org/](https://www.keepassx.org/)
[2]: [https://syncthing.net/](https://syncthing.net/)

~~~
m-p-3
I use KeeWeb[1] on MacOS, iOS and Windows, and KeePass2Android[2] on my
Android device which has decent autofill. They all also support cloud storage
natively, so I don't have to worry about keeping them in sync.

I do use Syncthing for other stuff though.

[1]: [https://keeweb.info/](https://keeweb.info/)
[2]: [https://play.google.com/store/apps/details?id=keepass2androi...](https://play.google.com/store/apps/details?id=keepass2android.keepass2android)

------
loop0
I’ve been using Bitwarden for a little more than a month and it is by far the
best password manager I've used. And being open source is a very nice bonus. I’m
going for the paid option to support the company behind it.

~~~
mehrdadn
Does it have the following? They're what have kept me stuck on KeePass:

- Browser integration (a single key combo unlocking & filling in passwords)

- OTP support

- SSH agent and key storage

- Entry-level (rather than file-level) synchronization

- Google Drive synchronization

- Automatic history maintenance

- Storing arbitrary additional data

- Icons (makes identifying entries so much faster)

~~~
maccard
It does have decent browser integration, OTP support, history support (last
5 passwords), support for arbitrary additional data, and icons.

Having not read the source code, or investigated the details, my understanding
is the sync is entry based over file based. On multiple occasions I lost data
to Keepass's insane lack of sync functionality, I've never once done the same
with Bitwarden. Google drive sync is kind of moot as the sync happens on a
server (which you can run yourself).

~~~
mehrdadn
> my understanding is the sync is entry based over file based

> Google drive sync is kind of moot as the sync happens on a server

Confused, so are you saying there is a server that does entry-based syncing?
In KeePass it's the KeePass client that resolves conflicts at the entry level
with whatever is on Google Drive (which it connects to via plugins).

~~~
maccard
Apologies, I spoke too quickly. I'm unable to edit my original post to fix it.

The sync is client side according to [0]. I can't find specifics in any
documentation on whether it works at an entry or file level, however I wonder
is that actually important? Just because you sync at a file granularity
doesn't mean you can't resolve entries individually.

My experience with Keepass was that my changes would get stuck in a conflict
file that Dropbox would generate if you happened to use Keepass in 2 places at
once, as they don't support syncing and force you to manually go through [1]
on every device.

[0] [https://help.bitwarden.com/article/how-is-data-securely-tran...](https://help.bitwarden.com/article/how-is-data-securely-transmitted-and-stored/)

[1] [https://gist.github.com/cmcginty/07869f3c6c27ecb0fef84ca7900...](https://gist.github.com/cmcginty/07869f3c6c27ecb0fef84ca7900e7bb7)

~~~
mehrdadn
I was using "syncing" and "resolving" synonymously. What I was distinguishing
between was keeping the most recent file (which is what happens if you use
typical cloud syncing for the whole database file) vs. the most recent entry
in a given file (which is what you get when KeePass itself gets a chance to
actually examine both versions and figure out conflicts internally).

I can't figure out how the KeePass (or the plugin you use, or whatever it is)
was handling your Dropbox syncing; it sounds like it was doing a dumb file-
level merge, when in fact it's capable of doing much better than that. I use
the Google Sync Plugin which has never failed me, even when I'd modified
databases on two clients independently before syncing. It uses the
ImportUtil.Synchronize() function which I think is what handles the dirty
details. See the Technical Details section here:
[https://keepass.info/help/v2/sync.html](https://keepass.info/help/v2/sync.html)

~~~
maccard
> What I was distinguishing between was keeping the most recent file vs. the
> most recent entry in a given file

Sure! (sorry, have finally had my morning coffee). I believe that Bitwarden
handles it correctly via "live sync" [0]. - albeit it's been a transparent
process to me. I've generated logins on my mobile, and logged into them within
30s via the browser extensions on my desktop PC.

> I can't figure out how the KeePass (or the plugin you use, or whatever it
> is) was handling your Dropbox syncing; it sounds like it was doing a dumb
> file-level merge

It was, and it was excruciating. However, this is one of the issues I have
with Keepass - it may be possible to do better, but the default behaviour is
abhorrent.

From the link you gave, it explicitly calls out the issue in "advanced"
synchronisation schemes under "Local <-> Master" [1]. If you don't correctly
follow the setup steps you can end up with [2], which can (and does) result in
data loss. The official (as far as I can tell) forums seem to be happy to pass
the buck [3] and say "Oh that's not our problem, that's the sync service's
problem".

> I use the Google Sync Plugin which has never failed me

I don't doubt that for a minute, but for someone migrating from
LastPass/OnePass to Keepass, searching for "How to sync keepass across
machines" will _never_ point you to the google sync plugin.

[0] [https://blog.bitwarden.com/live-sync-bitwarden-apps-fb7a5456...](https://blog.bitwarden.com/live-sync-bitwarden-apps-fb7a54569fea)

[1] [https://keepass.info/help/kb/trigger_examples.html#dbsync](https://keepass.info/help/kb/trigger_examples.html#dbsync)

[2] [https://sourceforge.net/p/keepass/discussion/329221/thread/2...](https://sourceforge.net/p/keepass/discussion/329221/thread/22255c46/)

[3] [https://sourceforge.net/p/keepass/discussion/329221/thread/9...](https://sourceforge.net/p/keepass/discussion/329221/thread/9deb1dc3/)

~~~
mehrdadn
> I believe that Bitwarden handles it correctly via "live sync"

That looks cool!

Re: your other comments though: you're not doing a fair comparison. Try
letting Dropbox trash your %AppData%\Bitwarden folder and then let me know how
well LiveSync handles syncing! That's what you're doing to KeePass.

> However, this is one of the issues I have with Keepass - it may be possible
> to do better, but the default behaviour is abhorrent.

This _isn't_ the "default behavior" though. The default behavior is in fact
to synchronize everything correctly... if you only give it a chance to do
that. But if you insist on letting your Dropbox desktop sync pull the rug out
from underneath KeePass and replace the whole database randomly, it's
literally impossible for KeePass to know what the old entries were to be able
to merge them -- it doesn't have them anymore. It needs an old copy of the
database around so it can compare the two, and those instructions tell you to
make a second copy so it can do its job. That seems pretty fair to me -- what
more can you expect? You didn't even give it a chance to do its job, and
instead let someone else just trash the place while it's gone, then blame it
for not actively fighting your attempts to do that?

This is why KeePass has plugins like KeeAnywhere [1]. You're supposed to use
those instead of syncing your database like a normal file. [2] So KeePass
actually gets a chance to do its job... if you only let it!

[1]
[https://keepass.info/plugins.html#keeanywhere](https://keepass.info/plugins.html#keeanywhere)

[2] Well, KeePassX[C] folks will beg to differ and just tell you to keep doing
what you were already doing and it'll work Just Fine (TM), and that what you
were seeing happening in front of your eyes was supposed to be vanishingly
unlikely. It's basically gaslighting as far as I can tell, but somehow they
can pretend it doesn't affect them, so I dunno...

~~~
maccard
Understood re: Dropbox and appdata, however that doesn't change the fact that
if you search for how to sync Keepass across machines that's what you're told
to do! The fact that they don't consider syncing a core part of the password
manager and are happy to tell people to take awful workarounds (and don't
mention that it can be resolved with a plug-in anywhere on the main site)
tells me that I don't want to use that project.

Pity we didn't have this discussion 18 months ago, I might not have left
keepass.

~~~
mehrdadn
> The fact that they don't consider syncing a core part of the password
> manager

> and not mention that it can be resolved with a plug-in anywhere on the main
> site

Again, you're accusing them of something that's false! They very much do see
this as core functionality and explicitly tell you how to synchronize right
there in the synchronization section [1]:

_If one of the files to be synchronized is stored in an online storage (like
e.g. Amazon's S3, DigitalBucket, ...), you need an online storage provider
plugin (e.g. KeeAnywhere, KeeCloud or KeePassSync)._

> and are happy to tell people to take awful workarounds

The only bit I'll give you is that the workaround isn't user-friendly, and
that they should probably leave a note mentioning the much-more-user-friendly
plugins in the Trigger Examples [2]. But aside from that, if you actually
follow their workaround, it should work just fine -- as I understood it, your
problem was that you _didn't_ follow their workaround, then you blamed them
for the resulting file conflicts...

[1]
[https://keepass.info/help/v2/sync.html](https://keepass.info/help/v2/sync.html)

[2]
[https://keepass.info/help/kb/trigger_examples.html#dbsync](https://keepass.info/help/kb/trigger_examples.html#dbsync)

------
dusted
I'll shamelessly plug my own open source password manager, not because it's
mine but because I believe it is better. And it is more portable, just put it
in your pocket! It's at [https://finalkey.net/](https://finalkey.net/)

------
aasasd
Hmm, I guess this year everyone writes their own password manager.

(Can we have a year of fast PIM outliners? The competition is pretty sparse
there.)

------
ejcx
The first thing I do whenever someone writes their own password manager is to
read the Encrypt function. This one is AES-CBC with its own hand rolled
integrity scheme. Not very strong by modern standards

~~~
beefhash
Doesn't look very hand rolled to me. It's standard HMAC. The only unusual
thing is the timing-unsafe comparison[1], which probably needs fixing. It
_looks_ like an attempt was made at a constant-time comparison (|= ^ pattern
sure looks like it), but the early return breaks it again. I'm not sure if
much can be gained from a timing attack in this particular instance though,
since the key fully depends on user input in the first place.

(By the way, even Microsoft's own documentation doesn't use constant-time
comparisons for HMAC[2]!)

[1]
[https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...](https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd7fa4bd58954b457dd6/Ylva/EncryptionDataIntegrity.cs#L38-L44)

[2] See the example on [https://docs.microsoft.com/en-us/dotnet/api/system.security....](https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha256?view=netframework-4.8)

~~~
ejcx
I'm not a C# expert by any means. Is the IntegrityHash of the plaintext, and
not the ciphertext?
[https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...](https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd7fa4bd58954b457dd6/Ylva/EncryptionAES.cs#L78)

That would be a really serious flaw. If not, hand rolled AES-CBC-SHA256....
why not just use an AEAD implementation? This is exactly why I look at these.
There's a lot of nuance to that one decision, and so it usually gives quite a
bit of signal about the project as a whole.
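As an added example (not Ylva's code, and not a claim about what its source does beyond what beefhash and ejcx describe above), here is the XOR-accumulate comparison in both the early-return form and the constant-time form, instrumented to count how many bytes are examined before returning, plus the Encrypt-then-MAC ordering ejcx asks about: an HMAC-SHA256 tag computed over IV and ciphertext and verified before anything is decrypted. The key, IV and ciphertext bytes are constructed placeholders; the AES step itself is out of scope.

```python
import hmac
import hashlib


def compare_with_early_return(a: bytes, b: bytes) -> tuple:
    """The flawed shape discussed in the thread: XOR-accumulate, but return as
    soon as a difference appears. Returns (equal, bytes_examined); the second
    value shows that the work done depends on where the first mismatch sits,
    which is exactly what a timing measurement recovers."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for i, (x, y) in enumerate(zip(a, b)):
        diff |= x ^ y
        if diff:                  # the early return is the defect
            return False, i + 1
    return True, len(a)


def compare_constant_time(a: bytes, b: bytes) -> tuple:
    """Same accumulate pattern without a data-dependent exit: every byte is
    visited, so bytes_examined is always len(a) for equal-length inputs.
    Tag lengths are public (fixed size), so rejecting on length is fine."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def tag_ciphertext(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV || ciphertext, not the plaintext,
    so tampering is detected before any decryption is attempted."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify_ciphertext(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    expected = tag_ciphertext(mac_key, iv, ciphertext)
    # hmac.compare_digest is the standard library's constant-time comparison.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    mac_key = b"\x11" * 32              # constructed MAC key (placeholder)
    iv = bytes(range(16))               # constructed IV
    ciphertext = bytes(range(32))       # constructed stand-in for AES-CBC output
    tag = tag_ciphertext(mac_key, iv, ciphertext)
    tampered = bytearray(ciphertext)
    tampered[5] ^= 0x01                 # flip one bit in the ciphertext
    wrong_tag = bytes([tag[0] ^ 1]) + tag[1:]   # mismatch in the first byte
    return {
        "genuine": verify_ciphertext(mac_key, iv, ciphertext, tag),
        "tampered": verify_ciphertext(mac_key, iv, bytes(tampered), tag),
        "leaky_steps": compare_with_early_return(tag, wrong_tag)[1],
        "safe_steps": compare_constant_time(tag, wrong_tag)[1],
    }
```

`demo()` reports 1 byte examined by the leaky comparison against 32 by the constant-time one for the same wrong tag; moving the mismatch to the last byte would make the leaky count 32, which is the position-dependent behaviour a timing attack exploits.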

------
stevekemp
As soon as I saw "verkkokauppa" in the list I assumed it was a Finnish
developer.

It looks like a nice project, but I'd echo the other complaints - having a
tree, or folders, would make it much more usable.

I tend to have a structure which looks like this (simplified):

    Git/
       github.com
       gitlab.com
    Servers/
       ssh.example.com/
          root.txt
       ssh.example.org/
          webmail.txt
    Websites/
       lwn.net

Having all the items in a flat list soon becomes very crowded. Checking my own
password store I have over 300 entries.

------
bboygravity
All password managers and form fillers I've tried are quite terrible at
correctly finding and filling fields/text boxes. They all seem to rely on
finding patterns for things to fill from code. Which doesn't work, as there is
no clear pattern across billions of non-standard web forms.

Does anybody know of pw managers that work using image recognition (OCR-like)
on the GUI to find fillable fields? AKA: using the same form-API that humans
do?

~~~
ubercow13
I would guess that it wouldn't be worth the hassle of the inevitable
inaccurate identifications. The most ergonomic password entry tool I've used
is rofi-pass [1]. It's so effortless that I don't think anything smarter could
improve on it in practice. It works in a predictable way in any
application (eg SSH pw in a terminal) without any complex integrations being
needed, and once you get used to using the hotkey it's basically as quick as
form autofilling.

[1] [https://github.com/carnager/rofi-pass](https://github.com/carnager/rofi-pass)

------
tenebrisalietum
I tried this briefly under Wine in Linux. On the surface it doesn't look like
it has 2 features I really like about Keepass:

- Folders. I like using folders and subfolders to keep related sets of
passwords together.

- Support for attachments. Keepass lets me keep track of keyfiles, notes, and
certificates in addition to passwords. Ylva has a notes field but I really
like Keepass's ability to attach files.

The QR integration is interesting I guess, I don't have any apps that allow QR
code for password input but if I did it would be useful.

------
mrgalaxy
This is nice and all, but what am I going to do with a Windows only password
manager? I use several different OSs and a phone. It's pretty much a must that
my password manager works on all of them.

------
walrus01
What does this achieve over the feature set of keepassx?

------
pnunesc
I use Passbolt at work for a geo-dislocated team and it works very well.

------
rekshaw
The title is a bit of an oxymoron.

"...portable...for Windows"

~~~
detaro
In the context of Windows applications, "portable" is also used to mean "runs
without installation/further dependencies, you can just run it from a folder
somewhere".

------
runxel
No, please not another password manager... I have not looked into it much, but
hell, it looks like it even ships its own crypto.

------
ComodoHacker
Not a single word about how security features are implemented. Not very
convincing for HN audience.

~~~
eps
Please don't take on yourself to speak for everyone even if the point itself
is valid. That's been bad manners since the BBS days if not earlier.

