
KeepassXC – A cross-platform community fork of KeepassX - karlgrz
https://keepassxreboot.github.io/
======
dublinben
If you were curious like I was, about why this fork was necessary, I found
this on their About page:

KeePassXC is a community fork of KeePassX which aims to incorporate stalled
pull requests, features, and bug fixes that have never made it into the main
KeePassX repository.

~~~
sleavey
Do you know why they have been stalled? Perhaps there's a good reason, like
code auditing? Just a shot in the dark - I have no idea.

~~~
roddux
Judging from TFA it's due to KeePassX having one maintainer, so the pull
requests all bottleneck with him. Also mentioned is that one desirable outcome
of this is that KeePassXC developers are given co-maintainer status of
KeePassX and that they re-merge down the line.

~~~
shincert
That's cool. But if that's all this project is, couldn't they have just talked
to the one maintainer and offered to help him and be on the team?

~~~
thecardcheat
[https://github.com/keepassxreboot/keepassxc/issues/43](https://github.com/keepassxreboot/keepassxc/issues/43)
states the maintainer hasn't been commenting on PRs. I looked on the keepassx
GitHub and some issues with no response are over 2 years old.

------
jl6
I use KeepassX on my desktop PC and have been looking for an iOS app that can
open the database. I found one but it occurred to me that I have no idea who
wrote it or whether they can be trusted with my passwords. And iOS offers no
way to prevent an app using the internet, so I couldn't be sure it wasn't
leaking my passwords back to HQ - unlike on the (Linux) desktop where I can
run it in an environment that I control (relatively speaking - no need to
point out that I haven't personally audited the kernel).

Am I being overly paranoid? How should I be approaching the issue of trusting
the developers of password managers?

~~~
manuw
I use MiniKeePass
([https://github.com/MiniKeePass/MiniKeePass](https://github.com/MiniKeePass/MiniKeePass))
on iOS and keepassx2 on Linux. Works fine.

~~~
zymhan
I can attest to MiniKeePass's quality. I've been using it for years now.

I upload my keepass and key file to Dropbox (I know, I know) and then export
them to MiniKeePass from the Dropbox app. MiniKeepass auto-associates the key
file with the kdbx if it has the same filename as the kdbx, but with a .key
extension. I can even edit the DB with Minikeepass and upload it back to
Dropbox. It's not as sexy as an Android setup, but it works quite well for me.

~~~
Andrenid
This is my exact setup too. Perfectly happy with it. I do wish the iOS app
could load my db file each time I start it but I also understand the reasons
it can't so I'm ok with it.

------
snowwrestler
From the text it looks like one of the selling points is integration with apps
like browsers so you don't have to copy/paste passwords, as with KeePassX.

Personally, to me that sort of integration has always seemed like a bad idea.
I'm glad that my password database can't talk to my browser programmatically.
One less thing to go wrong.

~~~
est
So you don't need a password manager. Just save to an encrypted txt file and
grep them.

~~~
snowwrestler
You can't grep for plaintext in an encrypted file. That's kind of the point of
encryption.

~~~
loup-vaillant

    $ decrypt psswd.txt | grep "mywebservice.com"

Though now the password is displayed on the terminal... Not great, but better
than exposing the whole database.

------
sschueller
Here is the repository which isn't linked anywhere on the site:
[https://github.com/keepassxreboot/keepassxc](https://github.com/keepassxreboot/keepassxc)

~~~
lps41
Yes it is, right at the top of the Download page:
[https://keepassxreboot.github.io/download](https://keepassxreboot.github.io/download)

~~~
the_duke
Yeah but I had to search for a few minutes before I found it too.

There should be a clear and visible Github banner or big link with the logo.

~~~
Ajedi32
There's a GitHub icon in the upper-right corner which is visible on every page
on the site.

~~~
nirv
I may be wrong, but it wasn't there several hours ago (also at the same time I
couldn't find a repo link on the About page either). Currently I still find it
not visible enough.

------
amluto
I haven't tried it yet, but maybe this will address some of my pet peeves. My
primary peeve is that, in keepassx, there is no fantastic way to handle
password changes. I can generate a new password, but the only way to get it
into a webpage without overriding the old password in the database is to show
it on the screen and then copy the visible text.

(My second peeve is that the "type the password" feature types the username
_and_ password, making it useless for the more annoying disabled-paste
password prompts.)

~~~
dublinben
Every entry should have a complete history of all passwords. I'm not sure why
you'd be worried about the new password overwriting the old one. It's not gone
forever.

You can also customize the auto-type on a per site basis. Only the default
types U + P. It can be anything you want it to be.

~~~
crypt1d
Hmm, I don't really see this feature in KeepassX; the history tab only shows
changes to the entry name, not the passwords. Am I missing something?

~~~
temprature
Select the old entry and click the "Show" button at the bottom, it takes you
to the entry tab but with the old data in place so you can copy the old
password.

------
Roritharr
While we're at it, is there any open source self-hosted alternative to
LastPass etc.?

At this point we'd even go so far as just using a good Keepass Client that
comes with a comfortable "send encrypted password blob to xy email, then call
him and tell him this decryption password"-function.

~~~
jbi
As KeePass uses a single (encrypted) file, you can use any hosting service
that you want. Just make sure you save the new version back into your storage
when you edit entries. You can use Owncloud, Google Drive, OneDrive, ...

~~~
zymhan
LastPass provides a web frontend though, which may be a feature GP is after.

I mean, I think having a Web UI for your password manager is fucking insane,
but some people like it.

~~~
andai
What is insane about it?

~~~
philsnow
Because now you have to think about the attack surface of the browser: CSRF,
auditing your Chrome extensions to try to make sure none of them are
exfiltrating your tab contents / metadata, etc. etc. etc.

~~~
andai
Ahh shit, and I was just beginning to think that a site I found a while back
(can't remember the name) which used a hash function to generate your
passwords

hash(strong_master_pass + site + user)

was a perfect solution...

------
mmel
I tried to stick with KeePass.x for the longest time, but keeping the keepass
databases in sync across multiple platforms/devices, while possible, was very
much a pain and quite a clunky/messy process which always required me to
remember to do something after updating the database anywhere. I eventually
gave up and migrated to Lastpass which "Just Works™" on all my devices.

~~~
stephengillie
Keep it in Dropbox, then it's on all your devices.

I keep my KeePass database in my Dropbox, behind 2FA, with the main Dropbox
password being a random string stored within the KeePass database. I have
KeePass itself stored on my Dropbox as well, so I don't even need to install
it to other Windows PCs, simply run the program. And the KeePass2Android app
works quite well with this configuration.

~~~
baal80spam
You say that your Dropbox password is a random string so I assume you don't
remember it. How do you log in to Dropbox in this case?

~~~
stephengillie
I transfer the database, keyfile, and exe files to the new target, then login.
Or I might just hand-type the random-string, viewed from my phone, because I
am a hardcore operations administrator. In the event of a catastrophic loss of
access, I retain backup codes physically recorded in a safe location. And the
keyfile, database, & exe are currently in 3 separate devices of mine.

~~~
yjftsjthsd-h
Physically stored in _one_ location? Is that sufficient?

~~~
stephengillie
All 3 PCs are in one location, as I only have one living location and rent no
colo or VMs. But I'm not worried about having some sort of Dropbox access
issue at the same time as a physical incident at my residence, as the
probability is (I think) still lower than my very low risk avoidance.

------
FatalBaboon
Honestly, as a programmer/ops knowing git and always having a terminal
somewhere around, I see no reason to use something else than
[https://git.zx2c4.com/password-store](https://git.zx2c4.com/password-store)

It uses a git repo as storage, gpg encrypts passwords, provides perfect
completion and there is an android app. Everything is dead simple and open
source.

~~~
michaelmior
Don't you find it annoying having to switch to a terminal to log in to a site
in your browser? I personally love LastPass. It's free for my use case and
there's plugins for popular browsers, mobile apps, and a CLI app if you really
want it.

~~~
luca_ing
From the pass website[1]:

--------------------

The community has even produced a cross-platform GUI client, an Android app,
an iOS app, a Firefox plugin, Chrome plugin, a Windows client, a pretty Python
QML app, a nice Go GUI app, an interactive console UI, Alfred integration (1)
(2) (3), a dmenu script, OS X integration, git credential integration, and
even an emacs package.

--------------------

If this weren't the case, I'd agree :-)

[1] [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
compuguy
True, but the chrome plugin has issues (something to do with the native
messaging executable not working):
[https://github.com/dannyvankooten/browserpass/issues/28](https://github.com/dannyvankooten/browserpass/issues/28)

------
mierle
I previously used KeePassX, which was great due to the multiplatform support.
However the project seemed stalled, and I've since switched to the excellent
KeeWeb; it's Electron based and is in general more modern.

[https://keeweb.info/](https://keeweb.info/)

~~~
eracors
How long have you been using this?

I'm very interested in trying it, just a little worried about its stability.
I guess I'm slightly biased against Electron apps due to some bad experiences.

I'm just worried it will corrupt the database or something.

Have you experienced anything like that?

~~~
scott_karana
Not OP, but I've been using it for work passwords since spring 2016, and
finally started using it personally in the last few months. I had one
UI-related saving issue, but the creator quickly responded to the PR and
fixed it in a later version.

(Used KeePassX in both contexts previously)

------
zyxzkz
Why not change the name entirely, then? KeepassX is already a terrible one.

Makes me think of DOS software from 1998.

~~~
alanbernstein
KeepassX is a clone/port of Keepass, if you weren't aware. Keepass is a decent
name IMO.

~~~
hughes
How about QuiPasse?

~~~
nerflad
Que pasa?

~~~
djazzy
Que se passe-t-il ?

------
xorcist
What are the benefits of using a "real" password manager, such as this one,
compared to a plain encrypted file in vim? I thought that benefit was syncing
across devices but it turns out the http feature of keepass wasn't implemented
in all clients.

How well specified is the kdbx format? Is there a console client? Is the code
readable? Keepass seems to have spawned an entire ecosystem of tools and
clients, so I'm curious which of these tools are actually usable.

~~~
Freak_NL
If you want to stay with a solution any moderately experienced developer can
audit themselves without investing too much time, but would like to add a bit
of user friendliness, have a look at _pass_¹.

It is nothing more than a script that calls the GnuPG binary and the _tree_
command line utility for displaying a tree of files. It uses your GPG-keypair
to encrypt text files. You can add as much info as you like, but by convention
the first line of each file is assumed to be the password:

    
    
    # Generate a 32-character random password.
    pass generate sites/news.ycombinator.com 32
    # Copy the password to the clipboard; this will ask you to unlock your GPG-key.
    pass -c sites/news.ycombinator.com
    # Find stuff.
    pass find news
    # Edit the file (e.g., add the username).
    pass edit sites/news.ycombinator.com

All files are GPG-encrypted plain text files in a directory on disk. Easy to
backup as well.

There is a rather sweet feature you can use to share some passwords with
someone. You can add a list of GPG key IDs in a file called _.gpg-id_ in any
of the subdirectories of your password store, and share that subdirectory
using a syncing tool such as SyncThing². My partner and I each have our own
password store, but share a directory called 'together' via SyncThing. All
passwords stored there are encrypted using both our GPG-keys by _pass_,
whilst our private entries remain encrypted just for our own respective keys.

1: [https://www.passwordstore.org/](https://www.passwordstore.org/)

2: [https://syncthing.net/](https://syncthing.net/)

~~~
slyall
I've been using pass for a year or two. It works fairly well and the built in
git for syncing/history is nice.

However the lack of a good mobile client is starting to nag me. There are ones
that sort of work but appear to be quite clunky.

I'm looking seriously at Enpass[1] as an alternative since it has good
multi-platform support (I use desktop Linux, Windows and Mac plus Android).

[https://www.enpass.io/](https://www.enpass.io/)

~~~
emilecantin
I use Password Store[0] as a mobile client; it works fairly well. I have my
private key on a Yubikey, it even works with that.

0:
[https://play.google.com/store/apps/details?id=com.zeapo.pwds...](https://play.google.com/store/apps/details?id=com.zeapo.pwdstore)

------
ubershmekel
Bruce Scheneier designed Password Safe:
[https://pwsafe.org/](https://pwsafe.org/)

It's not one multiplatform app, but there's an equivalent format app on every
platform.

------
po1nter
Anyone know why there's no Windows version yet? I'd like to know how this
compares to the original .Net KeePass.

~~~
jhoechtl
You mean the KeepassX which did not require .NET and was also cross-platform?

[https://www.keepassx.org/](https://www.keepassx.org/)

~~~
roddux
I think perhaps po1nter meant the actual 'KeePass':
[http://keepass.info/](http://keepass.info/)

------
herpderperator
Awesome! I am a heavy user of KeePass, and I also use all three main operating
systems regularly, so this has always been an annoying issue to have. I
usually get around it by using KeePass2Android on my phone and typing out
passwords by hand on the other device. Could be worse.

I hope developing an official Android and iOS app is on the list. There are
third party alternatives (such as the one I just mentioned), but if the goal
is to be completely cross-platform then let's push those out too.

------
Asooka
There's one thing I worry about with keeping all my passwords in a single file
- if a government agent gains access to it, I'll have to decrypt it, which
will reveal the password to my key, my key, and a full list to all web sites I
have accounts at and a list of those accounts. Let's say you have an alt
reddit account you use to post to /r/ihatedonaldtrump, congratulations, now
the government knows with certainty that it was you. It's one thing to see
your IP making requests to reddit.com - you can just give them your normal
username and password, but with a single password file, you give them all your
usernames and passwords. Maybe I'm overly paranoid, but I don't like keeping
passwords to anything that might be remotely questionable in a normal
encrypted password file.

On the flip side, if the file in question contains an account to a
questionable site, could you withhold the key/password to it under the clause
against self-incrimination? I.e. you're sued for insulting Donald J. Trump's
itty bitty tiny handsy-wandsies, but you also have an account at
buymarijuanaonline.com, so you can't give them access to your password
database, because you'll incriminate yourself in a different crime.

------
problems
Does it support the new kdbx4 format which is using Argon2 instead of a custom
AES-based KDF?

Why should I move from KeePass2 to this? Prettier GUI under Linux?

~~~
SadWebDeveloper
> Does it support the new kdbx4 ...?

R: NO,
[https://github.com/keepassxreboot/keepassxc/issues/148](https://github.com/keepassxreboot/keepassxc/issues/148)

> Why should I move from KeePass2 to this?

R: KeePass 1.x and 2.x are the official KeePass releases. KeePassX is a
community port in C++ originally built for Linux/Unix, but now it includes
builds for Windows too. Most people who recommend KeePassX over KeePass 2.x
do so because they are (.NET/Mono)phobics, plain paranoids or just haters of
Microsoft. KeePassX and KeePassXC aren't improved versions of KeePass; they are
just ports to C++ (for Linux and Windows) of KeePass.

------
mrich
With my latest password overhaul I switched to the master password system, not
requiring any compromisable database of passwords as with password managers:

[http://masterpasswordapp.com/](http://masterpasswordapp.com/)

You can even implement the algorithm yourself if you don't trust the app
(which does not require any permissions on Android).

~~~
pipework
Have you seen the comments for this[0] thread?

* What happens when you need to change any single one of those passwords? Don't you need to change all of them?

[0]:
[https://news.ycombinator.com/item?id=12889807](https://news.ycombinator.com/item?id=12889807)

edit: "any single..." includes the master password itself & any of the
individual site passwords for that master password.

~~~
mrich
There also is a counter used for hashing. So for a new password you just
increment the counter. Remembering the counter for every site sounds too
complicated, but you could store that in a file without losing much (any?)
protection.

~~~
pipework
Wouldn't you want to maybe... encrypt that file? Seems almost circular unless
you use something like steganography to embed the data somewhere. I'm not
personally too thrilled by a counter file to replace a different file; at that
point I feel like I'm losing features.

------
stinos
Anyone know how this compares to KeePass (without any X suffixes)? (Apart
from that it has no binaries for Windows, apparently.)

------
hiq
The reasons for the fork are explained in details there:
[https://github.com/keepassxreboot/keepassxc/issues/43#issuec...](https://github.com/keepassxreboot/keepassxc/issues/43#issuecomment-254045934)

It is rather worrying that they mention "keypasshttp" as being one of the pull
requests which was never merged, although it is all about functionality and not
security, just to point out a few months later in another issue that users
should stop using this plugin because of a vulnerability:
[https://github.com/keepassxreboot/keepassxc/issues/147#issue...](https://github.com/keepassxreboot/keepassxc/issues/147#issuecomment-272525411)

I don't really know how secure KeepassX is, but this fork doesn't look like it
is any more secure, at least for the time being.

------
Tepix
I've been using Codebook (formerly known as STRIP) because it is partly open
sourced, however they do not offer a desktop client for Linux and they only
sync with commercial cloud services, so I'm looking for an alternative. Is
there an overview that compares the various password managers out there?

~~~
datashaman
[https://en.wikipedia.org/wiki/Comparison_of_password_manager...](https://en.wikipedia.org/wiki/Comparison_of_password_managers)

------
dr_hooo
I've been wondering, is there any disadvantage in using password hashers
(either as plugins like [0] or standalone) for generating safe passwords? It
seems like a great idea to me, yet most people here seem to prefer full
blown PW manager apps or even online services for this. Am I missing
something?

[0] [https://chrome.google.com/webstore/detail/password-hasher-pl...](https://chrome.google.com/webstore/detail/password-hasher-plus-pass/glopbmohkffbnplcjbbbfmmimfhfnhgd?hl=en)

~~~
gliptic
The main problems I find with hashers are:

* No way to change password without storing things

* No way to handle site-specific rules without storing things

* No way to store auxiliary data (URLs, usernames, etc.)

* No way to see which sites you have accounts on
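To make the hasher trade-off concrete (andai's `hash(strong_master_pass + site + user)` idea, mrich's per-site counter, and the first two points in the list above), here is a constructed Python example. It is not the algorithm of the Master Password app or Password Hasher Plus; the KDF parameters, alphabet and `CounterStore` are assumptions for illustration only.

```python
import hashlib
import hmac
import string

# Constructed example of a deterministic "password hasher": every site password
# is derived from the master password plus site/user/counter, so no secret is
# stored. Not the Master Password app's real algorithm; scheme details assumed.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols


def master_key(master_password: str, user: str) -> bytes:
    """Slow KDF over the only real secret. Any leaked site password lets an
    attacker guess the master password offline, so this step must be costly
    (PBKDF2 here; the real apps use scrypt or similar)."""
    salt = b"hasher-demo-v1|" + user.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, 200_000, dklen=32)


def site_password(key: bytes, site: str, counter: int = 0, length: int = 20) -> str:
    """Derive the password for (site, counter). A new counter yields an
    unrelated password, which is the only way to rotate without a new master."""
    msg = f"{site}\x00{counter}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Map the 256-bit digest onto the alphabet. Modulo 70 leaves a tiny bias;
    # fine for a demo, a production tool would use rejection sampling.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


class CounterStore:
    """The state a hasher cannot avoid once a password has to change: which
    counter is current for each site. Lose it and the current passwords are
    gone; it also lists every site you hold an account on."""

    def __init__(self) -> None:
        self.counters = {}

    def current(self, site: str) -> int:
        return self.counters.get(site, 0)

    def rotate(self, site: str) -> int:
        self.counters[site] = self.current(site) + 1
        return self.counters[site]


def demo() -> dict:
    """Rotate one site password and show why the counter must be stored."""
    key = master_key("correct horse battery staple", "alice@example.org")
    store = CounterStore()
    site = "news.ycombinator.com"
    before = site_password(key, site, store.current(site))
    store.rotate(site)                       # e.g. after a breach at that site
    after = site_password(key, site, store.current(site))
    # A fresh device that knows only the master password (no counter file)
    # reproduces the OLD password, not the current one.
    stateless_guess = site_password(key, site, 0)
    return {"before": before, "after": after,
            "stateless_guess": stateless_guess, "counters": dict(store.counters)}
```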

~~~
dr_hooo
Makes sense, from a usability PoV, thanks.

------
hailsaytan
What happened to the Windows binaries?

------
Tepix
Is there a password manager that can sync to WebDAV?

Even if the data is encrypted, by using 3rd party services such as DropBox you
risk someone trying to crack your passphrase without you noticing.

~~~
NoGravitas
You can use KeePassX or its friends, and sync using Owncloud/Nextcloud. Those
both use WebDAV for their syncing backends.

------
Gelob
I've been using Keepass Desktop which apparently isn't available for download
anymore but it was much better than keepassx

[https://github.com/PixelPaws/KeePass-Desktop](https://github.com/PixelPaws/KeePass-Desktop) [https://www.pixel-paws.de/en/](https://www.pixel-paws.de/en/)

~~~
raphaelh
Could you elaborate a bit on why it was much better?

------
shmerl
The FAQ should explain the reason for the fork. I couldn't find anything about
that, and that was the first question I had.

~~~
rcthompson
The explanation is right here:
[https://keepassxreboot.github.io/project](https://keepassxreboot.github.io/project)

But I agree, they should definitely link to it from the FAQ, since a lot of
people are going to look there first.

~~~
shmerl
Thanks for the pointer!

------
snockerton
Looks like someone was willing to spend some time on an audit of the original
KeePass:

[https://www.ghacks.net/2016/11/22/keepass-audit-no-critical-...](https://www.ghacks.net/2016/11/22/keepass-audit-no-critical-security-vulnerabilities-found/)

------
jacobmischka
I've been using Keeweb for the last year or so and I'm very happy with it. The
mobile experience is a little subpar but it works fine in a pinch, and the
integrated syncing with your own storage services is handy.

[https://keeweb.info](https://keeweb.info)

~~~
patrickk
On iOS, I use MiniKeePass, as KeeWeb is compatible with KeePass databases. I
sync by pushing the latest copy of the DB via iTunes maybe once a week, takes
about 30 seconds. Maybe that helps.

~~~
jacobmischka
Thanks but I'm on Android and I sync using Google Drive.

The two primary issues I have with KeeWeb on mobile are:

- Typing my master password every time is tedious on a touchscreen, I really
miss LastPass's fingerprint reader integration here.

- The back button closes the app entirely, making me have to enter that
tedious password again. This can be fixed by reworking the webapp to use the
HTML5 history API, but just hasn't been done yet. Issue here:
[https://github.com/keeweb/keeweb/issues/331](https://github.com/keeweb/keeweb/issues/331)

~~~
patrickk
A quick Google for "kdbx android" turns up this:
[http://www.keepassdroid.com/](http://www.keepassdroid.com/)

Maybe that fixes the downsides of using KeeWeb on Android.

~~~
jacobmischka
Thanks, but this experience looks worse than KeeWeb, even with its couple
downsides.

------
rkv
> Binary package for OS X >= 10.7

But I get:

> You have OS X 10.11.6. The application requires OS X 10.12 or later.

??

Edit: Looks like this is a known issue[1].

1. [https://github.com/keepassxreboot/keepassxc/issues/181](https://github.com/keepassxreboot/keepassxc/issues/181)

------
Unkechaug
Finally! Very excited for an improved solution. It would be nice to have
something like this on iOS and Android too, but at least my Mac and Windows
computers will be able to play nice.

------
eriknstr
Compiles and installs without trouble on FreeBSD 11.0. Great :D

------
reddotX
on Ubuntu, "snap install keepassxc"

~~~
arviewer
Too bad this isn't mentioned on the download page. I haven't used snaps until
now, and I see there is no menu item. I can start via the terminal, and guess
I have to add it to the menu myself.

~~~
jcastro
The snap should most certainly install an icon, could you file a bug? Thanks!
[https://bugs.launchpad.net/snapd](https://bugs.launchpad.net/snapd)

------
coding123
I guess I can finally upgrade to the kdbx (v2) format. I had to use kdb
because there was no good kdbx editor for OSX.

~~~
stekern
KeePassX supports .kdbx and runs on macOS.

- [https://www.keepassx.org](https://www.keepassx.org)

------
verandaguy
Does this incorporate enough changes compared to KeePassX to warrant an audit?

------
balajics
Are there any enhancements in the UI? I don't find any screenshot posted in the repo.

~~~
arviewer
I don't see a difference. But this is just a starting point I guess.

------
tiatia
How is the database stability of this program?

The last password program I used had often, very often a corrupted database.

