
KeePassXC 2.6.0 Released - varjolintu
https://keepassxc.org/blog/2020-07-07-2.6.0-released/
======
preek
I've been using KeePassXC ever since switching from OSX to Debian Linux. On
OSX, I used 1Password and have been an advocate for years.

However, after being forced to upgrade (and pay again) multiple times due to
API changes, and the integration stopped working with various browsers, I
wasn't a happy customer anymore. KeePassXC works just as well, if not better.
I'm using it on Debian, with browser extensions and on iOS (and sometimes even
on my old MacBook Pro on OSX). Being FOSS, I'm not afraid anymore that stuff
will stop working at some point, because some proprietary API is deprecated.

~~~
cies
You might want to check out BitWarden. A FOSS server exists (even one in Rust,
iirc) and there are open-source clients as well (browser plugins maintained by
BitWarden). This system is "zero knowledge": the server does not get to see
the passwords in normal operation (it does in case of imports, which I think
is a huge security flaw one can mitigate by not importing).

Another thing: Keepass(XC) became a snap package on recent Ubuntus. If there's
one piece of software I don't want to be a snap package it is this tool. It gets
slow, ugly and hard to find (in a process tree). This is the last piece of
software I want to run in snap.

~~~
rlpb
> Another thing: Keepass(XC) became a snap package on recent Ubuntus.

"became" is misleading. It's available as a snap if you want to use it. It
[also] remains available from the apt repository maintained in the traditional
way.

Of course if you want keepassxc on Ubuntu 20.04 from apt/deb, you'll get
2.4.3, because that is the traditional way. The snap available is 2.6, because
consuming the latest directly from upstream is how snaps work. You can choose
which methodology you prefer.

~~~
cies
Did not know that, but after "just installing it", it was suuuper slow and
ugly (very not matching my other apps) and I could not find the process it was
running as at first (snap obfuscates that). Also it could not read a file I
put in /tmp.

I want to use a tool to protect my privacy; please do not package that in some
security-unproven test-bed of a packaging/execution method.

(Also found the calc app was in snap, and thus verrrry slow to start, then I
dumped Ubuntu altogether)

------
siraben
KeePassXC + Nextcloud has supplanted any other password manager for me for the
last two years. The OTP integration is great as well.

~~~
nicolaslem
For me the winning combo is KeePassXC + Syncthing.

~~~
Lendal
Yes, the best feature about KeePassXC is this ability to do your own syncing.
I work at a Fortune 500 where they block every syncing service except
OneDrive, so that's what I have to use.

~~~
fidelramos
You might be able to get Syncthing to work if you use a relay server listening
on port 443; it would depend on their firewall.

------
room505
I've been using the original KeePass for a long time. I'm an architect, not a
coder/software developer. So my question is a bit naive on this forum, but why
is KeePass 10 MB installed and KeePassXC 108 MB if they do the same thing? I
like that KeePass has plugins that I can tailor to my needs. Does KeePassXC
make the same security software changes as KeePass? I forgot one more
question, can I use KeePass2Android if I switched?

~~~
SamuelAdams
Hi there, I have a genuine question about your comment and I apologize if this
comes across as attacking, that is not my intent at all.

> why is KeePass 10 MB installed and KeePassXC 108 MB

Why does the file size matter? Are the devices you use so short on storage
that an extra 100 MB is an issue? Obviously if it was something like 50 GB
then yes, that makes sense, but in general most HDDs and devices have GBs of
empty space.

~~~
mellow2020
> Why does the file size matter? Are the devices you use so short on storage
> that an extra 100 MB is an issue?

No, but just about any aspect of computing benefits from smaller file sizes,
or smaller data size in general, starting with CPU caches, RAM caching of
files, file transfers, including syncing things over the network, backing
things up. The more free space an SSD has, the smarter it can be about wear
leveling (I _think_, though I have no idea how much this matters in
practice).

I mean sure, if the data just sits there, and you don't do anything else with
the machine but run a password manager, it really doesn't matter, but we
tend to run dozens of programs actively with even more running in the background,
and all of this adds up quickly even on one machine. And then there are billions of
people using even more devices.

In this case, I like using KeePassXC portable, so if the size is the result of
having fewer outside dependencies, I'm fine with it, don't get me wrong. But
generally, this attitude of just throwing hardware at software is a problem,
which by now has reached gigantic proportions IMO, and you made the
argument generally.

Imagine some kind of character encoding that is exactly Unicode, but every
character gets repeated 10 times... not for any useful reason, just so people
can show they can afford beefy hardware and waste it. Would you use it?

We cannot even begin to imagine what our current hardware would be capable of,
if we only allowed ourselves the time to use it well. Consider that this runs
on hardware from 1981:
[https://www.pouet.net/prod.php?which=65371](https://www.pouet.net/prod.php?which=65371)

The same achieved with less is always better, I'll just claim that. The whole
universe in all its infinite wealth cannot change that, and we live on a
planet that's about to get ruined real hard because of our consumption of
materials and energy. Storage may very well become so big and cheap as to be
practically infinite, but CPU will always cost energy.

For one-off things with limited use, knock yourself out, of course, but if you
package something for distribution, it may stay around "forever" and get
handled countless times, by servers and end-users, so if it can be made
smaller without making it worse and without extreme hassle, make it smaller.

------
Paul-ish
If you like KeePassXC you should consider donating. I donate $5 a month
because it's worth paying for good software.

[https://keepassxc.org/donate/](https://keepassxc.org/donate/)

------
rburhum
I am assuming there are ways to turn off health checks to “Have I Been
Pwned”. I never want my local password manager to do outcalls for any
reason...

~~~
ObsoleteNerd
You manually run the audit, and it makes it very clear that it’s about to do
an online activity:

[https://github.com/keepassxreboot/keepassxc/pull/4438](https://github.com/keepassxreboot/keepassxc/pull/4438)
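
What such an audit actually sends, as an added illustration (not KeePassXC's own code): it is assumed here that the check uses the Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 leave the machine and the rest is compared locally. The "server" below is a constructed in-memory stand-in with constructed leak counts.

```python
import hashlib

def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password):
    """k-anonymity split: the 5-char prefix is the only thing sent; the
    remaining 35 chars are matched locally against the returned bucket."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Range response format: one 'SUFFIX:COUNT' line per leaked hash."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts

def audit_password(password, fetch_range, sent_log):
    """Return how often the password appears in the leak set; log what left."""
    prefix, suffix = split_hash(password)
    sent_log.append(prefix)  # this prefix is the whole outbound payload
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_fake_range_server(leaked):
    """leaked: constructed {password: count}. Answers a prefix with every
    suffix in that bucket, the way the real endpoint would (offline here)."""
    buckets = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    def fetch_range(prefix):
        return "\r\n".join(buckets.get(prefix, []))
    return fetch_range

# Constructed leak set; the counts are made up for the example.
CONSTRUCTED_LEAKS = {"password": 123456, "letmein": 4321, "qwerty123": 77}
fake_fetch = make_fake_range_server(CONSTRUCTED_LEAKS)

def run_audit(candidates):
    """Audit each candidate; return {password: count} and the list of prefixes
    that were sent, so the caller can see the network footprint."""
    sent = []
    results = {pw: audit_password(pw, fake_fetch, sent) for pw in candidates}
    return results, sent

if __name__ == "__main__":
    results, sent = run_audit(["password", "tr0ub4dor&3-unique-xyz"])
    print(results)
    print("left the machine:", sent)
```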

------
trabant00
Another option you should consider:
[https://www.passwordstore.org/](https://www.passwordstore.org/)

It's just a bash script that uses gpg and git. I find it the most KISS
solution. Not available on phones but I don't trust my phone with my secrets
anyway.

~~~
c0bruhh
I use "Pass - Password Store" [1] for iOS and it works a charm for me.

You have to import your GPG key to it and set up your git connection to your
server and you're all set.

It also supports OTP generation which is really nice.

[1]: [https://apps.apple.com/us/app/pass-password-store/id1205820573](https://apps.apple.com/us/app/pass-password-store/id1205820573)

~~~
marcthe12
How does it compare to keepassxc?

------
the_svd_doctor
How trusted are the iOS/Android apps compared to the "mainstream" desktop
clients like KeepassXC? I'm a bit wary of downloading a "random client" from
the App Store. Are those audited/trusted as much?

~~~
tinalumfoil
I've been using Keepass2Android [0] for a few years now (synced with the
desktop client) and haven't had any issues. I'm not aware of any audits on it,
but I'm not sure the risk of a developer pushing malicious binaries is that
much higher on the play store than the arch/debian/snap/brew repositories.

[0] [https://github.com/PhilippC/keepass2android](https://github.com/PhilippC/keepass2android)

~~~
the_svd_doctor
I imagine those on iOS/Android are "complete" re-implementations of the client.
Isn't that the case?

~~~
tinalumfoil
I've never contributed to it, but my understanding is KeepassXC is both a
library and desktop client (and cli client, which I've never used) and that
the app uses the library to manipulate the database. This piece of
documentation seems to confirm this.

[https://github.com/PhilippC/keepass2android/blob/master/docs/Keepass2Android-Apk.md](https://github.com/PhilippC/keepass2android/blob/master/docs/Keepass2Android-Apk.md)

------
ilitirit
Does anyone know if the browser integration is similar to/better than Lastpass
or Bitwarden? Does it even have browser integration?

~~~
ricardbejarano
I use the browser extension all the time (Chrome).

When it works, it works great. You can tell the extension to auto-fill and
auto-submit, so that it feels like you had been logged in from the very
beginning.

The problem is, it works (in my experience) around 80% of the time. I'm
guessing it's not on them since it requires websites to follow certain
standards in order to have autodetectable login form fields, but it's a pain
nonetheless.

Try it, it takes a couple mins to set up. The best feature IMO is the keyboard
shortcuts to fill in details.

~~~
varjolintu
Many non-standard fields may cause problems with the extension. You can always
try to set Custom Login fields for a certain page which allows you to override
input fields for username and password use.

------
Sander_Marechal
Word of warning: Don't use KeePassXC when your co-workers use KeePass2 using a
network drive. KeePassXC doesn't support KP2's sync protocol. You'll clobber
other people's changes when you save using XC. It took us a few weeks before
we noticed that many passwords were missing.

~~~
Florin_Andrei
But that sounds like the wrong thing to do. Why are you all pointing all your
apps at a shared "database" file? And how about locking issues?

~~~
SloopJon
This seems to be a supported feature of KeePass 2:

"When invoking the 'Save' command, KeePass checks whether the file on
disk/server has been modified while you were editing it. If it has been
modified, KeePass prompts whether you want to overwrite or synchronize with
the file."

[https://keepass.info/help/v2/sync.html](https://keepass.info/help/v2/sync.html)

KeePassXC, on the other hand, does not seem to have been designed for shared
synchronization:

"Cloud synchronization ... can be easily accomplished by simply storing your
KeePassXC database inside your shared cloud folder and letting your desktop
synchronization client do the rest. We prefer this approach, because it is
simple, not tied to a specific cloud provider and keeps the complexity of our
code low."

[https://keepassxc.org/docs/#faq-cloudsync](https://keepassxc.org/docs/#faq-cloudsync)
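
The difference between the two behaviours quoted above, as an added illustration (not KeePass or KeePassXC code): a save that first checks whether the file changed since it was loaded and merges per entry, beside the blind overwrite that produced the missing passwords described earlier in the thread. The database is a constructed JSON dict of entries keyed by UUID, not a real .kdbx file, and the merge rule (newest modification time wins) is an assumption of the example.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(path):
    """Hash the on-disk bytes so any change since load is noticed, even one
    that keeps the same size and mtime."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def load(path):
    with open(path) as f:
        return json.load(f), fingerprint(path)

def merge(mine, theirs):
    """Per-entry merge keyed by entry UUID: the newer 'modified' timestamp
    wins, and entries only one side has are kept (deletions not modelled)."""
    merged = dict(theirs)
    for uuid, entry in mine.items():
        other = theirs.get(uuid)
        if other is None or entry["modified"] >= other["modified"]:
            merged[uuid] = entry
    return merged

def blind_save(path, entries):
    """The lost-update case from the thread: whoever saves last wins."""
    with open(path, "w") as f:
        json.dump(entries, f)
    return entries

def checked_save(path, entries, loaded_fp):
    """If the file changed since we loaded it, merge with the on-disk copy
    before writing, then replace the file atomically."""
    if fingerprint(path) != loaded_fp:
        on_disk, _ = load(path)
        entries = merge(entries, on_disk)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(entries, f, sort_keys=True)
    os.replace(tmp, path)
    return entries

def two_editors(checked):
    """Constructed scenario: Alice and Bob load the same shared file, Alice
    adds an entry, Bob rotates a password, Alice saves first, then Bob saves
    blindly or with the check. Returns the entries left on disk."""
    path = os.path.join(tempfile.mkdtemp(), "shared.json")
    with open(path, "w") as f:
        json.dump({"u1": {"title": "mail", "password": "old",
                          "modified": "2020-07-01T00:00:00Z"}}, f)
    alice, fp_a = load(path)
    bob, fp_b = load(path)
    alice["u2"] = {"title": "vpn", "password": "s3cret",
                   "modified": "2020-07-02T00:00:00Z"}
    bob["u1"] = {"title": "mail", "password": "rotated",
                 "modified": "2020-07-03T00:00:00Z"}
    checked_save(path, alice, fp_a)
    if checked:
        checked_save(path, bob, fp_b)
    else:
        blind_save(path, bob)
    return load(path)[0]
```

Calling `two_editors(False)` leaves only Bob's copy on disk (Alice's new entry is gone); `two_editors(True)` keeps Alice's entry and Bob's rotated password.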

~~~
quicksilver03
The synchronization feature is what's keeping me on KeePass 2 (running on Mono
in Linux), despite the fact that the interface looks completely out of place
in my KDE system.

------
mlukaszek
Also a user. Works well in general, although I continue to be sad to see the
arrogance when arguing in an issue that is a valid and necessary use case
for many people using online banking.
[https://github.com/keepassxreboot/keepassxc/issues/725](https://github.com/keepassxreboot/keepassxc/issues/725)

~~~
Firerouge
Surely that sort of individual character checking of passwords implies
plaintext password storage.

Seems reasonable not to go out of the way to support obscure insecure password
entry methods.

~~~
greggyb
I bet they just hash every character of the password separately!

/s

------
i_am_proteus
KeepassXC with the .pdb synced with git and locally-distributed .key files has
been my go-to for years. I don't use browser extensions.

------
sandreas
I'm excited to try this out. Just to mention two interesting projects:

On MacOS I use: [https://macpassapp.org/](https://macpassapp.org/) (Open
Source)

I always wanted to try: [https://www.passbolt.com/](https://www.passbolt.com/)
(Self-hostable)

~~~
vehemenz
I switched from MacPass to KeePassXC because it supports newer versions of the
KeePass database spec and is compatible with Windows and Linux. If you ever
end up sharing password databases, it's a must.

~~~
balladeer
Could you please specify what the data spec support difference is between
MacPass and KeePassXC? As for formats they both support KDBX4. But yes,
MacPass dev and releases are very slow. It's just that it has been such a
functional and stable native app for years.

------
elric
While we're on the subject of password managers ... I'm still looking for one
with decent multi-user & group support, with audit trails, which is
self-hosted. Bitwarden sounded promising, but I'm put off by their MS based
stack and their pricing model. Any other recommendations would be greatly
appreciated.

~~~
berkes
I'm not sure what you mean by "their MS based stack", but if it is not about
the build tools (.net etc), but about them hosting on azure: Bitwarden can be
self-hosted just fine on Linux.
[https://github.com/bitwarden/server#linux--macos](https://github.com/bitwarden/server#linux--macos)

~~~
thayne
Unless it's changed since I looked at it, it requires MS SQL Server, which
does run on linux, but isn't FOSS, and is very expensive to license if you
aren't already using it.

~~~
Semaphor
> and is very expensive to license if you aren't already using it.

Not FOSS, but the express edition is free as in beer and the limits should not
matter at all for bitwarden (I think the main one is max 10 GB). I prefer
KeepassXC + Keepass2Android + Nextcloud though ;)

------
mwexler
Thoughts on comparing this to bitwarden? Pros, cons?

~~~
kileywm
Having used both, Bitwarden has been a better overall experience for me and
much better for my friends and family. I still like both of them.

KeePassXC

* [Pro] Excellent desktop app. Fast, easy, polished, powerful (TOTP available by default).

* [Pro] Great data ownership philosophy and data storage flexibility.

* [Con] Poor cross-platform app experience, especially on mobile (iOS in particular).

* [Con] Tinkering required to sync data. This isn't a big deal for many of us on here, but presented a large barrier to entry for my non-tech-savvy friends & family.

Bitwarden

* [Pro] Excellent cross-platform experience.

* [Pro] Low barrier to entry via SaaS, making it a good option for less-than-tech-savvy folks. This is ignoring the nice option to self-host.

* [Pro] Sharing features (haven't actually used them).

* [Pro] Web vault is accessible via web browser (accessibility).

* [Con] Web vault is accessible via web browser (increased attack surface).

* [Con] App is a tad slow (electron), but this is an acceptable price to pay for the good cross-platform experience.

~~~
piaste
I self-host Bitwarden and I haven't even bothered to install the desktop app.
Since I have a browser open at all times, I just use the browser extension.

Also, I think the Android client is quite a bit better than Keepass2Android.

~~~
Semaphor
I tried bitwarden once and didn’t like it (can’t remember why, don’t care, no
interest in switching ;) ), so I never tried their mobile client. But I’d be
interested in what’s better than K2A, I think the modern Android experience
with it is awesome.

~~~
piaste
A few things I remember: adding new entries was clunkier in k2a because I had
to tap multiple times to select things like category/folders that I didn't
care about. Bitwarden has better URI matching as I could choose the matching
rule. BW has better search, or rather it displays search results in a more
useful way. The autofill service also seemed to work more reliably, and I
don't think k2a showed the matching logins right in the autofill drop-down
menu, but I could be misremembering there.

Ultimately though it was the browser extensions, combined with the
self-hosting option, that sold me on BW. None of the Keepass plugins I tried
over the years worked that well. BW has extensions for both Firefox on Android
and Vivaldi on desktop that are as solid as anything I've tried.

------
qwerty456127
Why do people insist on putting everything, even passwords, in folders? I find
categorizing files, let alone passwords, into a strict taxonomy a particularly
hard job of questionable usefulness.

It would be much handier if we could just tag the records with a number of
tags + add a description and/or comment rather than put it in a folder. I
always use search rather than manual folder tree navigation anyway.

------
awill
Years ago I used KeePassX. It became stale, ugly, and didn't have a good
Android app. KeePassX then moved to .NET, and didn't work well on Linux, so I
looked around. I settled on enpass as it was a paid app without a
subscription, and with your choice of sync/backup. Enpass has excellent
desktop/mobile apps with sync using your choice of cloud service. I'm very
happy with it.

~~~
120photo
I actually just finished moving from 1Password to Enpass. KeePassXC was in the
mix and is nice but what killed it for me was the lack of credit card /
template support. Did not like the 1Password move from offline storage to
online sync. You can buy a license but it is about $70 or so per platform.
Enpass desktop is free and I can sync to my Synology using WebDav. That all
said, I really hope KeePassXC vastly improves because I would love love love
to use as much OSS as I can.

------
eric1293
How does Keepassxc compare to other password managers (passwordstore with
gpg-agent/gnome keyring, 1password, Bitwarden, etc) in terms of protecting
secrets when the vault is unlocked?

For example, part of the data may be held unencrypted in RAM that could be read
by the OS or other programs. Any use of TPM?

------
virgilp
Wait, so there's Keepass, KeepassX and KeepassXC? I understand the X is
cross-platform (initially it was linux-only) whereas presumably Keepass is
win-only; but what's the "community fork" for? Why not improve KeepassX? And
why don't KeepassX and Keepass merge now?

~~~
delfinom
Keepass 1 is .NET Framework based. Keepass 2 is .NET Framework and has a Mono
build of varying success. 1 and 2 are the originals and still actively
developed.

KeepassX has stalled development since 2016 but was a true cross-platform
desktop client.

KeepassXC is the fork of X and at this point in time is light years ahead of X.

I'm sure the developers of XC may have wanted to contribute to X but X seems
to have been spearheaded by a single developer who stalled on letting other
devs become maintainers. So the community forked it.

But to answer the question, it's impossible to merge X and the original
because their code bases are in entirely different languages, and arguably X
doesn't give you anything other than the one-man dev show.

------
gigababe
I used to use KeePass and KeePassXC for years at a time, but the amount of
time I have saved not having to mess with syncing issues more than makes up
for the ~$30 a year for 1password that always works across windows, linux, ios
and mac.

------
amedvednikov
Is it better than KeePassX?

~~~
donmb
I like the design of X more. Not sure what is better in XC though.

~~~
amedvednikov
X looks very unnatural on macos

[https://i.imgur.com/JtXVZW2.png](https://i.imgur.com/JtXVZW2.png)

------
muska3
I'm curious why would anyone on Windows use KeePassXC instead of KeePass. Are
KeePass plugins compatible?

~~~
deeter72
For me personally because the author of KeePass is a stubborn person who is
hell-bent on not using a VCS. I see no reason why one would not use a VCS in
2020. From a security point of view this is a massive violation of trust, due
to the fact that a criminal entity could hypothetically sneak into the
computer of the author of KeePass and modify a cpp file to link to malware,
and the author would have no idea of it when he compiles and distributes it.
He would have unknowingly distributed malware which, due to the context of the
application, can cause massive damage.

I do know that I can compile myself, but still I cannot audit every single
release; this can be mitigated by myself using git and extracting tar files on
every release. But this should not be this difficult.

KeePassXC on the other hand is more practical and works on all platforms
consistently and is easy to compile with cmake and has convenient cmake
switches to disable network connectivity.

------
phonebucket
Has anyone migrated from Lastpass to KeePassXC? Was it difficult?

~~~
Semaphor
Lastpass to Keepass2 years ago; it was simply export/import. I assume it's
pretty much the same for XC.

------
donmb
I like the simplicity/design of KeePassX more than XC

------
runxel
Been on the "regular" KeePass all along.

Should I switch?

~~~
raziel2p
I switched many years ago because Keepass didn't work well (or at all) on
Linux. Since then, I think KeepassX and especially KeepassXC have surpassed
the original Keepass in quality - so yes.

One thing that really amazed me was recently (1-2 years ago) KeepassXC got rid
of the lock file and made it possible for multiple processes/computers to
seamlessly work on the same file. This is fantastic for situations like having
2 computers running at the same time, opening a Keepass database file from
Dropbox.

~~~
runxel
Fair point, but I'm a Windows user, so that alone is not really an argument.

The interface looks better, sure, but nothing really makes me
dissatisfied.

~~~
tw04
Browser integration was a major issue with Keepass - haven't used it in years
so I don't know if they've fixed it so you don't need the plugin hack.

~~~
Semaphor
That was my reason to switch from 2 to XC (on Windows) as well. Far superior
browser support.

