
KeePass: OpenSource Password Manager - Mitt
http://keepass.info/
======
ghoul2
I have tried pretty much every one of the well known password managers (that
are open source and work on linux), but never found any of them very
convenient to use.

Until I came across this:
[http://www.zx2c4.com/projects/password-store/](http://www.zx2c4.com/projects/password-store/)

It is simply the easiest, most intuitive password manager out there. One of
those things that, once you come across them, you wonder why it took so long
for something this logical to come into existence. I am not associated with
the project, but these are just a few things I love about "pass"

1\. Command-line based: which means I can script it, I can run it remotely,
etc.

2\. Uses Git to store the passwords: full revision history, changelog, and
remote push/sync features that git is SO good at. Other password managers have
to reinvent that whole wheel and none seems to do a good job. This also
eliminates the need for "hosted" solutions - which I just simply refuse to
use.

3\. GPG for password encryption: once again, such a natural, awesome way to do
things. GPG is already the safest practical way to secure data-at-rest. I
can rest easy that no silly homegrown encryption system was invented. Also, as
long as I have the keys, in the worst case I can do the decryption myself, if
I do not have access to "pass".

The only thing I believe it might lack is the fact that the names of the
entries are in the clear. Which means I cannot set up a github(private)
repository as remote for my pass store: the passwords themselves would still
be gpg encrypted, thus safe, but the repository will leak names of all
websites and userIDs.

In any case, kudos and thanks to the devs!

~~~
ygra
I think just pressing a hotkey to auto-type the correct password and username
based on the currently active web page, program, window, etc. is easier still
than opening a terminal and running a command. To me at least.

~~~
ghoul2
Well, I always have guake running, so for me doing it all on the command-line
is WAY faster and more convenient. I forgot to mention that "pass" also has
command line completion - which makes retrieval trivial.

I would also be surprised if someone somewhere hasn't already written an
"autotype" layer over pass, but that's not something I am personally interested
in.

I do agree that for end users this may not be the case. For non-technical
people (my parents, for example), I mostly recommend writing their passwords
down on paper. They have very few passwords as-it-is, and almost none of them
are critical.

My own use case, where I have literally hundreds of pieces of info I need to
secure (passwords, key-files, gpg keys, ssh keys, etc), is very different from
that of such users. Hence different tools.

Oh, also, "pass" can copy the password to the clipboard, making the copy-paste
scenario trivial. In fact, it goes even further by clearing the pass from the
clipboard after a preset time.

~~~
ygra
KeePass can copy to clipboard or do autotype. And I'd say every password
manager _has_ to make sure to clear the clipboard afterwards in such cases.
This is basic and bog-standard functionality which was present in every
password manager I used so far.

------
dewiz
I'm quite surprised to see this on HN homepage, I mean this is such a great
and popular tool that I would expect everyone to know about it and find it
just an obvious link not to upvote.

Does anyone know if there is a lib to read and write into keepass archives
programmatically, e.g. from a C# app? that would be quite useful to manage in
an automated way some credentials for production systems, sharing the archive
via versioning repos in a team.

~~~
abrussak
This may work:
[http://keepass.info/help/v2_dev/scr_index.html](http://keepass.info/help/v2_dev/scr_index.html)

~~~
rat87
The first link in that link describes a flexible command line you can use for
a number of operations. The second describes how you can write c# like script
files that will be loaded. Both require the KPScript extension. Why not just
bundle/reference keepass.exe since it's a .net executable? see
[http://stackoverflow.com/a/9028433/259130](http://stackoverflow.com/a/9028433/259130)
. Also if you haven't tried it yet you might want to try messing about with
[https://www.linqpad.net/](https://www.linqpad.net/) (run c# as script
file/interactively) like he did.

------
hedwall
And if you need multiplatform, there is always KeePassX [1]. I use it on Mac
OS X, Windows, iOS, Android and Linux, and it just works.

[1][https://www.keepassx.org/](https://www.keepassx.org/)

~~~
avtar
The dependencies for this seem more appealing than KeePass but unless my
searching skills are not up to par there don't appear to be any browser
autocompletion plugins.

~~~
aprescott
I've found autotype to be more than enough personally:
[http://keepass.info/help/base/autotype.html](http://keepass.info/help/base/autotype.html)

In fact, I usually just copy the password with Ctrl-C and the username with
Ctrl-B. You can configure a secure clipboard erase after n seconds.

One thing I really wish had better support is ssh-based entry-level sync of
databases[1]. Keepass has a plugin for it but I don't know the status for
KeepassX 2 (currently in a non-stable release state). If I could point
KeepassX at an SSH remote path and have it transparently sync at the entry
level it'd be almost perfect.

[1]:
[http://keepass.info/help/v2/sync.html](http://keepass.info/help/v2/sync.html)

~~~
ytjohn
I've used autotype before and it works fantastic, but you have to be super
careful with it. It basically switches back to the last window you had open
and immediately types your username and password in. It is very easy for this
to type your credentials into the wrong window. When using it (I used it a lot
for vmware sessions through an RDP connection), I would find myself clicking
back and forth from the target window to keepass a couple times to ensure I
was going to hit the right window.

------
AceJohnny2
I've been having it on my various systems (Windows, Linux, Android) in the
sidelines for a couple months, and after initial fiddling, still haven't
actually started using it.

This is mostly because I don't want to have to deal with copy-pasting my
password between the KeePass app and the browser (where most of my passwords
are needed). Luckily, there are autofill plugins that exist for Chrome [1],
Firefox [2], and Android [3].

However:

\- said plugins work with KeePass2 which on Linux the GUI theme to the point
of being almost unusable (as a C# app using WinForms, it doesn't respect
GTK/Qt theming well).

\- getting the KeePass2 plugin needed for the browser plugins requires jumping
through hoops on Linux and I haven't gotten it to work (yet?).

\- I'm sharing my KeePass database on DropBox (with its own security
considerations...) to synchronise between the different systems and...

\- The Android app just won't open the shared database.

So it feels like I'm 60% of the way there, but I still don't have a usable
system. Hints appreciated.

[1] [https://chrome.google.com/webstore/detail/chromeipass/ompiai...](https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae?hl=en)

[2] [https://addons.mozilla.org/EN-us/firefox/addon/passifox/](https://addons.mozilla.org/EN-us/firefox/addon/passifox/)

[3] [https://play.google.com/store/apps/details?id=com.hanhuy.and...](https://play.google.com/store/apps/details?id=com.hanhuy.android.keepshare&hl=en)

~~~
jlgaddis
For personal use, I've been using LastPass for a few years but have been
slowly migrating away from it in recent months. I'm switching to KeePassX
which I already use for $work-related data. (I have intentionally avoided the
Mono-based applications.)

KeePassX has similar "auto-fill" functionality as well. It's not as perfect or
as seamless as LastPass but it is definitely usable (after a bit of one-time
per-site tweaking in some cases). Having recently decided that using LastPass
presents a non-zero risk, the extra effort I have to spend w/ KeePassX is
certainly worth it, IMO.

Although I don't do it now, I have in the past kept my password databases in
Dropbox. With Dropbox also installed on my iPhone, I am able to access my
password databases using "MiniKeePass" on iOS without any issues.

In addition, there are Windows, Linux, and OS X versions of KeePassX and all
of them can open up my .kdb files without any issues.

~~~
LocalPCGuy
As others have said, why migrate away from LastPass? They definitely seem to
be doing things properly in terms of security and I've been very happy with
the security, as well as the ease of use when I set it up on a new machine.

~~~
revasm
The problem with in-browser password management is that the attacker does not
need to escape the browser. Code injection (via XSS or a browser exploit) into
a running extension is likely easier than defeating the seccomp-IPC
implementation or the AppArmor/SELinux profiles which protect the system.
Addons like LastPass are mainly concerned with remote server weaknesses, but
nothing will protect the browser from itself.

Another opinion: It's weird loading a browser+environment for non-browser
passwords (SSH, HTTP/WebDAV, etc), and it's equally weird managing the
passwords separately.

------
gibybo
For those looking for something ultra lightweight, I highly recommend pwdhash
([http://pwdhash.com](http://pwdhash.com)). It's not a password manager, it's
just an open source hashing algorithm that protects you from sites storing
your password poorly. Instead of depending on them to store your password in a
one-way hash, it does it on your end before sending the password to the site.

The algorithm is very roughly base64encode(hash(password + domain)), and then
truncated to match your original password length.

The form on the site is just a demo (and backup if you need to use it outside
of your own browser). What you really want is the extension (for most major
browsers). You can type in the same strong password to every site and the
extension will always hash it to the site specific password so you don't have
to worry about them storing it poorly. You can also use unique master
passwords for certain sites, if you so choose.

~~~
stormbrew
Oh nice, I've been thinking about something like this a lot lately. I don't
really like the idea of truncating the generated password, though. I'd rather
it use a proper KDF and fill the password field to its limit.

~~~
gibybo
I think the reason they did it is because a lot of sites have maximum password
lengths that would prevent the full output. Those are exactly the type of
sites that you want to be using something like this on.

~~~
stormbrew
Sure, but as long as the site actually sets the password length limit on the
field it shouldn't matter. It will obviously be truncated a lot of the time,
but I'd rather it be truncated at the longest possible point.

From looking around it seems like the reason is that they wanted the visual
representation of typing the password to reflect the number of characters you
actually typed as you type them. I'm not sure if this comes out true, though,
as I can't actually get it to work in chrome.

~~~
gibybo
The chrome extension requires putting '@@' at the start of the password
field. This turns it yellow to indicate it is now active for that field.

> Sure, but as long as the site actually sets the password length limit on the
> field it shouldn't matter.

Yes, but in my experience sites rarely implement this. If they do, it's
probably inconsistent (i.e. different limits on the login field, create
account, and reset password fields).

~~~
stormbrew
Yep, tried that. Just doesn't do anything at all as far as I can tell. Maybe
it has issues with linux chromium? I dunno.

Re password lengths, my experience is that they usually truncate on the server
side at that point, rendering it pretty moot. But yes, I do see this problem.
I'm just not sure you're not going to run into it either way if you're
practicing good password hygiene. I'd still prefer it make an attempt at
adding as much difficulty to the password as possible, though.
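
The scheme gibybo sketches in this sub-thread, next to the KDF-based variant stormbrew asks for, as an added example that is not part of the original thread and is not PwdHash's actual code. SHA-256, PBKDF2 with the domain as salt, the iteration count and the 32-character field limit are assumptions chosen for illustration, so the output will not match the real extension.

```python
import base64
import hashlib
import math


def _b64(raw: bytes) -> str:
    """Base64 without '=' padding, so every output character carries data."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def rough_site_password(master: str, domain: str) -> str:
    """base64(hash(password + domain)), truncated to the typed length.

    Follows the rough description in the thread. SHA-256 is an assumption;
    the comment only says "hash". A SHA-256 digest encodes to 43 characters,
    so a master password longer than that still yields 43.
    """
    digest = hashlib.sha256((master + domain.lower()).encode("utf-8")).digest()
    return _b64(digest)[: len(master)]


def kdf_site_password(master: str, domain: str,
                      field_limit: int = 32,
                      iterations: int = 200_000) -> str:
    """Variant suggested in the replies: a slow KDF, output filled to the
    field's limit instead of the typed length.

    PBKDF2-HMAC-SHA256 with the domain as salt is an assumption; field_limit
    stands in for whatever maximum the site's password field allows.
    """
    if field_limit < 1:
        raise ValueError("field_limit must be at least 1")
    nbytes = math.ceil(field_limit * 3 / 4)  # bytes needed for that many base64 chars
    raw = hashlib.pbkdf2_hmac("sha256",
                              master.encode("utf-8"),
                              domain.lower().encode("utf-8"),
                              iterations,
                              dklen=nbytes)
    return _b64(raw)[:field_limit]


def max_entropy_bits(site_password: str) -> int:
    """Upper bound on entropy: each base64 character encodes at most 6 bits."""
    return 6 * len(site_password)


if __name__ == "__main__":
    master = "hunter2!"  # constructed sample input, not a real credential
    for domain in ("example.com", "example.org"):
        rough = rough_site_password(master, domain)
        strong = kdf_site_password(master, domain)
        print(f"{domain}: rough={rough} (<= {max_entropy_bits(rough)} bits), "
              f"kdf={strong} (<= {max_entropy_bits(strong)} bits)")
```

Both functions are deterministic, so nothing is stored; the difference is that the first caps the site password at the length of what was typed and costs an attacker one fast hash per guess at the master password.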

------
goodside
I recommend OneShallPass ([http://oneshallpass.com](http://oneshallpass.com))
over KeePass. It's open source and auditable like KeePass, but:

1) It doesn't have to be compiled or installed, since it's just a monolithic
HTML page with all JS/CSS inline.

2) It has a free, optional hosted service that stores encrypted passwords with
pure client-side decryption, so you can get your passwords from any
web-enabled device without having to trust the host.

~~~
ScottWhigham
_1) It doesn't have to be compiled or installed, since it's just a monolithic
HTML page with all JS/CSS inline._

The obvious and huge difference then would be that KeePass requires a password
or key file to open but an HTML page requires only a browser or text editor.
Major, major difference to me.

~~~
goodside
> The obvious and huge difference then would be that KeePass requires a
> password or key file to open but an HTML page requires only a browser or
> text editor. Major, major difference to me.

Did you spend even two seconds looking at OneShallPass? _Literally the second
thing on the page_ is a field asking for a passphrase, and yet you came here
to complain that it doesn't require a passphrase.

The passwords are encrypted. The fact you can read the decryption algorithm in
your text editor doesn't let anyone know your passwords, any more than you
being able to download and read the source of KeePass lets you read other
people's KeePass passwords.

------
brownbat
I use a password locker.

It makes me wish there was an open standard for sites to negotiate a new entry
with a password manager, something automatic in the background for new
registrations.

Site could send password restrictions, like allowed and required character
types, minimum length, even maximum length, though that last one would be
frowned upon. The locker would reply with a preferred username and random
password and add same to the database upon acceptance.
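
The locker side of the exchange described above, as an added example that is not part of the original thread. No such standard is referenced on this page, so the policy fields (`allowed`, `required`, `min_length`, `max_length`), the class names and the reply shape are all hypothetical.

```python
import secrets
import string

# Hypothetical character-class names a site could refer to in its policy.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}

PREFERRED_LENGTH = 24  # what the locker uses when the site allows it (assumption)


def generate_for_policy(policy: dict) -> str:
    """Return a random password satisfying the site's stated restrictions."""
    allowed = list(policy.get("allowed", []))
    required = list(policy.get("required", []))
    min_len = policy.get("min_length", 8)
    max_len = policy.get("max_length")  # None means the site sets no maximum

    if not allowed:
        raise ValueError("policy allows no character classes")
    unknown = [c for c in allowed + required if c not in CLASSES]
    if unknown:
        raise ValueError(f"unknown character classes: {unknown}")
    if not set(required) <= set(allowed):
        raise ValueError("a required class is not in the allowed set")

    # Use the preferred length unless the site's limits force something else.
    length = max(min_len, PREFERRED_LENGTH)
    if max_len is not None:
        length = min(length, max_len)
    if length < min_len or length < len(required):
        raise ValueError("policy cannot be satisfied")

    alphabet = "".join(CLASSES[c] for c in allowed)
    # Rejection sampling: draw uniformly from the whole alphabet and retry
    # until every required class appears, so no position is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in required):
            return candidate


def build_reply(policy: dict, preferred_username: str) -> dict:
    """The locker's answer: preferred username plus a fresh random password."""
    return {"username": preferred_username,
            "password": generate_for_policy(policy)}


if __name__ == "__main__":
    # Constructed sample policy, as a site might send it during registration.
    site_policy = {"allowed": ["lower", "upper", "digit"],
                   "required": ["upper", "digit"],
                   "min_length": 12,
                   "max_length": 16}
    print(build_reply(site_policy, "brownbat"))
```

A policy whose maximum is below its minimum, or that requires a class it does not allow, raises `ValueError` rather than producing a password the site would reject.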

~~~
borplk
God damn what you mentioned is a brilliant idea. I wish there was some
standard for it. These are problems that I'm often inclined to work on
solving, but unfortunately they are also the kind that need lots of time and
adoption and formal procedures and acceptance from a large group of people to
go anywhere so I tend to just day dream about them for a little while then
give up, hoping some standard body or an organization like Mozilla do
something about it.

~~~
brownbat
What's the barrier to an RFC? Can just anyone submit one? I'll try a writeup if
anyone thinks it's worth putting out there.

~~~
borplk
I don't think there's any significant barrier to publishing it (probably no
barrier at all). But my perception is everything comes after that ... this
kind of stuff tends to be very slow moving.

------
da_n
The only problems I have with KeePass are it is Windows-first (though I know
there are third-party native clients for Linux, OS X, Android etc) and that
browser integration is not comparable to something like LastPass. I do want to
get away from LastPass as my trust in the cloud (especially US based cloud
services) took a dive after Snowden.

~~~
jwcrux
Except that Lastpass doesn't know your passwords. Everything is encrypted
before it is sent to Lastpass using a password you control.

~~~
deafbybeheading
...and a mechanism provided by the party you are attempting to secure
passwords from. I use LastPass, but just sayin'.

------
snitko
Been using them for a long time. Best software for these purposes. Developers,
if you see this, please enable Bitcoin donations.

------
luckyno13
I have been using this for right at 2 years now and I like it. I haven't tried
others but it serves my needs and satisfies whatever attributes I need to feel
safe.

At times, it contributes to what I call "log in anxiety" in that it
necessitates opening the program, and inputting a password to get my other
password. But no one ever said the extra security was synonymous with
convenience.

And I don't leave it open, nor do I allow it to store any information in
browser plugins as this seems counter productive to the sensitive passwords I
use in this program.

------
Brajeshwar
Being on OS X, I have moved to 1Password. I'm, to this day, a dedicated
proponent of Keepass. Anyone, asking me to suggest a Password Manager - my
first answer is Keepass (Windows or Linux). Even for OS X, if one cannot
afford 1Password yet or do not want to buy it just yet, Keepass is the one.

* Spend some time learning the Keyboard shortcuts and you're all set.

* Keep the Keepass File on Dropbox, so it's synced across your machines and is backed up.

* Sharing common credentials with a team - server login details, team site details etc - have a common Keepass File on Dropbox and share it with your team. Suggestion is to open it as "read-only" unless you're adding new entries.

* You can also have an additional layer of security by using an additional (optional) Key Locker File (besides the main password) to lock Keepass. You can have that on a thumb-drive or some place you know.

* One thing I really wish 1Password had that Keepass has is the auto-generation of a password when you enter a new entry. One can set parameters of what password is generated. I have to click to get that in 1Password.

P.S. If I remember correctly, Keepass even has a portable version.

~~~
8bitpony
Regarding password generation, if you're using OS X you can use Alfred with a
workflow to generate a password.

------
tzs
If I may, I have a question that was inspired by using password managers.

Does anyone see any security issues with supporting on a website allowing the
user name and password to be entered together in one field? The normal way of
entering the user name into one field and the password into another would
continue to work. The site would simply check and if the user name field
content is blank, and the password field content has a space in it, the
password field content will be assumed to actually be the user name and
password together, separated by a space.

The idea here is that you'd then be able to enter both the user name and the
password with a single copy/paste operation. This would be convenient when
using a password manager on an iPad. I sometimes get tired of having to do
this:

1\. unlock password manager

2\. copy user name

3\. switch to browser

4\. paste user name

5\. switch back to password manager

(If using most paranoid security settings, insert another step of "unlock
password manager")

6\. copy password

7\. switch to browser

8\. paste password

If the website supported my single-field option, I could just set the password
manager to store the combined user name and password in the password field, and
then it is only unlock/copy/switch/paste.

~~~
mwww
I believe that instead of messing around with a known standard (username +
password fields), it would be better if web services would implement
two-factor authentication. Password managers would become useless then, because
you would be able to use simple passwords that you may remember, while being
even more secure.

------
fekberg
A while back I set off half a day to set up KeePass, not that setting up
KeePass takes that long - but generating random passwords for all the sites
that I use did. KeePass is great, there's an app for Windows Phone that is
great and there is a third party plugin for Chrome that will both enter and
help me save passwords when the vault is open.

Great software, everyone should be using password vaults.

------
ParadisoShlee
I love KeePass, but I want the freaking policy to apply to the database and
not the application opening the database - Which is crazy talk!

------
jrabone
Really want to start using KeePass on Android with an NFC token, but it looks
like the YubiKey Neo might get a new version soon to support U2F. Anyone know
if the U2F thing is worth waiting for? Don't want to spend $50 (probably £50)
to find it's obsolete next week.

------
DDR0
I started using KeePassX because it was a good cross-platform way to store my
passwords. I'd had a couple cases where a password had simply gone -missing-
for me, so I figured it was time to put all my eggs in one basket and try to
not drop _that_. I figured it was less of a security vulnerability than
reusing the same password a bunch of times. I've currently got the kbd file up
on the internet at large, in case my house burns down. I figure it'll make HN
if the .kbd files are ever found to be hackable, right?

It's a sort of wishful, hopeful approach to password security, really.

------
mnicolosi
I'm a long-time user of pass
([http://www.zx2c4.com/projects/password-store/](http://www.zx2c4.com/projects/password-store/)).
I prefer tools that
integrate well with the command-line, but there's a few things I didn't like
about pass, so I started my own password manager, called passman
([https://github.com/manicolosi/passman](https://github.com/manicolosi/passman)).

I wouldn't recommend using it yet, but any feedback would be super helpful.

------
kriro
I have been using it since version 1. Unfortunately I have upgraded to KP2
which can't easily export/import to KeePassX which is what I want to switch
to, mostly because I very rarely use Windows these days and when I do I don't
really need my PW-DB.

I'm syncing it via ownCloud as a test run (https, non-US site) and it works
fine. Not sure I ultimately want to do that via the cloud though. Might just
switch to using a USB stick especially since merging DBs works pretty well.

~~~
cyphax
I have this problem as well. For some reason KeePass 2.x (Windows, at work)
cannot read KeePass 1.x databases and KeePassX on my Linux computer at home.
So if I want to exchange between the 2, I have to export from KeePass 2.x, so now
I have 2 databases that are generally in sync, until I forget to export it. So
not ideal. I'm considering switching from KeePass 2.x to KeePass 1.x
(currently 1.26, released in July of last year, so not too old) but I wish
these applications would get their compatibility on the same level.

edit: I wasn't sure if KeePassX had a Windows port -- it does and I downloaded
it to replace KeePass at work with.

------
TuxLyn
Installed it, seen "I understand that my encrypted data will be sent to
LastPass" then uninstalled it. O_O Yeah, definitely better use KeePassX
software. Passwords should never be stored online no matter how secure the
service claims to be. Especially with recent revelations about all this
privacy/security issues in USA. The KeePassX is still in alpha stages, the
only available stable linux version right now for KeePassX is v0.4.3

------
nkg
Using it and loving it. At the office, we have a usb key that contains the key
file to open Keepass. So it's like a key that's also a key, you know...

------
alkonaut
Is this a desktop-only solution, i.e. no mobile? Then it is bound to be a
no-go for most users. My checklist is pretty short:

1\. Clients available on web and/or all platforms, must be able to add/copy to
clipboard passwords on all platforms.

2\. Synced or Shared database between all clients.

3\. No subscription cost (upfront cost OK).

Nice-to-have things would be browser plugins, command line interface etc., but
that isn't essential.

~~~
hrktb
It has mobile counterparts. The copy/paste part is Ok, the syncing depends on
the clients. I think syncing is always through some other service, some apps
claim a nice integration with dropbox, some are more tedious (I use
miniKeePass on iOS and it's not fun to sync), but you won't have any fees
other than what you pay for dropbox or some other third party storage.

Overall keepass is far from perfect and lacks polish, but it's good enough for
most purposes, and doesn't require an internet connection, which opens more
use cases (keeping banking info or wifi passwords for instance)

------
Fogest
If I save the database to dropbox so that I have it on multiple PC's at once,
how can I ensure I do not overwrite a database that has new entries?

For example say on PC-A I make a change and save it. On PC-B I have the old
database still opened and loaded in KeePass. What happens if I then save in
PC-B without opening the database up? That means I just lost the one password?

~~~
hughc
I've had this experience with 2.x and as I recall, on machine B where the file
was already open with unsaved changes, I was prompted to merge changes after
Dropbox updated the file on disk. Without recalling the details, I was pretty
impressed.

~~~
Fogest
Ah okay. Did not know there was a merge function!

------
Mitt
I put a tiny Truecrypt container on my file hoster (HiDrive, Skydrive,
Dropbox, etc.) in which I store the KeePass keystore. The keystore itself
can't get decrypted, but in case AES has weaknesses one first needs to crack
the triple encryption of AES+Serpent+Twofish of the Truecrypt container.

~~~
hughc
You've added another dependency into the mix here.

I've been comfortable storing my database in Dropbox, with a decent length
master password (15char+) on the assumption that it uses a high quality hash
that would make bruteforcing the encryption impractical, without having to add
another layer of encryption above it. Curious if others feel this is a
reasonable assumption?

~~~
jcculb
I do that and keep a Key file locally off Dropbox. The combination should be
pretty secure.

------
malbs
Using KeePass combined with btsync - fairly decent combination. Have my db
synch'd across all my devices, and available from any desktop machine I have
access to. Haven't tried using the android version, but I'm sure it works
well.

Now I just have to trust the security of btsync

------
deadfall
I love this product. I found it via a stackoverflow question about how to
store credentials safely. I started using it over a month ago because I have
just stored everything in text files (ips, usernames, pass, secure urls,
etc...) and wanted to be more organized and secure.

------
vu3rdd
I use this small commandline application called assword[1]. Available on
Debian and probably quite easy to get it to work on other GNU/Linux based
systems.

[1] [http://finestructure.net/assword/](http://finestructure.net/assword/)

------
hyyypr
(Disclaimer: I work for Dashlane). I am sad and curious about the fact that
nobody mentions Dashlane here. Is it because you guys never heard of it? Or
something else ?

I realize KeePass has the key advantage of being open source, but we have
good UX :)

Very interested in your thoughts...

~~~
csmithuk
From my perspective, there is no source code to review so we have to trust you
to have made sensible security decisions, which at least I don't.

UX isn't a big win. KeePassX is good enough i.e. works with keyboards
entirely, is open source, is reviewed, goes to extra lengths not to leave
stuff floating around in RAM as well. Oh and works across all platforms I use.

------
fletchowns
I've been a long time user of Password Safe. Any compelling reason to switch
to KeePass?

~~~
joyofdata
Password Safe is the real deal because the master wrote it:

[https://www.schneier.com/passsafe.html](https://www.schneier.com/passsafe.html)

It is convenient enough - and when it comes to such sensitive digital areas,
then I definitely prefer to take a conservative position over cloud based and
client side encrypted solutions.

------
Fogest
Any way to transfer LastPass passwords? I've got a huge deal of entries in
Lastpass

~~~
jlgaddis
That was my biggest issue with switching as I have hundreds of entries in
LastPass. I spent a few hours moving over my most important/frequently used
entries. For the "leftovers", I simply move 'em from LastPass to KeePassX as I
need/use them.

~~~
Fogest
I just figured out I could get the portable LastPass -> Export CSV, and then
import that in KeePass

~~~
uptown
Just make sure you don't have some sort of system-wide backup in-place that's
going to backup the CSV file, in clear-text, on your disk during the
migration.

------
srathi
Does anyone know a way to read usernames/passwords from a KDBX file hosted on
Dropbox/Google Drive (similar to 1passwordAnywhere)? That way, if I'm at a new
computer, I do not need to download KeePass to open my KDBX.

------
drdeadringer
I forget how I came to KeePass, but I've been using it since around late-2006.

I like how it [the .kdb file, really] can be accessed//written_to in both
Linux and Windows, and that it has a usb-portable version.

------
grumps
I've been using Keepass2 for several years and I couldn't be happier. Although
it's slightly buggy at times on Linux and getting it running on Mac can be a
bit difficult.

------
beefsack
It doesn't look so flash using my dark theme unfortunately (Gnome 3, Blackbird
theme):

[http://i.imgur.com/NQYDBQ8.png](http://i.imgur.com/NQYDBQ8.png)

~~~
prg318
Looks like the menu widget and icons are not using GTK for whatever reason. It
may be worth pinging the KeePass developers with a screenshot showing that the
GTK theme is not being respected properly when rendering the menu - the menu
even looks odd using a light-colored theme like Clearlooks because it doesn't
match the theme.

~~~
AceJohnny2
KeePass 2 is built on C# and works in Mono. It doesn't use Gtk# but WinForms,
which on Linux doesn't follow theming well.

------
karmelapple
Love it. Use it with Dropbox, and it has a quirk or two with the lock file,
but overall it's fantastic. Highly recommended.

------
ClayM
I use KeePass + DropBox + KyPass on my iOS devices, which integrates perfectly
with iOS DropBox.

Very happy with the combination.

~~~
calt
I do something similar. I have a keyfile that I copy over manually so that
people need to get more than just my password + .kdb

------
joebeetee
How does it compare to 1Password? Lmgtfy, I know, just wanted HN's thoughts.

~~~
Mitt
It is GPL and you have the control over your keyfile(s). A browser plugin for
the commercial services could any time sneak evil bits in, so you might feel
less safe with them (they could upload your masterkey or your decrypted
keyfile, when asked by the NSA).

~~~
kyrra
Evil bits could just as easily sneak into Keepass if the author wanted to. It
would require someone else constantly auditing all commits along with
verifying binary builds posted on the website match the current source's
compiled output.

Edit: my above comment is just to prove a point. We put trust in a lot of the
software we run. Software being open source does provide some safety, but very
very few people will go through the effort to make that verification.

------
nl
Also KeepassDroid on Android.

------
gegtik
I like KeePass2 personally

~~~
stusmall
What are the differences? I'm using 1.x and haven't found it lacking yet. I
tried 2.x for a work password db and didn't find anything that really stuck
out from my casual usage of it.

~~~
isxek
One difference I immediately see is 2.x doesn't use lock files. If you sync
password DB's using Dropbox, all you need to do is relaunch the software to
open the updated DB.

I use 1.x mostly as a backup.

------
iambowen
1Password is another good option, but it will cost you a bunch.

~~~
joebeetee
It's completely worth it. It took me ages to decide, but it's absolutely
indispensable now.

------
pvinis
if one would use projects like this or pass for storing website passwords,
what more do those programs offer that firefox sync does not? legitimately
asking here..

------
cjcenizal
Somewhat ambiguous domain name!

------
Fasebook
For some odd reason, KeePass conforms to the OSI model, so it is trivial to
circumvent by NSA, since it communicates with its resource protocols
(metadata) to XKeyScore via the presentation layer.

------
leantx
Guys, perhaps you should take a look at this and be a little careful with the
use of this kind of programs.
[https://twitter.com/_sinn3r/status/429789012673302528](https://twitter.com/_sinn3r/status/429789012673302528)

~~~
yetfeo
If you have malware on your device that snoops your clipboard activity then
you've lost - that's not 'this kind of programs' fault.

