
KeePassXC 2.3.0 released - louib
https://keepassxc.org/blog/2018-02-28-2.3-released/
======
minimaxir
Previous thread about KeePassXC 2.2.0:
[https://news.ycombinator.com/item?id=14633576](https://news.ycombinator.com/item?id=14633576)

I used KeePassXC for a period, but from these release notes, the UI/UX still
isn't great. If you're on macOS, I recommend MacPass, which feels more native
to the system, is compatible with existing KDBX databases and, most
importantly, is also open-source:
[https://github.com/MacPass/MacPass](https://github.com/MacPass/MacPass)

~~~
laurent123456
Also MacPass is compatible with Keepass database 1.0, unlike KeepassXC.

~~~
Florin_Andrei
You can import v1.0 DBs into the new app.

~~~
laurent123456
Yes but then it becomes a v2 database which is no longer compatible with
keepass 1 on Windows.

------
zaarn
KPXC is currently my favorite password manager. Much more portable than
Keepass itself (Mono, lots of plugins just don't work).

I do recommend that anyone without PW manager atm either try KPXC or Keepass
itself. It's worth it for your security.

------
076ae80a-3c97-4
I highly recommend [https://keeweb.info/](https://keeweb.info/) if you're
looking for an attractive, easy to use, cross-platform and Open Source
solution. I've been using it on Windows and MacOS for years without any major
issues. It's by far the best looking front-end for keepass databases I've
seen.

~~~
agildehaus
Unfortunately it's slow as hell. KDBX4 file, ChaCha20/Argon2 30 rounds, that
takes under a second to open in KeePassXC took 10 seconds in this app.

Electron apps ...

------
scrollaway
Since it got a lot of positive attention last time, here's a rough guide on
getting started with password management, aimed at readers here who are not
currently using a password manager:

[https://leclan.ch/password-managers/](https://leclan.ch/password-managers/)

TLDR: Download KeepassXC and start using it. :)

~~~
zouhair
What does it do that Keepass/KeepassX cannot do? I looked at their website and
nothing new shows up.

~~~
scrollaway
I address that at the bottom of my post. Keepass is the original, KeepassX is
the Qt rewrite.

KeepassXC got Qt 5 support, a bunch of misc QOL improvement patches, is
actively maintained (unlike KeepassX) and also received some nice extra
features such as TOTP 2FA support. It's a superset of KeepassX, so there's no
real reason to use KeepassX at this point.

------
ff_
The best UX improvement in this release (IMHO) is pretty buried in the
changelog, and I don't see it mentioned here: no more lock files!

If you use Keepass on something like Dropbox it's a blessing.

~~~
TacticalMalice
The mentioned issue has the following statement which makes me wonder whether
concurrent use on sync services is supported atm:

> I was going to add tests for "concurrent" access of the same file in phase 2
> of these changes. Phase 2 is refactoring the saving process entirely to make
> it asynchronous and robust to file sync services.

~~~
zaarn
From my experience, it already works somewhat. At least, whenever I overwrote
the file in Nextcloud and my desktop pulled the update, it would merge the
changes automatically.

------
TorKlingberg
I currently use KeePass2 + Dropbox + Kee (Firefox) + MiniKeePass (iOS). Can
KeePassXC + plugins replace those, and what are the advantages?

~~~
nwah1
The announcement mentioned that they just released a new Firefox addon called
KeepassXC-Browser.

KeepassXC doesn't work on iOS. It is just a replacement for KeePass2.

------
dlandis
Does anyone know what the license is for this software? It looks like there
are NINE different license files in the repo:
[https://github.com/keepassxreboot/keepassxc](https://github.com/keepassxreboot/keepassxc)

Did they just copy paste every different license they could find into the
repo?

~~~
th3zero
KeePassXC maintainer here.

This comment is really funny and made me laugh.

Anyway we are following the Debian guidelines. The full copyright for each
component and file is specified in the COPYING file in the root of the
repository alongside each author.

------
piracykills
> Add support for KDBX 4.0, Argon2 and ChaCha20 [#148, #1179, #1230, #1494]

I can finally give this a shot without having to use the weird custom
AES-based KDF Keepass used to use. Awesome.

Congrats on the release.

~~~
guessmyname
Last week I started reverse engineering the KDBX 3.1 file format _(for fun)_.

Does anyone know where the specification for KDBX 4.0 is?

EDIT: Found it — [https://github.com/keepassxreboot/keepassxc-specs](https://github.com/keepassxreboot/keepassxc-specs)

~~~
agildehaus
I don't believe the XML format has changed at all. Just the key derivation,
stream cipher, and some changes to the binary header.

~~~
hacking_nomad
The XML Format has changed. Entries and Groups now support custom data. This
was only supported on the database in KDBX3.1. Also, the settings now have a
modified date which makes synchronising them when merging databases a lot
easier.

The other changes are done to the binary format as you say. Also to make the
file smaller, attachments are now stored compressed "as is" instead of
encoding them in base64 and adding them to the XML structure.
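To make the binary-header differences discussed in this subthread concrete, here is an added example (not code from the thread or from KeePassXC) that reads a KDBX outer header far enough to report the format version, cipher and KDF. It follows the public KDBX header layout (signature, u32 version, type-length-value fields whose length prefix grew from u16 in 3.1 to u32 in 4, and the KDBX 4 VariantDictionary that carries the KDF parameters) and parses its own constructed 4.0 header using ChaCha20 and Argon2d.

```python
import struct
import uuid

# Magic numbers, field IDs and algorithm UUIDs follow the public KDBX header layout.
KDBX_SIG = (0x9AA2D903, 0xB54BFB67)
AES256, CHACHA20 = "31c1f2e6-bf71-4350-be58-05216afc5aff", "d6038a2b-8b6f-4cb5-a524-339a31dbb59a"
AESKDF, ARGON2D = "c9d9f39a-628a-4460-bf74-0d08c18a4fea", "ef636ddf-8c29-444b-91f7-a9a403e30a0c"
CIPHERS = {AES256: "AES-256", CHACHA20: "ChaCha20"}
KDFS = {AESKDF: "AES-KDF", ARGON2D: "Argon2d"}
INT_TYPES = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary integer type tags

def parse_variant_dict(buf: bytes) -> dict:
    # u16 version, then (type u8, u32 key len, key, u32 value len, value)* until a 0 type byte.
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype, klen = buf[pos], struct.unpack_from("<I", buf, pos + 1)[0]
        key, pos = buf[pos + 5:pos + 5 + klen].decode("utf-8"), pos + 5 + klen
        vlen = struct.unpack_from("<I", buf, pos)[0]
        val, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        # integers are decoded; strings (0x18), bools (0x08) and byte arrays (0x42) stay raw
        out[key] = struct.unpack(INT_TYPES[vtype], val)[0] if vtype in INT_TYPES else val
    return out

def parse_outer_header(blob: bytes) -> dict:
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != KDBX_SIG:
        raise ValueError("not a KDBX file")
    fmt = "<BI" if major >= 4 else "<BH"  # KDBX 4 widened the field length prefix from u16 to u32
    pos, fields = 12, {}
    while True:
        fid, size = struct.unpack_from(fmt, blob, pos)
        pos += struct.calcsize(fmt)
        data, pos = blob[pos:pos + size], pos + size
        if len(data) != size:
            raise ValueError("truncated header field")
        if fid == 0:  # end-of-header marker; the encrypted payload follows
            break
        fields[fid] = data
    info = {"version": f"{major}.{minor}", "header_len": pos,
            "cipher": CIPHERS.get(str(uuid.UUID(bytes=fields[2])), "unknown")}
    if major >= 4:  # field 11 carries the KDF UUID and cost parameters (KDBX 3.1 is AES-KDF only)
        kdf = parse_variant_dict(fields[11])
        info["kdf"] = KDFS.get(str(uuid.UUID(bytes=kdf.pop("$UUID"))), "unknown")
        info["kdf_params"] = kdf
    return info

def sample_kdbx4_header() -> bytes:
    # Constructed sample header: ChaCha20 + Argon2d (30 iterations, 64 MiB); no encrypted payload follows.
    field = lambda fid, data: struct.pack("<BI", fid, len(data)) + data
    entry = lambda t, k, v: bytes([t]) + struct.pack("<I", len(k)) + k + struct.pack("<I", len(v)) + v
    kdf = struct.pack("<H", 0x0100) + entry(0x42, b"$UUID", uuid.UUID(ARGON2D).bytes)
    kdf += entry(0x05, b"I", struct.pack("<Q", 30)) + entry(0x05, b"M", struct.pack("<Q", 64 << 20)) + b"\x00"
    return (struct.pack("<IIHH", *KDBX_SIG, 0, 4) + field(2, uuid.UUID(CHACHA20).bytes)
            + field(3, struct.pack("<I", 1)) + field(11, kdf) + field(0, b"\r\n\r\n"))
```

Reading only the header is enough for a backup or sync tool to check which cipher and KDF cost settings a database uses without touching the encrypted payload.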

------
alfuananzo
Is it worth to migrate from Keepass2 to this? Any interesting user
experiences?

~~~
Ajedi32
I'm strongly considering it just based on the community surrounding each
project.

KeePass 2 seems to still be hosted on Sourceforge, and I'm not even sure where
to get a copy of the latest (non-release) version of the source. The
[Sourceforge repo][1] seems to be an outdated SVN repo which was last updated
in 2009, and I don't see any description of how to contribute code to the
project anywhere. As a result I'm not really sure how to gauge the level of
activity on the project itself. Similarly, the website is ancient and doesn't
seem to have kept up with the times; I seem to recall it was only recently
that it even got HTTPS support.

In contrast, KeePassXC is hosted on GitHub, development is done out in the
open, and it's trivial to see that in just the last year there were [dozens of
individual contributors][2]. The website looks clean, is user-friendly with
up-to-date documentation, and a [contribution guide][3] is plainly visible in
the README on GitHub.

As a result, I feel a bit better about the long-term prospects of KeePassXC
over KeePass 2.

[1]:
[https://sourceforge.net/p/keepass/code/HEAD/tree/](https://sourceforge.net/p/keepass/code/HEAD/tree/)

[2]:
[https://github.com/keepassxreboot/keepassxc/graphs/contribut...](https://github.com/keepassxreboot/keepassxc/graphs/contributors?from=2017-02-26&to=2018-02-28&type=c)

[3]:
[https://github.com/keepassxreboot/keepassxc#contributing](https://github.com/keepassxreboot/keepassxc#contributing)

~~~
gruez
source code is available at
[https://keepass.info/download.html](https://keepass.info/download.html)
(scroll down to "Other Downloads and Resources")

~~~
Ajedi32
That's just a zipped snapshot of the source code as of the current release; it
doesn't necessarily reflect current development on the project.

With KeePassXC for example, even though the latest release came out less than
a day ago I can see that there have already been [14 commits][1] to the
`develop` branch since that release. I can't find the equivalent of such a
branch for KeePass 2.

[1]:
[https://github.com/keepassxreboot/keepassxc/compare/2.3.0......](https://github.com/keepassxreboot/keepassxc/compare/2.3.0...3f7f1aa47f3d94fd86bab489ec627de034bb1d10)

------
awill
I was a longtime user of KeePassX. The UI was terrible, but it was free, open
source and most importantly cross platform. After KeePass2 made the DB
incompatible and rewrote everything in C# it stopped being a proper cross
platform product and I investigated alternatives. I've since moved to Enpass
and I'm very happy. Enpass is a great, native app on Win/Mac/Linux and has
native Android/iOS apps (with fingerprint support etc.). Great UI, no
subscription fees, no cloud hosting (though it syncs to your personal Dropbox,
gDrive, ownCloud etc.). I couldn't ask for more.

~~~
tmikaeld
Only problem with it as I see it: it's closed source.

I switched to Bitwarden for that reason alone.

With that said, Bitwarden has its issues:
[https://github.com/bitwarden/browser/issues/77](https://github.com/bitwarden/browser/issues/77)

------
nmy
Remove lock file [#1231] is a good one for the ones who sync their KPXC
databases between devices

------
nathan_long
Anybody use this along with a non-tech significant other? How does it compare
to commercial password managers in terms of usability?

~~~
paulryanrogers
Usability is too low, unapproachable for non techies. Even my somewhat
technical spouse found it unusable after a few months.

It could be better with good browser plugins, but then you have the same
security tradeoffs as more polished services like Bitwarden or LastPass.

~~~
adrianmonk
> _with good browser plugins_

This latest version KeePassXC has a whole new browser plugin:

[https://github.com/keepassxreboot/keepassxc-browser](https://github.com/keepassxreboot/keepassxc-browser)

So maybe it has reached that point now? Not that I've tried it, but it's at
least promising that they've been working on it.

------
cryptos
I'd prefer if a password would be generated by default, when you create a new
entry. That's the way KeePass works and it encourages to use strong generated
passwords (instead of user created passwords).

Another thing I'd like to have is a details view for each key in the list view
([https://keepassxc.org/images/screenshots/linux/screen_002.pn...](https://keepassxc.org/images/screenshots/linux/screen_002.png)).
Something like the bottom panel here:
[https://keepass.info/screenshots/keepass_2x/main_big.png](https://keepass.info/screenshots/keepass_2x/main_big.png)
(but please more beautiful). I have a scenario where I need an additional
authentication factor besides the password that I store in KeePassXC, too.

~~~
varjolintu
Actually, there is a details view. Check the settings if it's disabled.

------
shmerl
Great replacement for keepassx which got stuck with Qt 4 forever.

------
sapphire_tomb
I really wanted to switch to using KeePassXC instead of the original one, as
it's definitely a better user experience for the most part when you're
flipping between OSes (Windows 10 and various Linux distros in my case). But
my workflow requires I keep my kdbx in a git repo in order to sync between
work and home, and I cannot get used to the missing "Synchronise with File"
feature, which the original Keepass has, but KeePassXC omits.

------
SCdF
Does anyone know of an iOS client that supports Argon2? The amazing
Keepass2Android already supports it, but I can't move to it until there is
also an iOS solution…

------
JamesCoyne
Anybody have thoughts about where to store the encrypted database for backup?
Would it be foolish to keep the database somewhere publicly accessible?

~~~
nas
I store the .kdbx (database) file on a network synced folder (e.g. like
dropbox or gdrive). However, I use a "key file" in addition to a password. The
key file is not synced and remains on computers that I control. I also have a
backup copy on external media.

~~~
fauigerzigerk
Aren't you worried about that fact that any program you run could potentially
read all your passwords using the key file?

~~~
Macha
You can have a composite password to unlock consisting of keyfile +
passphrase.
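The composite credential described here (key file plus passphrase, as nas and Macha use it), as an added example that is not code from the thread or from KeePassXC: it follows KeePass's published composite-key rules (SHA-256 over the concatenated SHA-256 of the password and the key-file component; KeePass XML key files are not handled), so the 32-byte result is what a KDF such as Argon2 would then stretch. The sample credentials are constructed.

```python
import binascii
import hashlib
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def password_component(password: str) -> bytes:
    # The master password enters the composite key as SHA-256 of its UTF-8 bytes.
    return sha256(password.encode("utf-8"))


def keyfile_component(contents: bytes) -> bytes:
    # A 32-byte key file is used as-is; 64 hex characters are decoded to 32 bytes;
    # anything else is hashed whole (KeePass XML key files are not handled here).
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return binascii.unhexlify(contents)
        except binascii.Error:
            pass
    return sha256(contents)


def composite_key(password: Optional[str], keyfile: Optional[bytes] = None) -> bytes:
    # Components are concatenated in a fixed order (password, then key file) and hashed once more.
    parts = []
    if password is not None:
        parts.append(password_component(password))
    if keyfile is not None:
        parts.append(keyfile_component(keyfile))
    if not parts:
        raise ValueError("at least one credential is required")
    return sha256(b"".join(parts))


if __name__ == "__main__":
    # Constructed sample credentials; the key file would normally stay off the synced folder.
    pw, kf = "correct horse battery staple", bytes(range(32))
    for label, key in (("password only", composite_key(pw)),
                       ("key file only", composite_key(None, kf)),
                       ("password + key file", composite_key(pw, kf))):
        print(f"{label:>20}: {key.hex()}")
```

Either credential on its own produces a different key, which is why a key file that never leaves your own machines adds a second factor to a database that is synced through a cloud folder.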

~~~
fauigerzigerk
Ah, I see! That makes sense.

------
eikenberry
I always find it interesting to see which of the new distro agnostic packages
these applications provide. In this case AppImage and Snap.

It really looks like AppImage is taking the lead among these new packaging
technologies. When the project does provide these sorts of packages you always
see AppImages, but rarely see Snap or Flatpak based images.

------
m-p-3
The Chrome Web Store link seems to 404.

[https://chrome.google.com/webstore/detail/keepassxc-browser/...](https://chrome.google.com/webstore/detail/keepassxc-browser/iopaggbpplllidnfmcghoonnokmjoicf)

~~~
m-p-3
Looks like the link in the GitHub repo isn't up to date; here's another one
I've found: [https://chrome.google.com/webstore/detail/keepassxc-browser/...](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)

------
bdz
Is it worth moving to this from 1Password? I mean I don't have any problems at
all tho I use an old version (6 on Mac, 4 on Win), the permanent license
version not this new subscription.

I was thinking to use this with Dropbox, Chrome, and iOS client (MiniKeePass?)

~~~
xylia
I suggest using Bitwarden (open source) instead. See my article:
[https://greycoder.com/bitwarden-excellent-free-password-mana...](https://greycoder.com/bitwarden-excellent-free-password-manager/)

~~~
drdaeman
The linked article is _very_ light on details to be called a comparison.

Let me try to make it a little bit more detailed.

====================

Bitwarden:

- Is essentially a service (with FLOSS client software and FLOSS server
code).

- Quite polished browser integration (to the extent browsers allow it).

- Third party server holding the encrypted data. Proprietary (in a
"completely unique, not compatible with anything else" sense) sync protocol.

- Symmetric encryption key is encrypted with master key but it is NOT changed
(with re-encrypting all the entries) when master password is changed. I'm not
sure if there is an option to re-encrypt the data in case the symmetric key is
compromised, although this should be doable via APIs.

- Data is encrypted and signed, but some of the data structure (folder
layout, TOTP existence, revision dates) is (theoretically) accessible to the
service owners. Check out snippets at
[https://github.com/jcs/bitwarden-ruby/blob/master/API.md](https://github.com/jcs/bitwarden-ruby/blob/master/API.md)
for info.

- Has some nice extras built-in, like domain equivalence logic.

- Self-hosted option is available (official Docker images using .NET Core and
Microsoft SQL Server and unofficial third-party implementation in Ruby). I'm
not sure how this works with licensing.

====================

Keepass:

- Is primarily a standalone application. Or, better said, applications, as
there are multiple independent implementations for many platforms.

- Has browser integration, but all options (KeepassXC-Browser and PassIFox)
feel somewhat less polished.

- Has composite credentials (in addition to or instead of the master password
it can use e.g. keyfiles). Supported mechanisms vary with implementation.

- If the encryption keys are compromised you can trivially re-encrypt the
database to avoid further leaks.

- File format is essentially a large encrypted and signed XML file (data
block) with some extensible header that defines the crypto details.
[https://keepass.info/help/kb/kdbx_4.html](https://keepass.info/help/kb/kdbx_4.html)

- You handle the sync however you want. For KeepassXC you need to make the
database available in a filesystem. For Keepass and the Android app there are
also SFTP, WebDAV, Dropbox, Google Drive and some other options available. The
only sync that's in the app is the logic for merging databases.

====================

Please correct me if I got something wrong. Thanks.

~~~
zie
I don't see anything wrong, but will add:

Bitwarden has a desktop app (Electron... sigh, but it is cross-platform) and
has integrations with all the major browsers (Safari, Firefox, Chrome, IE).

Bitwarden also has mobile support (iOS, Android & UWP).

KeepassXC only does Chrome (and family) and Firefox, I believe.

Running your own bitwarden server is not difficult, and there are 3
implementations that I know about:

- The original .NET: https://github.com/bitwarden/core
- The Ruby one: https://github.com/jcs/bitwarden-ruby/
- The Go one: https://github.com/VictorNine/bitwarden-go

~~~
zaarn
KeepassXC supports KDBX4 so any client that can read KDBX4 can be used
alongside it. KeepassXC is also definitely a desktop app, it can do autotyping
and similar things.

There is Android and iOS support via keepass2android and <insert ios app name
here>.

You can safely put your KDBX file on dropbox/gdrive/nextcloud/ipfs.

~~~
zie
Yes, I wasn't trying to say KeepassXC can't in some way also do most of these
things. But the experience is very different.

Bitwarden is basically identical across all the platforms. KeepassXC is not,
since it's totally different apps for mobile, etc.

------
teilo
The thing that keeps me in 1Password is its Team Vault support. Nothing works
quite so well for maintaining a shared password vault. If I didn't need that,
I'd drop 1Password for KeePass in a heartbeat.

~~~
wheresvic1
Why not just make a KeePass db for your shared passwords, put it on Dropbox
and share it with your team?

Or put it in git even, if you want better traceability.

------
kertis
Actually it's cool that it was forked. But Qt5 apps have pretty bad font
rendering on my XFCE desktop, especially with black themes like Arc Dark.
That's why I am on KeepassX so far.

------
znpy
Serious question: why should I leave KeePassX?

~~~
sigzero
> Q: Why KeePassXC instead of KeePassX?
>
> A: KeePassX is an amazing password manager, but hasn't seen much active
> development for quite a while. Many good pull requests were never merged and
> the original project is missing some features which users can expect from a
> modern password manager. Hence, we decided to fork KeePassX to continue its
> development and provide you with everything you love about KeePassX plus
> many new features and bugfixes.

------
diimdeep
UI/UX is terrible, I suggest trying MacPass or KeeWeb.

------
therealmarv
Is it stable again? The last version was constantly crashing when modifying a
new password entry again. This is something which is unacceptable for a
password manager IMHO.

~~~
mdaniel
Did you file an issue over that behavior?

~~~
therealmarv
The bug is still there. 2.3 can still crash after creating a new entry and
re-editing the password. I will try to reproduce the error with a new kdbx and
report the bug.

