Jonnax 2 months ago

I was only aware of Keepass itself. What are the differences between KeepassXC, KeepassX and Keepass?

  • mrrsm 2 months ago

    KeePass is the original project. It is an open source dotnet application. The source code, as of the last time I checked, is released as a tar/zip with the binaries only.

    KeePassX is an open source c++ application. It was one of the cross platform applications to manage KeePass databases. It has not been under very active development for a while.

    KeePassXC is a fork of KeePassX which is under active development. They have added many features and improvements and have stayed up to date with kdbx updates.

    • packet_nerd 2 months ago

      KeePassXC is fantastic, I especially like the good Yubikey integration. The one small feature I miss from the original KeePass was the password templates. I like all my passwords to follow a grouped pattern so it's easier to type into a phone or something while still being strong.

      • arunc 2 months ago

        Keepass has templates for password generators. You can create custom templates as well. I've been using it since 2008 without any issue.

        • Meph504 2 months ago

          do you mean keepassXC? His statement was saying he missed this feature that is in keepass.

      • true_tuna 2 months ago

        I use keepassxc with yubikey as well. I like it because it’s cross-platform. It works quite well.

    • sebazzz 2 months ago

      Is KeePassXC also audited? The main KeePass has had multiple security audits, also thanks to the EU who funded it one time. Seems relevant for a password manager.

  • ufo 2 months ago

    The difference is the UI. They all use the same* database format underneath.

    The original Keepass was at first a Windows only app, so KeepassX was created as a cross platform reimplementation using Qt. Nowadays Keepass uses .Net and also is cross platform but Linux users prefer Qt because it feels more "native" than .Net.

    KeepassXC is a more recent fork of KeepassX, which added a bunch of extra features. Notably, it added support for version 4 of the keepass database format, and it also allows you to use a browser extension to enter passwords inside web browser forms without needing to cut and paste.

  • ggttuu 2 months ago

    I'm a LastPass user trying to switch to KeePassXC. I tried it once on my computer but couldn't find a way to create a folder inside a folder inside a folder and so on. I like organizing everything so this is the only thing holding me from switching to KeePass. BTW is it possible to do that in KeePass? I haven't explored it a lot.

    • WorldMaker 2 months ago

      I've got a complex hierarchy of folders (Groups in Keepass terminology) in some of my Keepass files. It's definitely possible to do, some of the UIs are better than others at making it obvious.

jeltz 2 months ago

While I love KeePassXC this is just a minor bug fix release.

  • Lendal 2 months ago

    It is, but the 2.4 release introduced integrated updates. I was still on 2.3 and wasn't aware of this, or that my KeePass was out of date until I saw this this morning. So I am thankful for the heads up. :)

theandrewbailey 2 months ago

I switched to KeePassXC a few months ago (from KeePass). It was a no brainer when I noticed that I didn't need plugins anymore, since SSH keys, TOTP, and browser integration came out of the box.

ComodoHacker 2 months ago

KeePassXC still lacks in-memory protection, so I stay with KeePass, with all its .NET troubles.

  • phoerious 2 months ago

    (Full disclosure: I contribute to KeePassXC)

    In fact, KeePassXC has been shown to have better memory protection than KeePass: https://keepassxc.org/blog/2019-02-21-memory-security/ (note the article is from February, some things have changed since then, see below). The only thing we do not have at the moment is in-memory encryption. We do, however, implement the following security measures on all platforms:

    - prevent swapping of master key hashes (using gcry_malloc_secure)

    - prevent non-root / admin access to our process memory (KeePass does NOT have this)

    - overwrite all dynamically allocated memory with zeros on free

    - disable any kind of coredump or crash reporting

    A patch for in-memory encryption is being worked on, but needs further testing before it can be merged: https://github.com/keepassxreboot/keepassxc/pull/3055

    Please note that this still cannot fully prevent swapping out of secrets. As soon as things are to be displayed somewhere in the GUI, they are basically out of our hands. We also cannot fully protect everything while the database is being loaded or written. However, the same applies to KeePass. There is just too much going on with memory management on modern operating systems.
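The measures listed in the comment above (keeping secrets out of swap, blocking same-user access to process memory, zeroing on free, disabling core dumps) map onto a handful of POSIX and Linux calls. The block below is an added illustration of those techniques, not KeePassXC's own code; it assumes a Linux build for prctl(), and the function names secure_zero, harden_process, pin_in_ram, secure_free and wipe_demo are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
/* Zero through a volatile pointer so the compiler cannot drop the writes
 * as dead stores, which it may do with a plain memset() before free(). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Disable core dumps; on Linux also mark the process non-dumpable, which
 * stops other same-user processes from ptrace()-ing it or reading
 * /proc/<pid>/mem. Returns 0 on success, -1 on failure. */
int harden_process(void) {
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0) return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
#endif
    return 0;
}

/* Pin a secret in RAM so it is never swapped out; fails when RLIMIT_MEMLOCK is exhausted, so check it. */
int pin_in_ram(void *p, size_t n) { return mlock(p, n); }
/* Wipe, unpin and release a secret; never free() a secret directly. */
void secure_free(void *p, size_t n) {
    if (p == NULL) return;
    secure_zero(p, n);
    munlock(p, n);
    free(p);
}

/* 1 if the first n bytes of p are all zero, else 0. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}
/* Self-check: fill a constructed (not real) key, wipe it, verify. */
int wipe_demo(void) {
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);
    secure_zero(key, sizeof key);
    return is_zeroed(key, sizeof key);
}
```

mlock() only covers swap: once a secret is copied into a GUI widget or the clipboard it has left the locked buffer, which is the caveat the comment ends on.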

    • ComodoHacker 2 months ago

      Thank you. You convinced me to try KeePassXC again.

  • antongribok 2 months ago

    I thought that it did now. For example this PR: https://github.com/keepassxreboot/keepassxc/pull/3020

    Edit: Also, see this PR: https://github.com/keepassxreboot/keepassxc/pull/371

  • _red 2 months ago

    Can you elaborate more on the practical benefits of encrypted memory? Presumably this is mainly good for multi-user systems? On the average single-user system it seems that if you can already read memory there are 1000 other possible exploits that are cheaper / easier to perform (ie. keylog, screen capture, etc).

    • gruez 2 months ago

      AFAIK the only thing it protects you from is generic malware that scans process memory for passwords. It’s trivial to bypass though: all you need to do is patch the code as it’s running to dump all the plaintext entries for you.

      > there are 1000 other possible exploits that are cheaper / easier to perform (ie. keylog, screen capture, etc).

      Keepass has mitigations for those as well.

    • SamuelAdams 2 months ago

      Crash reports often include memory dumps. Firefox automatically reports these to Mozilla - there's plenty of other software that auto-reports crash data as well. If that crash data includes in-memory credentials, that could lead to your master password being compromised.

  • vbezhenar 2 months ago

    What troubles? I recently started to use it, and so far I did not encounter any troubles. For me the killer feature of KeePass is that it allows me to safely use it without typing the master password, using the -pw-enc command line argument. I hated to type my password every day over and over again with 1Password. Especially because I understand that it's very weak protection if someone has already broken into my computer.

    • butteroverflow 2 months ago

      I reckon OP dislikes the need to have the whole Mono runtime to run one small-ish application. At least that's the reason I always preferred the native ports.

      • vbezhenar 2 months ago

        Ah, I'm a Windows user, I didn't even know that you could run KeePass on non-Windows systems.

    • blattimwind 2 months ago

      > without typing master password using -pw-enc command line argument

      Process command lines are world-readable on various operating systems, so passing passwords over them is generally not a good idea.

      • vbezhenar 2 months ago

        It's not a clear text password. It's encrypted with Windows user credentials. If someone just steals it, it won't be useful by itself.

giancarlostoro 2 months ago

Been using BitWarden since I stopped using LastPass (lost my 10-year-old vault). Anybody know of any good reviews of all the different types of password managers that go into the security flaws / considerations?

amaccuish 2 months ago

Anyone got any good recommendations for an iOS client? I've just moved from Android and there are several but not sure which to pick, which are open source etc.

  • varjolintu 2 months ago

    Strongbox is the best one right now. It supports KDBX 4, while older minikeepass doesn't.

    • amaccuish 2 months ago

      Ye I'm using that right now but 25.99 GBP is a lot for me as a student. I know software development isn't free, don't mind paying say 10, but 25.99 is quite a stretch for me :(

  • ws66 2 months ago

    I use KyPass on iOS and I am happy with it. I think it is $6 on the app store.

koolba 2 months ago

Anybody know if they've fixed (or plan to fix) the sort by latest modification date of all records? That was the one missing feature from going from KeePassX to KeePassXC.

  • noisy_boy 2 months ago

    I am able to sort by latest modification date (not sure if that's what you meant).

mieses 2 months ago

I switched from KeePass to KeeWeb because of the user interface and Google Drive integration. KeeWeb is an open source cross platform Electron app.

alexnewman 2 months ago

Why should I switch from pass (git+pgp) to keepassx? What's one feature in keepassx not in pass/passx?

  • ufo 2 months ago

    For me the biggest difference is that you have a single encrypted database file, and that no metadata is stored unencrypted. By default, pass uses file names as keys, so website names are stored in the clear. (To fix this on pass, you need to use pass-tomb, which I found very clunky, and could never get working quite right.)

    Another thing I like about keepassxc is that it has lots of features. It comes with a flexible password generator, has a friendly GUI, can be integrated with the web browser using an extension, and there are compatible Android apps you can use on your phone.

    • benoliver999 2 months ago

      I agree about the metadata. I like pass but it's a flaw for sure. At least it's upfront about it.

      Most other issues are covered with pass, like a good android app etc etc.

      • elagost 2 months ago

        You could always use pass-tomb, which is an extension that stores the entire tree encrypted.

        https://github.com/roddhjav/pass-tomb#readme

        • ufo 2 months ago

          As I mentioned further up, pass tomb needs to be installed separately (which is not trivial depending on your distro) and is clunky to use. AFAIK it also cannot be used to encrypt the password database on Android.

          It also really bugs me that an important security feature like this one is not the default.

          • alexnewman 2 months ago

            tomb seems fine on iOS and Android. I don't use it though.

    • alexnewman 2 months ago

      This is a common claim, and besides the fact that tomb fixes it and is supported on all distributions, I'm not convinced it's a problem. What's the threat model? That folder should be 700 anyway? Or is this just paranoia?

  • benoliver999 2 months ago

    I am a pass user and for me the big drawback is that it exposes the website names by design.

diehunde 2 months ago

Is it possible to sync your passwords with other devices?

  • ativzzz 2 months ago

    Yes, you can store the database file in a shared drive (not sure that's proper security though)

    • ufo 2 months ago

      That is secure as long as you have a good master password

      • packet_nerd 2 months ago

        KeePassXC works really well with Yubikey too. I use a Yubikey and a short pin for the password.

      • Tepix 2 months ago

        You can use password protection on the drive as well as IP restrictions. You could even offer the drive only in your home network on your NAS.

      • sexydefinesher 2 months ago

        You can use a combination of a password together with a key stored locally on all devices.

    • diehunde 2 months ago

      But how do you read the passwords from let's say iOS ? I don't see any iOS client on the website. Thanks.

      • ativzzz 2 months ago

        You need to download an app. Search keepass on ios (I use android so I can't recommend one to you). They won't be made by the same people, but they can use the same password database

      • Tepix 2 months ago

        You use any Keepass compatible iOS client and access the same file (for example using a WebDAV share)

  • noisy_boy 2 months ago

    I set up two-way sync of the database with my Android phone using syncthing - works flawlessly.

    • ativzzz 2 months ago

      What's the difference between just opening the file directly on a shared drive? Possible conflicts with opening the database in multiple apps?

      • noisy_boy 2 months ago

        Wouldn't that require mounting of the shared partition on Android (or making it available in some way)? With syncthing, there is no such requirement.