Do you have any ideas for a password safe that stores its data locally (an encrypted cloud drive is available for synchronizing), offers clients for Linux, Win and Android and has some amenities like filling in passwords in browsers?
My family needs to learn password safety, and I want to make it easy for them.
There’s desktop apps for Linux/Win, an app for Android and browser integration.
Keepassxc is a good choice, in the long run. It uses an open standard to save the passwords, and is supported by many clients. Consider using syncthing, if you want to sync the password files directly between your different devices. (In case you don’t want a cloud solution)
My primary password manager is Bitwarden, but I use Keepass as well for having a local backup as well as for it’s 2fa feature. It works pretty well.
It is also very convenient, has nice keyboard binding and allows for other fields along with the passwords.
I’m using keepassXC for that, there are clients for Linux, Windows and Android. Also there are browser plugins. The android app I’m using is KeepassDX, you also find it on f-droid
I’m using it for years now, started out syncing it to Google drive, but nw i have my own nextcloud server
Same. I’m using KeepassXC on Linux and Android using Google Drive.
Using the same setup! Database on a Nextcloud instance and desktop (Win/Linux) clients as well as the Android client for years.
Keepass Password Safe: I started it on Windows, moved on to OSX for 10 years and am now exclusively on Linux and my Keepass library migrated through all OS’s. Used it too on both iOS and Android. My Keepass file lives on my online cloud storage so it’s accessible for all means.
What app do you use on iOS? I used Keepass for a while but switched to bitwarden because of the bad apps (i tried 2 or 3) on iOS.
I honesty can’t remember, it’s been awhile, but I do know Strongbox is being praised for Keepass database use. More info here: https://strongboxsafe.com/updates/how-to-use-keepass-on-your-iphone-ipad-mac/
Thanks! I’m going to try that then.
It was definitely touch-and-go for a while but a couple years ago Keepassium popped up and I recommend it highly as a Strongbox competitor.
Been using Keepass, and it seems like a solid choice for local password vault. It’s not as convenient at other vaults like bitwarden (unless there’s a browser extension i could use), and i dont know how the android side of it looks.
There is a browser extension, but you don’t really need it.
Keepass has a “global auto type” hotkey. If your entries are saved with the correct info, all you have to do is press the hotkey for global auto type and keepass selects the correct entry and types username/password automatically.
Besides what shadeless@discuss.tchncs.de said: try KeePassHttp
Bitwarden works nicely. It will work locally unless you sync as far as I know.
As other’s have recommended: Yes, KeePass. On desktop i recommend KeepassXC and the plugins for your favorite webbrowser. And on mobile whatever app works best for you, Strongbox on iOS and KeepassDX on Android are doing pretty great and the integration is also working well.
On mobile you can also save the database password secured with your favorite screen unlocking feature and have webdav, ftp or others available for sync. On android you could also use nextcloud sync or syncthing.
Bitwarden or Vaultwarden.
Bitwarden, Bitwarden, Bitwarden. Use their free vendor-hosted service, and don’t fixate on self hosting or handling syncing of local files. They are highly transparent and well regarded, and this is the way to go if you want any hope of converting your family.
Personally I selfhost with vaultwarden - thats just my style. Botwarden vendor hosting is just fine
For more advanced use and if you want to keep passwords in git for version control and synchronize with other devices/people:
https://www.passwordstore.org/
Runs on Linux, Windows, Android.
… and integrates with chrome, I think
… but might be less intuitive for less-technical people
Since its for your family and some password manager is better than no password manager , I feel bitwarden is the most convenient solution. Its a good balance between security and paranoia.
For you keepass would make sense .
This, consider Bitwarden. The password save will be in the cloud, i.e. on someone else computer, but all your devices are probably on the cloud to some degree with the risk of hostile takeover.
Bitwarden’s sync and browser integration is top-notch and more importantly just works.
With the keepass* family you need to work out your personal setup, which clients can sync with what storage. And do they integrated with your favorite browser and apps?
Your family will understand and love Bitwarden. The client is open-source and encryption happens locally (unless on the web app), so you can approve it. Maybe KeePass* will work for you personally or for some special passwords, where security is more important than availability…
I’d recommend Standard Unix Password Store. I’ve been using it for two years and it works fine. You have to solve synchronisation by yourself i use git for it but you can also use rsync or syncthing or anything else. It also has extensions for most web browsers includong firefox and chrome. It has clients for android ios windows and unix like operating systems. You can also use it with dmenu or rofi like i do.
While this is not exactly what you are looking for, have you considered deterministic password generators? There’s a nice explanation how they work in the Passwordmaker Pro Introduction.
The main downside of deterministic password generators is that their master password can be brute-forced from a single known password and the generator’s settings (so, don’t use the default settings…).
Their main advantage is that they don’t store the passwords anywhere, therefore you don’t need synchronization, or worry about the provider’s data safety (which, as the LastPass leak has shown, should in general not be trusted).
If deterministic generators aren’t an option for you, I’d also suggest KeePass.
You still need synchronization, and any deterministic password manager that doesn’t provide it will break eventually. Any time a site experiences a breach you’ll be forced to change your password, so you need to synchronize a counter for that for each account. Also, different sites have different (and often mutually incompatible) composition and length rules (in blatant violation of NIST SP 800-63b recommendations), which need to be synchronized to ensure generated passwords actually work for the account.
True. However the need for synchronization is rather infrequent and can easily be done via sneakernet.
There is something else I would like to highlight, about the problem if a single password gets leaked: At least with PasswordMaker Pro I wouldn’t only increase the counter for that one site, but rather change it (ideally to a new random number) globally, and change passwords everywhere. The way PasswordMaker Pro uses the counter is that it just gets appended to the input url before hashing. For the hash algorithms that aren’t using HMAC this is equivalent to just prepending that counter to the master password, so, a bad actor could just brute-force the combination of increment and master password, and get access to all sites that used the same master password and increment.
So, yeah, that’s another big downside. If one password gets leaked, you can either rely on the attacker never finding out that it’s a deterministic one, or you can do the same “change every password” dance that you have to perform if your password manager’s cloud service data gets leaked.
If your KeePassXC databate gets leaked and you had a secure master password (10+ Diceware words or similar), you can do nothing (it’s encrypted).
Yeah, PasswordMaker Pro isn’t built with protection against brute-forcing, sadly. That risk could be mitigated though, by choosing an algorithm that takes a few moments to compute a single password, instead of doing so in mere nanoseconds…
I’m half tempted to write such an app myself (would be a nice upgrade after doing the PasswordMaker Pro port for Sailfish OS), but I’m also in the middle of another spare time project, so, probably not anytime soon…
If you don’t want to self host then I suggest Bitwarden as the only service I would recommend. If you want/are willing to self host Bitwarden. Just stay away from Lastpass.
I can wholeheartedly support that statement. Been using a locally hosted bitwarden instance for a few years now, never head an issue and the Browser plugins work great.
Also: actual desktop clients on all three platforms There are some discussions on HackerNews, about some VC which invested there and what the impact will be, but nothing actually popped up
If you want to make it easy, just use the built in password manager in Firefox or Chrome. They are good enough for 99%.
@WenAmon Also advocating for KeepassXC here. Plays nice with “synced” folders, like with NextCloud, too.
Even comes with ssh-agent which is perfect for persons like me 👌
Alas I’d never install it on my Android. That’s my 2FA device. Not much sense in putting all in the same place - even if it offers integrated TOTP 🙃
The only exception may be the TOTP that Steam uses, that is one digit shorter and not supported by the usual (RFC 6238) ones.
