Hello. I have been using KeepassXC on my Linux box synced to Nextcloud, and then using Keepass2android, and it really has been working very nicely. I checked out Bitwarden about a year ago and they did not support nested folders (which I need for customer folders, etc.). However, now they do, and it looks nice. And they completed that 3rd-party audit, which is huge. So I am considering self-hosting it. My concerns are as follows:
#1) Only one very talented developer of Bitwarden: the “hit by a bus” thing. #2) Self-hosting puts the burden of keeping up with security updates, etc., on me, especially with the latest doomsday Docker security revelation.
I could use their cloud, but I believe it is in Azure. I guess I like my roll-my-own solution, but I am always looking at alternatives. Bitwarden does look nice.
Reason #1 is not only the hit-by-the-bus scenario but also: “Hi, I have this pile of money, would you sell it to me and stick around for a short time to get my offshore guy up to speed?”
I too use KeepassX on Linux and on my one and only Windows laptop. Must agree it works well; I keep the DB on a USB stick. Also have a Yubikey for the Linux laptops.
I use KeePass2 (v2.41) on Linux with KeePass2Android, and LastPass primarily. Last year I experimented with the Bitwarden Desktop AppImage and Android app, and still maintain it, but it’s just an experiment. Just looked at KeePassX and XC. I like the passphrase-generating tool in XC that’s missing in X and KP2. Are these equally secure but differ in interface, akin to Linux distros, or is one better maintained than another? The cross-platform support has appeal since I have macOS in the house too. May have to switch apps.
Pretty sure XC is a fork of X. And they added the ability to have browser extensions (which I would never use with any password managers). Plus XC looks much nicer. If you have android check out Keepass2Android. Great piece of software.
I tried to get the extension to work and it was not a smooth process; then it told me I needed to update XC, so I added the PPA and updated. After that it didn’t work. I’ll stick with NOT using the browser extension with XC.
Is it safe using the same kdbx file with KeePass2 or KeePassXC? This FAQ is confusing:
I don’t have issues with the LastPass extension and have used it with FF, Chrome and Chromium over the years. I did get KeePassXC to work, but it’s clunky, and it fails if the URL in your database doesn’t match the sign-on URL, which happens with many sites that open a dialog or have one dialog for the username and another for the password. I can live without KeePassXC integration, but they’ve got work to do to make it seamless.
Keep the database on a USB stick. You are probably talking Windows since you wrote Keepass, and while it is compatible with KeepassX and KeepassXC, it is Windows based, and Windows is akin to Swiss cheese. Refer to the opening sentence, no matter what OS you are running. Consider the Yubikey or Duo as well.
Just checked again and there is no mention of KeepassX or XC in the article, but I will speculate that on Linux it would be more secure simply because it’s Linux. Now, nothing is bulletproof; get a big enough bullet and it will get through. That is the reason I keep the encrypted DB on a USB stick. A few degrees of separation.
Actually I have always had the same concerns as you regarding the browser extensions. That is why I always refused to use browser extensions. I am begrudgingly using the bitwarden browser extension on a limited basis but browser extensions have proven to be vulnerable. It has happened to other password managers. But it is so convenient to use a browser extension. I would be curious what others think about this.
I have the same concerns especially for critical applications. Nothing is perfect and anything assembled can be disassembled. Securing remote access is always a worrisome undertaking.
@Paulser Yes, I did see Tom’s video. I did make the switch to BW and self-host it behind a firewall, accessing it via VPN. It works well. My vault is protected via a Yubikey. I am still uneasy about using browser extensions with any password manager, but I do for most sites. And since I am all in, I am also using the BW TOTP as well, which is really super convenient. But in effect it is now 2-step and not really 2FA. And with the news recently of malware grabbing 2FA keys from apps such as Google Authenticator, Authy, etc., I am relying on the Yubikey more and more. But that is another story.
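The “2-step, not really 2FA” point in the post above, as an added worked example that is not part of the thread and not Bitwarden’s own code: a TOTP code is just an HMAC (RFC 4226/6238) over the current 30-second counter, keyed by the base32 seed the vault stores next to the password. Whoever can read the vault entry can therefore produce both the password and a valid code; the sample entry, site URL and username below are constructed for illustration only.

```python
"""Added example (not from the thread): compute an RFC 6238 TOTP code from the
base32 seed a password manager stores beside the password. Anyone who can read
the vault entry (password + seed) can produce valid codes, which is why keeping
both in one vault gives a two-step login rather than two independent factors."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample vault entry. The seed is the RFC 6238 reference secret
# (ASCII "12345678901234567890") in base32, as stored in an otpauth:// URI.
SAMPLE_ENTRY = {
    "url": "https://example.com/login",   # hypothetical site
    "username": "alice",                  # hypothetical account
    "password": "correct horse battery staple",
    "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # Seeds are often stored without base32 padding; restore it before decoding.
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    secret = base64.b32decode(padded)
    return hotp(secret, at // step, digits)


def login_material_from_vault(entry: dict, at: int) -> dict:
    """Everything the site asks for at login, derived from the single vault
    entry alone: no second device or secret is involved."""
    return {
        "username": entry["username"],
        "password": entry["password"],
        "totp_code": totp(entry["totp_seed"], at),
    }


if __name__ == "__main__":
    print(login_material_from_vault(SAMPLE_ENTRY, int(time.time())))
```

The values are checkable against the published RFC 6238 test vectors (for the seed above, time 59 gives 287082 with 6 digits and 94287082 with 8). A hardware key such as the Yubikey mentioned in the post keeps its secret off the vault entirely, which is what makes it a separate factor.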