Considering Bitwarden..Thoughts

Hello. I have been using KeepassXC on my Linux box synced to Nextcloud and then using Keepass2android, and it really has been working very nicely. I checked out Bitwarden about a year ago and they did not support nested folders (which I need for customer folders, etc). However, now they do and it looks nice. And they completed that 3rd party audit, which is huge. So I am considering self hosting it. My concerns are as follows:

#1) Only one very talented developer of bitwarden. The “hit by a bus thing”.
#2) Self hosting puts the burden of keeping up on security updates, etc. Especially with the latest doomsday docker security revelation.

I could use their cloud, but I believe it is in Azure. I guess I like my roll-my-own solution, but I am always looking at alternatives. Bitwarden does look nice.

Any thoughts on this?


Reason #1: not only the hit-by-the-bus thing, but "hi, I have this pile of money, would you sell it to me and stick around for a short time to get my offshore guy up to speed?"
I too use KeepassX on Linux and on my one and only Windows laptop. Must agree it works well; I keep the DB on a USB stick. Also have a Yubikey for the Linux laptops.

I use KeePass2 (v 2.41) on Linux with KeePass2Android and LastPass primarily. Last year I experimented with the Bitwarden desktop AppImage and Android app and still maintain it, but it's just an experiment. Just looked at KeePassX and XC. I like the passphrase generating tool in XC that's missing in X and KP2. Are these equally secure but differ in interface, akin to Linux distros, or is one better maintained than another? The cross platform has appeal since I have macOS in the house too. May have to switch apps.

Pretty sure XC is a fork of X. And they added the ability to have browser extensions (which I would never use with any password manager). Plus XC looks much nicer. If you have Android, check out Keepass2Android. Great piece of software.


I’ll check out KeepassXC.

I tried to get the extension to work and it was not a smooth process; then it told me I needed to update XC, so I added the PPA and updated. After that it didn't work. I'll stick with NOT using the browser extension with XC.

Is it safe to use the same kdbx file with both KeePass2 and KeePassXC? This FAQ is confusing:

My versions are:
KeePass2 2.4.1
KeepassXC 2.3.4

I can open my db from either.

Browser extensions can be problematic when the extension version and the browser version introduce a mismatch. It happens in FF but usually catches up.


I don't have issues with the LastPass extension and have used it with FF, Chrome and Chromium over the years. I did get KeePassXC to work, but it's clunky and it fails if the URL in your database doesn't match the sign-on URL, which happens with many sites that open a dialog or have one dialog for username and another for passwd. I can live without KeePassXC integration, but they've got work to do to make it seamless.

I use both Lastpass and Bitwarden, and I must say I prefer Bitwarden, especially on my Android phone; it seems to work better than Lastpass.


via @two06 through Twitter

“In this post, we’re going to take a quick look at Frida and use it to steal credentials from KeePass.”

This was brought to my attention by Maurice (@offsecmoe), co-host of how-they-got-hacked. Thanks Moe!

Keep the database on a USB stick. You are probably talking Windows since you wrote Keepass, and while it is compatible with KeepassX and KeepassXC, it is Windows based, and Windows is akin to Swiss cheese. Refer to the opening sentence, no matter what OS you are running. Consider the Yubikey or Duo as well.

Using KeepassXC here on Linux. I like the USB idea tho.

I had two thoughts after reading the article:

  1. why is he not reporting to project rather than publishing?
  2. if you’ve got access to my database on my system and running code there, you own it.

Are you saying other KeePass (2, XC) variants are not subject to this? If that statement was in the article, I missed it.

Just checked again and there is no mention of KeepassX or XC in the article, but I will speculate that on Linux it would be more secure simply because it's Linux. Now, nothing is bulletproof; get a big enough bullet and it will get through. That's the reason I keep the encrypted DB on a USB stick. A few degrees of separation.
