I currently use KeepassXC that is synced through NextCloud. The sync isn’t very elegant, especially on my phone. So I’m looking for a new password manager, which has a native server sync support that I can self host. What do y’all recommend? I need at least a phone app and a browser integration that can autofill.
If you can’t self host --> KeePass If you can self host --> Vaultwarden
Is VW audited in the same way that BW is?
I hear good thing about Vaultwarden, but the web UI is horrible.
Vaultwarden’s web UI is very confusing, especially the search feature. And it’s difficult to move items between folders/collection. The desktop app is available as DEB/RPM package but without auto-update, which isn’t great.
Fon now I’m sticking to KeepassXC because the desktop app for my Linux distribution has a package for it and allows auto-update. The UI works well, and it has decent browser integration. Syncing isn’t smooth, but I can live with this.
Vaultwarden is not to be used in itself you can for example use the bitwarden app but with your vaultwarden server
You’re right. Above, I was referring to the bitwarden desktop app. See https://github.com/bitwarden/desktop
It’s an electron app, and there’s no auto-update solution for DEB packages (ie no DEB repo for apt auto update).
Some people are probably happy with it, but I prefer KeepassXC which is more lightweight (ie not electron based) and can auto update via APT.
Good thing the KeepassXC can be used as a 2nd factor authenticator, though it has TOTP only, doesn’t offer HOTP.
I also use Unix pass and self host a git repo over Tailscale to keep it synced across devices. Works like a charm so long as I remember to push whenever I edit a password somewhere.
One of the big flaws of snapshot-based VCSs like get is the patch order mattering—which causes conflicts. I would love to see an alternative built on Darcs or Pijul with their Patch Theory-based VCS system that does not have the flaws Git does.
I like to use SyncThing for my keepass vault. Imo it’s about as simple and elegant as it can get without involving third party services.
I know you’re asking for an integrated sync but this has been flawless for me and only rarely notice a delay between machines including android, linux, and windows (less that 30s in any case)
I haven’t seen it mentioned here so I’ll throw it out there - 1Password. It’s just a very smooth experience that I really appreciate.
Got a free family subscription through my work. Before that I was paying for it.
1Password is just great. Wonderful Linux support (desktop app, cli client, identity agent for SSH).
The major update to version 8 was rolled out to Linux first, actually.
One of the few pieces of software where you feel that the developers care about their product.
Agreed. The experience is so easy and well integrated that it has been trivial to get my whole family on it. Being open source would be very nice though. That lack of transparency due to closed source is my only real gripe with it.
They are closed source, but their white papers are very good
Big fan of Keeppass + syncing program of choice. It has served me well for years. If you don’t like nextcloud pick a different syncing app.
There’s a lot of arguments for one solution or the other based on security or privacy, but let me present a different scenario:
Imagine you’re in a natural disaster. Your home based self hosted server is down because of a general rolling network outage or just irrecoverably destroyed. Your offsite on the other side of the county is in a similar state. Can your cloud hosted backup be accessed at generic, public computer in a shelter or public building?
Bitwarden can. It has specific instructions for doing so as safely as possible.
For native sync, the two good and reputable alternatives are Bitwarden and Proton Pass
2nding the Bitwarden, absolutely love it. I moved from LastPass years ago and never looked back.
3rded moving from LastPass to Bitwarden and never looking back. I got out when LogMeIn got in.
I used to be a rabid advocate of self hosting password managers, and was switching between Vaultwarden and KeepassXC every few months. But Proton offered a lifetime subscription to Proton Pass with unlimited Simple login aliases, and I bought it now use this exclusively.
Vaultwarden is perfect imo
I use KeepassXC on desktop, KeepassDX on my phone and keep it all synced with Syncthing. Works great
This is the way.
Hackers have increased their focus on cracking password managers by extracting data from RAM and registry, compromising local and cloud storage.
Have you tried syncthing? It works great with keepassxc.
Vaultwarden is pretty easy to self host.
+1 for Keepass + Syncthing. Free, no cloud, always synced.
Yeah this is me. It’s been just perfect for many years now.
This is faultless for me
Which one? Or both?
Actually keepassdx, and sounding syncthing
Bitwarden.
My recommendation: Don’t use Vaultwarden (self hostable server side of bitwarden. Really easy to run and use). Why? You’re not a security personal, and securing your vault isn’t your job. You might do a slight mistake that’ll lead to the compromise of your vault.
The people at Bitwarden have their work dedicated to securing the vaults and all they do is security. And they’ll probably do it better then you. When it comes to serious matter, I prefer to trust the professionals.
VW isn’t the self hostable version of BW. It’s a complete rewrite. I don’t know if it is audited in the same way as BW, so I wouldn’t recommend it until you check that. BW can be self hosted as it is. VW is a rewrite with all the premium features unlocked for free
Doesn’t the server just hold an encrypted vault? What could go wrong when the server is compromised? Just thinking out loud I don’t know the answer
Security is also about backups. 3 Replicas 2 Formats 1 Offsite location
Yep, that’s right. In theory you could share the encrypted DB with the public and not degrade security. (Still don’t do that though…)
I just don’t want any unauthorized persons anywhere near my vaults in general. I also see my vault as a critical service that requires high availability, and I know enough about system administration to know that my network and I are not qualified to provide that.
Just to play devils advocate. Bitwarden.com is a much more valuable target. My instance is behind a VPN. I think its actually far more likely Bitwarden will have a breach similar to LastPass then I will. But I agree with you mostly.
The data stored on Bitwarden’s servers is completely encrypted though, which means a breach will not yield useful data, unlike the plain text storage for LastPass.
I have the ability to selfhost BW so I am interested in counterpoints.
Yes I agree. I was just offering a counter to the statement that Vaultwarden isnt as safe as Bitwarden. They both are encrypted but my vaultwarden instance is a lot less likely to experience a breach than Bitwarden. The guys with real skill are going after Bitwarden not me.
Ignoring the security aspect of it Bitwarden is responsible for hosting a fault tolerant, highly available web app.
They have redundant networking, redundant servers, load balancers, redundant databases.
While you could host this yourself to these tolerances it’s work and it’s not free.
If you’re using your password manager to the fullest you have a different password for every resource out there. It’s more than a minor inconvenience if you get locked out of your passwords.
Their service is dirt cheap and it’s absolutely worth every penny.
If you’re on Android I had seen a better UX for synching with the client Keepass2droid than with KeepassXC or KeepassDX.
On iOS maybe try Keepassium.
I do the exact same thing as OP with KeepassDX at work and works pretty nice so far, since I gave KeepassDX the right acces rights on the nextxloud directory.
What diferences have you figured out so far with Keepass2android in comparison ?
KeePassXC doesn’t have an official client, does it? Also, KeePassDX has a better UI IMO, is updated much more frequently & is on Fdroid.
I was sure that KeePassXC had an Android client but it seems like my memory tricked me. I do prefer the overall UX of KeePassDX but when I tried several Android KeePass clients during the pandemic I remember that KePass2Droid had an easier Nextcloud sync setup than what KeePassDX offered.
