
So I have an admission here: I keep seeing HN stuff about these networked password managers and I don't quite understand the appeal.

Is it because everybody else is swapping between several different computers, and you need the synchronization?

I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, [edit: and also additionally] a copy kept on a USB stick in my pocket.



It’s phones, mainly. People do also have multiple other devices, yes. For me another big pro is having a realtime offsite backup and being able to survive simultaneous loss of all my devices, which is plausible in correlated scenarios like a burglary, fire, mugging, car crash, etc, but I don’t know how much others think of that one.

The people I know who use KeePass live like they’re disabled. You ask them to sign up for something and they need to schedule a half hour for it two weeks out. Ask them to use a website and they need to wait until they’re home because their biweekly manual data transfer was put off because of whatever. And if they ever drop their phone, it’s this totally unforeseeable panic they’re still recovering from two months later. I’m far from convinced it must be like this, but I’m also far from convinced that most KeePass people—or people using any other strategy—have really thought this through.


Weird. I keep my KeePass database on NextCloud, and the only difference between home and phone is that on a bad network I may need a few seconds for KeePassDX on the phone to decide to use its cached copy of the database rather than the latest one. It would probably be even smoother if I used Syncthing. I assume non-technical people ought at least be able to put their KeePass files on DropBox?


> I assume non-technical people ought at least be able to put their KeePass files on DropBox?

Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.

Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.


> > I assume non-technical people ought at least be able to put their KeePass files on DropBox?

> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.

Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - more so than SaaS password managers.

> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.

What do you do for when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.


For other types of files, I have different apps: Obsidian Vaults with Syncthing, but that’s not accessible from the internet. And I like having my passwords across all my devices, updating anywhere I am.

And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.


> For other types of files, I have different apps

How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?

> And I like having my passwords across all my devices, updating anywhere I am.

That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.

> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.

What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

You don't need to host anything for KeePass - just plop the file next to your notes/etc.

Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.


> What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

Talk to your local security engineer :)

On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.


> Talk to your local security engineer :)

You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.

> and think they can just stand up businesses without understanding the domain

Using KeePass is not analogous to standing up a business.


Ok - I made the assumption that your (s)FTP was publicly available over the internet. (It’s safer if not, but then you don’t get the benefits of syncing from anywhere that I get.)

If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.

That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.


> you are now responsible for [...] there’s no way I’m self hosting my passwords

You don't need to host anything new or take on any patching responsibilities for anything you weren't before. I already had an FTP server, so put it on there. Wherever you already access arbitrary files across devices (you didn't answer what you do for files outside of your filetype-specific subscriptions, but I'd assume you just have iCloud or something) should work fine.

Not that there are zero reasons to use a SaaS password manager, just that I disagree Keepass is somehow insecure or prohibitively technical for regular users. The solution a lot of people already seem to gravitate towards (if not just password reuse) is "passwords.txt on Google Drive".


Multiple devices and family sharing. My wife and I share several accounts, so it's really nice that we can move them between private and shared vaults on 1Password.


I swap between my phone and my computer. Sometimes I need to get an account password on a workstation, and I can just login online rather than typing several lengthy generated passwords.

Most of the workstations I use completely block USB storage devices (but not fido2 keys!)

What would be super nice is to have USB wedge that I can just send my passwords from my phone to any computer like this https://www.inputstick.com/ (Expensive, sold out and also doesn't ship to the USA)


> I just have everything in KeepassXC

Me too, but I rarely add/edit anything in .kdbx file, it rarely changes. So I just keep a copy on my phone and use KeePassDroid to open it sometimes.

If you change/edit your passwords all the time, and you like autofill and I assume other features, networked solutions are much better.


Who doesn’t like autofill? It makes everything SO MUCH easier.

And it isn’t about changing/editing passwords all the time, it is about all the new passwords that are constantly being added.


My KeePassXC database auto-syncs to my Nextcloud instance. Nextcloud client on PCs, Keepass2Android on my phone, and it's the same end result as Bitwarden but without the shenanigans.


Do you have a solution for auto-merging conflicting changes? Because I think that's the real difference: editing on a laptop and on a desktop before the sync can occur can cause data loss (for my potentially naive use of keepassxc anyway).


I've never seen this happen, because (as far as I can tell) all KeePassXC clients auto-save the file any time a change is made, and all the Nextcloud clients auto-sync as soon as the file changes. Keepass is also resilient to the underlying file changing while you have, say, the edit password dialog open.

If a conflict did happen though, newer versions of Nextcloud just keep both copies and alert you to resolve it. If I had to resolve this I'd probably try the built-in database merger first: https://keepassxc.org/docs/KeePassXC_UserGuide#_merging_data...


I second what the other commenters have said.

There are several factors at play making conflicts almost impossible:

- A central device can be immediately synced to. For Nextcloud, it could be a server, for direct synchronization that I use (Syncthing), my phone (almost always online) is the intermediate device for all.

- You are usually online when creating accounts/passwords, so a sync can happen directly after a change

- And finally: How often do you actually _create_ accounts rather than just read the database? And how often do you do it on two devices in quick succession?


Merge conflicts on NextCloud are terrible, but for a KeePass file, I don't think this comes up very much. My laptop syncs from Nextcloud whenever it's online, and my phone syncs whenever it opens or modifies the file. Nobody else is using my laptop or phone, and certainly not my keepass vault. I would probably have to go out of my way to use both my laptop and my phone offline and add/change passwords during that time in order to get a merge conflict.


How do you get data loss? KeePassXC/DX saves a conflict copy and warns you. Anytime I've seen the warning over ~10 years it's been a non-issue. Like I add an entry on PC, walk away from the 'save db' prompt for a day and then update something on my phone so I have 1 new account on both. I see the warning and so I have to hit one button to do the basic merge or whatever and it's done.

What are you guys doing to get real issues?
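The failure mode this sub-thread is about is a file-sync tool writing a conflict copy of the .kdbx next to the original, which then sits unnoticed until a password seems to have vanished. The following script is an added example, not code from any commenter or from KeePassXC/Nextcloud/Syncthing: it scans a sync folder's file names for conflict copies, pairs each with its canonical database, and plans the corresponding `keepassxc-cli merge` invocations. The two naming patterns (Syncthing's `name.sync-conflict-YYYYMMDD-HHMMSS-DEVICE.ext` and the Nextcloud desktop client's `name (conflicted copy YYYY-MM-DD HHMMSS).ext`) are assumptions about those tools' conventions and may need adjusting for your client version; the sample file names are constructed.

```python
"""Find sync-tool conflict copies of a KeePass database and plan merges.

Added example (not from the thread). Assumed conflict-copy naming:
  Syncthing: passwords.sync-conflict-20240102-131415-ABCDEFG.kdbx
  Nextcloud: passwords (conflicted copy 2024-01-02 131415).kdbx
"""
import os
import re
import subprocess
import sys

# Assumed Syncthing pattern: <stem>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<deviceid>.<ext>
SYNCTHING_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-\d{8}-\d{6}-[A-Z0-9]+(?P<ext>\.[^.]+)$"
)
# Assumed Nextcloud desktop pattern: <stem> (conflicted copy YYYY-MM-DD HHMMSS).<ext>
NEXTCLOUD_RE = re.compile(
    r"^(?P<stem>.+) \(conflicted copy \d{4}-\d{2}-\d{2} \d{6}\)(?P<ext>\.[^.]+)$"
)


def canonical_name(filename):
    """Return the canonical file name a conflict copy belongs to, else None."""
    for pattern in (SYNCTHING_RE, NEXTCLOUD_RE):
        match = pattern.match(filename)
        if match:
            return match.group("stem") + match.group("ext")
    return None


def find_conflicts(filenames, ext=".kdbx"):
    """Map each canonical database name to a sorted list of its conflict copies.

    Only files with the given extension are considered; non-conflict files
    are ignored.
    """
    conflicts = {}
    for name in filenames:
        if not name.endswith(ext):
            continue
        canonical = canonical_name(name)
        if canonical is not None:
            conflicts.setdefault(canonical, []).append(name)
    return {k: sorted(v) for k, v in conflicts.items()}


def orphan_conflicts(filenames, ext=".kdbx"):
    """Conflict copies whose canonical database is missing from the folder.

    These cannot be merged automatically and deserve a manual look: the
    canonical file may itself have been renamed or deleted by the sync tool.
    """
    present = set(filenames)
    return sorted(
        copy
        for canonical, copies in find_conflicts(filenames, ext).items()
        if canonical not in present
        for copy in copies
    )


def merge_commands(filenames, ext=".kdbx"):
    """Plan one `keepassxc-cli merge` per conflict copy, into the canonical db.

    `keepassxc-cli merge` merges its second database into the first;
    --same-credentials reuses the first database's credentials for the copy.
    Copies without a canonical file are skipped (see orphan_conflicts).
    """
    present = set(filenames)
    commands = []
    for canonical, copies in sorted(find_conflicts(filenames, ext).items()):
        if canonical not in present:
            continue
        for copy in copies:
            commands.append(
                ["keepassxc-cli", "merge", "--same-credentials", canonical, copy]
            )
    return commands


def run_merges(folder):
    """Execute the planned merges in `folder` (prompts for the master key)."""
    names = os.listdir(folder)
    for copy in orphan_conflicts(names):
        print(f"orphan conflict copy, merge by hand: {copy}", file=sys.stderr)
    for cmd in merge_commands(names):
        print("running:", " ".join(cmd))
        subprocess.run(cmd, cwd=folder, check=True)


if __name__ == "__main__":
    # Constructed sample listing, as a sync folder might look after conflicts.
    sample = [
        "passwords.kdbx",
        "passwords.sync-conflict-20240102-131415-ABCDEFG.kdbx",
        "passwords (conflicted copy 2024-01-03 090000).kdbx",
        "notes.txt",
        "notes.sync-conflict-20240102-131415-ABCDEFG.txt",
        "old (conflicted copy 2024-01-01 000000).kdbx",
    ]
    for cmd in merge_commands(sample):
        print(" ".join(cmd))
    print("orphans:", orphan_conflicts(sample))
    if len(sys.argv) > 1:
        run_merges(sys.argv[1])
```

Run with no arguments to see the plan for the constructed sample; pass a folder path to actually merge. Each merge changes the canonical database, so keep the conflict copies until you have opened the merged result and confirmed the entries you expected are there; only then delete them, since a conflict copy is the only place a lost entry still exists.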


Having a password manager synced to phone, desktop, laptop, browsers is handy. I used Keepass 10 years ago but I prefer integrated experiences now, particularly since I often pull them up on mobile.

Also consider teams or multiple teams across an org sharing secrets. Flat files are a tough sell, so these apps eliminate almost all the hassle. We pay for a lot of 1Password accounts, and I couldn’t imagine rolling our own solution.


The Apple Passwords app does all this just fine. The only thing it's missing is secure notes to store my 2FA recovery codes in.


Can it store multiple urls for the same password now?


That works if all your devices are Apple devices.


Yes


In my case it's exactly that. I have a Linux gaming workstation, a work-issued (and managed) MacOS laptop and a Google-branded (Pixel) Android phone.

Bitwarden just works in all those places and the tech was, by all accounts, rock solid. AND I can pay for it instead of trying to leech off some privacy-ambiguous free tier.


I use vaultwarden hosted on my own server.

I use it to sync between my phone, tablet, laptop, and two desktops.

I want to be able to add a login from any of those, and have it be updated on all of them.

I might have more machines than most, but everyone has at least a computer and a phone, seems reasonable to want to link those two.


USB stick in your pocket sounds nice but what happens when you drop your keys and it cracks or you get caught in a rain storm and it gets soaked?


Then the copies that exist on the USB are fried but the original that lives at home on your desktop/laptop is fine?


Someone else made a similar comment, so I clarified the phrasing of my original post. The main backup of allll my decades of digital junk is independent and happens elsewhere.

Even if I had a USB-stick of magical capacity and reliability, I wouldn't want to have to remember to connect and disconnect it constantly.


Syncing is a huge part, UX is another. I was using KeePass on my desktop for several years before I met my wife, and having her use it was a complete failure. She did not like the workflow. Having to open another tool, login, search for the correct site, and copy/paste the password was too much friction. And that was when things worked.

Syncing was an utter disaster. Inevitably something would cause syncs to be delayed, and then there would be a conflict and one of our changes would be silently lost. We were constantly going to lookup a password we entered, and finding it was not there anymore, at which point I would have to dig through sync conflict backup files and manually reenter the passwords that were lost, or go through the password reset flow for the sites. It was a giant mess, and that was just with two desktops and a laptop. I was using btsync at the time but all the issues I encountered apply to any file based synchronization, like syncthing, nextcloud or dropbox. Performing whole database file synchronization is simply not the right approach for password safe.

I eventually switched over to self-hosted BitWarden with the browser plugin and it has been much smoother.


USB sticks are infamously unreliable, not a great backup plan


I realize the wording in my comment was a little ambiguous, but don't worry, that's in addition to my files in general. (Restic, Backblaze B2, memorized passwords/keys, regular integrity checks of remote data.)

After all, even with godlike storage-media on my keychain, it would still be susceptible to a mugger or falling down a deep hole. Until that happens, it provides redundancy and convenience, provided I can bring it to a trustworthy computer.


I used to use syncthing to solve that problem, until the developer dropped the distribution because of Google's anti-social behavior.

But the interface of every software on a phone is so atrocious that I have never actually seen any benefit from having a password manager there that I could copy stuff from. So now I just don't have it, and haven't seen any loss yet.

That said, I store way more low-value passwords on the Firefox manager (that is synchronized) than high-value ones on the offline manager.


Is it because everybody else is swapping between several different computers, and you need the synchronization?

... and phones, and tablets. Yes


> everybody else is swapping between several different computers, and you need the synchronization?

So you do understand it!
