diego_moita
varjolintu
You can have multiple URLs per entry. However, those only work with the browser extension. Edit the entry and go to the Browser Integration tab. There's a list of additional URLs.
ajot
I use clones of older entries if I need multiple URLs. I didn't know about this, thanks!
diego_moita
Wow! Now I feel stupid.
Thank you. That's very cool.
joshuajill
On Linux at least you don't really need a browser extension, and you can arguably reduce the attack surface.
You can use global Auto-Type, which brings up the KeePass window where you can pick from relevant entries.
You can set a global keyboard shortcut and it will work mostly anywhere.
jabroni_salad
One of the things I like about the auto-type is that you can reconfigure it on a per-site basis in case the login sequence isn't the usual. I can have it page through my company's SSO labyrinth, enter tenancy IDs, trigger my preferred Duo method or even navigate to a subpage after logging in. With most other PW managers you are just left with what it gives you, and if it doesn't detect the logon fields, that's just too bad.
I can also make it auto-type into remote sessions, non-browser applications, and """""extremely secure""""" fields that don't allow you to paste into them.
I do use the 'url in title bar' browser extension (there are a lot of these) to help it lock on properly.
WHA8m
I really like the DELAY function. YouTube is one of those sites where they have email and password on different cards/pages, so I can just add a delay of about 3 seconds and the autofill will work :)
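As an added illustration of the per-site Auto-Type sequences the two comments above describe (this is not text from the thread or from the KeePassXC project), here are two sequences in KeePassXC's Auto-Type syntax. The first handles a login that asks for the username on one page and the password on the next, pausing for the second page to load; the second types an assumed custom entry attribute named TenantID before the credentials and finishes with the entry's TOTP code:

```text
{USERNAME}{ENTER}{DELAY 3000}{PASSWORD}{ENTER}
{S:TenantID}{TAB}{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 5000}{TOTP}{ENTER}
```

`{DELAY X}` pauses typing for X milliseconds, `{DELAY=X}` instead sets a per-keystroke delay, `{S:Name}` types a custom attribute of the entry, and `{TOTP}` types the current code when TOTP is configured on the entry. The sequence goes in the entry's Auto-Type tab together with a window title association, which is what the "URL in title bar" extensions mentioned above are for. The caveat a practitioner should keep in mind is that a delay is a fixed wait, not a check: if the page loads slowly, the password is typed into whatever has focus at that moment, so the window association should be as specific as the site allows.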
nerdponx
There is also a "username-only option for this site" popup that sometimes can detect this kind of login flow, and usually handles it correctly.
BaseballPhysics
> The UI makes it much easier to copy and paste fields and the notes are clearly visible. I often use the notes to store things like github tokens (for git), etc. However, I keep 2FA TOTP codes on my Pebble watch only. If you keep 2FA codes on the same file as your password then it isn't 2 Factor anymore, right?
Technically no, but whether or not that is a problem depends on the threats you're worried about.
I'm personally most worried about 1. credential stuffing, 2. keyloggers/client exploits, and 3. Phishing/MITM attacks.
Using a password database allows me to use different passwords for every site, which defeats #1.
TOTP even if it's in the same database solves for #2 since simply scraping the password isn't enough to gain access.
And #3 isn't addressed at all, even if you use a separate device for TOTP.
What I'm not especially worried about is specific targeted attacks where the attacker is attempting to acquire my database and crack it.
Now, if you store your password database on someone else's cloud, that could become more of a concern, as a mass breach and bulk collection of databases becomes a possible attack vector. But I use syncthing to directly share my DB between devices, so I'm not particularly worried about that.
If you're worried about either of those threats, then a separate TOTP device is absolutely vital. But, for me personally, the inconvenience of it is not worth the additional security.
Melatonic
I may have to push my company to switch to this - now if only they would release their own Android / iOS client!
I know there are decent options for both mobile devices but it is harder to pitch a piece of software with multiple vendors than a single, unified vendor when security is a top concern.
nkg
I love it and I didn't know of any of these features! :)
tormock
> Edit: forget this. As varjolintu explains below, this is wrong. ~~You can't have multiple addresses per entry. Some sites will login with different URLs and KeepassXC will not recognize all.~~
Create 2 entries for the same site and install the Keepass helper (url in title) addon
yumiris
Love KeePassXC - it's a beautiful and speedy program which simply just works without ever causing any problems. The original KeePass always struck me as a tad heavy due to its somewhat archaic aesthetic and dependency on Mono, whereas KeePassXC looks modern and requires minimal resources and dependencies.
I combine it with KeePassium on iOS and Resilio Sync for synchronising across my main and mobile devices. (Syncthing doesn't offer an iOS client, sadly, hence the choice of using Resilio)
zuhsetaqi
I use Strongbox on iOS, which I highly recommend checking out. It's paid (one time) but open source.
fn-mote
> paid (one time)
This is true, but pricing is currently $3/mo, $15/year, $60 lifetime. So the one time payment is larger than most.
nerdponx
I've easily gotten $60 worth of value out of it. Happy to pay that kind of money for software that I use frequently and that works well.
ASalazarMX
There's also KeePassium, where you can use one database for free. I use several, so Strongbox for an Apple family account was worth the price.
Maakuth
I'm not an iOS user myself, but I hear Möbius Sync (https://apps.apple.com/us/app/möbius-sync/id1539203216) is a reasonably good Syncthing client wrapper for it.
willis936
I could never get mobius to behave as I wanted.
I host nextcloud and use strongbox. Nextcloud supports WebDAV and strongbox works well with syncing through that.
Semaphor
I switched from KeePass to KeePassXC some years ago when I realized the XC browser extension was better than what KeePass offered. Sync via my own Nextcloud, KeePass2Android on mobile, works great :)
circularfoyers
Have you tried KeePassDX?
JeremyNT
I'm using KeePassDX on Android (sync'd to KeepassXC on PC using syncthing). It works quite well and the GUI feels quite polished.
Of all the Keepass implementations in Android it seems to be the most actively maintained and featureful, but it's great to have a few different options. In addition to KeePassDroid (which I used to use, and have no major issues with) there's another (Authpass) on F-Droid which I haven't yet tried but looks promising.
worble
The only issue with KeepassDX is that it doesn't yet support yubikey NFC for challenge response mode, although it's on their roadmap I believe.
Semaphor
No, hadn’t even heard of it (or forgotten about it), it didn’t exist when I chose K2A, and I’m not having any issues. Might check it out anyway.
longstation
KPXC is brilliant. Recently I switched to it from BitWarden and I am satisfied. The only issue for me is the autotype support on Wayland (it's not there yet; currently only able to auto fill password and username for xwayland app).
Semaphor
Curious, why did you switch from BitWarden? It’s usually the other way around (though personally I never felt the need to switch from KPXC).
longstation
Sorry for the late reply. BitWarden is great. I really don't have anything to complain about (before BitWarden, I was using the browser's built-in password manager). However, I changed. I started to value the following:
1. I need a tool that can save not just passwords, but something more general. For example, a desktop software credential (with BitWarden, I need to open a browser or Electron app to do that). Another example would be a PIN required each time I use the voice mail. Or certain PINs for my bank accounts (not the one used to log in to online banking). I am aware you can save them in the notes section, but it feels better when you can customize these fields. These non-password secrets used to be saved in plain text scattered around in various files on my PC. Now I have centralized and organized access.
2. I know that with some configuration you can have a self-hosted BitWarden vault. But I think KPXC + whatever_file_sync_app is simpler.
3. I actually started using KeePassXC because IT forced me to. I hated it initially, but later discovered it's actually a great tool for managing secrets in general.
4. HN Syndrome: preferring a "native" app to web/Electron.
Semaphor
Ah, didn’t know Bitwarden doesn’t support extra fields like that, that is something I use as well. Thanks for the reply, it’s rare to hear about some (even personal) negatives of bitwarden :)
gnramires
I chose KPXC because I have easy access to the database, and since I already pay for cloud hosting I just sync the database on the cloud (I use Seafile, I recommend it!). Open and convenient :)
I'm sure Bitwarden is more than adequate as well though.
vetinari
I've migrated from KPXC to Bitwarden because of all the sync conflicts and having to diff different versions and figuring out, which data is latest (yes, keepass-diff is a thing).
With Bitwarden, I cannot create a new password or change existing one without being online, but I consider that a small price for not having to deal with conflicts anymore.
Semaphor
> I use Seafile, I recommend
I recently tried it, as I don’t need 90% of the features NextCloud offers anyway. Sadly, the installation process seems far more complicated, and I ended up just abandoning it and going back to NC after getting unclear error messages.
brightball
I am curious why you switched from Bitwarden? Usually when people are exiting a password manager it’s migrating to Bitwarden or KeePass but you’re the first I’ve heard moving from Bitwarden itself.
antiframe
I too switched from BitWarden to KeePass. I was reading about browser security and became concerned about running my password manager in the same process as the browser and relying on its sandbox. With KeePassXC I have the option to either forgo browser integration completely or use their addon which communicates to the manager and asks for an entry, which prompts for permission itself or uses an allow list by URL. That makes it much harder for a website to somehow break the sandbox and access my entire database.
It's a small change but it does reduce the attack surface as well as force me to manage my data myself which I want to do more of.
Also with BitWarden, their UI annoyed me when I needed a password outside the browser.
mrandish
I'm not the person you asked but I switched from BitWarden to KeepassXC. BW was very good so the only reason I looked for an alternative was I wanted something that would support entering passwords with autotype in OS apps instead of just the browser.
longstation
Sorry for my late reply. I replied for the other question above.
ayushnix
> The only issue for me is the autotype support on Wayland
Are you using a wlroots compositor like sway or GNOME/KDE?
longstation
I am using both KDE and GNOME. When Firefox is under xwayland, it works. When switched to wayland, it stops working.
ayushnix
Looks like a known issue.
https://github.com/keepassxreboot/keepassxc/issues/2281
I'm considering adding support for keepassxc in tessen but autotype works only on wlroots based compositors like sway right now.
dorfsmay
Not sure what you mean but the default KeepassXC on Fedora 35 with Wayland does not do autofill in Firefox.
ayushnix
I'm going to take a guess and say that you're using GNOME if you're using Fedora, and yeah, I don't think auto-type works on GNOME's Wayland version yet. They were working on their own protocol called libei the last time I checked.
However, auto typing on Wayland works pretty well if you use wlroots compositors/window managers like sway.
joshuajill
I'm on Debian Bullseye stable with Wayland GNOME out of the box, and autotype works fine.
wheybags
Been using keepassxc with self hosted seafile for sync for a few years now. Keepassdx on android. Super happy with this combo.
k8sToGo
Is KeepassDX better than Keepass2Android?
LeonidasXIV
In my experience - yes. I used Keepassdroid and on a new phone decided to try K2A but ended up much preferring the UI of KeepassDX. Its autofill works really well.
running101
I recently researched password managers, settled on KeePassXC. Happy I did. I use KeePassXC on Windows + the KeePassXC Chrome plugin, Strongbox on iOS and Google Drive for syncing. All works seamlessly.
rekoil
I'll probably be switching from 1Password soon, as they get ready to force their Electron implementation onto customers. I downloaded Strongbox but I was surprised to find that configuring the storage backend was super confusing.
What is the best "backend" for setting up sync between KeePassXC/Strongbox/etc, between multiple clients active simultaneously?
Is there a good reason why we haven't seen something like a REST API enabled backend using KeePassXC as a client? It's great that syncing files using off-the-shelf services exists, but it's obviously far from an optimal solution.
mdaniel
If you're after a rest backend for your password manager, Vaultwarden is likely what you're after
Having said that, I am in the same camp as some of the other comments in using KPXC for its AutoType (and SSH agent), so if those are also your requirements then Vaultwarden won't get it done, because the Bitwarden clients are aggressively stupid.
wink
This might have been 2.6 already but I find the new flat interface kinda meh. Sure, not everyone was happy with the old 2.4 "native windows 95" look but with the new one everything just feels too big, like a mobile app on the desktop :(
dividuum
On my Linux version, there's View > Theme > Classic.
Psychotherapist
There is a "Compact Mode" you can turn on via the View Menu up top, maybe that helps :)
electrotype
I use regular KeePass for one reason only: its ability to open a remote database using SFTP.
npteljes
How does this system handle conflicts?
electrotype
How exactly, I don't know the details. But there is a built-in "synchronize" feature.
npteljes
What would happen if the synchronized safe is open on two computers at the same time, and they both add a new entry at roughly the same time?
I like the idea of this sync but I don't know how the internal implementation would handle this. Dropbox and Nextcloud both sync the files themselves, and in case of a conflict, they preserve both versions, and let you pick which one you'd like to use as the "canonical". It's a pain but at least the data is preserved.
mhb
I use KeePass. Should I switch to KeePassXC?
joshuajill
Also this: KeePass logged passwords in plaintext. Really bad CVE case. KPXC had no such issue.
pieter_mj
That's pretty bad. Luckily not on Windows.
refracture
Well I wasn't motivated to move but I am now.. that is rough.
theandrewbailey
Do you use any plugins with KeePass? KeePassXC might have those features built in. I had plugins for TOTP, SSH agent, and browser integration in KeePass, and it made setting it up and maintaining it a mild pain, but XC has them out of the box.
mhb
WebAutoType. I'll give XC a try. Thanks.
AdmiralAsshat
Recent convert here. The answer is Yes.
I had to use the old/creaky/unmaintained KeePassBrowser addon for Firefox back when I was still on regular KeePass. The KeePassXC-Browser addon is still supported, and much cleaner.
mxuribe
You read my mind, as I was just asking myself the same thing. I have recently been thinking of switching over to Bitwarden from classic KeePass... but now I see KeePassXC, and wondered what, if any, compelling feature/need KeePassXC brings...?
p.s. - Oh, and the reason for considering even moving to Bitwarden is ease of mobile access by several people at once... since schlepping a KeePass database via file sync stuff works sort of OK until you have to access the same file via mobile (possible but not great), plus my family and I kept stepping on each other's toes when updating said file, etc. Not hating on KeePass, as it has served my family really well... and I'm very thankful to the KeePass devs! It is simply that we might be outgrowing it a tad... maybe.
mhb
Follow-up - I switched and it was a good decision.
323
One thing I like about the original KeePass is that it uses Secure Desktop API on Windows, which makes it difficult for malware/keyloggers to intercept your password as you enter it if you are infected.
https://keepass.info/help/kb/sec_desk.html
I wish KeePassXC would implement this functionality on Windows. Seems there is an open issue, but KeePassXC author says this is just Windows security theater:
riedel
I had a discussion today with the author, also on a security topic. I feel that he has a very opinionated take on usable security (nothing strictly bad about it). My problem is that probably anyone can easily extract the key of the registered browser extension. Therefore it is really important not to "remember" the choice to share the password with the browser, as it is otherwise rather easy to exfiltrate it (having local access to a running machine). IMHO the security and threat models of many password managers are only clear to the authors. It is very difficult to make informed choices as a user. I don't like that every password manager claims to have the better solution without really explaining themselves to the user in a sincere way (including tradeoffs).
acquacow
Anyone know an easy way to keep it matching domains when the subdomain changes?
eg: account.domain.com changes to signon.domain.com at some point and it stops matching.
I've gone in and saved some accounts as just domain.com to prevent this, but when creating new passwords/etc, it always adds the current URL and the problem happens again after some time.
Thanks!
KingJulian
Been a happy user of KeePassXC for over 4 years now. I keep the password databases and keys synchronised across devices using Syncthing. Once I've set this up, it's pretty transparent and I haven't had to tinker with it.
tormock
Same setup, the DB only came out of sync (conflict) a few times, but that's because with my setup Syncthing is only doing its thing when I'm on my local network...
KingJulian
> Same setup, the DB only came out of sync (conflict) a few times, but that's because with my setup Syncthing is only doing its thing when I'm on my local network...
I see. You've chosen not to use remote sync?
What I love on KeePassXC:
* Runs on Linux/Mac/Windows and there are compatible clients for Android. Make your own cloud with a Raspberry Pi reachable through a DDNS name and you'll have super powers.
* Auto-type. It's tricky to get working, but once you get it you'll become addicted.
* The UI makes it much easier to copy and paste fields and the notes are clearly visible. I often use the notes to store things like github tokens (for git), etc. However, I keep 2FA TOTP codes on my Pebble watch only. If you keep 2FA codes on the same file as your password then it isn't 2 Factor anymore, right?
Little things that bothered me:
* It took me a while to understand how the Touch ID/fingerprint reader works (you need to turn on the checkbox, press OK on the authentication modal and then touch the reader). Touch ID is one of those things that you suddenly discover you can't live without.
* The browser add-ins are not always smooth and friction-less. Sometimes you need to reload the page, reopen the db. Chrome's add-in is the hardest to get working. Firefox's is better.
* Edit: forget this. As varjolintu explains below, this is wrong. ~~You can't have multiple addresses per entry. Some sites will login with different URL's and KeepassXC will not recognize all.~~
But I am still a fan. I'd give it an 8/10.