I mostly agree! However, I plan on posting an article on HN soon discussing some of the issues with the .kdbx file format that KeePass and derivatives use within the next couple of days. KeePass has such great potential, but falls short compared to some of its (local) competitors.
I don’t recommend any of them. Some of them have critical metadata leakage issues (Pass and derivatives, which leak the number of accounts & their names) and most others are not open source—an immediate disqualification for a local password manager. KeePassXC is my choice on desktop. Keepassium on iOS.
It's not centralized, of course; you still have to download the entire database, and then potentially upload the entire database again for any changes; but it doesn't have these vulnerabilities.
The database is encrypted, so theoretically it doesn't matter if other people have it, but what a chad. I suppose these are not your real passwords, or are low-value ones, because there could be zero-days we don't know about.
A bunch of them have changed since I migrated to iCloud Passwords, but no, that is an actual real passwords database with every internet account of mine that I knew about as of around December 2024.
I tuned the encryption to take a short while to unlock for even a high-tier desktop CPU, to the tune of slow password hashes. I actually somewhat enjoyed the delay every time I opened up the database...
Haha this was a powermove. It is genuinely great that since it’s just a file you can host it anywhere you want. S3, WebDAV, your own site. I personally use copyparty and WireGuard for my kdbx file. I find it better than syncthing because there’s an obvious master copy (edited in place), and there’s no good way to keep syncthing running all the time on iOS, which can lead to sync conflicts.
Hello. I use copyparty on my LAN hosting the kdbx file. It is exposed via webdav for my phone's client (keepassium). It is always available for KeePassXC (you can use rclone or just webdav in the file explorer). This is backed up to b2 every hour. I use WireGuard to access the LAN when I am not home. My phone autoconnects to WireGuard as soon as it is on any network that is not my home network.
I sometimes casually include tokens in my comments (changing a few characters here and there) to make people gasp but parent is taking it to a different level.
I recently orchestrated this, although in my case I've chosen to use 1password's cloud based store as my primary secret store, so I'm accepting some exposure right off the bat that you might not be comfortable with.
Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...
The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.
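The backup arrangement in the comment above (daily job, copies on a local NAS and off-site, a periodic DR drill) can be sketched in a few dozen lines. This is an added example, not the commenter's linked script and not borg, BorgBase or 1Password code: it snapshots a file into several destinations, records a SHA-256 for each snapshot in a per-destination manifest, prunes old snapshots, and makes the restore step re-verify the hash so a drill actually proves the copy is good. The file names, destination directories and file contents are constructed placeholders.

```python
"""Versioned, hash-verified copies of a password database to several locations.

Added example (not the commenter's script, not borg/1Password code). Every
run copies the file into each destination as <name>.<timestamp>, verifies the
copy, records its SHA-256 in a manifest, and prunes to the newest `keep`
snapshots. restore_latest() refuses a snapshot whose hash no longer matches,
which is the check a DR drill should exercise.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large databases are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, destinations: list, keep: int = 5, stamp: str = "") -> dict:
    """Copy source into each destination, verify, update the manifest, prune old copies."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    digest = sha256_of(source)
    written = {}
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / f"{source.name}.{stamp}"
        shutil.copy2(source, target)
        if sha256_of(target) != digest:  # the copy itself was corrupted in transit
            target.unlink()
            raise OSError(f"hash mismatch after copying to {target}")
        manifest_path = dest / "manifest.json"
        manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
        manifest[target.name] = digest
        # Names share a prefix and end in a UTC timestamp, so lexical order is time order.
        for old in sorted(manifest)[:-keep]:
            (dest / old).unlink(missing_ok=True)
            del manifest[old]
        manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
        written[str(dest)] = target.name
    return written


def restore_latest(dest: Path, out: Path) -> Path:
    """Restore the newest snapshot, but only if it still matches its recorded hash."""
    dest = Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    newest = sorted(manifest)[-1]
    candidate = dest / newest
    if sha256_of(candidate) != manifest[newest]:
        raise OSError(f"{candidate} does not match its recorded hash; fall back to an older snapshot")
    shutil.copy2(candidate, out)
    return out


def demo() -> dict:
    """Self-contained drill in a temp directory using a constructed stand-in file."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    vault = root / "vault.kdbx"  # constructed placeholder, not a real database
    vault.write_bytes(b"constructed stand-in for an encrypted kdbx file")
    dests = [root / "nas", root / "offsite"]  # the two extra copies of 3-2-1
    for day in range(1, 8):  # a week of daily runs with keep=5
        snapshot(vault, dests, keep=5, stamp=f"2024010{day}T000000Z")
    restored = restore_latest(dests[1], root / "restored.kdbx")
    # Simulate bit rot in the newest NAS snapshot and confirm the restore refuses it.
    newest = sorted(json.loads((dests[0] / "manifest.json").read_text()))[-1]
    (dests[0] / newest).write_bytes(b"corrupted")
    try:
        restore_latest(dests[0], root / "bad.kdbx")
        tamper_detected = False
    except OSError:
        tamper_detected = True
    return {
        "kept_per_destination": len(list(dests[1].glob("vault.kdbx.*"))),
        "restored_matches": restored.read_bytes() == vault.read_bytes(),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "I have copies" into "I have copies I can trust": without a recorded hash, a silently corrupted snapshot looks identical to a good one until the day you need it.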
Thanks, it's also available via my 1password cloud account, so it'd have to be a joint fire at my home and the 1password data center (and my phone, for that matter). Pretty bad day I feel.
Unrelated note: this was the first time I've linked to my static generated docs for this project and it was really fun watching the grafana dash of my fly.io nginx proxy pick up all the scraping traffic. Thanks for warming my cache :) I work with this tech all the time at my day job but this is the first time I've hosted something from my home, it's genuinely made my afternoon to see it light up.
I sync the database to my phone, and a couple of other devices too with syncthing. I need it on my phone anyway to log into accounts while I'm out and about.
What clients are you using? Trying Syncthing with SyncTrayzor on my Windows boxes and Synctrain on my iPhone and it’s mostly alright but still a little spotty.
I'm also using Synctrayzor on my Windows 10 machine. I'm on Android using the official Syncthing app there as well as on Linux. It sometimes takes a while for them to discover each other, and it of course works better when all the devices are on my home network. The only real problem I've encountered is when filenames have special characters another OS doesn't like.
Hey thanks for the quick reply! Yeah, I've noticed the discoverability is a lot more consistent when I just foreground the app on both devices and let it sit for 10-15 seconds. So used to instant gratification in this age :\
Well, the same issue exists for your BitWarden recovery keys or 2fa method. You need to have proper and redundant off site backups for anything valuable.
How often do you change your passwords? Assuming they are decently long and all that, why would you change them at all other than when a site gets breached?
The only reason my Keepass database changes is because I make new accounts on sites every now and then, and that's a fairly rare thing these days. And if I get so ungodly unlucky that my house burns down before my off-site database is updated to have that new account listed, I'll still have access to the email that account is associated with, so I can still recover the account either way.
Every time I add an account, for one. And there are still plenty of (dumb) sites which force me to change my password and sometimes username periodically.
Keeping an offsite database in sync is tedious, especially if it's delivered via sneakernet.
I add an account to that database maybe twice a year, probably less. Do you make a lot more accounts than that?
The off-site solution I have updates a lot more often than that, although that's only because only the really important stuff is backed up in that way; the stuff I truly need to survive my house burning down.
I'm almost done with that aspect of my life now, but every school year it feels like there's a new slate of apps, parent communication portals, etc. I need to manage these as well.
It's way more often than twice a year for me. And it's accelerating.
Fair enough, but it’s genuinely super easy to have a regular copy of your password manager saved in the cloud. You can also have a less frequently updated version stored somewhere physical that isn’t your house. My house burning down has never been a concern for me, as I’ve taken the proper precautions for my data.
One of the things the article touches on is encouraging these vendors to migrate their customers to more secure/modern security standards. How is this handled with KeePass with it being, by its very nature, decoupled?
Not the parent, but a heavy user of Keepass. When you unlock your database, you can re-key it with several options for encryption algorithm, key derivation, and the transform rounds. I also have it set up with my Yubikeys as a kinda-sorta two factor for an added layer of security.
To keep the encryption modern regular updates are made to the program, and any migration would happen when re-encrypting the database. Checking my earliest entry, I've used it for 15 years without a hiccup.
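Two comments above describe the same knob from different angles: one tunes the database so unlocking takes a deliberate delay even on a fast CPU, the other re-keys it with a different key-derivation setting and round count. The example below is added here and is not KeePass or KeePassXC code; KDBX really uses AES-KDF ("transform rounds") or Argon2, neither of which is in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the tunable slow hash. It shows how to calibrate the work factor to a target delay on the current machine, how to enforce a floor so a weak setting is never chosen, and how a re-key produces a fresh salt and a re-calibrated cost. The password, salt and constants are constructed values.

```python
"""Calibrating a slow password hash to a target unlock delay, and re-keying.

Added example, not KeePass/KeePassXC code. PBKDF2-HMAC-SHA256 stands in for
the AES-KDF/Argon2 that KDBX actually uses; the calibration idea is the same.
"""
import hashlib
import os
import time

KEY_LEN = 32               # 256-bit key for the database cipher
MIN_ITERATIONS = 600_000   # floor: a fast machine must never pick a weak cost


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a fixed-length key (same inputs -> same key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def measure(iterations: int) -> float:
    """Seconds one derivation takes at this cost on this machine (constructed inputs)."""
    start = time.perf_counter()
    derive_key("calibration-only", b"\x00" * 16, iterations)
    return time.perf_counter() - start


def calibrate(target_seconds: float, probe_iterations: int = 50_000) -> int:
    """Pick the iteration count that hits target_seconds here.

    PBKDF2 cost is linear in iterations, so one timed probe extrapolates to the
    target; the result is rounded down to a multiple of 10,000 and clamped to
    MIN_ITERATIONS so calibrating on a slow box cannot weaken the setting.
    """
    elapsed = max(measure(probe_iterations), 1e-6)
    estimate = int(probe_iterations * target_seconds / elapsed)
    return max(MIN_ITERATIONS, (estimate // 10_000) * 10_000)


def rekey(password: str, target_seconds: float) -> dict:
    """Mimic 'change KDF settings when re-saving': fresh salt and re-calibrated cost."""
    salt = os.urandom(16)
    iterations = calibrate(target_seconds)
    return {"salt": salt, "iterations": iterations, "key": derive_key(password, salt, iterations)}


if __name__ == "__main__":
    header = rekey("correct horse battery staple", target_seconds=1.0)  # constructed password
    print(f"iterations={header['iterations']} unlock={measure(header['iterations']):.2f}s")
```

Calibrate on the slowest device that has to open the database (the phone, not the desktop), then keep the result above the floor; the delay the commenter enjoys is the attacker's cost per guess multiplied by every guess they have to make.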
I take your point, and usually you're right, but in this case "modern features" includes things like having an "extract" button show up when you right click an archive file in Explorer.
You can have that, and in an even better way: Simply disable the blight that is Windows 11 context menus and go back to real context menus.
I’m not even joking, they are basically superior in every way. They open faster, they have only one visual axis and they support all the shell extensions you remember. (Too many shell extensions could make them just as slow though.)