In the meanwhile KeepassXC cannot do simple things like bulk editing.

@@jonathandawson3091What do you mean by bulk editing? Also, what other simple things are problematic about KeePassXC?

@@martinlutherkingjr.5582 Bulk editing, e.g add/remove tag, change icon, set notes, etc. for a number of passwords at once.

@@jonathandawson3091 BitWarden is good until your passwords are leaked like LastPass. I prefer KeyPass and store my passwords offline encrypted. I don't trust any company storing my data on their own server.

@@roberth_pereira you can self host bitwarden if you don‘t want to trust them with your passwords

I moved to KeePassXC back in August when the initial news about LastPass dropped. It's a great solution, requires a bit of extra effort to setup and maintain due to the nature of the product using a DB file. I'm thinking that moving forward I'll be spinning up Vaultwarden for my daily use, and use KeePassXC to store my keys with a hardware token (YubiKey) Spare key is not stored with DB file, primary key is on me at all times and the DB file is offline/cold/secure in both a safe and safety deposit box. What are your experiences with deploying Vaultwarden? *Edited for spacing and clarity, content did not meaningfully change.

@@NOX-ID47 I've only had the one instance running and it's been going since my initial deployment, very straightforward using docker compose, I believe there is support for SQL however my data is stored in an sqlite DB so the configuration was even simpler. One port exposed via haproxy reverse proxy on my pfsense box and all my devices, (phones, tablets, laptops and browser extensions), sync effortlessly and handle totp etc. I don't offer the service out to anyone else and it's just for my use, I back up my database locally and off-site weekly/monthly using a duplicati container, all encrypted. It has been a great experience and the feature set doesn't leave me wanting for anything.

@@jsnwal Thanks for sharing.

Vaultwarden is NOT a fork of Bitwarden. There is much confusion on this topic, but Vaultwarden is in fact a complete rewrite in RUST of the Bitwarden server to be a compatible backend for the official upstream clients. Unfortunately being a rewrite, there are still of course some features Vaultwarden is missing, and some that will never be added according to devs.

@@KentSapp you are correct it is a rewrite, amended my OP

KeePassXC is compatible with KeePass databases. It's rewritten in c++, much better program, so it's a pretty much a drop in replacement. But yes, for the 400 person use case, then bitwarden is the obvious solution.

@@entelin i am actually using KeePassXC. It's good. :)

The clincher with password managers is really is it on-prem, or is it cloud? Most are cloud based, and that's not necessarily a bad thing. And there are even some "new" ones, like Uniqkey where they've taken user friendliness and admin insight (without exposing actual passwords) pretty far. Purely commercial, though, but any company will wind up paying a couple bucks per user and month for anything commercial. User friendly simplicity is imo a real key factor for companies that aren't like Lawrence Systems, ie they're not full of mega nerds. Users hate complexity. You could never sell an average company on using Keepass, because it's just not suited to it in its current form. Bitwarden as well is a bit of a stretch but it's closer. Still pretty "techy", though. Nerds forget just how godawful users can be at this stuff.

I too am using the exact same setup as you are. Very easy to set up and maintain. I do make use of a key file to add another layer of security. YubiKey is my next thing to try with it.

What android app are you using? There is only 3rd party apps available?

@@shanehart2017 For me "Keepass2Android" does the job quite well on my phone. Comes with an own keyboard to avoid keylogging by third-party-keyboards and can be set up to fetch the database via webdav, which makes synchronizing with my Nextcloud really easy, while it also keeps a cached version on your phone, so you're not screwed, if you have no connection to your cloud for some reason.

Same, I use KeepassXC for my desktop and the app on my Android devices. I store the database file to my free google drive space. So its always cached and backed up for free plus there is a plugin for Firefox if you choose to use it.

Syncing files around is not a good solution compared to a client/server model. I use XC, but my phone is not involved in anything secure. If I did want to do something like that then bitwarden would be the way to go.

Bitwarden really is much better than LastPass. I have used both.

saves time but undermines the entire point of 2FA

Yep, one of the reasons why I love using KeepassXC. Keyfile is a must have and make sure it's not sync'd anywhere. It's sorta PITA getting the key file onto my mobile devices without using some kind of a sync service such as Nextcloud (self hosted) but once it's there it's a layer of security that I love having. There is one feature I wish KeePassXC had is multiple key files on a key ring. Meaning each device have it's own key file to the same database in case one gets compromised you just invalidate that key file in your database.

Try this. On say your desktop, make a password change on a web site. Then go to your Apple phone (for example) and try to login to said site with Bitwarden login. In my experience, I have to manually initiate a forced sync both on the device I made the change on AND the phone before it will update the new password in the vault. It’s not automatic and that has become extremely annoying.

@@curtispavlovec As I said, I spent a day updating all my relevant passwords. The various instances of bitwarden seemed to sync them across the devices just fine.

KeePassXC can convert the database from KeePass 2 without an issue.

I know I'm late to reply, but multiple password managers may someday let us store passkeys in them, and use a master password (or another passkey) to lock the vault. 1Password already lets you store passkeys in it. Bitwarden is also adding support for passkeys in the near future. I heard about these things from KZbin videos, and from blog posts made by 1Password and Bitwarden.

Great to hear!

@@sirmongoose if you keep login to 10-15 shuts every day I doubt you can stands

well the video did address that both solutions will use the last cached version of the passwords in the event of loss of access. Or at lest BW does so even without power you can still see the last password on record. But if you want it yeah both have local implimentations

Bitwarden apps cache the passwords when offline.

@@LAWRENCESYSTEMS Yeah but if you didn’t force sync just before it died you won’t have the latest vault data. This is a problem I noticed right away with Bitwarden. The sync is clumsy and slow and often I have to manually initiate a forced sync on multiple devices to get current vault data. It’s absurd to me. The sync should be automatic and constant when a vault update is made on any platform or device out to the others.

@@curtispavlovec I have not had any issues with the sync and how fast it happens.

@@LAWRENCESYSTEMS Maybe it’s specific to Apple devices? I updated passwords this weekend for several sites and when I changed the passwords on my Chromebook and then went to log in using Bitwarden on my iPhone it always had the old (now wrong!) password until I manually initiated a sync on both my Chromebook and my iPhone. Had to do that each time I made any password change.

Yes, if a site lost control of the passwords but not their TOTP it would help.

​@Jo Blow Keep in mind that the Bitwarden two-step login only protects the login and not the encrypted vault. The LastPass attackers bypassed the logins entirely by accessing the vaults directly. I'm not saying the same will happen to Bitwarden. Just be aware that the master passphrase needs to be strong to prevent attackers who do have the vault.

I tie my TOTP in with Bitwarden and implement Duo but may switch to FIDO

@@ericesev I don't have this issue with KeePassXC as I use both key file and password to decrypt the database. Plus the database (encrypted vault) is stored locally.

Just use Bitwarden and their back end.

In Linux you can use cracklib-check locally

You can calculate the entropy yourself for any 'password' (not passphrase) generated by Bitwarden's password generator once you know the entropy per character. A particular redditor gave useful information regarding this. I will paste what he commented below. (The comment is around 1 year old from today) "Using Bitwarden's password generator (letters, numbers, special characters) you get 6.129 bits of entropy per lettter. So 20 characters would give you 122.58 bits of entropy - a very secure password. If you use avoid ambiguous characters you get 6.022 bits per character which doesn't change things much (120.44 vs. 122.58). I personally use 42 because it gives 257.418 bits of entropy, and with Bitwarden's design you max out the security at 256 bits (before you take into account any known vulnerabilities in any of the algorithms). Of course this assumes a randomly generated password and not one you create yourself using your own magic system. You will come across some people here that say they use 999 character passwords for the extra security but they don't understand how the encryption/hashing/kdfs work - you gain nothing in security going beyond 256 bits of entropy. Sure someday we will have new and improved encryption and hashing functions that offer 512 bits of security and then it may make sense to have longer passwords but we aren't there today and having a longer password today will not help when that day comes (you would need to regenerate/re-encrypt). TL;TD: 20 characters is very secure and more than adequate until quantum computers are more accessible." To add on from my side, you should consider going forward with a passphrase exclusively for your master password and also one that is generated randomly. Do not add anything from your side to a randomly generated passphrase and do not make a passphrase up yourself. If I am not mistaken, a passphrase would be easier for you to remember although would take longer to type. Regarding how many words for your passphrase, I will recommend to go with a 10 word passphrase at least. Yes that seems a lot in terms of length, especially when compared to Bitwarden allowing a mere 3 word passphrase generation, however, based on what I have read, you should go with a 10 word passphrase at least, if you are going to use a passphrase as your master password. Feel free to ask any questions.

Dunno, never used Dashlane.

No, if an attacker has a copy of the encrypted vault, 2FA does not apply. 2FA protects your login to the cloud servers. You need the 2FA to login and download the encrypted vault. The encrypted vaults from LastPass/Bitwarden/1Password do not require 2FA to open the vault. So if someone were to steal the encrypted vault without logging in, the 2FA would not provide any protection. This is what happened with LastPass.

While KeepassXC lacks the ability to sync one database to another in real time you can use any sync'ing tool like OneDrive or Nextcloud to sync everyone's database to the master. This is fine for small number of people but for large groups I'd use something like BitWarden Enterprise.

I'd make use of a key file in addition to your master password to add another layer of security. Office365 is a large infrastructure that's constantly being hammered by hackers. If somehow that encrypted database gets stolen at least with the key file and master password they will have a hard time cracking it.

My 2FA is on my phone so my password manager is not.

Use diceware

@@JoergWessels I don’t trust it nor any “lists” circulating online of supposed words or phrases. There has to be something better.

Vaultwarden is a fork maintained by a third party. I always prefer to use the first party service.

I'd like to think that people who are smart enough to know how to self-host are smart enough to keep that database file is offline. Can't really hack it if it's offline on an encrypted drive.

@@GeorgeG472 Sure, _some_ people are smart enough. But I'd be willing to bet that the majority are not. And some of those people are going to open ports on their firewall to some ancient WordPress installation that allows an attacker access to everything.

@@AlexDresko I think "common sense" is what is needed when dealing with security. You can be a genius in setting up a Linux server but don't bother securing it is not going to be a good day.

You make a fair point. But, what happened at LP aptly illustrates that smartness isn't the end-all/be-all. The reason people are leaving LP isn't that they were breached, so much as the company has demonstrated on ongoing culture of irresponsibility and sloppiness in keeping their customer's data safe. For example, some customer's 'Password Iterations Count' was left at 5000, 500, or even ONE, while others had been automatically updated to 100,100. Some vault data was left unencrypted. These are things we have just found out since the last breach, and this with smart people on their staff.

Never used it, I've only seen paid reviews of it, I didn't see anything compelling that would make me want to use it over bitwarden

Not likely as I don't use passbolt or know of any compelling reason I should use it.

Nope

KeePassXC does not currently have native WEBDAV support.

@@LAWRENCESYSTEMS Am I mistaken with Keepass then, I use XC on Android with my Webdav server, on Windows normall Keepass with the webdav URL. Have a nice 2023!

@@edwardvanhazendonk Tom is correct. The old version of KeePass2 did have that feature. I've moved to KeePassXC and use Nextcloud to sync the database.

Cloudflare Tunnel

I don't know how the bitwarden implementation of letsencrypt is, but..... it is possible to get certificates from letsencrypt without opening your firewall - you'd need to use DNS validation instead [letsencrypt will ask you to add a TXT value to DNS to prove you own the domain, rather than needing to have port 80 open to vlaidate]

I use HAProxy with a wildcard certificate kzbin.info/www/bejne/oKHchqBraNyYY7s

Could also use traefik with a wildcard cert.

Export the vault, or if you self host backup the server.

@@LAWRENCESYSTEMS thanks

There is a keepass version for android and I believe one for the iphone.

How to do what?

@@LAWRENCESYSTEMS the process of how one gets started with either product Ps . No really crucial question. I don't really use any managers.. but i was curious 🧐 Ps I followed your pfsense vids ans they are top notch, as well 🙂

It can be topped. For the highest security you want the database, password keyfile and database password all to reside on different systems. If you store the database on a private Nextcloud server or NAS and leave the keyfile on the decrypting client system only, then KeePass will fetch the database in RAM and clear it after it has been closed. That way an attacker would not have access to both in one go. For the password, obviously, the separate system is your brain.

I agree. Same with KeePass*. They control the code and can make it leak passwords to the internet at each update interval.

@@ericesev with KeePass there are two key differences: 1) you control when and if to update and have access to the code to review and/or build yourself (or someone you trust) 2) there are lots of independent and different clients to chose from (KeePassXC vs. KeePass is a prime example) ...point #2 is a double-edged sword -- on one hand each new implementation is a new risk, but on the other, each team is motivated to uphold the reputation and knows that with the source in the open (contrary to bitwarden's paid service) it is trivial to verify the binaries as well as to check the source itself. (do not know about bitwarden in this regard, self-hosting could have the same advantages)

@@ericesev and for completeness, when using an app, you can completely block its access to the network thus making this vector exfiltration far less likely... ...that is unless you use a browser plugin which makes an app no better than a website you do not control. If security is a requirement I usually recommend using an app (KeePass/KeePassXC or the like) without any browser integration and sync via something like syncthing (preferably) -- there are enough eyes on these projects to make a fuss if something odd would start happening and you (reasonably) control the whole chain from GUI to vault and from machine to machine....

​@@AlexNaanou It just comes down to trust for me. How can I trust the binaries from KeePass/syncthing match the source? Per Ken Thompson's Reflections on Trusting Trust; How can I trust the compiler used to compile KeePass wasn't malware? My comment wasn't meant as a criticism against KeePass. I was only stating that one needs to trust KeePass too. I think we just draw the line differently on where we are willing to place our trust.

@@ericesev I'd agree with you on the trust issue, but there are limits to it... If you are paranoid you could compile everything yourself, you could compare the binaries to the official ones (though this is a can of worms I'll not get into) but if that is really needed is threat-scale (or paranoia-scale ;) ) dependent.... the end result is that your data is under your control with some potential vectors of outside attack that can be mitigated based on again threat-scale and need or simply left to trust, that is not a big compromise IMHO. But if you compare that to a service that you do not control, then the threat surface is orders of magnitude larger, in addition to all the app issues you've touched on, the service-provider employs lots more people (usually), outside contractors, outsources some work, any link in this chain can be or get careless, they can be or get malicious, the web infrastructure can get compromised, your browser (or extension) can get compromised, ...etc. and contrary to the app, you have no way to audit, test, sandbox any of that, you are transferring quite sensitive data to a domain completely outside of your control based fully on trust.

I never did make use of Keeshare as never got it to work. Figured long as NextCloud app keeps the database in sync'd I'm golden. Will have to take a closer look now.