keepass xc has a browser extension that work's quite well and if even if it doesn't detect login fields the autofill in keepassxc works just as well too.
What I hate the most about Bitwarden is that the desktop app is a stinking bloated Electron web app and not a proper native (Qt) app like with KeepassXC. That was the deciding factor for me choosing KeepassXC.
That may be the case, but on the other hand, we have Browser extensions. I haven't even bothered to install the App in over a year or something, because there is no need for me. In 99% of my usecases, I need passwords in my Browser anyway.
Another thing. Keepass does have 2 factor authentication. But it does not have TOTP based authentication. You have physical keys and you also have a key file. Secure enough I would say.
Good overview. However, not enough credit given to ability to sync database with mobile devices (e.g. keepass2android and keepasium for iphone - I've used the former quite a bit and it syncs seamlessly and easy to set up). Also no discussion of hardware security keys or key file for added security with keepassxc.
I think its all about your threat model. I like bitwarden, lots of great featiures, transparent audits, open source. but may not be the be the best for someone of higher risk of attack. Good enough for most of us though.
@@playtester6635 good enough for most. Except its likely that nobody is targetting you. There is a chance someone is targetting Bitwarden in general though, so its still a security risk. At least Bitwarden encrypts everything though, so there's that :P
I prefer KeepassXC for personal stuff. I do use bitwarden for work stuff and it is convenient. Interesting point about the clipboard history. For Ubuntu it doesn't come with a clipboard manager and it does clear history after 10 sec (can't paste pw anymore) which I find much more convenient (and safer) than having to override it manually when using Bitwarden on the work laptop.
Typically, the SSH Agent allows you to store ssh keys in the password manager itself, and you point your .ssh/config file at the socket of the password manager. It forces you to authenticate in order to use your keys.
Thank you. I was intrigued when he mentioned this feature because I thought that was what is was for. A layer of encryption for your ssh keys (assuming that is what you are saying) would increase my security - especially since that is what I use instead of passwords to connect to remote intranet machines.
KeepassXC does recognize the system theme, but just like any other QT5 application you need to setup qt5ct and the like. I thought you were already using Syncthing? but that's the best tool not just for this but everything regarding file synchronization...
Like that bitwarden added Argon2id recently as a KDF function but for me KeepassXC still wins due to being able to use a Key file which just adds so much more entropy.
The fact that you control how the database in synchronized is not a security upgrade unless you are a security professional. Otherwise, I would say you stick to a service where they spent a lot of time thinking about it and they have experts.
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
Lately, I've been looking for a local password manager to help me manage my accounts and passwords w/o remembering the passwords. I then install pass, The Standard Unix Password Manager which I found from DistroTube's video. And then I watched this video about KeepassXC. If you have tried pass before, which one is better in your opinion between pass and KeepassXC??
The BitWarden Android version is VERY unstable on my Lenovo M10 tablet, and very reliable on my Pixel 6a phone But overall, I like BitWarden, The convenience and value of its ability to sync across all platforms can not be over stated. I also REALLY like it's ability to search for compromised passwords. I've just switched to Linux and have tried a LOT of distros (settling on Ubuntu, I think) but I'e noticed that the UNIQUE login password I used for Zorin was compromised within the week. Is this a common Linux issue?
It's not easy to come up with a truly unique pass below 16 characters. Pretty much most of the passwords are already hashed in rainbow tables. You have to use 16+ chars of full ASCII, or 6-8 words for a passphrase, anything else is not secure anymore (GPUs are insanely powerful nowadays).
i've used bitwarden i also have tried keepass but with forgetting things and if i changed my passwords or something i'd be afraid i'd forget something. like right now its been awhile since i used keepass and i'd have to go in and probably re write my passwords and stuff in a new file just cause i've changed or added some stuff since the last time i used it. but now that im back on linux and got a laptop i can keep up with it easier but if you just have mobile its kinda a pain.
i also will say it says you can import your bitwarden passwords and stuff but either cause it was first time using it or what not but it seemed like when i tried to import them it put them in the wrong text field so i had to literally type every password out lol so thats one thing i don't really like about the keepass i would eventually like to get stuff off the internet though like paswords its just gonna take me some getting used to or learning.
I'm currently working on my own password manager. It's going to use local storage only, with the option to backup somehow (haven't gotten that far yet). I'm hoping to have it released in the next month or two.
@@chuckmuckamuck8001 Not currently published. I doubt I'll open source it. My method of "encryption" relies rather heavily on "security through obscurity" (I know, I'm awful) and releasing the sources would negate that. (I'm writing it for myself, as is the case with the majority of my software.) It's rare that I don't open source something I have publicly released, but in this case I feel it's the right choice. 🤷♂️
In my opinion you should make a keepassxc client. Trying to come up with your own encryption and organization will only make it harder to switch in case you get compromised or something.
@@joelchrono On the one hand, I'm not terribly worried about super high security. There's no server to compromise, and if someone else has access to your device(s), you really have bigger worries. On the other hand, I think it would take a "hacker" some time to get something useful out of "kSM~/j+(oJ,$l+" or "-k/E,R,WOFm3mKN$.F", two phrases "encrypted" using a simplified version of my method. (Or maybe I'm just kidding myself, who knows.)
security through obscurity, statistically you'd be safer keeping your passwords in a plain text file on your desktop than on a major target like bitwarden
But if someone got to your text file, would you detect that breach? Bitwarden is a major target but I'm confident they would detect a breach. Even Lastpass detected the breach and dragged their tail on notification, but we were notified.
I recently got a 2FA code sent to my phone ,which indicated someone had my bank account user number and was attempting to change my password using the "forgot password" option. Of course , using 2FA prevented any further progress for the criminal. I notified the bank and their fraud department got as far as locating to origin of the attempt as being in the region I reside. I have never given my bank account user number to anyone and I was intrigued as to how the criminal got it. Was it just a random number attempt? Was it an "inside job" by a bank employee? Or the only other thing I could think of was that years ago I used LastPass but closed my LP account after their first data breech. I was wondering if my data still exists on LastPass servers even though I closed my account. I used Bit Warden briefly and then went to Keepassxc. I synchronise the KP database on my devices using Syncthing
Want more Linux content? Follow me on Mastodon: fosstodon.org/@thelinuxcast
Kee-pass-ex-see vs keep-ass-secs-ee pronunciation debate should replace the guh-nome debate. Much more fun 😊
😂
keep-ass-secs-ee wins every time
Yes lmfao
You could run your own Bitwarden server, so that you don’t have to keep your passwords outside of your network.
Exactly. Keeping it on local proxmox over cloudflare tunnel. For double security
But that wouldnt sync with your phones right
@@marcusaurelius3487 yes it will but its not for noobs. you could host bitwarden server on a raspberry pi thats always on for instance.
I use them both. Bitwarden mostly for the browser extension, and KeepassXC for its flexibility. One effectively acts as a backup to the other.
Do you import/export back and forth between them or manually copy/paste in order to update?
@@donpeer4477 I copy/paste at the time of entry. It's usually just a few more seconds.
keepass xc has a browser extension that work's quite well and if even if it doesn't detect login fields the autofill in keepassxc works just as well too.
KeePassXC has a browser extension, though? Pretty good too.
@@xmaverickhunterkx Yes, KeepassXC has a browser extension. It's garbage, IMO, compared to Bitwarden.
What I hate the most about Bitwarden is that the desktop app is a stinking bloated Electron web app and not a proper native (Qt) app like with KeepassXC. That was the deciding factor for me choosing KeepassXC.
That may be the case, but on the other hand, we have Browser extensions. I haven't even bothered to install the App in over a year or something, because there is no need for me. In 99% of my usecases, I need passwords in my Browser anyway.
I use Bitwarden for 2 years now, never had a complaint.
A hacker's not getting my handwritten paper! lol
But how do you a backup? In case of a fire? Or write long complex passwords faster?
Never wrote down passwords in 30 plus years. Also wrote a password manager in 2005 though. Been using Bitwarden for years now...
When you make a NAS/home server, I think you should make a docker containing this. That's what I'm thinking of doing.
I'll probably do something like this too, eventually, when I have the money and room to set up a home server!
How reliable would it be to just use an old laptop for this and some data storage?
I would use Podman. But basically it's the same on the low level
I do that with bitwarden (vaultwarden)
buuut there are disadvantages unless you have a static ip
Another thing. Keepass does have 2 factor authentication. But it does not have TOTP based authentication. You have physical keys and you also have a key file. Secure enough I would say.
Good overview. However, not enough credit given to ability to sync database with mobile devices (e.g. keepass2android and keepasium for iphone - I've used the former quite a bit and it syncs seamlessly and easy to set up). Also no discussion of hardware security keys or key file for added security with keepassxc.
Bitwarden all the way... But Keepass is probably safer if you prefer offline password management.
I think its all about your threat model. I like bitwarden, lots of great featiures, transparent audits, open source. but may not be the be the best for someone of higher risk of attack. Good enough for most of us though.
@@playtester6635 good enough for most. Except its likely that nobody is targetting you. There is a chance someone is targetting Bitwarden in general though, so its still a security risk. At least Bitwarden encrypts everything though, so there's that :P
@@joelchrono All they have is the hash on the bitwarden side.
You can host your own BitWarden server.
@@umka7536 true, but it's not completely offline though like KeePass is.
I would personally recommend hardening your password manager with a physical security key.
KeepassXC supports YubiKey.
I prefer KeepassXC for personal stuff. I do use bitwarden for work stuff and it is convenient.
Interesting point about the clipboard history. For Ubuntu it doesn't come with a clipboard manager and it does clear history after 10 sec (can't paste pw anymore) which I find much more convenient (and safer) than having to override it manually when using Bitwarden on the work laptop.
Don't mean to evangelize BitWarden but in the options there's clipboard clear timer
@@jacmy ooh thanks just enabled it. Never crossed my mind to check haha much appreciated
Typically, the SSH Agent allows you to store ssh keys in the password manager itself, and you point your .ssh/config file at the socket of the password manager. It forces you to authenticate in order to use your keys.
Thank you. I was intrigued when he mentioned this feature because I thought that was what is was for. A layer of encryption for your ssh keys (assuming that is what you are saying) would increase my security - especially since that is what I use instead of passwords to connect to remote intranet machines.
KeepassXC does recognize the system theme, but just like any other QT5 application you need to setup qt5ct and the like.
I thought you were already using Syncthing? but that's the best tool not just for this but everything regarding file synchronization...
Like that bitwarden added Argon2id recently as a KDF function but for me KeepassXC still wins due to being able to use a Key file which just adds so much more entropy.
Keepassxc has 2FA in the form of key files or hardware keys.
I use a key file in an obscure directory deep in the file system
I use both. One essentially acts as a backup for the other.
On my pc I use keepassXC and on android I use keepassDX I can use fingerprint to unlock my database with it
The fact that you control how the database in synchronized is not a security upgrade unless you are a security professional. Otherwise, I would say you stick to a service where they spent a lot of time thinking about it and they have experts.
The clipboard integration in keepassxc works perfectly in my Plasma NixOS machine. It might be xfce problem but I don't really know much.
How come these companies don't use MFA: Multi-Factor Authentication.
KeePassXC have multi authentication possibilities. It can be setup to require a key file or even hardware key (or both), in addition to the password.
Had tried both and more. The convenience and security of bitwarden is unmatched...
keepassxc uses qt, you could use gtk plugin for qt so that it can use native theme
If you just qt, then it doesn't follow set QT things either. Because I have one of those set for my system and it didn't follow it.
@@TheLinuxCast you have to click on View > Theme > Follow System Theme (or smth like that) for it to follow your qt theme
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
Bitwarden ❤
Lately, I've been looking for a local password manager to help me manage my accounts and passwords w/o remembering the passwords. I then install pass, The Standard Unix Password Manager which I found from DistroTube's video. And then I watched this video about KeepassXC. If you have tried pass before, which one is better in your opinion between pass and KeepassXC??
The BitWarden Android version is VERY unstable on my Lenovo M10 tablet, and very reliable on my Pixel 6a phone But overall, I like BitWarden, The convenience and value of its ability to sync across all platforms can not be over stated. I also REALLY like it's ability to search for compromised passwords. I've just switched to Linux and have tried a LOT of distros (settling on Ubuntu, I think) but I'e noticed that the UNIQUE login password I used for Zorin was compromised within the week. Is this a common Linux issue?
It's not easy to come up with a truly unique pass below 16 characters. Pretty much most of the passwords are already hashed in rainbow tables.
You have to use 16+ chars of full ASCII, or 6-8 words for a passphrase, anything else is not secure anymore (GPUs are insanely powerful nowadays).
i've used bitwarden i also have tried keepass but with forgetting things and if i changed my passwords or something i'd be afraid i'd forget something. like right now its been awhile since i used keepass and i'd have to go in and probably re write my passwords and stuff in a new file just cause i've changed or added some stuff since the last time i used it. but now that im back on linux and got a laptop i can keep up with it easier but if you just have mobile its kinda a pain.
i also will say it says you can import your bitwarden passwords and stuff but either cause it was first time using it or what not but it seemed like when i tried to import them it put them in the wrong text field so i had to literally type every password out lol so thats one thing i don't really like about the keepass i would eventually like to get stuff off the internet though like paswords its just gonna take me some getting used to or learning.
I'm currently working on my own password manager. It's going to use local storage only, with the option to backup somehow (haven't gotten that far yet). I'm hoping to have it released in the next month or two.
On GitHub?
@@chuckmuckamuck8001 Not currently published. I doubt I'll open source it. My method of "encryption" relies rather heavily on "security through obscurity" (I know, I'm awful) and releasing the sources would negate that. (I'm writing it for myself, as is the case with the majority of my software.)
It's rare that I don't open source something I have publicly released, but in this case I feel it's the right choice. 🤷♂️
In my opinion you should make a keepassxc client. Trying to come up with your own encryption and organization will only make it harder to switch in case you get compromised or something.
@@joelchrono On the one hand, I'm not terribly worried about super high security. There's no server to compromise, and if someone else has access to your device(s), you really have bigger worries.
On the other hand, I think it would take a "hacker" some time to get something useful out of "kSM~/j+(oJ,$l+" or "-k/E,R,WOFm3mKN$.F", two phrases "encrypted" using a simplified version of my method. (Or maybe I'm just kidding myself, who knows.)
@@helloimatapir under other circumstances I would agree with you, but I have my reasons.
Pen and Paper solos.
@Kro oxygen/brain solos your water/fire.
The best password manager - only "Orthodox" pass 👍
Vault Warden video please.
Sync a keepass password file with cryptomator in cloud
security through obscurity, statistically you'd be safer keeping your passwords in a plain text file on your desktop than on a major target like bitwarden
But if someone got to your text file, would you detect that breach? Bitwarden is a major target but I'm confident they would detect a breach. Even Lastpass detected the breach and dragged their tail on notification, but we were notified.
Bitwarden forsure
I recently got a 2FA code sent to my phone ,which indicated someone had my bank account user number and was attempting to change my password using the "forgot password" option.
Of course , using 2FA prevented any further progress for the criminal.
I notified the bank and their fraud department got as far as locating to origin of the attempt as being in the region I reside.
I have never given my bank account user number to anyone and I was intrigued as to how the criminal got it.
Was it just a random number attempt?
Was it an "inside job" by a bank employee?
Or the only other thing I could think of was that years ago I used LastPass but closed my LP account after their first data breech.
I was wondering if my data still exists on LastPass servers even though I closed my account.
I used Bit Warden briefly and then went to Keepassxc.
I synchronise the KP database on my devices using Syncthing
🔐🛡👍