keepass xc has a browser extension that work's quite well and if even if it doesn't detect login fields the autofill in keepassxc works just as well too.
What I hate the most about Bitwarden is that the desktop app is a stinking bloated Electron web app and not a proper native (Qt) app like with KeepassXC. That was the deciding factor for me choosing KeepassXC.
That may be the case, but on the other hand, we have Browser extensions. I haven't even bothered to install the App in over a year or something, because there is no need for me. In 99% of my usecases, I need passwords in my Browser anyway.
Good overview. However, not enough credit given to ability to sync database with mobile devices (e.g. keepass2android and keepasium for iphone - I've used the former quite a bit and it syncs seamlessly and easy to set up). Also no discussion of hardware security keys or key file for added security with keepassxc.
Another thing. Keepass does have 2 factor authentication. But it does not have TOTP based authentication. You have physical keys and you also have a key file. Secure enough I would say.
I think its all about your threat model. I like bitwarden, lots of great featiures, transparent audits, open source. but may not be the be the best for someone of higher risk of attack. Good enough for most of us though.
@@playtester6635 good enough for most. Except its likely that nobody is targetting you. There is a chance someone is targetting Bitwarden in general though, so its still a security risk. At least Bitwarden encrypts everything though, so there's that :P
KeepassXC does recognize the system theme, but just like any other QT5 application you need to setup qt5ct and the like. I thought you were already using Syncthing? but that's the best tool not just for this but everything regarding file synchronization...
Like that bitwarden added Argon2id recently as a KDF function but for me KeepassXC still wins due to being able to use a Key file which just adds so much more entropy.
Lately, I've been looking for a local password manager to help me manage my accounts and passwords w/o remembering the passwords. I then install pass, The Standard Unix Password Manager which I found from DistroTube's video. And then I watched this video about KeepassXC. If you have tried pass before, which one is better in your opinion between pass and KeepassXC??
Typically, the SSH Agent allows you to store ssh keys in the password manager itself, and you point your .ssh/config file at the socket of the password manager. It forces you to authenticate in order to use your keys.
Thank you. I was intrigued when he mentioned this feature because I thought that was what is was for. A layer of encryption for your ssh keys (assuming that is what you are saying) would increase my security - especially since that is what I use instead of passwords to connect to remote intranet machines.
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
The fact that you control how the database in synchronized is not a security upgrade unless you are a security professional. Otherwise, I would say you stick to a service where they spent a lot of time thinking about it and they have experts.
i also will say it says you can import your bitwarden passwords and stuff but either cause it was first time using it or what not but it seemed like when i tried to import them it put them in the wrong text field so i had to literally type every password out lol so thats one thing i don't really like about the keepass i would eventually like to get stuff off the internet though like paswords its just gonna take me some getting used to or learning.
i've used bitwarden i also have tried keepass but with forgetting things and if i changed my passwords or something i'd be afraid i'd forget something. like right now its been awhile since i used keepass and i'd have to go in and probably re write my passwords and stuff in a new file just cause i've changed or added some stuff since the last time i used it. but now that im back on linux and got a laptop i can keep up with it easier but if you just have mobile its kinda a pain.
The BitWarden Android version is VERY unstable on my Lenovo M10 tablet, and very reliable on my Pixel 6a phone But overall, I like BitWarden, The convenience and value of its ability to sync across all platforms can not be over stated. I also REALLY like it's ability to search for compromised passwords. I've just switched to Linux and have tried a LOT of distros (settling on Ubuntu, I think) but I'e noticed that the UNIQUE login password I used for Zorin was compromised within the week. Is this a common Linux issue?
I prefer KeepassXC for personal stuff. I do use bitwarden for work stuff and it is convenient. Interesting point about the clipboard history. For Ubuntu it doesn't come with a clipboard manager and it does clear history after 10 sec (can't paste pw anymore) which I find much more convenient (and safer) than having to override it manually when using Bitwarden on the work laptop.
I'm currently working on my own password manager. It's going to use local storage only, with the option to backup somehow (haven't gotten that far yet). I'm hoping to have it released in the next month or two.
@@chuckmuckamuck8001 Not currently published. I doubt I'll open source it. My method of "encryption" relies rather heavily on "security through obscurity" (I know, I'm awful) and releasing the sources would negate that. (I'm writing it for myself, as is the case with the majority of my software.) It's rare that I don't open source something I have publicly released, but in this case I feel it's the right choice. 🤷♂️
In my opinion you should make a keepassxc client. Trying to come up with your own encryption and organization will only make it harder to switch in case you get compromised or something.
@@joelchrono On the one hand, I'm not terribly worried about super high security. There's no server to compromise, and if someone else has access to your device(s), you really have bigger worries. On the other hand, I think it would take a "hacker" some time to get something useful out of "kSM~/j+(oJ,$l+" or "-k/E,R,WOFm3mKN$.F", two phrases "encrypted" using a simplified version of my method. (Or maybe I'm just kidding myself, who knows.)
I recently got a 2FA code sent to my phone ,which indicated someone had my bank account user number and was attempting to change my password using the "forgot password" option. Of course , using 2FA prevented any further progress for the criminal. I notified the bank and their fraud department got as far as locating to origin of the attempt as being in the region I reside. I have never given my bank account user number to anyone and I was intrigued as to how the criminal got it. Was it just a random number attempt? Was it an "inside job" by a bank employee? Or the only other thing I could think of was that years ago I used LastPass but closed my LP account after their first data breech. I was wondering if my data still exists on LastPass servers even though I closed my account. I used Bit Warden briefly and then went to Keepassxc. I synchronise the KP database on my devices using Syncthing
security through obscurity, statistically you'd be safer keeping your passwords in a plain text file on your desktop than on a major target like bitwarden
But if someone got to your text file, would you detect that breach? Bitwarden is a major target but I'm confident they would detect a breach. Even Lastpass detected the breach and dragged their tail on notification, but we were notified.