Any comments on KeePassXC?

Long ago and probably here at TidBITS, I found a reference to a password manager called KeePassXC that EFF seems to be endorsing. However, I could only find one instance of “KeePass” in TidBITS Talk, and that was just a passing reference, so maybe I heard about it somewhere else. It’s free, which is nice, but even nicer is that it does not have a subscription model. Does anyone have something good or bad to say about this program?

I’m partial to EFF, although I do wish the page linked above would confirm that it is published by the Electronic Frontier Foundation. If I’m misguided in my belief that EFF is somewhat better than average as an advocate for the little people, please educate me.

In another digression in the first post of this topic (how many people derail their own threads, and on the first post at that?), I was going to append this to the thread Password Managers, but the software told me the last activity there was ten months ago and suggested that maybe I didn’t really want to post there. I started this new thread, and the software told me my topic was similar to two existing threads (neither of which seemed similar to me) and suggested maybe I should post in one of them. Adam, please merge this if it’s appropriate, but add a comment about when to start a new thread and when to resurrect an old thread. Thanks.

1 Like

I’m partial to the nonprofit EFF too. I’m also partial to Consumer Reports, which does not allow mention of their studies and evaluations in the advertising or marketing of the products they review, and neither organization sells or accepts advertising. To do so could create conflicts of interest, stuff like “a product got the best score and review because they gave a big donation.” And Amazon, Yelp and other user review based services have come under fire, including many instances of companies paying or giving free products to people who will write good reviews:

https://www.consumerreports.org/cro/news/2011/09/why-consumer-reports-has-a-no-commercial-use-policy/index.htm

I do think both organizations advocate for a little person like me.

I’ve also just started looking into KeePassXC. I’ve been a 1Password user forever, but lately the product has grown a bit too big and complex for my tastes. I don’t need any of the fancy functionality (teams, watchtower, their own cloud…) and I feel as though every extra feature brings with it the opportunity for configuration errors and software vulnerabilities. I think the 1Password dev team does a great job, and I still think it’s a fantastic product, but I’m no longer really in their target demographic.

What attracted me to KeePassXC is that it is supported on Tails, a privacy-focused OS that I use a lot. The Tails team carefully vets their included software for security, so their imprimatur means a lot to me.

What KeePassXC lacks (as far as I know) is any kind of sync capability, though you can apparently share a KeePassXC database over a sync service such as Dropbox or (my current go-to) Resilio Sync. Note, however, that one can encounter difficult data-loss scenarios when sharing single-user databases across multiple devices.

I’m also considering going full retro, and storing my passwords using Standard Notes, though the complete lack of browser integration would probably either drive me crazy or prompt me to try to emulate that functionality using Keyboard Maestro.

When the pandemic heat has cooled a bit, I’ll try migrating to KeePassXC and report back.

Thank you, @MMTalker, for your thoughts on EFF. I subscribe to Consumer Reports, in part for exactly the reason you mention. I sometimes disagree with Consumer Reports’ logic, ratings, or discussion, but I do like knowing that the reviewer reached a different conclusion than I did rather than the reviewer was bought off.

Thank you, @ron, for your thoughts.

I do not anticipate doing it, but could the KeePass database be stored in iCloud to allow access from different devices? I have never used Dropbox, Resilio Sync, or any other sync service (on an Apple platform; employment required some strange nonsense), so I don’t know if iCloud would be better, worse, or different.

Would you elaborate on that, please?

At present, I store passwords in a locked Excel file. Is that similar to what you are considering?

The main problem I’ve encountered with storing passwords in my Excel file is web sites that decide pasting should be disabled. What is the rationale with that? Would an integrated password manager be able to paste text in such a web page?

Ron Risley wrote:

I’m also considering going full retro, and storing my passwords using Standard Notes https://standardnotes.org/

I hadn’t heard of it but I’ve been looking for an encrypted notebook, so I went to sites looking for the open source info. Unfortunately, it uses the Electron platform, which has a history of its own vulnerabilities. It’s widely used and heavily attacked. Electron also tends to not be true to the OS it runs on, like Java apps.

I’m considering using Strongbox, also open source with extra features if you pay (either a one-time price or subscription). It lets you use a number of standard encryption schemes and password file formats, including Password Safe and KeePass 1 and 2. The interface is adequate, though I’d prefer a free form notebook (I have no interest in an app doing the typing for me.) Mac/iOS only, and you can download full Xcode projects (it might not include the pro features, I haven’t looked) if you want to bypass the iOS App Store. On the other hand, I don’t know anything about the developer or his qualifications – security software is hard.

The only thing I have ever intentionally used iCloud for is FindMy, so I don’t know much about it. In theory, it should work, but KeePassXC might, for example, have trouble connecting to the database from an iOS device.

The problem with putting any kind of (formal or informal) database file on a sync platform and then accessing it from multiple devices is that more than one device might try modifying the database at the same time. If two devices try writing to the exact same field, for example, only the later write will get saved; the earlier one will be obliterated. If the database has internal structures (most do), and modification of the database isn’t atomic, then writing to even different fields of the database can cause the internal structures to become corrupted.

Programs designed to have multiple users writing to the same file take steps (locking, semaphores, journaling…) to prevent corruption and data loss.

Bottom line: sync is hard. Just throwing a file designed for single-user access onto a sync platform will probably work 98% of the time, but that last 2% could be tragic.

Similar, but StandardNotes supports strong encryption and synchronization among multiple devices (including Android and iOS). You can even run your own server if you don’t want your encrypted data leaving your own infrastructure.

Pure, unadulterated ignorance and stupidity justified by screaming “BUT SECURITY!!!” with no clue what they’re saying. You might want to look into Stop the Madness if you are using Safari.

I’m not sure what your threat model might be, but if you’re worried about some kind of malware running with root privilege attacking your apps, then you probably have bigger problems. I’m not aware of a password manager that is proof against local code running with privilege. 1Password is certainly vulnerable, as they admit without rancor on their site: “this isn’t a new security issue, it basically confirms that once the system is compromised, the game is over.” Even pure userspace code that is running rogue on your system could mount a successful social engineering type attack against Apple’s Keychain or 1Password, as both systems have a habit of soliciting your master password asynchronously in ways that give users no reasonable way to establish the authenticity of the request.

In a more realistic scenario, the Electron vulnerabilities come into play when it’s used for apps like Slack that have potentially unvalidated or unsanitized data coming from potentially hostile sources. Since the only data Standard Notes sees is coming from you, it’s unlikely that you’re going to pwn yourself.

Alas, the lack of platform fidelity is a drawback. For example, drag-and-drop is poorly supported on the macOS client, and printing is MIA.

You might be interested in this take on other Electron issues from Mo Bitar, SN developer:

https://journal.standardnotes.org/in-defense-of-electron-e7d5b5229b70
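The “sync is hard” point above (two devices each doing a read-modify-write on the same single-user file, with the last save silently overwriting the other) can be reproduced in a few lines. The following is an added illustration, not code from this thread, from KeePassXC or from any sync service: a JSON file stands in for the password database, threads stand in for devices, a short pause models the time spent editing before saving, and the “locked” variant uses a POSIX advisory lock (fcntl.flock) held across the whole read-modify-write, which is the kind of step a multi-user program takes and a plain sync folder does not.

```python
"""Lost-update demo: one single-user database file edited by several
"devices" at once, with and without a lock (added example, not thread code).

Each writer does read-modify-write on a JSON file that stands in for a
password database. The pause between read and write models the time a
device spends editing before it saves. Without a lock, every writer starts
from the same stale copy and the last save wins; the other entries are
silently lost. With an exclusive lock held across the whole operation,
every entry survives. POSIX only (fcntl).
"""
import fcntl
import json
import os
import tempfile
import threading
import time

EDIT_PAUSE = 0.05  # seconds between reading the file and saving it back


def _read_db(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def _write_db(path, db):
    # Write a temp file and rename it into place so nobody reads a half-written file.
    tmp = "%s.tmp.%d" % (path, threading.get_ident())
    with open(tmp, "w") as f:
        json.dump(db, f)
    os.replace(tmp, path)


def add_entry_unsafe(path, name, secret):
    """Uncoordinated read-modify-write: what a sync folder gives you."""
    db = _read_db(path)
    time.sleep(EDIT_PAUSE)
    db[name] = secret
    _write_db(path, db)


def add_entry_locked(path, name, secret):
    """Same operation, serialised by an exclusive advisory lock on a side file."""
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # blocks until no other writer holds it
        try:
            db = _read_db(path)
            time.sleep(EDIT_PAUSE)
            db[name] = secret
            _write_db(path, db)
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)


def run_writers(path, writer, n):
    """Run n 'devices' concurrently, each adding its own entry; return surviving names."""
    threads = [threading.Thread(target=writer, args=(path, "site%d" % i, "pw%d" % i))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(_read_db(path))


def demo(n=5):
    """Number of entries that survive n concurrent writers, unsafe vs locked."""
    results = {}
    for label, writer in (("unsafe", add_entry_unsafe), ("locked", add_entry_locked)):
        with tempfile.TemporaryDirectory() as d:
            results[label] = len(run_writers(os.path.join(d, "vault.json"), writer, n))
    return results


if __name__ == "__main__":
    print(demo())  # 'locked' is always 5; 'unsafe' is fewer (typically 1)
```

The lock here works because every writer is on the same machine and honours the same advisory lock; a file on Dropbox or Resilio Sync gets no such coordination between devices, which is why the thread’s 98%/2% estimate is about the best you can hope for with a single-user format.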

Not accepting ads and such may prevent them from showing favoritism toward advertisers, but it doesn’t guarantee unbiased reviews.

Consumers publishes plenty of advocacy articles for a variety of political issues alongside product reviews. I don’t know if they can be trusted to give accurate reviews when some manufacturers advocate similar issues and others advocate opposite positions.

I personally don’t trust them because I’ve identified lots of mistakes when they review product categories that I know well - like computers and other personal electronic devices. Since I know they can’t be trusted to get their facts straight for these items, why would I trust them not to make similar mistakes regarding products I know nothing about?

Many decades ago, Consumer Reports focused almost entirely on product reviews. And the articles read like lab reports - documenting their methodologies and presenting their raw data alongside the conclusions. Today, I rarely if ever see that quality of reporting. So I have no way of evaluating the review - all I get are conclusions that I am expected to trust on faith.

The not for profit and highly respected Columbia Journalism Review ran an excellent article about Consumer Reports and The Wirecutter. It reminded me of an advocacy campaign CR ran in the 1950s - 60s that was influential in making seat belts in cars mandatory, and in passing legislation requiring people to use them. They continue to advocate for health and safety regulations, as well as for issues concerning credit and banking, insurance and lots of other issues I personally agree with.

However, I do not agree with most of their evaluations of Apple products. When it comes to Macs as a personal purchase, I am probably more interested in design, graphics, typography, color accuracy than the average desktop or laptop user. This admitted snobbery does spill over into how I think about their reviews about Apple’s iOS devices as well.

But I have been happy with my recent switch to a different laundry detergent recommended by CR, as I have been with so many other consumer products they recommended over decades. And though I know I’m risking the curse of the evil eye, my family has never gone wrong with any of the cars they recommended. And I’ve done well with the Wirecutter’s reviews also.

KeePassXC is great. I used the old KeePass to manage my passwords for years before I switched to 1Password. I experimented with switching back to KeePassXC a while back because I wanted to switch to more open-source software, but I eventually just fell back on 1Password because it makes things so easy.

In this case, I think a new topic was appropriate, since you’re asking about a specific app, which is better than the more-general Password Managers topic that you mentioned.

As far as the Discourse warning about replying to a topic that’s more than 6 months old, I seldom think that’s an issue, so I found the setting and disabled it.

In general, if it’s appropriate to ask a question in the context of an article, I do prefer that people post in the appropriate article’s comment stream, rather than in the general TidBITS Talk category so the comment gets associated properly with the article and bolsters it for posterity and SEO.

Maybe I am naive, but I fail to see the real need for high security for passwords on simple webpages, say like TidBITS. Where for my bank’s webpage I see a need for the highest security. So for the former, I just let Safari store the username and password. For others I sort of do as suggested with an Excel sheet, but I developed two algorithms I can do in my head, and store the algorithm ‘keys’ or hints in a text file, that is sync’d with my iPhone. Then on top of that most web pages deserving of high security like Banks now have two factor authorization.
However I see some massive security holes. 1) Apple sends alerts to the mac I am on with a code to get on Apple sites, I see no security in that, the code should be sent to my other device, 2) if I get a two factor authorization code via text, iMessages picks it up and allows with a click for it to be entered. That too does not seem to add any security. These two factor authorization codes should be sent only to the device I am NOT on. When I am on my Mac I usually have my phone with me, but that could be a pain if I am on my phone without my Mac (I rarely access secure sites on my phone). Maybe for two factor authorization you need another code to see the code sent.
But for these 3rd party password managers I have always wondered how easy it would be for them to send the database to someone else.

There is an argument for not worrying about passwords for certain accounts. I still use 1Password for everything for the various reasons.

  1. I want a unique password for every site. Once the passwords are cracked on one site those credentials (user name, often the e-mail address) are tested through automation on every banking site in the world. Many people use the same password on every site they use.

  2. It is easier for me. I let 1Password enter the passwords for me. I don’t worry if this low priority site is using a password reserved for low priority sites.

  3. It is easy to make a site look like your site’s name by taking advantage of unicode. 1Password (or lastpass, etc) won’t autofill a password for me if the name isn’t right. If I have to copy and paste a password that is a warning that something is wrong. Same with letting Safari remember it.

Good password managers provide the option for no password recovery under any conditions. So if you lose your LastPass password you’ve lost all of your passwords. You want a password manager where the company publishing the software cannot crack your database.

–Paul Chernoff

3 Likes
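Point 3 above (the manager refusing to autofill when the site’s name isn’t right) comes down to an origin comparison. The following added example shows one way such a check works; it is illustrative code, not 1Password’s, LastPass’s or Safari’s, and the vault entries, URLs and secrets are constructed for the demo. A saved credential is offered only when the page is HTTPS and its canonicalised host (lower-cased, trailing dot removed, Unicode labels converted to their xn-- form) is byte-for-byte the saved host; a look-alike host built from non-Latin letters canonicalises to a different name, so nothing is offered and the user is left to copy and paste by hand, which is exactly the warning sign described.

```python
"""Origin matching as a password manager might do it (added example).

The vault stores each credential with the URL it was saved for. Before
offering one, the manager canonicalises the current page's host and
compares it with the saved host. A mixed-script look-alike host is also
flagged so the refusal can carry a reason.
"""
import unicodedata
from urllib.parse import urlsplit


def canonical_host(url):
    """Lower-case, strip a trailing dot, convert to the ASCII (punycode) form."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def script_of(ch):
    """Rough script name taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def looks_mixed_script(host):
    """True if any label of the (still Unicode) host mixes letters from different scripts."""
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            return True
    return False


# Constructed sample vault; URLs, user names and secrets are made up for the demo.
VAULT = [
    {"title": "Example Bank", "url": "https://www.example.com/login",
     "user": "alice", "secret": "pw-example"},
    {"title": "TidBITS Talk", "url": "https://talk.tidbits.com/",
     "user": "alice", "secret": "pw-tidbits"},
]


def matching_entries(vault, page_url):
    """Entries whose saved host equals the page's canonical host; HTTPS pages only."""
    if urlsplit(page_url).scheme != "https":
        return []
    page_host = canonical_host(page_url)
    return [e for e in vault if canonical_host(e["url"]) == page_host]


def autofill_decision(vault, page_url):
    """Return ('fill', entries) or ('no-fill', reason)."""
    entries = matching_entries(vault, page_url)
    if entries:
        return "fill", entries
    raw_host = urlsplit(page_url).hostname or ""
    if looks_mixed_script(raw_host):
        return "no-fill", "host mixes scripts: " + canonical_host(page_url)
    return "no-fill", "no saved entry for " + canonical_host(page_url)


if __name__ == "__main__":
    for url in ("https://www.example.com/login?next=1",
                "http://www.example.com/login",
                "https://www.ex\u0430mple.com/login"):   # Cyrillic 'а' in place of Latin 'a'
        verdict, detail = autofill_decision(VAULT, url)
        print(url, "->", verdict, detail if verdict == "no-fill" else [e["title"] for e in detail])
```

The exact-host rule is deliberately strict: it will not offer a credential saved for www.example.com on login.example.com either, which is a usability cost some managers soften with a registrable-domain match. The mixed-script flag is a heuristic (a legitimately internationalised name can trip it), so it only explains a refusal; it never grants a fill.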

I forgot one other item. No matter how innocuous, a website where you have an account might have information that might help someone with identity theft. In business we have to explain that security is important to everyone. There are those who believe that they don’t have access to anything important (they are usually wrong on that count) but it isn’t unusual for someone to crack an intern’s email account and use that to convince others to provide information that leads to cracking more important accounts. So same idea here. If someone has your email address and information on your interests they might be able to use that information to impersonate you and get more valuable information from others.

4 Likes