this post was submitted on 16 Jun 2023
22 points (100.0% liked)

Linux

157 readers
1 users here now

Everything about Linux

RULES

founded 2 years ago
MODERATORS
 

Do you have any ideas for a password safe that stores its data locally (an encrypted cloud drive is available for synchronizing), offers clients for Linux, Win and Android and has some amenities like filling in passwords in browsers?

My family needs to learn password safety, and I want to make it easy for them.

top 42 comments
sorted by: hot top controversial new old
[–] [email protected] 27 points 2 years ago (3 children)

https://keepassxc.org/

There's desktop apps for Linux/Win, an app for Android and browser integration.

[–] [email protected] 3 points 2 years ago

Keepassxc is a good choice, in the long run. It uses an open standard to save the passwords, and is supported by many clients. Consider using syncthing, if you want to sync the password files directly between your different devices. (In case you don't want a cloud solution)

[–] [email protected] 2 points 2 years ago* (last edited 2 years ago)

My primary password manager is Bitwarden, but I use Keepass as well for having a local backup as well as for it's 2fa feature. It works pretty well.

[–] [email protected] 20 points 2 years ago* (last edited 2 years ago) (2 children)

I'm using keepassXC for that, there are clients for Linux, Windows and Android. Also there are browser plugins. The android app I'm using is KeepassDX, you also find it on f-droid

I'm using it for years now, started out syncing it to Google drive, but nw i have my own nextcloud server

[–] Quazatron 5 points 2 years ago

Same. I'm using KeepassXC on Linux and Android using Google Drive.

[–] [email protected] 2 points 2 years ago

Using the same setup! Database on a Nextcloud instance and desktop (Win/Linux) clients as well as the Android client for years.

[–] [email protected] 12 points 2 years ago (1 children)

Keepass Password Safe: I started it on Windows, moved on to OSX for 10 years and am now exclusively on Linux and my Keepass library migrated through all OS's. Used it too on both iOS and Android. My Keepass file lives on my online cloud storage so it's accessible for all means.

[–] [email protected] 1 points 2 years ago (2 children)

What app do you use on iOS? I used Keepass for a while but switched to bitwarden because of the bad apps (i tried 2 or 3) on iOS.

[–] [email protected] 1 points 2 years ago (1 children)

I honesty can't remember, it's been awhile, but I do know Strongbox is being praised for Keepass database use. More info here: https://strongboxsafe.com/updates/how-to-use-keepass-on-your-iphone-ipad-mac/

[–] [email protected] 2 points 2 years ago

Thanks! I'm going to try that then.

[–] [email protected] 1 points 2 years ago

It was definitely touch-and-go for a while but a couple years ago Keepassium popped up and I recommend it highly as a Strongbox competitor.

[–] olicvb 8 points 2 years ago* (last edited 2 years ago) (2 children)

Been using Keepass, and it seems like a solid choice for local password vault. It's not as convenient at other vaults like bitwarden (unless there's a browser extension i could use), and i dont know how the android side of it looks.

[–] [email protected] 4 points 2 years ago

There is a browser extension, but you don't really need it.

Keepass has a "global auto type" hotkey. If your entries are saved with the correct info, all you have to do is press the hotkey for global auto type and keepass selects the correct entry and types username/password automatically.

[–] [email protected] 2 points 2 years ago* (last edited 2 years ago)
[–] [email protected] 8 points 2 years ago* (last edited 2 years ago)

Bitwarden or Vaultwarden.

[–] [email protected] 8 points 2 years ago

Bitwarden works nicely. It will work locally unless you sync as far as I know.

[–] [email protected] 7 points 2 years ago

As other's have recommended: Yes, KeePass. On desktop i recommend KeepassXC and the plugins for your favorite webbrowser. And on mobile whatever app works best for you, Strongbox on iOS and KeepassDX on Android are doing pretty great and the integration is also working well.

On mobile you can also save the database password secured with your favorite screen unlocking feature and have webdav, ftp or others available for sync. On android you could also use nextcloud sync or syncthing.

[–] humdrumgentleman 6 points 2 years ago (1 children)

Bitwarden, Bitwarden, Bitwarden. Use their free vendor-hosted service, and don't fixate on self hosting or handling syncing of local files. They are highly transparent and well regarded, and this is the way to go if you want any hope of converting your family.

[–] [email protected] 2 points 2 years ago

Personally I selfhost with vaultwarden - thats just my style. Botwarden vendor hosting is just fine

[–] [email protected] 5 points 2 years ago (1 children)

Since its for your family and some password manager is better than no password manager , I feel bitwarden is the most convenient solution. Its a good balance between security and paranoia.

For you keepass would make sense .

[–] [email protected] 3 points 2 years ago

This, consider Bitwarden. The password save will be in the cloud, i.e. on someone else computer, but all your devices are probably on the cloud to some degree with the risk of hostile takeover.

Bitwarden's sync and browser integration is top-notch and more importantly just works.

With the keepass* family you need to work out your personal setup, which clients can sync with what storage. And do they integrated with your favorite browser and apps?

Your family will understand and love Bitwarden. The client is open-source and encryption happens locally (unless on the web app), so you can approve it. Maybe KeePass* will work for you personally or for some special passwords, where security is more important than availability....

[–] [email protected] 4 points 2 years ago (1 children)

While this is not exactly what you are looking for, have you considered deterministic password generators? There's a nice explanation how they work in the Passwordmaker Pro Introduction.

The main downside of deterministic password generators is that their master password can be brute-forced from a single known password and the generator's settings (so, don't use the default settings...).

Their main advantage is that they don't store the passwords anywhere, therefore you don't need synchronization, or worry about the provider's data safety (which, as the LastPass leak has shown, should in general not be trusted).

If deterministic generators aren't an option for you, I'd also suggest KeePass.

[–] [email protected] 2 points 2 years ago (1 children)

You still need synchronization, and any deterministic password manager that doesn't provide it will break eventually. Any time a site experiences a breach you'll be forced to change your password, so you need to synchronize a counter for that for each account. Also, different sites have different (and often mutually incompatible) composition and length rules (in blatant violation of NIST SP 800-63b recommendations), which need to be synchronized to ensure generated passwords actually work for the account.

[–] [email protected] 1 points 2 years ago (1 children)

True. However the need for synchronization is rather infrequent and can easily be done via sneakernet.

There is something else I would like to highlight, about the problem if a single password gets leaked: At least with PasswordMaker Pro I wouldn't only increase the counter for that one site, but rather change it (ideally to a new random number) globally, and change passwords everywhere. The way PasswordMaker Pro uses the counter is that it just gets appended to the input url before hashing. For the hash algorithms that aren't using HMAC this is equivalent to just prepending that counter to the master password, so, a bad actor could just brute-force the combination of increment and master password, and get access to all sites that used the same master password and increment.

So, yeah, that's another big downside. If one password gets leaked, you can either rely on the attacker never finding out that it's a deterministic one, or you can do the same "change every password" dance that you have to perform if your password manager's cloud service data gets leaked.

[–] [email protected] 1 points 2 years ago (1 children)

If your KeePassXC databate gets leaked and you had a secure master password (10+ Diceware words or similar), you can do nothing (it's encrypted).

[–] [email protected] 1 points 2 years ago

Yeah, PasswordMaker Pro isn't built with protection against brute-forcing, sadly. That risk could be mitigated though, by choosing an algorithm that takes a few moments to compute a single password, instead of doing so in mere nanoseconds...

I'm half tempted to write such an app myself (would be a nice upgrade after doing the PasswordMaker Pro port for Sailfish OS), but I'm also in the middle of another spare time project, so, probably not anytime soon...

[–] [email protected] 4 points 2 years ago (1 children)

If you don't want to self host then I suggest Bitwarden as the only service I would recommend. If you want/are willing to self host Bitwarden. Just stay away from Lastpass.

[–] [email protected] 2 points 2 years ago

I can wholeheartedly support that statement. Been using a locally hosted bitwarden instance for a few years now, never head an issue and the Browser plugins work great.
Also: actual desktop clients on all three platforms There are some discussions on HackerNews, about some VC which invested there and what the impact will be, but nothing actually popped up

[–] [email protected] 3 points 2 years ago (1 children)

For more advanced use and if you want to keep passwords in git for version control and synchronize with other devices/people:

https://www.passwordstore.org/

Runs on Linux, Windows, Android.

[–] [email protected] 1 points 2 years ago (1 children)

... and integrates with chrome, I think

[–] [email protected] 2 points 2 years ago

... but might be less intuitive for less-technical people

[–] [email protected] 3 points 2 years ago

@WenAmon Also advocating for KeepassXC here. Plays nice with "synced" folders, like with NextCloud, too.

Even comes with ssh-agent which is perfect for persons like me 👌

Alas I'd never install it on my Android. That's my 2FA device. Not much sense in putting all in the same place - even if it offers integrated TOTP 🙃

The only exception may be the TOTP that Steam uses, that is one digit shorter and not supported by the usual (RFC 6238) ones.

[–] [email protected] 2 points 2 years ago

What about Bitwarden, with the Vaultwarden service running on e.g. tchncs.de

[–] [email protected] 2 points 2 years ago

I'd recommend Standard Unix Password Store. I've been using it for two years and it works fine. You have to solve synchronisation by yourself i use git for it but you can also use rsync or syncthing or anything else. It also has extensions for most web browsers includong firefox and chrome. It has clients for android ios windows and unix like operating systems. You can also use it with dmenu or rofi like i do.

[–] [email protected] 2 points 2 years ago

If you want to make it easy, just use the built in password manager in Firefox or Chrome. They are good enough for 99%.

[–] [email protected] 1 points 2 years ago

https://buttercup.pw/

Linux, Win, Mac, OS, Android. You can sync across platforms for free with dropbox or google drive

[–] [email protected] 0 points 2 years ago (1 children)

My recommendation for Linux and Windows is KeepassXC if you want an offline-manager. There are compatible managers available on Android, KeepassXC recommends KeePassDX and KeePass2Android.

I’ve been wanting to write an article on this topic for a while. My current, very incomplete draft is here, please don’t share it outside this thread as long as it retains the draft-note.

[–] [email protected] 1 points 2 years ago
load more comments
view more: next ›