KeeWeb VS keepassxc

It is actually sort of how I used it as well, though through nextcloud. It did still remain a hassle. It also requires all different apps to be maintained and equally safe.

Keeweb for example has not had an active maintainer since 2022 https://github.com/keeweb/keeweb/issues/2022

Best KeePass Mac client: Also KeeWeb but as a standalone app

I prefer KeeWeb on Desktop (Mac, Windows and Linux) but I agree that keepass is the most flexible and secure system for passwords

Web access to keepass database: KeeWeb. It works fully in browser, so the only web server needed to push static content, after that set KeeWeb backened pointing to WebDAV to sync DB with other devices (Strongbox on iPhones or Keepass2Andorid for android). KeepassXC on Linux doesn't have native sync, but you can use wine to run original keepass which works much better and natively support synchronization over multiple protocols

KeeWeb is an open-source password manager that's compatible with KeePass. This cross-platform tool is available for browser and desktop and doesn't require any server or additional resources. Credit for this recommendation goes to techtornado.

To make Dropbox work in your self-hosted app, go to this Wiki page.

Oof, I found a whole ton of anti-open-source-software quotes on the related Github issue https://github.com/keepassxreboot/keepassxc/issues/10406 :

> When required, the authenticator must perform user verification (PIN, biometric, or some other unlock mechanism). If this is not possible, the authenticator should not handle the request.

> [A passkey provider certification process] is currently being defined and is almost complete.

> This implementation is not spec compliant and has the potential to be blocked by relying parties.

> Then you should require its use when passkeys are enabled ... [You may be blocked because] you have a passkey provider that is known to not be spec compliant.

> I suspect we'll see [biometrics] required by regulation in some geo-regions.

> I see a lot of misinformation and incorrect guesses about the intentions of various parties in the recent threads. If it would be helpful, I'm willing to have a [private, non-public] call with interested parties to try and answer some of the questions that have been raised to ensure we have a common technical understanding of FIDO/WebAuthn.

I felt reasonably positive about Passkeys while writing this blog post, but continuing to read the spec authors' insistence that only Big Tech may handle these problems is extremely worrying. I really want to like this feature, but the authors are acting like complete jerks and driving me away.

One of the Passkeys/WebAuthn spec people made a huge fuss over how KeePassXC did their export function https://github.com/keepassxreboot/keepassxc/issues/10407

By using the built in device attestation feature to blackball any passkey providers that allow that, apparently:

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

Now imagine a whitelist of acceptable providers. Suddenly, you don't even own your credentials anymore.

KeepassXC.

https://keepassxc.org/

Recently switched over from a premium Bitwarden account to it. Import from Bitwarden was a breeze.

Note that KeepassXC only writes to a local encrypted db file. Syncing that across devices is left to you. I used Syncthing for that.

Should be noted that there's still debate on user presence, to the point that someone submitted a CVE[0][1] on KeePassXC for not abiding by this part of the protocol (and which I take Keepass's side).

[0] https://github.com/keepassxreboot/keepassxc/issues/9339

[1] https://keepassxc.org/blog/2023-06-20-cve-202335866/

At Linux, I manage local 2FA with Numberstation GUI. It can import export.

sudo apt install numberstation

I manage passwords with KeepassXC

sudo apt install keepassxc

There is also newer version with additional features:

https://github.com/keepassxreboot/keepassxc

I can save you some of that research. The KeePass family of password managers are open source and based around a shared file format. They save your passwords in an encrypted file on your computer or phone’s local drive. An ecosystem of apps by different people can parse that file format (after you enter your master password), and at least one app can export as CSV or HTML, so migration is not a problem.

Since your passwords are in a local file, there is no online password manager that can be hacked. If you worry that your local password manager software will have malicious updates posted, you only have to read news at the time you download an update, which can be as infrequent as you like.

If you need to share passwords among your devices, you can store the encrypted file in a generic file syncing service such as Google Drive or Dropbox. Those services are less of a target for hackers than dedicated password managers, and even if someone obtains that file, your passwords will be safe as long as your master password is strong.

Specific KeePass clients I recommend: https://keepassxc.org/ on desktop, https://github.com/PhilippC/keepass2android on Android.

> Do you just use a password manager

Yes. I recommend KeePassXC[1] or GoKey[2].

> Log in with Google, Apple

No, never!

[1] https://keepassxc.org/

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

> You absolutely should be preventing users from being able to copy a private key!

Huh? This is dumb. Users should be able to do whatever they want with their private keys. Looks like the post in on point about the push to take away control from the user.

> and then I'll use passkeys in keepassxc.

If the auth cartel deigns to allow it:

https://github.com/keepassxreboot/keepassxc/issues/10407

https://news.ycombinator.com/item?id=39698502

https://news.ycombinator.com/item?id=39706876

Attestation makes passkeys inherently anti-user, full stop.