KeepassXC – A cross-platform community fork of KeepassX

If you were curious like I was, about why this fork was necessary, I found this on their About page:<p>KeePassXC is a community fork of KeePassX which aims to incorporate stalled pull requests, features, and bug fixes that have never made it into the main KeePassX repository.

I use KeepassX on my desktop PC and have been looking for an iOS app that can open the database. I found one but it occurred to me that I have no idea who wrote it or whether they can be trusted with my passwords. And iOS offers no way to prevent an app using the internet, so I couldn&#x27;t be sure it wasn&#x27;t leaking my passwords back to HQ - unlike on the (Linux) desktop where I can run it in an environment that I control (relatively speaking - no need to point out that I haven&#x27;t personally audited the kernel).<p>Am I being overly paranoid? How should I be approaching the issue of trusting the developers of password managers?

From the text it looks like one of the selling points is integration with apps like browsers so you don&#x27;t have to copy&#x2F;paste passwords, as with KeePassX.<p>Personally, to me that sort of integration has always seemed like a bad idea. I&#x27;m glad that my password database can&#x27;t talk to my browser programmatically. One less thing to go wrong.

Here is the repository which isn&#x27;t linked anywhere on the site: <a href="https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc</a>

I haven&#x27;t tried it yet, but maybe this will address some of my pet peeves. My primary peeve is that, in keepassx, there is no fantastic way to handle password changes. I can generate a new password, but the only way to get it into a webpage without overriding the old password in the database is to show it on the screen and then copy the visible text.<p>(My second peeve is that the &quot;type the password&quot; feature types the username <i>and</i> password, making it useless for the more annoying disabled-paste password prompts.)

While we&#x27;re at it, is there any open source self-hosted alternative to LastPass etc.?<p>At this point we&#x27;d even go so far as just using a good Keepass Client that comes with a comfortable &quot;send encrypted password blob to xy email, than call him and tell him this decryption password&quot;-function.

I tried to stick with KeePass.x for the longest time, but keeping the keepass databases in sync across multiple platforms&#x2F;devices, while possible, was very much a pain and quite a clunky&#x2F;messy process which always required me to remember to do something after updating the database anywhere. I eventually gave up and migrated to Lastpass which &quot;Just Works™&quot; on all my devices.

Honestly, as a programmer&#x2F;ops knowing git and always having a terminal somewhere around, I see no reason to use something else than <a href="https:&#x2F;&#x2F;git.zx2c4.com&#x2F;password-store" rel="nofollow">https:&#x2F;&#x2F;git.zx2c4.com&#x2F;password-store</a><p>It uses a git repo as storage, gpg encrypts passwords, provides perfect completion and there is an android app. Everything is dead simple and open source.

I previously used KeePassX, which was great due to the multiplatform support. However the project seemed stalled, and I&#x27;ve since switched to the excellent KeeWeb; it&#x27;s Electron based and is in general more modern.<p><a href="https:&#x2F;&#x2F;keeweb.info&#x2F;" rel="nofollow">https:&#x2F;&#x2F;keeweb.info&#x2F;</a>

Why not change the name entirely, then? KeepassX is already a terrible one.<p>Makes me think of DOS software from 1998.

What are the benefits of using a &quot;real&quot; password manager, such as this one, compared to a plain encrypted file in vim? I thought that benefit was syncing across devices but it turns out the http feature of keepass wasn&#x27;t implemented in all clients.<p>How well specified is the kdbx format? Is there a console client? Is the code readable? Keepass seems to have spawned an entire ecosystem of tools and clients, so I&#x27;m curious which of these tools are actualy usable.

Bruce Scheneier designed Password Safe: <a href="https:&#x2F;&#x2F;pwsafe.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pwsafe.org&#x2F;</a><p>It&#x27;s not one multiplatform app, but there&#x27;s an equivalent format app on every platform.

ASnyone know why there&#x27;s no Windows version yet? I&#x27;d like to know how this compares to the original .Net KeePass.

Awesome! I am a heavy user of KeePass, and I also use all three main operating systems regularly, so this has always been an annoying issue to have. I usually get around it by using KeePass2Android on my phone and typing out passwords by hand on the other device. Could be worse.<p>I hope developing an official Android and iOS app is on the list. There are third party alternatives (such as the one I just mentioned), but if the goal is to be completely cross-platform then let&#x27;s push those out too.

There&#x27;s one thing I worry about with keeping all my passwords in a single file - if a government agent gains access to it, I&#x27;ll have to decrypt it, which will reveal the password to my key, my key, and a full list to all web sites I have accounts at and a list of those accounts. Let&#x27;s say you have an alt reddit account you use to post to &#x2F;r&#x2F;ihatedonaldtrump, congratulations, now the government knows with certainty that it was you. It&#x27;s one thing to see your IP making requests to reddit.com - you can just give them your normal username and password, but with a single password file, you give them all your usernames and passwords. Maybe I&#x27;m overly paranoid, but I don&#x27;t like keeping passwords to anything that might be remotely questionable in a normal encrypted password file.<p>On the flip side, if the file in question contains an account to a questionable site, could you withhold the key&#x2F;password to it under the clause against self-incrimination? I.e. you&#x27;re sued for insulting Donald J. Trump&#x27;s itty bitty tiny handsy-wandsies, but you also have an account at buymarijuanaonline.com, so you can&#x27;t give them access to your password database, because you&#x27;ll incriminate yourself in a different crime.

Does it support the new kdbx4 format which is using Argon2 instead of a custom AES-based KDF?<p>Why should I move from KeePass2 to this? Prettier GUI under Linux?

With my latest password overhaul I switched to the master password system, not requiring any compromisable database of passwords as with password managers:<p><a href="http:&#x2F;&#x2F;masterpasswordapp.com&#x2F;" rel="nofollow">http:&#x2F;&#x2F;masterpasswordapp.com&#x2F;</a><p>You can even implement the algorithm yourself if you don&#x27;t trust the app (which does not require any permissions on Android).

Anyone knows how this compares to KeePass (without any X suffixes)? (apart from that it has no binaries from Windows apparantly)

The reasons for the fork are explained in details there: <a href="https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;43#issuecomment-254045934" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;43#issuec...</a><p>It is rather worrying that they mention &quot;keypasshttp&quot; as being one of the pull request which was never merged, although it is all about functionality and not security, just to point out a few months after in another issue that users should stop using this plugin because of a vulnerability: <a href="https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;147#issuecomment-272525411" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;147#issue...</a><p>I don&#x27;t really know how secure KeepassX is, but this fork doesn&#x27;t look like it is any more secure, at least for the time being.

I&#x27;ve been using Codebook (formerly known as STRIP) because it is partly open sourced, however they do not offer a desktop client for Linux and they only sync with commercial cloud services, so I&#x27;m looking for an alternative. Is there an overview that compares the various password managers out there?

I&#x27;ve been wondering is there any disadvantage in using password hashers (either as plugins like [0] or standalone) for generating safe passwords? It seems like a great idea to me, yet most people here seems to be prefer full blown PW manager apps or even online services for this. Am I missing something?<p>[0] <a href="https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;password-hasher-plus-pass&#x2F;glopbmohkffbnplcjbbbfmmimfhfnhgd?hl=en" rel="nofollow">https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;password-hasher-pl...</a>

What happened to the Windows binaries?

Is there a password manager that can sync to WebDAV?<p>Even if the data is encrypted, by using 3rd party services such as DropBox you risk someone trying to crack your passphrase without you noticing.

I&#x27;ve been using Keepass Desktop which apparently isn&#x27;t available for download anymore but it was much better than keepassx<p><a href="https:&#x2F;&#x2F;github.com&#x2F;PixelPaws&#x2F;KeePass-Desktop" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;PixelPaws&#x2F;KeePass-Desktop</a> <a href="https:&#x2F;&#x2F;www.pixel-paws.de&#x2F;en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.pixel-paws.de&#x2F;en&#x2F;</a>

The FAQ should explain the reason for the fork. I couldn&#x27;t find anything about that, and that was the first question I had.

Looks like someone was willing to spend some time on an audit of the original KeePass:<p><a href="https:&#x2F;&#x2F;www.ghacks.net&#x2F;2016&#x2F;11&#x2F;22&#x2F;keepass-audit-no-critical-security-vulnerabilities-found&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.ghacks.net&#x2F;2016&#x2F;11&#x2F;22&#x2F;keepass-audit-no-critical-...</a>

I&#x27;ve been using Keeweb for the last year or so and I&#x27;m very happy with it. The mobile experience is a little subpar but it works fine in a pinch, and the integrated syncing with your own storage services is handy.<p><a href="https:&#x2F;&#x2F;keeweb.info" rel="nofollow">https:&#x2F;&#x2F;keeweb.info</a>

&gt; Binary package for OS X &gt;= 10.7<p>But I get:<p>&gt; You have OS X 10.11.6. The application requires OS X 10.12 or later.<p>??<p>Edit: Looks like this is a known issue[1].<p>1. <a href="https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;181" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;keepassxreboot&#x2F;keepassxc&#x2F;issues&#x2F;181</a>

Finally! Very excited for an improved solution. It would be nice to have something like this on iOS and Android too, but at least my Mac and Windows computers will be able to play nice.

Compiles and installs without trouble on FreeBSD 11.0. Great :D

on Ubuntu, &quot;snap install keepassxc&quot;

I guess I can finally upgrade to the kdbx (v2) format. I had to use kdb because there was no good kdbx editor for OSX.

Does this incorporate enough changes compared to KeePassX to warrant an audit?

Is there any enhancements in UI? I dont find any screenshot posted in the repo

How is the database stability of this program?<p>The last password program I used had often, very often a corrupted database.