One attack vector I see with Bitwarden is that if the server hosting the web client or the Firefox/Google account that owns the browser extension gets compromised, they could easily be modified to exfiltrate all your data. So unless you always package the browser extension yourself and check the web client's code before using it, your passwords are essentially only as secure as the developer's security measures are strong.
I honestly tried to use Bitwarden, paid for premium for the one-time key feature, and the browser extensions compared to 1pass are much less convenient. For instance, the ability to manage multiple website (e.g. Google) accounts is priceless.
If you have two logins for the same service with the same URLs they'll appear in the browser extension with the username shown by the title.
If you're instead talking about using the same login credentials on multiple sites, it can do that as well; just edit the item and add a second URL to the site. Now that item will appear on both site URLs.
Personally I think it would be awesome if Bitwarden gave you the option to export your password vault as a KDBX4 file. What's the best way to fund a bounty program for adding this feature to Bitwarden?
I am using 1Password with a standalone licence (sunk cost, so 'free' doesn't matter much. Also, C$70 is essentially free when it comes to securing my digital life). I sync a vault with a few co-workers via Dropbox and this is sufficient for us, no need for 1Password.com 'cloud' yet.
We like the UI, and to our knowledge 1Password has the best track record for security, with extensive and continuous testing and no major fuck-ups yet.
What advantages to switching to KeePassXC or Bitwarden are there for us?
But to me it sounds like you have a solution you are very happy with, and you don't mind paying for that solution, so my recommendation would be to stick with it.
Although, as a happy user of KeePassXC, I'm tempted to ask the counter-question: why would I want to pay for 1Password when KeePassXC gives me a great solution for free (and also gives me source code access)?
But KeePassXC is based on the KeePass file format, and to my knowledge that has a better security story than commercial platforms, though it is harder to use.
For example, a couple of years ago Tavis Ormandy at Google Project Zero went through password managers and had unkind things to say (and reported vulnerabilities) about LastPass, 1Password, and Dashlane. He said KeePass looks "sane" or something like that.
1Password is closed source and there is no way to verify that it actually encrypts the passwords.
I wouldn’t give someone my passwords to encrypt and store them for me. It’s a simple task and I can just encrypt and store my passwords. I don’t need a shinier UI.
I had to switch to Keychain because the Safari extension stopped working.
One thing that was a killer feature for me: Keepass2Android was WAY better in its integration with my Android devices. Tried to convince family to use a password manager, but LastPass was a failure on some devices. KeePass with sync to some cloud is perfect: a database with multiple copies, works well.
For sharing between devices I found Firefox Send to be useful (before it went down, hope it comes back), also Keybase filesystem is one of my go-tos as well.
Maybe I’m being overly cautious, but I sleep better at night knowing my DBs are encrypted.
Fwiw, I've lately been using Resilio Sync, which is BitTorrent style peer-to-peer between devices I control and encrypted over the wire as well. It also supports advanced encrypted shares where you can even have "know nothing" devices that help to seed/participate in your shares but can't read/write inside them, as an interesting tool in "personal cloud hosting".
They were sold to Zoom... since then I don't use it anymore.
I'll put $100 in right now if the maintainers of KeePassXC are down with this.
The whole database is a single big XML document which is then encrypted with a normal symmetric encryption method (most of the time AES). And that is already the core of it. There are a few additional things (a user-chosen key-derivation function is used to increase the brute-force time, and there is a header in the binary format with such things as the KeePass version, which algorithms are used for encrypting, and a checksum...).
But in comparison to other cloud-based password managers it's a nice feeling to intuitively "know" what's happening under the hood.
Not sure if there have been audits of this popular fork or the format itself.
IIRC the format is relatively simple: an encrypted XML stream. So it may be OK.
Maybe I simply didn't search well enough; is there any possibility to have such functionality in KeePassXC?
I find the browser integration extension(s) more robust/stable as well, but that could be environmental.
KeePassX won't prompt you at all and silently drops all those changes, whereas KeePassXC will ask what to do.
KeePassXC also seems to immediately save changes upon adding new entries whereas KeePassX requires an explicit <ctrl-s>.
The Android app is great too. I use rclone to sync my KeePass file to Google Drive, which means it is always up to date on my phone too.
There's so many different Keepasses...
I'd like to use the same db file between Windows, Linux and Android, and I'd like to be able to autoenter without a browser plugin, at least on Windows.