[ANSWERED] Should i use KeePass* instead of Proton Pass, for privacy?
11mon 9d ago by lemmy.dbzer0.com/u/somerandomperson in privacy@lemmy.ml
One downside is that i'll have no more passkeys. The vault syncing, i can do via SyncThing.
I have used KeePassXC for years. I also use Syncthing which syncs files via my wifi for all devices, including KeePass.
recently set mine up exactly like this, can vouch
yep, thats the way
Yes, me too. This also solves 2 problems in 1 shot, since I often want to sync / backup other contents between devices too, so it's perfect, specially for those of us with a NAS at home.
this is the correct answer
It really depend on your threat model, Proton Pass is fine. Of course a self-hosted or local solution will be more privacy friendly but at the cost of being responsable for security and good backups (3,2 1 rule).
There is no black or white regarding privacy. You want to ask yourself what you want to protect from and is the investment worth being sovereign ?
There have been too many data breaches from cloud-based services to trust another one. I have a Proton account for email and online storage, but I won't use their password service because it's cloud based.
https://blog.lastpass.com/posts/notice-of-recent-security-incident
Lastpass leaked their password database in 2022, and bad actors are still using it to access peoples files, stealing passwords and hundreds of thousands of dollars in crypto.
DON'T trust anything important to cloud-based storage or services. Use Keepass. Use Syncthing if you need to keep the database on multiple devices.
(I see other comments using Dropbox. Dropbox = cloud. Don't store anything security related in the cloud.)
So was LastPass. But when they're source code leaked, turned out their encryption method was crappy. Just because something is encrypted doesn't mean that it's safe.
The key is that proton pass and bit warden and keypass are open source and have all passed independent security audits.
What is this fight club? /s
You could totally talk about E2EE if the client was SA/Electron. If the blob is just getting transferred and stored and the passphrase is never transferred, that's E2EE.
Come to think of it, if they throw in extra keys when you make your blob, it's still E2EE, even if they have a key for it. Perhaps we need to think differently about E2EE being then end all.
I know I can probably google this. But where are the passwords from Keepass stored? Or what makes it harder to hack?
I still use 1Password because the subscription is still running and I was planning to switch to Proton Pass once that is over. I know 1Password is harder to crack due to their 2nd master key password (or whatever they call it)
Keepass just uses a (local) file, but it expects and can handle if the file is modified externally. That's important because it means you can store it on a network share, or in some sort of synchronized storage, self hosted or not (next cloud, sync thing, Google drive, whatever). It's just up to you. If you have it open on your PC and you add an entry on your phone, your PC won't "overwrite" it, but integrates any changes you're making there at the same time.
For example the android client has direct support for a long list on storage services for this exact reason.
They are are stored encrypted on your computer if I'm not mistaken
Why not Bitwarden?
Look I love fully offline concepts just as much as the next person. But what Bitwarden offers me that those other solutions don't, is to offload some of the mental load long-term. I like privacy but something are exhausting. Pick and choose your battles.
Less hands on maintenance and mental overhead to keep things synced and all services / files up to date. We bitwarden users have other stuff to do. Different priorities.
This is one of the things I decided to keep to the people who do this far more and deeper than I ever could. Their job. Their liability.
All my accounts are encrypted, cloud accessible, or offline accessible. Protected by a giant hash of a master password. It allows me to feel safe and provides the convenience of copy and pasting insane credentials needed in today's times. Hassle free. Great features. The end.
*potentially even under free account if you choose.
Here's the beauty. You can self host it. They give you the option to choose your method. You don't have to pay they offer free accounts.
I like KeepAss.
I know it's not your question, but have you checked out Bitwarden or the alternative Selfhosted Vaultwarden. Bitwarden supports passkeys and vault syncing, and if you are offline you can still access your vault.
https://bitwarden.com/passwordless-passkeys/
Bitwarden also released a AIO selfhosted docker image, but last I checked it's still not in "official release" status.
Ooh an AIO docker image you say? I may have to look into that.
Its called Bitwarden Unified. Its still in beta at the moment. I have been running this along side Vaultwarden myself.
There's also vaultwarden which is a super lightweight single container bitwarden server.
I use KeepassXC on my computer and Keepass2Android on my phone. Passkeys work fine and are synchronized across my Synology.
Same here, it works well, and the Firefox plugin works well for auto fill, too.
Just make sure KeepassXC is set to Automatically save after every change & Automatically reload the database when modified externally, on the General > Basic Settings screen.
Do both local and cloud backup using keepass or keepassxc, use dropbox or g drive, or private cloud. The .kdbx file is already encrypted when at rest.
I can't daily drive both.
What do you mean daily drive both? You can just upload the keepass file to Dropbox and gdrive, its encrypted in the unlikely event of a security breach
you should own your data. So yes
I think I’ve done the opposite of most. After using keepassx for the last 4 or 5 years I switched to ProtonPass.
Me three.
I think proton is the most blocked by governments group of services in the entire world. To have a backup in .kbdx file sounds at least like a good idea.
i use keepassxc and from protonpass and its great its a lot lot more manuel work but in theory its worth it anything with a internet connection can be hacked
I like that I'm able to use keepassxc as a keyring on Linux. I like that there is a prompt on access so no rogue script can real my whole keyring.
personally I use keepass for important things and don't sue extension or anything that would pull from it and I use bitwarden for unimportant passwords. not that bitwarden is necessarilly unsafe but im a person who ultimately thinks its best I completely control the important things.
AFAIK, no; keepass does NOT support passkeys. TOTP's are still fine though.
It will always be safer to store sensitive information in a system that you control than in a system that someone else controls. KeePass is easy to setup, it's easy to use, and it provides excellent protection.
Any specific reason that makes Proton Pass less secure? I am curious since I am using both pass and bitwarden at the moment. bitwarden for all my logins and pass for alias + their logins.
At least KeePassium also supports passkeys.
I’ve been using Strongbox since 1Password switched to subscription only and it’s been good. It’s based on Keepass and supports all the normal password manager stuff (TOTP, passkeys, etc):
https://strongboxsafe.com/personal/
I use the desktop and mobile apps, and keep my vault stored in my iCloud account so everything is always synced real time without relying on a third party cloud (yes, I know I’m still relying on Apple for that).
Why not just use Apple Passwords app since you’re using iCloud for sync anyway?
I tried it and just couldn’t get on board with it. Severely lacking in features that I use often. Would have been my preference but it came up short.
Or use vaultwarden to have the convenience of syncing your data to a personal server or computer and have passkeys.
Yikes I need to get off lastpass. I'm paying for it too, since years ago they made it so you had to pay to use it on multiple devices.
I wouldn't recommend it. Losing your keys will be an absolute nightmare.
You're no more likely to lose keys with KeePass or KeePassXC than with an online password manager, as long as you keep good backups, and maybe sync KeePass to cloud storage.
as long as you keep good backups, and maybe sync KeePass to cloud storage.
Yes, that's the caveat. You're paying for a managed solution so you don't have to worry about that.
It's not difficult or time-consuming. No need to worry or pay.
Disagree
All your info is stored in one file, which is automatically encrypted and can be opened by any KeePass-compatible program. If you want to access it on another device, you can use whatever sync/file transfer software you normally use to sync/send it to whatever storage provider you use, or directly to your other device(s). No need to do anything outside your usual routine.
Never self host critical things
Never say never.