Recommended setup for synced password manager
Dear list crowd, I'm looking for a synced password manager solution that connects my Arch PC with my Android phone, and a Windows PC. I'd like to use my Arch server as the nexus, and want to avoid commercial services by all means. One option I heard is using one or more KeePass databases and keeping them in sync via Syncthing. Another option seems to be Bitwarden. Are there more good options? What do people use that works well and pain-free? What other options for automatic syncing of the KeePass database would there be? I'd prefer short and on-point answers without too much detail, just a conceptual sketch. Thanks in advance, and maybe this benefits someone else as well. Georg
KeePassXC on desktops, editable, autosynced. KeePassDX on phone, read-only; syncing that fast enough without conflicts was more trouble than it was worth. Database synced via self-hosted Nextcloud (pick your poison for the syncing method). Non-bruteforceable password for the database file, database file "regenerated" yearly to catch up with hashing methods and newer formats and whatnot. 3-2-1 backed up. DB files have the added advantage that they can be sent to (un)trusted parties too, as they can't be opened. Martin On Sun, Sep 22, 2024 at 5:15 PM Georg <g.schlisio@dukun.de> wrote:
My go-to is Bitwarden. Especially as it functions as a passkey and has browser integration with Chrome and Firefox. Other than that, 'pass' from the Extra repository, but I think it won't help with Windows, though there is a nice Android app. Eric
There are some options for pass on Windows.
On Sun, Sep 22, 2024 at 08:31:27AM -0700, Eric Waller wrote:
Other than, 'pass' from the Extra repository, but I think it won't help with Windows, though there is a nice Android app.
pass also has a decent iOS app, too. Merell -- You must include all income you receive in the form of money, property and services if it is not specifically exempt. Report property (goods) and services at their fair market values. Examples include income from bartering or swapping transactions, side commissions, kickbacks, rent paid in services, illegal activities (such as stealing, drugs, etc.), cash skimming by proprietors and tradesmen, "moonlighting" services, gambling, prizes and awards. Not reporting such income can lead to prosecution for perjury and fraud. -- Excerpt from Taxachussetts income tax forms
I use KeePassXC on Linux & Windows. For Android, I use Keepass2Android. I sync my database file with Google Drive. In addition to a secure password, I use a key file that I sync manually on my devices.
Hi, I like vaultwarden, which has been running for a couple of years on my raspberry pi 4 with zero issues. It's a compatible implementation of the server component of bitwarden. Works great with all the clients and the web component of bitwarden. https://archlinux.org/packages/extra/x86_64/vaultwarden/ Max On 22 September 2024 16:15:16 BST, Georg <g.schlisio@dukun.de> wrote:
I use Bitwarden. Works great. We even pay their $10/year upgrade. It is not self-hosted, but my wife and I can share passwords this way. A self-hosted version is Vaultwarden via Docker. On Sun, 2024-09-22 at 17:15 +0200, Georg wrote:
On 22.09.24 at 23:54, Keith Bozin wrote:
I use bitwarden. Works great. We even pay their $10 year upgrade. It is not self hosted. But my wife and I can share passwords this way. a self hosted version is vaultwarden via docker.
vaultwarden is also available in extra, so no need for Docker if you want to host it yourself. Sharing with the Bitwarden App / Browser Extension etc. also works fine with Vaultwarden. Regards Bjoern
Hello On Sun, 22 Sept 2024 at 16:15, Georg <g.schlisio@dukun.de> wrote:
I used to be a commercial user of LastPass and I was pretty happy with it. However, when they started charging disgusting amounts (70+ a year, to be paid annually) I told them where the /dev/null was and changed to Bitwarden.

I paid the 10 pounds one-off fee, and now I have Bitwarden on my Android phone (in a Knox [secure folder]), on my Linux daily driver, on my Linux workstation and on my Linux/Windows laptop (both OSes).

I'm pretty happy about it all. I use multiple authentication factors, such as OTP (one-time password) and hardware keys (FIDO, Yubi, ...).

Bitwarden *CAN* also act as authenticator for the OTP, but I strongly encourage people NOT to use that because it would combine your extra factor with your password. I also highly recommend that you DO NOT automatically fill out your forms with Bitwarden, or *ANY* password manager, as it can expose you without you even realising it.

What I do instead is: visit a website, and when I want to log in and have a password for it, Bitwarden will show me that with an icon in the toolbar; I can then click to fill out the form.

Remember, your MFA can fail, so best to set up multiple so that you can still log in if you accidentally drive over your FIDO key, for example.
On Mon, 23 Sept 2024 at 13:08, Andy Pieters <arch-general@andypieters.me.uk> wrote:
hi, what do you think of https://github.com/lesspass/lesspass ? the principle seems interesting : it consists in reconstructing the password from a piece of information (which can be synchronized easily/simply) and a secret (master password)... regards.
I self-host Nextcloud for syncing. It has good clients for Linux, Windows, and Android. For passwords I use KeePassX for Linux and Keepass2Android. I'm sure there is a Windows version too. The db format is generally well supported. The main database file is available from any of my devices (or via the Nextcloud web interface), but I keep a separate keyfile that I copy manually to devices that I want to access the password db from. This setup has worked really well for me for years. All of these components are open-source. The only thing I pay for is S3-compatible online storage, which I use for automatic encrypted backup using restic. All the best! Paul
lacsaP Patatetom,
what do you think of https://github.com/lesspass/lesspass ? the principle seems interesting : it consists in reconstructing the password from a piece of information (which can be synchronized easily/simply) and a secret (master password)... regards.
i'm not an expert. it's a very nice idea. (probably a lot of us, in the old days, used to have some sort of algorithmic way of contorting a URL to generate a password; but, this is much more sophisticated, and certainly much more secure.)

let's say the only vulnerability were for Alice to crack Bob's master password. presumably the difficulty of doing this is the same as cracking Bob's GPG password (the one he uses to encrypt his password store). with lesspass, Alice can now go anywhere Bob has gone and log on. not so good. with, e.g., password-store, Alice also needs to access Bob's encrypted files. (i.e., if Alice looks over Bob's shoulder as Bob types his password, in lesspass, "she's in"; but not so with password-store; she still has to find out where he stores his password store, and gain access, which may likely *not* be via Bob's master password.) so, there's a bit of, maybe a lot of (should one be very careful with one's encrypted password store), an advantage there to password-store.

the second thing that occurs to me is that the world of multi-dimensional random number spaces can *very seldomly* have very bad properties. (there's a famous 1970'ish paper, something like "The rain in Spain falls mainly on the planes"; for some then-current algorithm, if you rotated the space appropriately and projected "down", you ended up with a discrete set of lower-dimensional points, something like that.) GPG encryption can also suffer from this. but, the level of scrutiny has been very high.

again, i'm no expert. just those two random :) thoughts. still, it's a nice idea. and, in practice, i would guess very secure. cheers, Greg
On Tue, 2024-09-24 at 19:37 +0300, Greg Minshall wrote:
...
let's say the only vulnerability were for Alice to crack Bob's master ... with lesspass, Alice can now go anywhere Bob has gone and log on.
...
... password-store, Alice also needs to access Bob's encrypted files
the second thing that occurs to me is that the world of multi-dimensional random number spaces can *very seldomly* have very bad
While the idea is nice in some ways, there are some drawbacks. To add a little bit to Greg's security comments: lesspass is using "pbkdf2_sha256" for hashing. This is okay, but the state of the practice changes. The current preference is now argon2id. At some point you may prefer a different hash algo to create the pass. When that happens there is currently no nice way for the app to generate old and new ones. This is in my mind another drawback to the generate/don't-store approach. Worse, what if the code stops working for some reason, like pbkdf2 becoming deprecated (you know it will eventually)?

I think it would be better if it had a way to update, together with a mechanism to associate each generated password with the algorithm or application version that was used. lesspass is stateless, so it has no idea which version was used for any particular website. So it could be as simple as lesspass-v2 for the next algo, but that still burdens the user with knowing which version, and doesn't deal with the case of your lovely v1 password not being generated due to hash deprecation.

So I think the stateless aspect needs to be removed, in which case maybe just choose one of the standard password 'vault' apps. -- Gene
Hey everyone, I think KeePass is one of the best solutions. It supports the best possible algorithms for encryption and authentication; it has many clients for GNU/Linux, Android, Windows, Mac, and even offline and online web apps, so that you can carry it on your USB flash memory or SD card; just plug it in and open it with a browser. The Windows ones also have portable versions which one can carry on external storage and use on any Windows.

About lesspass, I think it's very convenient and intuitive. It's much better than many online password manager solutions. However, as others mentioned, it takes away one layer of your security. If you use KeePass with both a key file and a master password, you get three levels of barrier: one has to get your key file, know your master password and also have your passwords' database file (kdbx). However, I know people that store all three in the same place! That defeats the whole purpose! If you can't bear the burden of syncing your kdb file(s), lesspass isn't a bad idea. -- Best Regards, Abraham Sent with Tutanota; https://tuta.com
On Thu, 26 Sept 2024 at 01:10, Abraham S.A.H. <arash.sah@tuta.io> wrote:
I think KeePass is one of the best solutions.
The downside of solutions like that, though, is that the site identity is completely handled by a human, so if you had previously saved a password for example.com and someone tricked you into thinking that example.com.uk is example.com, then you will be manually copying over the username and password. If you use a browser-based manager, however, and had previously saved a password for example.com, then if you were tricked into thinking that example.com.uk is the real site, your password manager would recognise that this is not the same website (bitwarden even warns you if you try to override that)
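The check Andy describes, a manager refusing to offer a login saved for example.com on example.com.uk, comes down to comparing the page's origin with the origin the entry was saved under. The following is an added example written for this thread, not code from Bitwarden, KeePassXC or any browser extension; its rules (the scheme must match, and the host must be the saved host or a subdomain of it) and its two-entry vault are assumptions made for illustration.

```python
"""Origin matching the way a browser-integrated password manager does it.

Added example for this thread; it is not code from Bitwarden, KeePassXC or
any browser extension. The rules it applies (scheme must match; host must
be the saved host or a subdomain of it) and the tiny vault are assumptions
of the example, chosen to show why "example.com.uk" never matches an
entry saved for "example.com".
"""
from urllib.parse import urlsplit

# Constructed sample vault: URL the login was saved under -> username.
VAULT = {
    "https://example.com/login": "georg",
    "https://mail.example.org/": "georg@example.org",
}


def origin(url: str) -> tuple[str, str]:
    """Return (scheme, host) for an absolute URL, normalised to lower case."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return parts.scheme.lower(), parts.hostname.lower().rstrip(".")


def host_matches(saved_host: str, current_host: str) -> bool:
    """True when current_host is saved_host itself or a subdomain of it.

    The comparison is on whole labels: 'accounts.example.com' ends with
    '.example.com', but 'example.com.uk' and 'notexample.com' do not.
    """
    return current_host == saved_host or current_host.endswith("." + saved_host)


def candidate_logins(current_url: str, vault: dict[str, str] = VAULT) -> list[str]:
    """Usernames the manager would offer for the page at current_url."""
    scheme, host = origin(current_url)
    hits = []
    for saved_url, username in vault.items():
        saved_scheme, saved_host = origin(saved_url)
        # A login saved on https is not offered to an http page: that would
        # hand the secret to anyone on the network path.
        if saved_scheme == scheme and host_matches(saved_host, host):
            hits.append(username)
    return hits


def autofill_decision(current_url: str, vault: dict[str, str] = VAULT) -> tuple[str, list[str]]:
    """('fill', usernames) when the origin is known, else ('warn', [])."""
    hits = candidate_logins(current_url, vault)
    return ("fill", hits) if hits else ("warn", [])


if __name__ == "__main__":
    for url in ("https://example.com/login", "https://accounts.example.com/",
                "https://example.com.uk/login", "http://example.com/login"):
        print(url, "->", autofill_decision(url))
```

Two things to keep in mind when reading it: the subdomain rule means every host under example.com is trusted equally, which is wrong for shared-hosting domains where strangers control sibling subdomains, so real managers either consult the public suffix list or let the user pin an exact host; and the scheme check is what stops an https-saved credential from being offered to a plain-http page.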
On 2024-09-26 13:15, Andy Pieters wrote:
The downside of solutions like that, though, is that the site identity is completely handled by a human, so if you had previously saved a password for example.com and someone tricked you into thinking that example.com.uk is example.com, then you will be manually copying over the username and password.
If you use a browser-based manager, however, and had previously saved a password for example.com, then if you were tricked into thinking that example.com.uk is the real site, your password manager would recognise that this is not the same website (bitwarden even warns you if you try to override that)
That is solved with the KeePassXC browser extension for KeePassXC, and there seem to be a few browser extensions for KeePass. -- tippfehlr
On 9/24/24 3:07 AM, lacsaP Patatetom wrote:
hi, what do you think of https://github.com/lesspass/lesspass ? the principle seems interesting : it consists in reconstructing the password from a piece of information (which can be synchronized easily/simply) and a secret (master password)... regards.
I used to use something similar. The problem comes when sites make you change your password. When that happens, you would need to change some seed value that you use to help compute that site's password, say from "v1" to "v2". And then you need to *store* that seed value somewhere, so you'll remember to use it next time. And then you need to sync that seed value out to your devices. And at that point, you might as well just be storing and syncing the passwords, rather than just the seed value. DR
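To make concrete what Greg, Gene and DR each describe in the lesspass sub-thread, here is a small stateless derivation in the same spirit. It is an added example written for this thread, not the LessPass project's code: its KDF settings, character set and 16-character length are assumptions, so it will not reproduce real LessPass passwords, and scrypt stands in for "a newer KDF" only because argon2id is not in the Python standard library. The demo at the bottom shows the three costs raised above: the master password alone reconstructs every site password, a forced reset needs a counter that now has to be remembered or synced, and switching KDFs changes every password at once with nothing recording which KDF a site was set up with.

```python
"""Stateless password derivation in the style the thread discusses.

Added example, not the LessPass project's code. Everything about a site
password is recomputed from (site, login, counter) plus the master
password, so no vault exists to sync. The demo then shows the costs the
thread points out: the master password alone recovers every site
password; a forced password change needs a counter you must now remember
or sync; changing the KDF changes every password at once.
"""
import hashlib
import string

# Assumed character set and length; real LessPass uses its own rules.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
PASSWORD_LENGTH = 16
PBKDF2_ITERATIONS = 100_000


def derive_entropy(master: str, site: str, login: str, counter: int = 1,
                   kdf: str = "pbkdf2_sha256") -> bytes:
    """32 bytes of key material from the master password and the public 'profile'."""
    # The profile (site, login, counter) is the salt. It is not secret, which
    # is exactly why only the master password stands between Alice and Bob's logins.
    salt = f"{site}{login}{counter:x}".encode()
    if kdf == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=32)
    if kdf == "scrypt":  # stand-in for "a newer memory-hard KDF"; argon2id is not in stdlib
        return hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    raise ValueError(f"unsupported kdf: {kdf}")


def entropy_to_password(entropy: bytes, length: int = PASSWORD_LENGTH) -> str:
    """Map the key material onto the alphabet, one character per base-len(ALPHABET) digit.

    16 characters from a 75-symbol alphabet consume about 100 bits, so the
    256-bit input is never exhausted.
    """
    n = int.from_bytes(entropy, "big")
    chars = []
    for _ in range(length):
        n, index = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


def derive_password(master: str, site: str, login: str, counter: int = 1,
                    kdf: str = "pbkdf2_sha256") -> str:
    return entropy_to_password(derive_entropy(master, site, login, counter, kdf))


def demo() -> dict:
    master = "correct horse battery staple"  # constructed sample, not a real secret
    p_laptop = derive_password(master, "example.com", "georg")
    p_phone = derive_password(master, "example.com", "georg")  # nothing synced, same result
    # DR's point: example.com forces a reset, so bump the counter. The new
    # value is state you must remember or sync, or the password is gone.
    p_after_reset = derive_password(master, "example.com", "georg", counter=2)
    # Gene's point: switching KDFs silently derives a different password for
    # every site, and nothing records which KDF each site was set up with.
    p_new_kdf = derive_password(master, "example.com", "georg", kdf="scrypt")
    return {
        "same_on_every_device": p_laptop == p_phone,
        "reset_needs_stored_counter": p_laptop != p_after_reset,
        "kdf_change_breaks_logins": p_laptop != p_new_kdf,
        "password": p_laptop,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Greg's concern is visible in the salt: site, login and counter are all public, so an attacker who learns the master password needs nothing else, whereas a vault-based manager still makes them obtain the encrypted file (and, for KeePass with a key file, that file too).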
Thanks everyone for the very wide variety of recommendations. I'll investigate in detail which one fits my use-case best. I hope this collection also helps somebody else. Cheers Georg
participants (17)
- Abraham S.A.H.
- Andy Pieters
- Bjoern Franke
- David Rosenstrauch
- Eric Waller
- funny0facer
- Genes Lists
- Georg
- Greg Minshall
- Keith Bozin
- Kusoneko
- lacsaP Patatetom
- Martin Rys
- Maximilian Friedersdorff
- Merell L. Matlock, Jr.
- Paul Dann
- tippfehlr