Bitwarden and it’s fully cross-platform. I like that it auto copies the 2FA pin to clipboard after filling in login - cuts out extra clicks and copy movements.
“Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium or membership to a paid organization (families, teams, or enterprise).”
I’m aware. So is Bitwarden if you don’t use their web vault, which KeepassXC does not have. Keepass can use a cloud drive to sync multiple devices whereas Bitwarden requires a self hosted instance to sync. Personally I would rather trust my own hosted instance over that of a cloud provider. But that all depends on your threat model and who you’re willing to trust. Having used both I personally prefer self hosted Bitwarden.
I know they exist. I think you’re missing what I’m saying.
Bitwarden is fully free and self hostable. That is how I use it. Bitwarden needs a self hosted webserver. KeePass can use only a cloud provider or self hosted cloud storage and also set up a web vault.
With Bitwarden, if you don’t want that hassle you can use their webvault they host. You cannot do that with keepass. That is what costs the $10/year.
Point is, both are good software that do things a bit differently. I liked KeePass, but I found Bitwarden to do what I wanted better, which was easily sync my passwords across devices without the hassle of self hosting something like Nextcloud. A quick docker container and I’m good.
Maybe some people are fine with keepass and something like Dropbox for sync. And maybe others don’t want to use a public cloud server but also don’t know how or want to host their own instance of a a password manager or cloud server. So they can use something like Bitwarden’s webvault instead, which is free except for TOTP.
I think it is more about passwords being accessible after hacks etc. What you are referring to, is if Bitwarden were to be hacked, both are accessible. Online Bitwarden has securely hashed all the data, so that is pretty useless if anyone gets it. On my devices I use biometric login, and on desktop a Yubiky as 2FA into Bitwarden. I also have it set to request login every time the browser is restarted, just in case someone were to steal the session data from the browser.
But your point is very valid if a user were to have a weak password for their Bitwarden, or not to have a good 2FA for their Bitwarden login. You want to keep that basket of eggs as safe as you can.
But if the access to the combination of the two requires a separate 2FA (my Yubikey), then it is virtually separated. It is not just one password and you inside Bitwarden. One could argue otherwise, that having a 2FA app on the same phone as your password manager, is also not separate, if the same PIN/biometric gives access to that phone with the two apps on.
Bitwarden and it’s fully cross-platform. I like that it auto copies the 2FA pin to clipboard after filling in login - cuts out extra clicks and copy movements.
Vaultwarden is also a great and simple to self-host backend written in Go that runs in Docker.
Isn’t it written in Rust?
deleted by creator
That’s literally what the comment I reacted to is about. Are there two vaultwardens? Did you misread?
And very easy to set up and run without docker! For, you know, us folks with a BSD server 🙂
“Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium or membership to a paid organization (families, teams, or enterprise).”
It’s $10/y and a steal for that excellent software. I pay it and self host it just to support them.
deleted by creator
This!
Keepassxc is cross-platform, free and open-source. It has also options for iOS and Android.
Bitwarden is all of those things. Unless you use their web vault, then it’s $10/year. Which keepassxc does not have.
deleted by creator
I’m aware. So is Bitwarden if you don’t use their web vault, which KeepassXC does not have. Keepass can use a cloud drive to sync multiple devices whereas Bitwarden requires a self hosted instance to sync. Personally I would rather trust my own hosted instance over that of a cloud provider. But that all depends on your threat model and who you’re willing to trust. Having used both I personally prefer self hosted Bitwarden.
deleted by creator
I know they exist. I think you’re missing what I’m saying.
Bitwarden is fully free and self hostable. That is how I use it. Bitwarden needs a self hosted webserver. KeePass can use only a cloud provider or self hosted cloud storage and also set up a web vault.
With Bitwarden, if you don’t want that hassle you can use their webvault they host. You cannot do that with keepass. That is what costs the $10/year.
Point is, both are good software that do things a bit differently. I liked KeePass, but I found Bitwarden to do what I wanted better, which was easily sync my passwords across devices without the hassle of self hosting something like Nextcloud. A quick docker container and I’m good.
Maybe some people are fine with keepass and something like Dropbox for sync. And maybe others don’t want to use a public cloud server but also don’t know how or want to host their own instance of a a password manager or cloud server. So they can use something like Bitwarden’s webvault instead, which is free except for TOTP.
deleted by creator
Kinda makes two factor authentication useless as they are both stored in the same place.
I think it is more about passwords being accessible after hacks etc. What you are referring to, is if Bitwarden were to be hacked, both are accessible. Online Bitwarden has securely hashed all the data, so that is pretty useless if anyone gets it. On my devices I use biometric login, and on desktop a Yubiky as 2FA into Bitwarden. I also have it set to request login every time the browser is restarted, just in case someone were to steal the session data from the browser.
But your point is very valid if a user were to have a weak password for their Bitwarden, or not to have a good 2FA for their Bitwarden login. You want to keep that basket of eggs as safe as you can.
The whole point of 2FA is for them to be completely separate.
But if the access to the combination of the two requires a separate 2FA (my Yubikey), then it is virtually separated. It is not just one password and you inside Bitwarden. One could argue otherwise, that having a 2FA app on the same phone as your password manager, is also not separate, if the same PIN/biometric gives access to that phone with the two apps on.
Do you use your Yubikey for 2FA or do you use it instead of a password?
If it’s the former then I guess it’s fine.
Yes, just for 2FA into Bitwarden’s login as it’s 2FA after password.