Proton pass Vs keepass

[deleted]

N1b If you put your keepassdx files on a drive, they become online.

[deleted]

Vote for KeePass.
Much to like about Proton, but its growth does make me uneasy. Eggs in a basket and all. Also, not great considering possibilty of MAGFA gaining a letter in the future. After all, we've known others who stood for no evil in the past (controversial).

Please conaider that If your setup can't get traction with .kdbx, perhaps it's too complex and in a need of streamlining? (This is also controversial, but I have been there and resolced to clean up my bits and would encourage others to undertake this journey. It's been freeing).

leoLela

N1b

not long ago there was a bug which compromised the keyfile of some users who then lost access to all their passwords. It was quickly fixed, but this can happen anytime to any password manager, which is why you always need at least one offline backup of all your passwords and 2fa seeds no matter which software you use.

What do you suggest? Is it enough to have backups of your keepass files, or should we also have a different database format? The second option sounds would be a maintenance nightmare.

DeletedUser115

leoLela keeping multiple backups of .kdbx database taken at different points in time should be enough. If database get corrupted for whatever reason you can go back to the latest non-corrupted version.

Exporting the passwords and encrypting them with different tool is better for redundancy but arguably worse for security.

N1b

leoLela What do you suggest? Is it enough to have backups of your keepass files, or should we also have a different database format? The second option sounds would be a maintenance nightmare.

A simple and up to date backup of your keyfile in 2 different places should be enough, if your threat model doesn't include protection against targeted attacks from 3 letter agencies that is. Better be safe than sorry though, I have 4 encrypted offline backups in different locations of my recovery files (Bitwarden, Aegis, Crypto Seeds, etc).

Graphite Can you give details pls?

Wish I could point you directly to it. I've heard it on the Michael Bazzell podcast and maybe read it in his book Extreme Privacy 4th edition sometime last year, but I can't find it right now. If I remember correctly, he used KeePassXC on MacOS and after an update his keyfile was irreversibly corrupted, so he lost access to all his passwords. The bug was patched within hours, but hundreds of people were affected. He had a hidden backup at a friends house (hollow coin with micro SD card behind a power outlet) so he could restore them after the patch. Maybe someone else can confirm or link the story, he does delete his old podcast episodes so it might be already gone. Couldn't find specifics about it in the KeePassXC patchnotes either...

Edit: Typos

[deleted]

frankly, your way of doing things is complicated. i've lived for the last two years with all my data disconnected, and i call it survival... save your contacts, calendar and passwords every day... and if you're unlucky enough to make a backup of your passwords, but the version on which you've saved new passwords and deleted them is corrupted, well that's just crap! what i can tell you from my own experience is this: password manager connected, period. that way, everything's always synchronized. then it's up to you to choose the open source or close source company that's going to manage it all. i chose google for its extreme simplicity and security. i've never heard of any password hacking at google.

GrapheneLover

KeePass is the way to go if you're serious about your online security. Always make sure to make multiple backups of your vault file.

[deleted]

KeePass has been around since 2003 whereas Proton Pass has only been around for a few months. A fair comparison is not really possible at the moment.

Graphite

N1b KeePassXC/DX is the best offline Password Manager, but not long ago there was a bug which compromised the keyfile

Can you give details pls?

Oggyo

Graphite
They might be talking about this - https://www.cve.org/CVERecord?id=CVE-2023-24055

[deleted]

Graphite If it's possible on grapheneos that an attacker has write access to your device, then your keepass database is insecure.

Graphite

Oggyo They might be talking about this - https://www.cve.org/CVERecord?id=CVE-2023-24055

That's for keepass2 which only runs on Windows (or with mono) and it was the config file, not the keyfile. I was very involved with the effort to get the devs to recognize this problem and fix it. But they were quite stubborn in their philosophy of "it's game over if someone has write access", which IMO is BS. The dev added a halfassed fix, but still disputes the CVE.
I switched to KeePassXC which does not have such weird features like silent export on open or allows insecure 3rd party plugins.

On mobile, there are Keepass2Android and KeePassDX (not to be confused with XC) which does not operate the same way as the desktop variants. Write access doesn't compromise anything. With Storage Scopes, other apps can't even see the files from your keepass app. I go even further by having the KeePass database in a separate profile, and then sharing read only access to the main profile via sFTP. That way, if my phone is stolen whilst unlocked on the main profile, the database residing on the separate user profile is further protected by a long password which encrypts that profile's entrie file system.

[deleted]

[deleted] KeePassDX requires a passphrase, a key file and/or a hardware key. Your assumption is untrue.

[deleted]

This kind of attack is impossible on the Google password manager because an attacker would need my passphrase and my fido key, which I don't even have on me. So there you have it, you've got to be very careful with this kind of so-called privacy-friendly software, and you can count on me to mention this, as I'm sure others will, like it or not.

[deleted]

[deleted] or proton, it's the same capitalists at their head

Oggyo

Graphite
Oh yeah, now I remember the saga with the devs, too. :)
Thanks for clarifying that.

L8437

Graphite hi thanks everyone for the helpful replies.i think I'll stick with keepassdx for now

Can you please point me in the right direction regarding the sFTP? I don't know what this is, but your method sounds useful

Graphite

L8437

sFTP is only going to work using Keepass2Android. It is a secure (encrypted) File Transfer Protocol that works over a network. I keep it isolated to the local loopback so only apps on the device can actually connect. It's a way to transfer files between user profiles. You can use Syncthing, to keep a synced copy in each profile, but will defeat the purpose of protecting the database file in it's own encrypted file system. Which is why I disable caching of the database file too.
KeepassDX, I believe, cannot load database files directly from remote storage locations like WebDAV, sFTP, Google Drive, etc. But KP2A can.
My method just adds another layer of at rest encryption, for the common threat scenario of a lost/stolen phone while the main profile is open. Even without this additional layer, the encryption for your database is already very strong and you can even choose to increase it's strength in exchange for a few extra seconds to open the database.

Relaks

N1b If I remember correctly, he used KeePassXC on MacOS and after an update his keyfile was irreversibly corrupted, so he lost access to all his passwords.

I listened to this same podcast episode. I believe Bazzel explained that the bug seemed to only affect macOS users who stored their database file within a Veracrypt container, and then unlocking the database file from within that container.

[deleted]

I've just tested proton passe since everyone's talking about it, it's a far cry from the fluidity of google's manager... it automatically fills in the fields every other time and I have to rename all my mdp's. I don't keep it, it's not usable for the use I have in mind.

« Previous Page Next Page »