KeePass was my first choice password manager, but as time went by, I noticed that it has some persistent issues. Its time to look for a replacement!
Issues with KeePass
Firstly, it is worth mentioning that KeePass does a lot of things well. It is free and open-source. You can store all your passwords in a secure database, which is locked with a master key. So, you only have to remember the master key to unlock the database. It has integrations with browsers, and a decent feature set. However, it has some issues that set me off on a path to explore alternatives.
KeePass is written in C# (.NET framework). It officially supports macOS and Linux operating systems through the use of Mono, which is an open source implementation of Microsoft’s .NET Framework. Therefore, it has the native look-and-feel of a Windows program. This can be a bit weird on Linux and MacOS, but not that big deal!
You can install KeePass on Ubuntu using the
keepass2 package. And this works, but maybe not as you may expect.
A plugin is required for communicating with the browser extensions to perform functions such as autofilling fields. You have to download the plugin yourself and drop it into a particular folder wherever you installed it to. Then, you need to install the accompanying browser extension for them to interact in kind of a client-server way.
The plugin I used was not maintained by the core project. It was recommended (as much as I can remember) to use the KeePassHttp-Connector for Firefox at the time, which was developed independently by Andy Brandt (kudos to him). This project has now been archived and is no longer maintained.
It is a concern to have this functionality outside of the remit of the core project. Relying on plugins for browser integration in this manner is not a good setup in my opinion.
I had issues keeping the plugin up-to-date with the accompanying extension. Occasionally, it would just stop working if the extension required a particular version of the plugin. Then, I would need to update the plugin myself,ensuring that they are compatible.
A personal peev was not being able to use common keyboard shortcuts such as Ctrl + C to copy text of the fields from the app. When this plugin-extension version issue occured, I had to: open KeePass, track down the entry, and copy the password field manually. Having to select the text with the mouse and then right-click to copy the text via a context menu was an extra nuisance.
What are the alternatives?
There are some projects that are forks of KeePass, namely KeePassX and KeePassXC.
KeePassX has discontinued development. I would skip it.
KeePassXC is actively developed and looks promising. Let’s look into it further, for sure!
If a KeePass relative is not quite your speed, you can consider Spectre. It takes a drastically different approach to KeePass, it is a “password app that contains no passwords”! Whaat?
Spectre uses a password cipher algorithm to hash and store your credentials for websites as a single value, if I am understanding it correctly. I don’t fully get how it works end-to-end. It does not appear to have an import feature if you have an existing database/dataset of passwords, which is a deal-breaker for me.
If you want something that follows the Unix philosophy. You can try
pass. Your passwords live inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
One downside to this approach is that you have to backup the password files and the gpg key (could be done by using paperkey).
There are some compatible clients that you can use with
pass. It appears that a plugin is required for browser integration, and that chrome and firefox are the supported browsers.
For example, to get set-up for Firefox, you must install:
zx2c4 pass repository This extension requires zx2c4 pass to be installed and set up with a password repository. Make sure you can execute pass show some-password-name in a terminal before continuing.
Host application For the extension to communicate with your system’s pass script, you need to install what’s called the host application from the official GitHub repository. The host application allows the extension to communicate with pass on your system.
PassFF extension Install the current release of PassFF for your browser:
This looks like the plugin-extension combination, which I am trying to get away from!
If you prefer to use an online service, you can try LastPass (Freemium proprietary), 1Password (Paid proprietary), or Bitwarden (Freemium open source). I don’t want someone to host my passwords, however airtight everything is. No deal for me.
If you want to run your own secure password server, you can do this with Bitwarden, or vaultwarden (an unofficial Bitwarden compatible server written in Rust). You could run one of these on a raspberry pi and use it in your home network, and expose it externally if you wish. This is a bit too heavy-duty for my needs.
Fast forwarding, I tried and liked KeePassXC. So, I did not dig deeper. Read on if you want to find out more about KeePassXC.
If you want to explore more alternatives, look through this list on AlternativeTo.net.
Tell me more about KeePassXC
KeePassXC is an open source project written in C++. It is compiled to platform-specific exectuables, so it has the native look-and-feel of the OS it is running on.
KeePassXC uses the KeePass 2.x (.kdbx) password database format as the native format. So, you should be able to switch to it from KeePass without any issue.
KeePassXC has a similar feature set to KeePass. The important one for me is that browser integration is a core feature.
The core features are:
- Create, open, and save databases in the KDBX format (KeePass compatible to KDBX4 and KDBX3)
- Store sensitive information in entries that are organized by groups
- Search for entries
- Password generator
- Auto-Type passwords into applications
- Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser
- Entry icon download
- Import databases from CSV, 1Password, and KeePass1 formats
There are more advanced features too that you can review.
The tech collective PrivacyTools has included KeePassXC in their list of recommended password manager software because of its active development.
It ticks all of the boxes for me.
Let’s get it set up and see how it goes!
Installing and configuring KeePassXC on Ubuntu
KeePassXC is available as a package in many Linux package managers.
I will install it for Ubuntu using the official PPA:
sudo add-apt-repository ppa:phoerious/keepassxc
sudo apt update
sudo apt install keepassxc
The latest version at the moment is 2.7.1. You can
keepassxc --version to check the version installed.
And indeed, this has installed the latest version! Yay!
Now, open the application and this is what you see.
Now, you can open an existing database. This worked as expected for me. Or you can create a new database.
To configure it with your browser of choice, go the main menu and choose Tools, then choose Settings from the dropdown. Then, go to the Browser Integrations tab, as below.
Now, you can select the browsers you want to use. There are links to download the KeePassXC-Browser extension for all of the major browsers. Very handy!
I opened the “Google Chrome / Chromium / Vivaldi / Brave” link in Brave. It opens the page for the KeePassXC-Browser in the chrome web store. There is a blue “Add to Brave” button. I clicked it to install the extension.
Once you install an extension, you may be prompted to pin it to the menu bar for quick access. In this case, it does not happen, and it is convenient to have available so that you to see if you are connected to your database.
We can pin the extension to the menu bar ourselves by clicking the extensions settings button (a jigsaw piece) and click the pin next to the extension name, as per screenshot below.
Now, click on the pinned KeePassXC icon to reveal the connection status. If your database is open, you will see a “Connect” button, as below.
Click this and you will prompted to enter a key association for the browser. Enter one (I entered “brave”) and click the “Save” button. You should now be connected, as below.
Now, when you open a website that has an entry in your database, it should give you options to fill the credentials in for you.
For example, I have the following entry for GitHub. You can use “https://github.com” for the URL field, no need to give the URL for the actual signin page, KeePassXC will recognize the login page when you open it for websites.
Now, when you go to the “Sign in” page on GitHub, you will see the KeePassXC icon in the Username or email address text field.
Click on this icon and it will fill in your username and password!
It also offers to fill the fields as a quick suggestion when the Username or email address field gets focus and you press the down key.
There are further options that be accessed in a context menu when you right-click inside one of the fields, as below.
Want to know more?
Dive into the Getting Started Guide.
Syncing across devices
If you want to sync the database file across devices, you can use any syncing method you like. You can use a service like DropBox if you wish. Or instead you can use ssh in KeePassXC, so you can securely access your database file remotely!
If you do choose to sync the file, look into the File Management settings to ensure there is no conflict with your sync process. It is probably a good idea to disable the settings “Automatically save after every change”. There is an option to specifically address this issue called “Use alternative saving method (may solve problems with Dropbox, Google Drive, GVFS, etc.)”
You can turn on periodic backups too, with the “Backup database file before saving” option. Better safe than sorry, right?
It is quite quick to get set-up with KeePassXC. I found it easier to use than KeePass, albeit I have experience with KeePass. Importantly, it resolves the issue I had with browser integration., and there is no friction with switching from KeePass. I can recommend using it.
Is it the best password manager?
It is always good to extend the idea of “best” to “best for your needs”. For the features I use, it does everything I need admirably. I didn’t feel the need to try out the competitors. I will leave that up to you. Lazy, I know! 🦥😀
I hope this has shone some light on how to manage your own passwords securely!
What is your favourite password manager?