Which password manager would you choose: Keepass2 or KeepassXC? Please note I do not mention KeepassX, which has not been actively developed (and, as a result, KeepassXC emerged).
Keepass2 was originally available only for Windows, and then they created a version for Linux written in C# and using mono, which seems to be problematic and is regarded as a security risk because it uses the Microsoft .NET platform (please see the links below). https://www.fsf.org/news/dont-depend-on-mono https://lwn.net/Articles/339314/
As I don't understand anything about the codebase to properly assess which one (potentially) offers more security, what are your views on these two password managers in terms of security?
I choose Keepass2. I have been using it for a very long time, and for silly reasons I like its UI better than KeepassXC's. I know nothing about the various codebases, however.
Additionally: The mono dependency means that Keepass2 does not fully integrate into your desktop environment. And something must have borked up my mono setup because the fonts and UI have gotten slightly messed up, and long entries get truncated in weird ways. But that's a local implementation issue, I hope.
Login to the KeePass2 application (i.e. to unlock the database) using a combination of 1. and 2. below:
1. Something only you know. Use a master password (this does not need to be terribly complicated. It just needs to be easily memorised, in this case by HAT e.g. hertz**anxiety**toblerone**).
2. Something only you possess. Use a key-file (“HP LaserJet problems”, which is stored innocuously within one of many documents (see below for example) on a USB drive). {see attached file}. A copy of this file can be backed up to your computer amongst several thousand files.
EDIT: A simple alternative is to use an image (.jpg) file.
The key-file can be used as a two factor authentication (2FA) for your KeePass2 database.
To open KeePass2, you normally only need a master password.
This is where the key-file comes into play. If someone steals your master password and password database, the database is still secure because the attacker also needs to steal your key-file to be able to unlock KeePass2.
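The "password plus key file" scheme beachboy2 describes, modelled as an added Python example; this is not KeePass's own code and not part of the post. It follows the key-file rules KeePass 2.x documents (a file of exactly 32 bytes is used as-is, 64 hex characters are decoded, any other file such as a .jpg is hashed with SHA-256; XML key files are left out) and the composite-key construction SHA-256(SHA-256(password) || key-file key). The passphrase from the post and the fake "photo" bytes are constructed sample inputs.

```python
"""Model of how KeePass 2.x turns a master password and a key file into one
composite key.  Added illustration, not KeePass's own code."""
import hashlib
from typing import Dict, Optional


def key_file_key(data: bytes) -> bytes:
    """Key material KeePass 2.x derives from the raw bytes of a key file.

    Rules per the KeePass 2.x key-file documentation (XML key files omitted):
      - exactly 32 bytes          -> used as-is
      - exactly 64 hex characters -> decoded to 32 bytes
      - anything else (.jpg, .docx, ...) -> SHA-256 of the whole file
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex: fall through and treat it as an arbitrary file
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key sources (password hash, then key-file key).

    With only a password this is SHA-256(SHA-256(pw)); with a key file the
    key-file bytes are mixed in, so password + database alone cannot reproduce it.
    """
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_key(key_file)
    if not material:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(material).digest()


def demo() -> Dict[str, bytes]:
    """Constructed scenario: the post's example passphrase and a fake photo."""
    password = "hertz**anxiety**toblerone**"
    # Fake JPEG: the JPEG magic bytes followed by a deterministic body.
    photo = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 16
    # The same "photo" with a single bit flipped, e.g. re-saved by an editor.
    damaged = photo[:-1] + bytes([photo[-1] ^ 0x01])
    return {
        "password_only": composite_key(password, None),
        "password_and_photo": composite_key(password, photo),
        "password_and_damaged_photo": composite_key(password, damaged),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:28s} {key.hex()}")
```

All three keys differ, which is the point of the post: a stolen password and database are useless without the exact key-file bytes. The flipped-bit case is the caveat a practitioner wants: the backup copy of the key file must be bit-identical, so keep it somewhere nothing will rewrite it (an image editor re-saving the .jpg, a cloud photo service recompressing it, a text editor normalising line endings in a document). The composite key is only the input to the database's KDF (AES-KDF or Argon2); the KDF and the decryption itself are not modelled here.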
Quote:
Originally Posted by bgstack15
I choose Keepass2. I have been using it for a very long time, and for silly reasons I like its UI better than KeepassXC's. I know nothing about the various codebases, however.
The databases are compatible and the only user interface I care about is 1.) click on site and 2.) right-click and select 'Copy password'. Not sure what else one would care about but different strokes, I guess.
My only beef about KeepassXC is the nondescript icon that came with it. Luckily I still have the source tree for an old version and can use the old, familiar icon.
Just to toss out another open source option; Bitwarden.
They have a free cloud sync that works with phones and desktops, or you can run your own server. I am using their cloud with the family plan for $1 a month so my wife and I can get access to each others vaults if needed. https://help.bitwarden.com/article/w...ust-bitwarden/
Not only has it been audited, but it also has a bug bounty on HackerOne.
Quote:
Originally Posted by lisamint
As I don't understand anything about the codebase to properly assess which one (potentially) offers more security, what are your views on these two password managers in terms of security?
As long as you use it locally and on Linux only I think it does not matter much.
IMO, the encryption mechanism of both is sufficiently secure, but keepassxc might have a stronger one (it supports a newer keepass database format).
Quote:
Originally Posted by rnturn
My only beef about KeepassXC is the nondescript icon that came with it.
My version 2.5.0 integrates nicely with the chosen icon theme.
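A way to check which KDBX format version and key-derivation function a database actually uses, as an added Python example; this is not KeePass's or KeePassXC's code and not part of ondoho's post. It reads only the unencrypted outer header of a .kdbx file. The signature words, the TLV field layout (uint16 lengths before 4.0, uint32 from 4.0), the VariantDictionary encoding and the cipher/KDF identifier bytes are those of the published KDBX 3.1/4.x format; the constant and function names are mine, and `build_sample_header` produces constructed header bytes for exercising the parser, not a real database.

```python
"""Sniff the KDBX outer header: format version, cipher, and KDF.
Added illustration; reads only the unencrypted header of a .kdbx file."""
import struct
from typing import Dict, Optional

KDBX_SIG1 = 0x9AA2D903  # first signature word of a KDBX 2.x file
KDBX_SIG2 = 0xB54BFB67  # second signature word of a KDBX 2.x file

CIPHER_AES256 = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
CIPHER_CHACHA20 = bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a")
KDF_AES = bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea")
KDF_ARGON2D = bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c")
KDF_ARGON2ID = bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6")
CIPHER_NAMES = {CIPHER_AES256: "AES-256-CBC", CIPHER_CHACHA20: "ChaCha20"}
KDF_NAMES = {KDF_AES: "AES-KDF", KDF_ARGON2D: "Argon2d", KDF_ARGON2ID: "Argon2id"}

# Header field IDs used below.
F_END, F_CIPHER, F_TRANSFORM_ROUNDS, F_KDF_PARAMS = 0, 2, 6, 11


def _read_fields(blob: bytes, pos: int, major: int) -> Dict[int, bytes]:
    """Header fields are TLV records; the length is uint16 before 4.0, uint32 from 4.0."""
    size_fmt = "<I" if major >= 4 else "<H"
    fields: Dict[int, bytes] = {}
    while True:
        fid = blob[pos]
        (size,) = struct.unpack_from(size_fmt, blob, pos + 1)
        pos += 1 + struct.calcsize(size_fmt)
        data = blob[pos:pos + size]
        pos += size
        if fid == F_END:
            return fields
        fields[fid] = data


def _variant_dict_uuid(data: bytes) -> Optional[bytes]:
    """Pull the $UUID entry (type 0x42 = byte array) out of a KDBX 4 VariantDictionary."""
    pos = 2  # skip the uint16 dictionary version
    while pos < len(data):
        vtype = data[pos]
        pos += 1
        if vtype == 0:  # terminator
            break
        (nlen,) = struct.unpack_from("<i", data, pos)
        name = data[pos + 4:pos + 4 + nlen].decode("utf-8")
        pos += 4 + nlen
        (vlen,) = struct.unpack_from("<i", data, pos)
        value = data[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype == 0x42 and name == "$UUID":
            return value
    return None


def parse_kdbx_header(blob: bytes) -> Dict[str, object]:
    """Return version, cipher and KDF for the KDBX bytes in `blob` (first few KiB suffice)."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x database")
    major, minor = version >> 16, version & 0xFFFF
    fields = _read_fields(blob, 12, major)
    info: Dict[str, object] = {
        "version": f"{major}.{minor}",
        "cipher": CIPHER_NAMES.get(fields.get(F_CIPHER, b""), "unknown"),
    }
    if major >= 4:
        kdf_uuid = _variant_dict_uuid(fields.get(F_KDF_PARAMS, b"")) or b""
        info["kdf"] = KDF_NAMES.get(kdf_uuid, "unknown")
    else:
        # KDBX 3.x offers no KDF choice: always AES-KDF, round count in the header.
        info["kdf"] = "AES-KDF"
        (info["rounds"],) = struct.unpack("<Q", fields[F_TRANSFORM_ROUNDS])
    return info


def build_sample_header(major: int, minor: int, cipher: bytes,
                        kdf: bytes = KDF_AES, rounds: int = 60000) -> bytes:
    """Constructed header bytes for exercising the parser; not a real database."""
    def field(fid: int, data: bytes) -> bytes:
        size = struct.pack("<I" if major >= 4 else "<H", len(data))
        return bytes([fid]) + size + data
    out = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, (major << 16) | minor)
    out += field(F_CIPHER, cipher)
    if major >= 4:
        entry = bytes([0x42]) + struct.pack("<i", 5) + b"$UUID" + struct.pack("<i", 16) + kdf
        out += field(F_KDF_PARAMS, struct.pack("<H", 0x0100) + entry + b"\x00")
    else:
        out += field(F_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    return out + field(F_END, b"\r\n\r\n")


if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read(8192) if len(sys.argv) > 1
            else build_sample_header(4, 0, CIPHER_CHACHA20, KDF_ARGON2D))
    print(parse_kdbx_header(blob))
```

Run it against a real file with `python3 kdbx_header.py Passwords.kdbx`; it never needs the master key, because everything it reads sits before the encrypted payload. If it reports 3.1 / AES-KDF, the database is still on the older format; KeePassXC and recent KeePass 2.x releases can save it as KDBX 4 with Argon2, which is the newer format ondoho refers to.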
Quote:
Originally Posted by bgstack15
I choose Keepass2. I have been using it for a very long time, and for silly reasons I like its UI better than KeepassXC's. I know nothing about the various codebases, however.
Additionally: The mono dependency means that Keepass2 does not fully integrate into your desktop environment. And something must have borked up my mono setup because the fonts and UI have gotten slightly messed up, and long entries get truncated in weird ways. But that's a local implementation issue, I hope.
Thank you, bgstack15. I would not worry about what it looks like on your computer as long as Keepass2 does a great job (and it does).
Quote:
Originally Posted by beachboy2
Login to the KeePass2 application (i.e. to unlock the database) using a combination of 1. and 2. below:
1. Something only you know. Use a master password (this does not need to be terribly complicated. It just needs to be easily memorised, in this case by HAT e.g. hertz**anxiety**toblerone**).
2. Something only you possess. Use a key-file (“HP LaserJet problems”, which is stored innocuously within one of many documents (see below for example) on a USB drive). {see attached file}. A copy of this file can be backed up to your computer amongst several thousand files.
EDIT: A simple alternative is to use an image (.jpg) file.
The key-file can be used as a two factor authentication (2FA) for your KeePass2 database.
To open KeePass2, you normally only need a master password.
This is where the key-file comes into play. If someone steals your master password and password database, the database is still secure because the attacker also needs to steal your key-file to be able to unlock KeePass2.
Thank you, beachboy2, for all the information and the links. I actually use 2FA by combining a long master password and a keyfile stored on another USB flash drive to unlock my database.
"It is free, open source, and very easy to use" - That also applies to KeepassXC.
My concern is more about whether the two points below may have any influence on the level of security:
1. the language it is written in (C# for Keepass2 and C++ for KeepassXC); and
2. the fact that Keepass2 uses mono (and therefore Microsoft .NET to adapt it to Linux) as opposed to KeepassXC, which has explicitly created a Linux-based version.
Thanks.
Last edited by lisamint; 11-16-2019 at 07:00 AM.
Reason: Forgot to mention something else
Quote:
Originally Posted by ondoho
As long as you use it locally and on Linux only I think it does not matter much.
IMO, the encryption mechanism of both is sufficiently secure, but keepassxc might have a stronger one (it supports a newer keepass database format).
My version 2.5.0 integrates nicely with the chosen icon theme.
Thanks, ondoho. Of course, the database should always be stored locally rather than on a third-party service. However, I was more concerned about whether the two points below may have any influence on the level of security:
1. the language it is written in (C# for Keepass2 and C++ for KeepassXC); and
2. the fact that Keepass2 uses mono (and therefore Microsoft .NET to be able to use it in Linux) as opposed to KeepassXC, which has explicitly created a Linux-based version.
If the password manager does auto-fill for usernames and passwords, a malicious site could try to use an iframe or the like to prompt an automatic fill and steal it.
And things like this can be done in such a way that you don't see the page, and it is done fast, so don't count on spotting it. So turn that off to be secure, but it is convenient.
Quote:
Originally Posted by lisamint
Of course, the database should always be stored locally rather than on a third-party service. However, I was more concerned about whether the two points below may have any influence on the level of security:
1. the language it is written in (C# for Keepass2 and C++ for KeepassXC); and
2. the fact that Keepass2 uses mono (and therefore Microsoft .NET to be able to use it in Linux) as opposed to KeepassXC, which has explicitly created a Linux-based version.
doesn't matter
Hmm. I certainly try to avoid this sort of stuff. So essentially you're asking "what if mono is vulnerable to remote attacks"? I don't know tbh.