drnick1 3 days ago

This is interesting for CLI lovers, but I feel KeepassXC on desktop + KeepassDX on Android (with the password DB stored on my own machine and accessed remotely via Wireguard) is a better solution for normies.

4k93n2 3 days ago | parent | next [-]

keepass has a very underrated feature i never see much talk about where you can have multiple vaults and have them open and search both at the same time (or at least the two apps you mentioned support that anyway).

most password managers are based around the idea of one single vault which creates the problem of having to treat every password like it needs the maximum amount of security. in my own case i would guess maybe 70% of my passwords are for unimportant sites where it wouldn't be a huge issue if someone else got the credentials, but every time i need to log into one of those sites i need to enter my long master password.

with keepass i can put that 70% into a separate vault and use a shorter master password that is quicker to type, and i don't need to worry as much if i'm opening that vault on a computer where i might not be sure it's completely secure

briHass 3 days ago | parent | next [-]

Also, KeepassXC and OG KeePass with a plugin can auto-open another vault from an entry in the primary vault. This works well if you have the more secure vault open a less secure vault, or in my case open a shared vault used for common passwords off a network share at work.

I also preach the tiered password security model. For the common, frequently used passwords that don't need max security, I just use the browser store (with a copy in KP).

TheCraiggers 3 days ago | parent | prev | next [-]

Pass actually has a similar feature: different directories in your git repo can have different gpg keys, effectively doing the same thing you like.
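
An added illustration of the per-directory keys mentioned in the comment above (not part of the thread and not pass's own code): pass encrypts an entry to the recipients listed in the nearest `.gpg-id` file found by walking up from the entry's directory, and `pass init -p <subfolder> <gpg-id>` writes such a file for a subfolder. The store layout, key names and function names below are constructed for the example.

```shell
#!/bin/sh
# Added example: resolve which .gpg-id governs a given entry in a
# pass-style store. Paths and key IDs are constructed placeholders.

# Print the recipients for entry $2 inside store $1 by walking up from
# the entry's directory to the nearest .gpg-id file.
recipients_for() {
    store=$1
    dir=$(dirname "$store/$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            # One recipient per line in the file; join them with spaces.
            tr '\n' ' ' < "$dir/.gpg-id" | sed 's/ *$//'
            return 0
        fi
        # Stop at the store root (or filesystem root) if no key file exists.
        if [ "$dir" = "$store" ] || [ "$dir" = "/" ]; then
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# Build a constructed two-tier store: a strong key at the root and a
# separate everyday key for the low-value subtree.
make_demo_store() {
    store=$(mktemp -d)
    mkdir -p "$store/low/forums" "$store/bank"
    echo "strong-key@example.invalid" > "$store/.gpg-id"
    echo "everyday-key@example.invalid" > "$store/low/.gpg-id"
    echo "$store"
}

# Show which key each sample entry would be encrypted to.
demo=$(make_demo_store)
for entry in low/forums/hn bank/mybank; do
    printf '%s -> %s\n' "$entry" "$(recipients_for "$demo" "$entry")"
done
rm -rf "$demo"
```

Running the same lookup over a real store before syncing it shows which entries fall back to the root key because a subfolder has no `.gpg-id` of its own.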

brewdad 2 days ago | parent | prev [-]

I keep a Keepass vault with my 2FA secrets and a separate one with my passwords. This reduces the biggest fear I have where one compromise reveals everything.

These are both offline backups of my Bitwarden, which is my daily driver. Bitwarden doesn't store any of my 2FA info though.

laszlojamf 3 days ago | parent | prev | next [-]

"Normies"? Everything is relative, I guess. I use 1Password and just hope for the best.

usr1106 3 days ago | parent [-]

Right. Having your own machine online 24/7 and setting up WireGuard to it does not sound very typical.

I use pass myself and I don't care about mobile. But I really don't know what to recommend to family members.

bramgn 3 days ago | parent | next [-]

I use pass also on my phone in combination with Termux. I keep the password stores in sync using git. pass on Android also supports copying your password directly into the clipboard, which is especially nice on a mobile device.

wltr 3 days ago | parent | prev [-]

My family members are all with iPhones, and their Passwords is very good. I only back up a couple of sensitive passwords to my pass store just in case. The rest of the passwords are basically disposable.

elevation 3 days ago | parent | prev | next [-]

Don't forget keepassxc.cli, which allows you to programmatically set and retrieve secrets. The interface is significantly more user friendly arcane. I used it when I needed to build an encrypted secrets bundle (so that one long password could temporarily unlock some API keys required for a disaster-recovery situation.) I was able to generate a single file plus a "Makefile" to unlock it and pass the keys into the appropriate environments.

I had attempted to use GNU `pass' first, but sadly, it requires me to manage gnupg, which is a well known minefield of poor default options, and assumes it should be integrated into your shell by storing things in your user profile directory (instead of using the directory relative to where you call it.) This jeopardized my copy-one-file workflow, so despite its ubiquity I had to abandon it.

mid-kid 3 days ago | parent | prev | next [-]

The only use case of mine that's not solved by keepass is creating passwords on two separate machines without a direct connection, and merging them later.

ticoombs 3 days ago | parent [-]

I solve this by Syncthing running on all clients. Very rarely do I ever have a problem with conflicts. Only if I add a new pass while my phone is offline and then make another edit on my computer would there be an issue. I think it only happened once, and that was because I did it on purpose to see what happened.

Turns out syncthing creates a .conflict file and then I tell keepassxc to do a merge on the two files and then we are back to normal.

hyperpl 3 days ago | parent | prev | next [-]

Any particular reason for remote access via wg and not via syncthing? I'm also curious how you access it via wg on Android?

drnick1 3 days ago | parent [-]

I already use WG to access other services running on my LAN. The DB is on a Samba share, and I use KeePassDX as a client on my phone (GrapheneOS).

6ak74rfy 3 days ago | parent | prev | next [-]

I would love to use KeepassXC but it doesn't make it easy to share credentials with the wife. I _could_ use a dedicated vault, but we'll then need to cut-paste things for sharing existing credentials.

So, for now, I've settled on Vaultwarden and it has been surprisingly stable so far.

shikaan 3 days ago | parent | prev | next [-]

Shameless plug. I built a tool[1] to manage Keepass archives in the terminal which might scratch some of the itches I am reading here: it has a TUI, but can be piped into other commands too.

[1]: https://github.com/shikaan/keydex

PhilipRoman 3 days ago | parent | prev | next [-]

FYI for desktop there is a "passmenu" script that you can bind to a key in your DE/WM.

InMice 3 days ago | parent | prev [-]

I'm thinking of trying this, I just used local files until now with keepass. in my case a synology nas to hold the file, a two bay equipped with 2.5" ssd that i already use for notes, music, and other stuff + wg