Hi everyone! For… I guess over a year now? I’ve been observing and trying out lots of software recommended by the privacy community and internet as a whole. With that time, I’ve been able to slowly put together a list of all the software I personally believe to be the best for their own various reasons. I finally have enough to be able to share it with all of you!
I’m also looking for feedback. I haven’t tried all the software on that list, and I’m sure there’s software I’ve never heard of that needs added. I’m looking for your feedback on what you think should be added, removed, or changed. That includes the list itself, if you think there are any design improvements.
Do note: Any software marked with a ⭐️ I am not looking for feedback on. This is software that I firmly believe is the best of the best in its category, and likely will not be changed. However, if there is a major issue with the software that you can provide direct proof of, then there is a chance it will be changed in the next release. There are no guarantees.
The sections marked with ℹ️ are lacking, and can use your help! Some software there may not be the best one, or may have many software or sections missing. I am absolutely looking for help and feedback here, and would love your help!
My goal with this project is to help people find the best software from many standpoints, and to prove that there really are good open source alternatives for almost anything! I hope this helps someone, and I look forward to your feedback!
Thank you all for reading and taking the time to look through my list!
Edit: This project has moved to GitLab!
Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you set up something like this. Manually merging changes is extremely annoying and eventually you end up forgetting to do it, and you will discover it when you need to log in sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.
However KeePassXC’s sync feature does sync the vault.
How does it work though? From this I see you need to store the database in a cloud storage basically.
For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.
I use this method for my notes (logseq). Never had a synchronization problem, but a lot of battery drain if I let syncthing run in the background.
Nothing else passes through it unless you opt into using relaying in case you have NAT issues.
I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.
If you are paranoid, the software is open source and you can host your own relays privately,
This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits on bitwarden (like multi-user support etc.).
To be honest I don’t personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.
KeePassXC you would put the sync-file itself into syncthing or something, and then KPXC would resolve changes between the sync file back to the main vault. I don’t use this method directly so I might be incorrect on the details, but it is possible to set up in a device to device manner.
You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices. It does not use cloud hosting or servers. It has the equivalent of a 90s FPS matchmaking lobby, so you can find your own devices’ latest IP.
You register the devices with each other with their generated ID codes. Then you ask the matchmaking server when it last saw that alias. It gives you the last IP that checked in with that unique alias. It then contacts that IP, and performs a handshake. If it passes, your two devices can now sync directly. The matchmaking relay has 0 data of yours, and 0 ability to associate your unique ID with a name, hardware, or anything other than a last seen IP. When on the same LAN, devices don’t even query the matchmaking relay if you don’t want. It’s totally offline.
If you elect to, you can allow relays to let you tunnel if you have NAT issues, and your end to end encrypted data can be synced through a relay. In those cases then yes, you are extending a bare minimum trust, and your fully encrypted data would temporarily pass on the relay’s RAM. If this makes you paranoid, you can easily add a password to the sync folder itself, encrypting it unless another user inputs the password on the other end. Adding another layer if you wanted.
I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily. Syncthing works for tons of devices and other purposes as well, preventing to host a password sharing only tool, and just letting you use a direct device to device sync tool. I don’t know how or why you would have vault conflicts, but it really does sound like something fixable. Running this for years and I’ve never run into it.
Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.
You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.
I mention that but with a specific context.
- people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
- even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.
In those cases then yes, you are extending a bare minimum trust, and your fully encrypted data would temporarily pass on the relay’s RAM
And from my (consumer) PoV this is functionally equivalent to having the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.
If this makes you paranoid
Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also about these corner cases.
I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.
You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).
I don’t know how or why you would have vault conflicts, but it really does sound like something fixable
At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.
That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is minimal. If you get convenience/features, it’s a win.