2something@transfem.social
@2something@transfem.social  ·  activity timestamp 2 months ago

Hi Fedi,
I have been using @bitwarden@fosstodon.org since 2019, and been a premium subscriber for most of that time. Due to their recent hyping of AI, I am interested in switching away.

$[x3 Update 2025-07-14]
So far I am liking Gnome Secrets (desktop) and Keepass2Android (Phone). However, there does not seem to be a way to get Secrets to autofill on websites.
https://gitlab.gnome.org/World/secrets/-/issues/34

I'll give Bitwarden a few weeks to see if they can resolve their AI issues. If not, I'll probably suck it up and lose autofill.

Options I am currently considering are Nextcloud Passwords , KWalletManager, and a Keepass-based password manager synced using Nextcloud. I have questions and concerns about each, and I'm hoping you can address my concerns for at least one of these three options, or suggest something else.

Before getting into those, I'll just say I also considered and rejected Proton Pass, on the grounds that
a) The server software is proprietary,
b) Logging in requires a Captcha. I can pass the captcha, but I'm always afraid that I will fail it.
c) The CEO has said and done bad things,
d) The company is also into AI.

So, what are the options I am considering?

$[x3 Keypass with Nextcloud for syncing]
This is the recommendation I see the most. I have three concerns: two regarding use on Android and the other on desktop.

First, on Android, one Bitwarden feature I use heavily is "unlock with pin." Downloading my Bitwarden vault from the server requires entering my very long Bitwarden password plus 2fa. Unlocking my vault on my device to which I am already logged in only requires entering a short password. That's good, since entering my full password on my phone takes a long time.

Keepass doesn't seem to have a native feature like this, but I can sort of replicate it by having a strong password for my Nextcloud account and a weak password for my keepass file.

The concern I have with doing this is that it would mean the folks who run my Nextcloud server, or anyone who hacks them, would have access to my password vault encrypted with a fairly weak password. Is this something I should be worried about? Is there a way to use a strong password for my Keepass vault without needing to take a long time to type it every time I need to log in to anything?

Note that I don't think I can use biometrics. I don't have clear fingerprints, and my phone (Pixel 6a) doesn't AFAIK support face ID.

Next up is the question of which Keepass-compatible apps to use, on both desktop and Android. There seem to be a lot of choices on Android and I have no idea how to narrow it down.

EDIT: The two that people seem to like are Keepass2Android (only on Google Play) and KeepassDX (on F-Droid). Both seem very nice.

On desktop, there seem to be fewer options. I see @keepassxc@fosstodon.org recommended a lot, but their Github says they allow AI-generated code contributions, so I don't think I can trust them not to lose my passwords.
https://github.com/keepassxreboot/keepassxc?tab=readme-ov-file#generative-ai

Then there's Gnome Secrets
https://flathub.org/apps/org.gnome.World.Secrets
Which looks a lot better. However, it doesn't have a way to autofill on websites, and this issue has been open for a long time.
https://gitlab.gnome.org/World/secrets/-/issues/34

$[x3 Nextcloud Passwords]

Aside from using Nextcloud to sync a Keepass valut, there is also Nextcloud's native password manager. There appear to be three Android apps:

  1. https://f-droid.org/en/packages/com.hegocre.nextcloudpasswords/

I am able to log in to this one with my Disroot Nextcloud account. However, I see a red banner at the bottom of the app saying "Cannot connect to server. Tap to retry." (Retrying regenerates the same banner).

  1. https://f-droid.org/en/packages/es.wolfi.app.passman/

In this case I cannot even log in: entering my username and password produces
>Network error: HTTP request failed with http status-code: 404
3) https://f-droid.org/en/packages/de.jbservices.nc_passwords_app/

This one I also can't log in, but there is no error message, I just get sent back to the login screen.

I also tried logging into the desktop flatpak and I am seeing white text on white background.

$[x3 KWalletManager]
I have a rule that if I want to use my computer to do X, and there's a KDE app which does X, then I will give the KDE app a fair try. KDE has a password manager, so I have to at least consider it.

The issue here is I can't figure out any way to sync it with Android. Can this be done?

$[x3 Passky]
I took a look at Passky.
https://passky.org/download

It's a service like Bitwarden: one company provides a desktop app, a mobile app, a browser extension, and a service to sync all of them. One thing to note is that it seems like all of their repositories have very little activity: The Android repository has had no commits for close to three years, the web vault has had no commits for close to two years, and the desktop repository (which is Electron) has had no commits since April 2024. That might not be a bad thing if it's working, but I don't think I'm qualified to assess the difference between "this software has unpatched security issues we aren't fixing" and "This software is working perfectly so we don't need updates."

Their website has a broken link to Google Play, as the app seems to be delisted, but the do have an f-droid app.
https://f-droid.org/en/packages/com.rabbitcompany.passky/
Their website has a broken link to Google Play, but it seems they do have an f-droid app
https://f-droid.org/en/packages/com.rabbitcompany.passky/
In addition to a verified flatpak.

$[x3 Pwsafe]
Then there's Password Safe
https://pwsafe.org/

Much like Keepass, it stores all passwords as a single encrypted file and expects you to use another program to sync. There are iOS and Android apps that are compatible.

The trouble here, as with Keepass, is getting the desktop app to autofill on websites. It does nominally have an "autofill" feature, but it can't detect when the site you are viewing corresponds to an entry: you have to open the desktop app, search for the relevant entry, open it, and then click "autofill." It's a lot less convenient than clicking the icon for Bitwarden's browser extension.

#PasswordManager #AppRecommendation #Bitwarden #Keepass #KWalletManager #Nextcloud #passky #pwsafe