What do you use for syncing your password manager between your Android phone and your PC? Apparently Nextcloud doesn’t support two-way syncing on Android for some reason, and Syncthing-Fork is still untrustworthy since the disastrous handover. The AI generated profile picture of researchxxl doesn’t exactly inspire confidence either, neither does his GitHub bio:

Hi! My name is Jonas and I like to use my coding skills from games and modding to continue work on the Syncthing for Android wrapper.

Everything about this person screams vibe coder.

Bitwarden is an alternative, but I don’t like how non-standard it is. It’s cumbersome to manage and back up, meanwhile the KeePass format is just a file that I can back up wherever and however I want and there are many frontends to choose from.

Have you solved this?

  • roofuskit@lemmy.world
    20 days ago

    Vaultwarden with the Bitwarden Android app and browser extension for my desktop. I already have a solid system for backing up the important data for all my docker containers. As soon as I added it, it was automatically added to that process.

    My spouse has an account so if I die she can gain access to my passwords with a simple request. That function is important to me.

    • versionc@lemmy.worldOP
      20 days ago

      I’m looking for a selfhosted alternative, I’m not really too keen to place all of my password eggs into one company basket so to speak. But yes, other than that, Proton is a good choice (but I’d probably go with Bitwarden personally). Thank you.

      • sem@piefed.blahaj.zone
        20 days ago

        Understandable why you would want to selfhost. I also use proton and for me it is something that I would rather pay for so I don’t have to administer it. I also hope they’ll keep improving the auto-fill experience.

  • Scott 🇨🇦🏴‍☠️@sh.itjust.works
    20 days ago

    On Android I use KeePassDX and Syncthing-Fork. The handover was rough but the maintainer of the Play version joined researchxxl’s team. Many on the Syncthing forum seem to have accepted research which is good enough for me. Also, KeePass’s database is encrypted so no danger there.

    • GlenRambo@jlai.lu
      20 days ago

      Do you store TOTP in a separate KeePass?

      For me swapping between two KeePass DBs is annoying. I can’t find anything that will sync my 2FAs.

      • fizzle@quokk.au
        20 days ago

        I don’t. Kinda seems silly to me.

        To access a keepass file you already need 2 factors: the master password and access to the file.

        • GlenRambo@jlai.lu
          19 days ago

          It’s not really 2 factors if it’s stored in the same DB though.

          I came from Bitwarden where the community recommendation was to not store passwords and 2FA together in the cloud. If a breach occurs and you lose both then there wasn’t a point in having the 2FA.

          Less of a risk with a local solution but still not sure.

          • fizzle@quokk.au
            19 days ago

            Yes, it is two factor, it’s just that there are no additional factors required to get the TOTP.

            If you don’t use a password manager then you just remember your passwords. In this case the second factor is having access to a device that has your TOTP generator.

            If you use keepass then you remember the password for your password db, and to access your passwords or TOTP you need access to a device with your keepass db.

          • Tibi@discuss.tchncs.de
            19 days ago

            If u have 2fa in the same database u can login on devices you don’t trust. E.g. a coworker’s computer/public computer in library.

  • themachine@lemmy.world
    20 days ago

    I use keepass2android and “sync” via its native WebDAV support with my nextcloud instance as the source. Been working great forever.

    • mrmule@sh.itjust.works
      19 days ago

      I use Bitwarden too. I now use the paid version (which is incredibly cheap) but I was able to sync between Android and PC without the paid for version iirc

      • Appoxo@lemmy.dbzer0.com
        19 days ago

        The only (known to me) perk of the paid version is the encrypted storage (and probably the org feature).

        So yeah. I see it more of a donation/appreciation than a service fee.
        But the recent price increase stung a bit.

  • sbird@sopuli.xyz
    19 days ago

    Personally, I use Keepass with syncthing and it works fine enough. If you don’t really trust the new person behind Syncthing-Fork, you could always install the older version before the handover (I think before v3.4?).

    If you really don’t trust syncthing at all, you could just manually back it up. New passwords aren’t made every day, so you could just copy the passwords database over between your devices whenever there’s a change. That’s what I did before I heard about syncthing, and is what I do with my music still, since I don’t regularly update what music I listen to.

  • Nighed@feddit.uk
    19 days ago

    KeePass with the vault loaded onto a free OneDrive account.

    Just back it up occasionally.

  • cymor@midwest.social
    20 days ago

    Nextcloud and favorite the file. It’s worked reliably for years. I don’t need to create new passwords on my phone, though.

  • fizzle@quokk.au
    20 days ago

    Syncthing-Fork is still untrustworthy since the disastrous handover

    Maybe I’m OOTL on this?

    I thought everyone concluded that it was poorly communicated but ultimately no indication of any foul play.

  • Creat@discuss.tchncs.de
    20 days ago

    If you’re using a keepass database, Keepass2Android can natively sync with many cloud options including self hosted and generic ones, even without specific “companion” apps. That’s what I use. In my case, it’s backed by my NextCloud, but it used to be Google drive before.

    Just also sync the file on your PC, merging changes from different clients is part of the keepass database format and “just works”.

    Also VaultWarden works great if you can self host it, but I prefer keepass for a variety of features and integrations.

    • Lka1988@lemmy.dbzer0.com
      19 days ago

      KeePass2Android is a fantastic project. I’ve been using it for 10+ years on my Android devices. Every once in a while I’ll try a different variant, like KeePassDX, but I always return to the spartan look of KP2A. It “just works”, with no extra fluff.

      merging changes from different clients is part of the keepass database format and “just works”.

      This is the best thing about KeePass in general.

  • BozeKnoflook@lemmy.world
    20 days ago

    I use passwordstore.org which is basically a bash script that wraps GPG; but there is an Android client as well.

    Everything is stored in encrypted files tracked by git. Files are synchronized by git/SSH to a server I run.

    • Denys Nykula@piefed.social
      20 days ago

      Are there mechanisms for fully automatic synchronization on every file change and every initialization in the Android and console apps for password-store out of the box these days? Using Syncthing with password-store at the moment to get a user experience as close to that as possible. Had to switch from the Android app to Termux and the CLI because the app no longer supports usage with Syncthing.

      • BozeKnoflook@lemmy.world
        17 days ago

        There has to be, the PasswordStore app for Android can keep the GPG files in a storage location where other apps can read & write them. All you need is something to handle the synchronization.

        I’m a control freak and prefer to do things like that manually, so I just use the built-in git & SSH based method it provides.

    • versionc@lemmy.worldOP
      20 days ago

      I actually used pass many years ago and I quite enjoyed it, except for the fact that the entry names are presented in clear text. You’d also have to manage your GPG secret which I’m not a fan of (in fact, my password manager is how I usually manage GPG and SSH keys in the first place). On the other hand, I guess you should keep a key file on each device on top of a passphrase even if you use a KeePass database, so I guess that point is moot. There is also no good way to include attachments. At that point Vaultwarden feels more convenient, but the more I’m thinking about it, the more I’m warming up to the idea. We’ll see, maybe I’ll give it a shot again.

      Thanks for sharing your thoughts!

      Edit: I did some quick research and I found this video:

      https://www.youtube.com/watch?v=j-qBChKG15Y

      It brings up some pretty important security concerns that still seem to be relevant.

  • bitwolf@sh.itjust.works
    20 days ago

    Vaultwarden handles the syncing for me.

    However I do export backups on both my phone and laptop just in case.

    • versionc@lemmy.worldOP
      20 days ago

      Do you do it manually into e.g. protected json, or to a normal zip (the former doesn’t support attachments as far as I know)? Or have you found a way to do it automatically? One con that I’ve read about this is that backups from one version are not guaranteed to work on another version. Thanks.

  • PortNull@lemmy.dbzer0.com
    20 days ago

    I just switched back to vaultwarden. My vaultwarden data is backed up as part of my nightly backups. Desktop and android use bitwarden clients. Seeing as https://codeberg.org/small-hack/open-slopware/src/branch/main states keepassxc is using AI to create PRs. Otherwise you could see how seafile might work for you to sync your keepass db. If you are on android with termux you can run syncthing in termux which also works and avoids the issue with the syncthing fork

  • Lka1988@lemmy.dbzer0.com
    19 days ago

    I’ve been using KeePass for almost 20 years now, used to host the database on Google Drive. I started using Syncthing about a year or so ago, including Syncthing-Fork on my Android devices. It’s nearly flawless - I sync the database across 6 devices (two phones, two laptops, gaming PC, NAS [which is backed up regularly]), so there is the occasional conflict maybe once every few months, but I think that’s more user error than anything else. It’s fairly easy to resolve since Syncthing clearly labels the affected file.

    It’s very important to remember that “Syncthing-Fork” IS NOT the official Syncthing project. Syncthing-Fork uses Syncthing under the hood while providing a mobile-friendly wrapper.

    Edit - Re: Syncthing Fork “drama”:

    Catfriend1 (the original maintainer of Syncthing-fork) recently put in their 2 cents.

    TL;DR - The new dev is fine.

    For me personally, the fact that 1) devs from both F-Droid and Syncthing itself have reviewed and confirmed that the code is safe, and 2) the original maintainer vouched for the new guy, is good enough for me. There will always be those who refuse to trust anything, even from the original developer, and they are often the most vocal about it - i.e. the “vocal minority”. Whether or not you want to listen to their criticisms is up to you. IMO, they’re just beating a dead horse.
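
Several replies above sync a KeePass database with Syncthing and mention the occasional conflict copy. As an added example (not code from any poster in this thread, nor from the Syncthing or KeePass projects), this Python script lists conflict copies of a database using Syncthing's `.sync-conflict-<date>-<time>-<device>` file naming and checks that each copy still starts with the KDBX 2.x file signature; the file name `Passwords.kdbx` and the sample files are constructed.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# KeePass 2.x (KDBX) signature: 0x9AA2D903 0xB54BFB67, stored little-endian.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
# <stem>.sync-conflict-<YYYYMMDD>-<HHMMSS>[-<short device ID>][.<ext>]
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<ts>\d{8}-\d{6})"
    r"(?:-(?P<device>[A-Z2-7]{7}))?(?P<ext>\.[^.]+)?$"
)

def find_conflicts(folder, db_name):
    """Return conflict copies of db_name in folder, oldest first."""
    db = Path(db_name)
    found = []
    for p in Path(folder).iterdir():
        m = CONFLICT_RE.match(p.name)
        if not m or not p.is_file():
            continue
        if m["stem"] != db.stem or (m["ext"] or "") != db.suffix:
            continue  # conflict copy of some other file
        with p.open("rb") as fh:
            header_ok = fh.read(8) == KDBX_MAGIC  # False: truncated or not a KDBX file
        found.append({
            "name": p.name,
            "when": datetime.strptime(m["ts"], "%Y%m%d-%H%M%S"),
            "device": m["device"],
            "kdbx_header": header_ok,
        })
    return sorted(found, key=lambda c: c["when"])

def demo():
    """Run against constructed sample files (not real databases)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "Passwords.kdbx": KDBX_MAGIC + b"\x00" * 32,
            "Passwords.sync-conflict-20250301-101500-ABCDEFG.kdbx": KDBX_MAGIC + b"\x00" * 32,
            "Passwords.sync-conflict-20250214-080000-HIJKLMN.kdbx": b"\x03\xd9",  # truncated
            "notes.sync-conflict-20250301-101500-ABCDEFG.txt": b"unrelated",
        }
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return find_conflicts(d, "Passwords.kdbx")

if __name__ == "__main__":
    for c in demo():
        print(c["when"], c["device"], c["kdbx_header"], c["name"])
```

A copy with an intact header can be merged into the main database with the KeePass client; one that fails the header check was likely cut off mid-transfer and should not replace a working database.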