Is it good?

It's a closed-source cloud-based password manager based in the US. In what way could that be considered good?

No

pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html

Botnet

Here you go; a list of password managers that are worth a shit: privacytools.io/#pw

Paying $24 yr for US based proprietary trash

No, use keepass or don't use password managers at all.

No, don't trust them.
Just store your password database offline and use any KeePass version you like.

Those are just as convenient with the auto-type option (which automatically enters your username and password for the program/website in question when you press the specified shortcut).

If you for some reason need your database to be online, you could just sync it with whatever cloud storage you use.

yes

>If you for some reason need your database to be online, you could just sync it with whatever cloud storage you use.

If the cloud storage servers aren't encrypted to keep the owner from reading your passwords, and your password list isn't encrypted, then you may as well use LastPass.

I use it out of convenience. The ability to auto generate passwords and save them means I can have semi-secure passwords and forget them for sites I don't frequent.

Anyway get this

tindie.com/products/Russtopia/pss-mark-ii-password-generatorrecall-key-fob/

>storing your passwords in the cloud botnet

Holy fuck that's a clever idea

True, it should not be done, I just wanted to state that KeePass databases can be equivalent to LastPass.

>The ability to auto generate passwords and save them means I can have semi-secure passwords and forget them for sites I don't frequent.
Well, any password manager should be able to do that.

I also used LastPass for about a year. I dropped it after one day when I changed all my passwords due to a new security breach and exactly during that hour LastPass had syncing problems. The next time I opened my browser, all my newly generated passwords were gone and I was locked out of every account I owned.

meant for

This is why it's best to keep your passwords out of the cloud. If you're using Linux, if you keep your keepass out of your downloads folder, there shouldn't really be a way for a hacker to access them via a firejailed web browser. Furthermore, you can still secure it by doing something like having an image or file (not located on your computer, and instead on a flash drive or the like) as a 2nd verification to get into your keepass document.

>Well, any password manager should be able to do that.

Yeah I guess so, but the added convenience of doing it in a browser / in the text field I'm already in and across multiple devices is nice.

Obviously LP isn't the only service to do this, but any service that does would be an equal botnet on Sup Forums

Well, yeah. You're trusting a cloud based browser to auto-insert passwords. This means that the server itself has the ability to read them, otherwise they wouldn't be able to insert them.

As with most things, you have to find your own balance between security and convenience.

No lol.

But I use it anyway because I'm lazy tbqh

wtf is this autism? someone give me a quick rundown please.

also I just had to solve 25 captchas to post this.

wtf is google doing now?

>If the cloud storage servers aren't encrypted to keep the owner from reading your passwords, and your password list isn't encrypted, then you may as well use LastPass.
No.
It's not the same boat.
You always have to assume that "cloud storage servers" (aka: someone else's computer HDD) aren't "encrypted". Still, storing your .kdbx in plain sight, even in a publicly available location, is NOT comparable to using services like LastPass or BitWarden. The .kdbx itself can be stored in NSA's servers, it doesn't matter. What matters is ****how**** you get the password from the database, i.e. if you're decrypting the database with javascript in your browser, or with a closed source app, or with an open source app running locally. What is the best security-wise solution among these options is left as an exercise for the reader.

Don't tell me don't use legacy captcha.
If you don't, get Sup Forums X.

+ you*

>This means that the server itself has the ability to read them, otherwise they wouldn't be able to insert them.
not technically correct
>added convenience of doing it in a browser / in the text field I'm already in and across multiple devices is nice.
you can have that "added convenience" with KeepassXC and passifox or equivalent extension.

I think I worded this poorly. What I meant to say was that "if the servers aren't encrypted from the server owners," OR "the password file isn't encrypted itself (like keepass is)," that uploading your password list to a server was a bad idea.

Only use it for sites you don't care about and want easy access to.
Use local password manager or memorize for important stuff.

>What I meant to say was that "if the servers aren't encrypted from the server owners," OR "the password file isn't encrypted itself (like keepass is)," that uploading your password list to a server was a bad idea.
And I'm challenging this opinion of yours. You should assume that the servers aren't encrypted and the fact that the servers aren't encrypted should NOT matter.

to add on this,
>OR "the password file isn't encrypted itself (like keepass is),"
this OR is all you need.

Meh, well tested, open sourced encrypted clients should be fine. If you wanted to send yourself your password list unencrypted on, say Protonmail's servers, you'll probably be fine.

That said, it's best just to keep it off-line altogether.

Any ideas how to migrate?

I use 4chanx but I use that image selection captchas. Legacy is the one with nigger text right? Legacy doesn't always work on 4chanx.

Anything more complex than Pass is bloat.
passwordstore.org/

qwant.com/?q=migrate lastpass$20to keepass&t=web

Do you have that many passwords? I've done it manually.
Also, if you really want to switch to an offline database, you should change all passwords you had on LastPass anyway.

>If you wanted to send yourself your password list unencrypted on, say Protonmail's servers, you'll probably be fine.
You're deciding to trust BOTH protonmail's storage/internal policies AND protonmail's protocol used to deliver the unencrypted password. It would be bad even if you decided to serve your _unencrypted_ password database from your own server in your own basement, since you're relying on TLS quirks & bugs---err, I meant, features. The security layer used to deliver the message does not and shall not inherently *add* security or privacy to the message. What matters is message security, not transport layer security. I could digress on how TLS means shit nowadays, thanks to professional MITM services like Cloudflare, but that would be quite a different topic.

Why are there like 5 different keepass versions in the repository?

ree which to install

the community version. KeepassXC. It's the currently maintained one and improves on KeepassX v.2 ; keepass0 opens just .kdb, the other keepassx use .kdbx format and can import from .kdb just fine.
keepass (without x) is the original windows package, built with .NET. It requires mono. You do not want it.

I can also recommend KeePassXC.

Check out the Arch wiki if you want to know the differences.

I'm still not sure there's a good alternative.

Every autistic "I use a local keepass database I never sync to the cloud" is clearly written by someone with multiple computers. I need to save shit at home and get it from my work computer.

As soon as you say "I use keepass and Botnet Drive to sync" you might as well just use Lastpass.

How do you share Keepass files across platforms? I assume it's not an online thing, so changes to one machine wouldn't sync, right?

>As soon as you say "I use keepass and Botnet Drive to sync" you might as well just use Lastpass.
No. They are not comparable. See >What matters is ****how**** you get the password from the database, i.e. if you're decrypting the database with javascript in your browser, or with a closed source app, or with an open source app running locally. What is the best security-wise solution among these options is left as an exercise for the reader.

Don't you carry a flash drive around?

Botnet

Yes, it's good.

But like anything else that you don't have control over, you run the risk of exposure.

So I don't want the one from keepass.info?

No. It's not even the best of the cloud based password managers. It has been vulnerable in the past etc.

If you want the best one, use Encryptr. Sure, it's still cloud based (run by SpiderOak, which is the best, client open source, so-called "zero knowledge" hosted dropbox alternative of its kind. Only things better right now are NextCloud installs etc).

Otherwise, use a database password manager, like Keepass / KeepassX and store the database itself online. But yeah. No LastPass, Dashlane or other shit.

That site is kinda shit.

It should at least have references to why they shouldn't use something instead of "HEY don't you use that.. Use these instead, just trust us.."

>It has been vulnerable in the past etc.
Except this is a good thing for a couple reasons
1. they fixed the issues
2. they were open enough to discuss the issues

You DO NOT want to trust the smaller password managers that still use the cloud because it's much harder to secure them when they just don't have funding to do so.

recently switched to firefox pass manager. don't give a shit anymore

As long as it has a password generator you're fine.

Since I use duckduckgo I just type in the search bar 'password average 15' and use that. don't need another pass generator

That also works just fine.

Exact.

keepass is better

There is no way to have an encrypted Keepass database on a cloud server? Say you were to host your own cloud server using something like ownCloud, wouldn't that be fine?

Sure it is possible, what kind of dumb question is this?