Here’s why I decided to move my passwords to a KeePass database file instead of using Bitwarden with a self-hosted server. It comes down to keeping my passwords out of the browser, and my setup simple and manageable.
For years, I was (and still am) unwilling to trust hosted password manager services. I eventually got with the time and started using LastPass. Three years ago, I migrated to Bitwarden as LastPass just kept cutting features and platform support.
Bitwarden is an open-source alternative to the proprietary LastPass password manager. Bitwarden offers browser extensions and apps for all common operating systems. Even the server-side synchronization component is open source. You could, theoretically, host the backend infrastructure yourself.
LastPass recently restricted its free service to a tough choice: pay up, or be restricted to using it with either computers or mobile devices. Being limited to just one category of devices puts a serious dent in the service’s usefulness. To make matters worse, the service didn’t let you choose a device type; it arbitrarily picked one for you!
The change was another blow for the whole idea of free services. In the last couple of years, many popular and formerly free services have bait-and-switched in limitations as LastPass did. It turns out that not charging for your service isn’t profitable. Who knew‽ LastPass isn’t a common good; it’s a business.
Bitwarden is definitely more community-oriented than LastPass. It’s still a for-profit company, but it also has to appease its community of users or risk them taking its source code and spin up competitors. Regardless, I’m not entirely comfortable relying on anyone for my password. I decided to finally look into self-hosting Bitwarden. At least, it would make for something interesting for my blog, right?
My password store is the crown jewel of all my digital assets. All 300 of my passwords need to be kept securely under crypt and key. I don’t doubt my ability to do an adequate job at configuring, backing up, and maintaining a Bitwarden server. However, I’d never be entirely sure that the configuration was secure. Bitwarden stores everything encrypted; it should be fine even if someone broke into my server.
However, I decided against self-hosting a password manager after evaluating this approach for some time. It’s enormously complex and a pain to maintain. I’d need to commit to regularly evaluating server logs and proactively detecting intrusions. It would be a lot of extra work just for a password manager. I don’t need groupware, multiple users, or to share passwords. I’ve got too many other projects going on, and this would consume too much time and effort on an ongoing basis. This simply wasn’t the right tool for the job for me.
I’ve recently had a change of heart regarding having my password manager available for auto-fill in my web browser. Password manager extensions and password managers built into web browsers are very convenient. Web browser-integrated password managers — both the built-in ones and extensions — have suffered from many auto-fill leaks and vulnerabilities over the years. It’s an attack surface I can do without.
I’ve never really considered using a local password manager as a stand-alone app. The idea of using something like KeePass has seemed like an outdated and old-fashioned way of doing things. I must admit, that this impression was mostly influenced by the design of the original KeePass project website. The pinstriped page background and icon-heavy sidebar just scream 2005s webdesign to me. The program itself also looks like it was made for Windows 98.
I don’t need to use KeePass, though. There are over a dozen different forks of the KeePass project to choose from. I decided on KeePassXC for my Mac, Linux, and Windows computers; and KeePass2Android Offline for my Android phone. I decided on these two because they feel more modern and I’ve confirmed that they won’t easily suffer from synchronization conflicts.
Unlike a hosted password manager, a local password manager stores passwords in a secure vault on your local device. A “secure vault” is a fancy way of saying it’s stored in an encrypted file protected by a master password. It’s all just in a file. Your passwords are stuck on one device unless you can arrange to sync the database to other devices, keep it in sync over time, and resolve eventual sync conflicts. You also need a reliable strategy for backups.
Luckily, Syncthing can handle all my file synchronization needs directly between my devices. Syncthing doesn’t need a hosted file synchronization and storage provider to act as an intermediary. This means I won’t have to rely on or trust a third-party storage provider. It also handles file versioning for me; enabling me to recover from any potential overwritten data or other sync mishaps.
I already use Syncthing on all my devices, so it didn’t require anything extra to set it up for use with my password manager. This setup is much simpler and leaner than what I was about to set up with Bitwarden. It can still work on my home network even if the entire global internet stops working one day. (I’m not sure what I’d need all my passwords for in such an event, but I’m covered nevertheless.)
A KeePass database file also simplifies the backup and eventual restoration process. You do backup your cloud-hosted password manager, don’t you? It’s just a file, after all. I can use my existing backup processes for files residing on my various devices to back up the password database. I also have multiple copies available since it’s continuously synced to all my devices. This article was written during a [false] fire alarm in my apartment complex. I just put my phone in my pocket and went out the door with a complete copy of my password database.
The same simplicity argument can’t be said about a self-hosted Bitwarden server. In everyday operation, I’d only have one master copy on my home server. I’d need to carefully export copies of the database and regularly verify that the backups worked. It would have introduced much unnecessary extra work.
So, what about security? My main worry wasn’t about the security of the KeePass database or the forks I decided on using. I assume and trust that they’re secure — we all have to place our trust in something. Properly evaluating any of them would take years of effort. However, I was mostly concerned about the security of my clipboard. I have to copy passwords in plain text from my password manager and into programs like web browsers.
The whole “clipboard thing” is a big topic, and I ended up writing a separate 2300-word article on clipboard security. In summary: it’s a mostly unsolved issue on desktop, and it can be an issue on mobile. Ideally, I’d like to see desktop operating systems add a safer auto-fill feature like what we have on Android and iOS. Until we get that, you either have to be super careful about device security or switch to Qubes OS.
Anyhow, KeePassXC does what it can to help prevent your copied passwords from leaking. It discourages clipboard history managers from saving it, and instructs the Windows Cloud Clipboard not to share it with Microsoft. KeePassXC doesn’t stop macOS from syncing with Apple’s Universal Clipboard, though. Apple’s solution is end-to-end encrypted on your local network. I don't need to worry about it the same way as with Windows Cloud Clipboard. (Learn more about these features in the article linked above.)
KeePassXC feels like the right solution for me with the tools and devices I use every day. It’s definitely not for everyone, but it only costs a little bit of time to try it out for yourself. Migrating to it is easy as it supports importing and exporting from many other password managers. Make sure you store those unencrypted password exports safely and delete them afterward!