LastPass has been getting quite a bit of media attention lately. Security researchers have been uncovering not one but several serious security issues: the most recent one rendered two-factor authentication useless, others allowed third parties to execute code on your computer or simply steal the passwords you have saved.
They have been really good at responding to these problems: publishing more than enough information on their website and fixing the issues blazingly fast. However, the number of issues we are currently seeing shows that they have done no independent security audit. (Or maybe they have, but in that case they seem to have paid monkeys instead of security experts.)
Another reason to leave LastPass is the synchronisation issues I've had lately. Changing data in your vault, only to see it disappear after you've restarted the application, is horrible. I've had to reset quite a lot of passwords in the last few months.
Back to KeePass
Before LastPass I had been using KeePassX for a while, which is a Qt port of the well-known KeePass password manager. The problem with that piece of software is that filling in passwords automatically didn't really work on all platforms. As I had to use macOS at work, this really wasn't an option anymore. Having to manually copy and paste passwords makes for a horrible experience, especially in time-critical situations.
During my two years with Lastpass, however, an alternative popped up!
KeePassXC is a fork of KeePassX, and they've added more than a letter! Development on their GitHub page is going fast. The currently released version is pretty good, and the next one has new goodies such as OTP code generation with autofill. Most important: it supports autofill in both the browser and other applications on Windows, Linux and macOS.
Let's be honest: when it comes to browser support, LastPass is amazing. However, combined with a third-party browser plugin (talking to the desktop client over the KeePassHTTP protocol), using KeePassXC in the browser is just fine. The security-relevant point is that the browser plugin never accesses your password database directly: it has to ask the desktop client for every password it wants to use, and the desktop client asks for your permission before sending a single password to the browser. A compromised browser or extension therefore does not get your whole vault, only the entries you explicitly approve, one request at a time.
Keeping things in sync
As with the other KeePass apps, there is no built-in synchronisation. The password database is stored as a single encrypted file, and it's up to you to make sure this file is available wherever you'll need your passwords. KeePassXC is able to merge databases, and does so automatically when the open database file is modified by another process. This makes it somewhat easier to use KeePassXC with file-synchronisation tools like Syncthing or Dropbox, since a copy of the file updated on another machine is merged into the open database rather than silently overwriting it.