Password manager in browser is it safe? Keepass vs Bitwarden?

Both of your arguments (“+1 for KeePassXC” and “…security there is by far inferior”) are somewhat contrary,
because the DBs of KeepassXYZ are either secure, namely everywhere, or they are not (independently of how many passwords they contain).

deal ? :innocent:

1 Like

I meant that security on mobile devices is worse than on linux PC/laptop. At rest passwords are secure, but anything can happen when you open it on a device with known vulnerabilities.

1 Like

If having a command-line interface like pass appeals to you but you also like KeePassXC, note that KeePassXC includes keepass-cli (which also has an interactive mode). If you’re on macOS and using rather than installing via Homebrew, or similar, you can find it at /Applications/ .

1 Like

FWIW, and going back to OP’s question, I think some prefer a password manager like Bitwarden—as I do—because there have been third-party audits of it and it is open source; AFAIK, the built-in Firefox manager has neither been audited nor is it open source.

All the previous posters make very good points about where the password db is housed and comment clearly on the benefits of not having it in the cloud; however, for my purposes, I prefer saving hashed and salted in the cloud with a developer I trust.


So would you trust Bitwarden? I have trusted them as they are open source. I guess I trust that other users audit their code from time to time, say every quarter or semi-annually.

So trusting the Firefox password manager is not advised, would you say? I’m a bit worried about all the trust I put in my browser; I have a lot of passwords, and if there is a breach I could be compromised… The convenience of the browser remembering all my logins is so very helpful, as I run CalyxOS on my smartphone, and each time I log in I need to unlock Bitwarden and paste in the password. It happens many times a day and slows me down a lot, as I log in and out of many user interfaces.

No password-only authentication is safe, independent of what password manager you use. What you need is Two Factor Authentication, including for your online banking site.


My trust isn’t absolute, but it’s more for a developer who is willing to open source their code and submit to third-party audits.

Additionally, I second @augenauf’s comments about 2FA.

Great, thanks, I’ll contact the banks and get that set up, thanks a lot. So for other important access without two-factor authentication, would you not save passwords to the browser?

  • Use long, unique, randomly generated passwords.
  • Where possible, use some second factor of authentication: one time password (e.g. andOTP) or some hardware key (Solo key, Nitrokey, Yubikey).
  • There are add-ons that integrate KeePassXC with browsers, making it almost as easy to use as built-in password managers: KeePassXC: Getting Started Guide

If you want to use the browser’s password manager, at least enable the master password (Firefox), which has to be entered to unlock saved passwords.


A post was split to a new topic: KeePassXC browser integration

let’s start new topics for specific errors, otherwise this already long topic will become even harder to follow :slight_smile:


Actually, I thought this was on topic since it’s related to the very thing I posted; perhaps I’m wrong.

No, this topic is about general discussion on Keepass/bitwarden/etc. Your new query is a specific question related to keepassx. The solution of this topic will not be the same as the solution for your new query.

I have a hard time with browser-supplied password stores. Especially Googly ones. Yes they’re usually world class. I’d give Firefox’s a second thought if I weren’t already deep into password-store and Bitwarden. Why Both? There wasn’t a good plugin for password-store at the time and I needed a way to help my wife and family browse more safely as I lived in a clan of repeatedly-used passwords :upside_down_face:

As @bryanmoore has already stated, Bitwarden is audited. I’ve had a cursory glance at the source and I feel the end-to-end nature of the encrypted store looks pretty good. To be fair, I’m not a security expert, but if people can trust ProtonMail, they should be able to trust Bitwarden.

When it comes down to it, there isn’t a password manager for the browser and Android/iOS that works as intuitively and as consistently as Bitwarden for auto-store, update and auto filling passwords that is also open source. It’s so dang easy to use my 60 year old mother-in-law is on board.

BTW, thanks for the tips @hhlp, I will be taking a hard look at these extensions. They seem to have come a long way. I would much rather trust GPG + my own storage solutions.

If you use the master password, make certain it is something you can remember. I recently had a friend who forgot his master password (senility creeping in), and even 6 months running John the Ripper on his Firefox password file with a 6-core, 12-thread machine failed to crack the password for that file.

Same goes for other solutions. If access without a password were possible, that would be a major flaw :wink:
Any password manager should be susceptible only to such brute-force attacks, where good cryptography and long passwords are supposed to make cracking it too expensive and/or time-consuming.
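An added illustration of the point above (example code, not from anyone in this thread or from any password manager's own source): a vault locked by a master password only through a slow key derivation can only be attacked by guessing, and the password's entropy together with the KDF cost set the expected work. The word list, vault layout and function names are hypothetical; the KDF cost uses PBKDF2-HMAC-SHA256 with 600,000 iterations.

```python
import hashlib
import hmac
import math
import secrets

# Hypothetical character set for generated passwords: 26 + 26 + 10 + 8 = 70 symbols.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor assumed for this vault


def random_password(length=20):
    """Long, unique, randomly generated password from a CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Slow, salted key derivation: every guess must pay this cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def lock_vault(master_password):
    """Store only salt, cost and a keyed check value; never the password itself."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock_vault(vault, candidate):
    """The only way in: re-derive the key and compare in constant time."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    probe = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(probe, vault["check"])


def expected_crack_years(bits, guesses_per_second):
    """Expected time to find a password of the given entropy (half the keyspace)."""
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)
```

With the cost above, a 20-character password from this alphabet carries about 122 bits, so even an attacker managing a million PBKDF2 guesses per second needs astronomically more time than the six months mentioned; the same function shows a 40-bit password falls in days at that rate.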


Yes. Of course, cloud bad. bad cloud.

So. How do you keep all of your instances of KeepassXC synchronized with one-another?

I have multiple computers and multiple phones, and more often than not they’re on separate networks. I doubt I’m all that unique.

1 Like

This is really up to personal preference. I know some of us use Syncthing for example:

Folks, this discussion is now completely lost—it is no longer about the topic at all and is for example going into “how to keep things in sync without using the cloud”. So I’m going to close it now. I hope everyone learned something new here, and please do open fresh topics for specific issues/discussion.

1 Like