As opposed to self-hosting Bitwarden, KeePass is more secure

This is why I decided to use KeePass rather than Bitwarden with a self-hosted server for my passwords. Passwords should not live in the browser, and my setup must be simple and manageable.

I used to be reluctant to trust hosted password managers (and still am), but eventually I settled on LastPass. Three years ago I switched to Bitwarden, as LastPass kept cutting features and platform support.

The open-source Bitwarden password manager is a drop-in replacement for LastPass. Extensions and apps are available for all common operating systems. The server-side synchronization component is open source too, so the backend can be hosted on your own server.

LastPass recently made its free tier hard to use: either pay up or be restricted to one device type, computers or mobile devices, but not both. That limitation severely diminishes its usefulness. To make matters worse, the service didn't let you choose your device type; it picked one for you.

It was yet another blow to free services. Several popular and formerly free services have imposed limitations in recent years, and LastPass is only the latest. Giving your service away, it turns out, isn't profitable. Who knew LastPass was a business rather than a public good?

Bitwarden compares favourably to LastPass in terms of community involvement. It is a for-profit company too, but one that has to keep its community of users happy, because the source code is open and anyone can fork it. Still, I don't completely trust anyone with my passwords, so I decided to look into self-hosting Bitwarden. It would surely make for an interesting blog post, wouldn't it?

My password store is the crown jewel of my digital assets. I need to keep all 300 of my passwords under lock and key. I believe I'm capable of configuring, backing up, and maintaining a Bitwarden server. What I can't be completely sure of is that it would be secure. With Bitwarden, the vault is encrypted client-side with a key derived from the master password, so even if my server were hacked, the attacker would only get ciphertext. (A compromised server could still serve a tampered web vault to my browser, so the server never drops entirely out of the trust picture.)

After examining this approach for a while, I decided not to self-host a password manager. Keeping a server up to date is a hassle. I would have to commit to regularly reviewing server logs and proactively looking for intrusions, and a password manager would be one more service to watch. I don't need groupware, multiple users, or password sharing. There are too many other projects on my plate, and I simply don't have the time to take this on as an ongoing responsibility.

I've also recently changed my mind about letting my password manager auto-fill in my web browser. Password manager extensions and browsers' built-in password managers are very convenient, but over the years there have been many auto-fill leaks and vulnerabilities in browser-integrated password managers, both built-in and extensions. I'd like to avoid that attack surface altogether.

I had never used a password manager as a standalone app. Something like KeePass seemed outdated to me. That impression was heavily influenced by the design of the original KeePass project website: pinstriped page backgrounds and icon-heavy sidebars just scream 2005 web design to me, and the application itself looks like a Windows 98 program.

You don't have to use the original KeePass, however. There are more than a dozen forks and ports of the KeePass project. I chose KeePassXC for my Mac, Linux, and Windows computers, and KeePass2Android Offline for my Android phone. Both feel more modern, and both read and write the same KDBX database format, so one file can be shared between them without conversion.

As opposed to a hosted password manager, a local password manager stores your passwords in a "secure vault" on your computer. The vault is just an encrypted file protected by a master password (and optionally a key file). Everything lives in that one file. Unless you sync the database to your other devices, keep it in sync over time, and resolve the occasional conflict, your passwords stay on one device. Backups are crucial too.

Thankfully, Syncthing handles all my file synchronization needs directly between my devices. It needs no hosted file synchronization and storage provider as an intermediary, so I don't have to rely on or trust a third-party storage provider. It also handles file versioning for me, which lets me recover from overwritten data or other sync mishaps.

Because I already use Syncthing on all my devices, I didn't need to do anything special to set it up for my password manager. Compared to Bitwarden, this setup is much simpler and leaner. Even if the entire global internet stops working one day, it will keep working on my home network. I wouldn't need my passwords in such an event, but I'd have them anyway.

A KeePass database file also simplifies backups and eventual restores. You do back up your cloud-based password manager, don't you? Since it's just a file, I can back up the password database with the existing backup processes that already cover the files on my various devices. And because it is continuously synced across all my devices, I always have multiple copies. While I was writing this article, my apartment building's fire alarm went off (a false alarm). I put my phone in my pocket, and my password database came along with it.
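A KDBX vault really is a single self-describing file: its outer header is stored in plaintext and records the format version, cipher and key-derivation settings, followed (in KDBX 4) by a SHA-256 of the header bytes. The following script, added here as an example and not part of the original post or of the KeePass/KeePassXC projects, parses that header so you can check a synced or backed-up copy without unlocking it: is the copy intact, is it KDBX 4, and does it use Argon2 with sane parameters? The sample headers it builds are constructed for this example (zeroed seeds, no encrypted body), and the Argon2 thresholds are assumptions, roughly OWASP's published minimum.

```python
# Added example: audit a KDBX (KeePass) file's plaintext outer header without the master password.
# The sample headers at the bottom are constructed for this example; they are not real vaults.
import hashlib
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
AES256_CIPHER = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
KDF_NAMES = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",  # "$UUID" in KdfParameters
             uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
             uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}
VD_INTS = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary integer types
MIN_MEMORY_MIB, MIN_ITERATIONS = 19, 2  # assumed audit thresholds, roughly OWASP's Argon2id minimum

def read_variant_dict(data):
    """KDBX4 VariantDictionary: u16 version, then (u8 type, i32 klen, key, i32 vlen, value)*, 0x00."""
    if (struct.unpack_from("<H", data, 0)[0] & 0xFF00) > 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while data[pos] != 0x00:
        vtype, klen = struct.unpack_from("<Bi", data, pos); pos += 5
        key = data[pos:pos + klen].decode("utf-8"); pos += klen
        vlen, = struct.unpack_from("<i", data, pos); pos += 4
        raw = data[pos:pos + vlen]; pos += vlen
        if vtype in VD_INTS:
            out[key] = struct.unpack(VD_INTS[vtype], raw)[0]
        elif vtype in (0x08, 0x18, 0x42):  # bool, UTF-8 string, byte array
            out[key] = raw[0] != 0 if vtype == 0x08 else raw.decode("utf-8") if vtype == 0x18 else bytes(raw)
        else:
            raise ValueError(f"unknown variant type {vtype:#x}")
    return out

def parse_header(blob):
    """Return version, KDF settings and, for KDBX4, whether the stored header SHA-256 matches."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    major, pos, fields = version >> 16, 12, {}
    while True:  # fields: u8 id, length (i32 in KDBX4, u16 in KDBX3), data; id 0 ends the header
        fid = blob[pos]; pos += 1
        flen, = struct.unpack_from("<i" if major >= 4 else "<H", blob, pos); pos += 4 if major >= 4 else 2
        fields[fid] = blob[pos:pos + flen]; pos += flen
        if fid == 0:
            break
    info = {"version": f"{major}.{version & 0xFFFF}", "kdf": "AES-KDF"}
    if major < 4:  # KDBX3: AES-KDF only, rounds live in header field 6
        return {**info, "rounds": struct.unpack("<Q", fields[6])[0]}
    # KDBX4: SHA-256(header) follows the header (then an HMAC that needs the key; skipped here)
    info["header_hash_ok"] = hashlib.sha256(blob[:pos]).digest() == blob[pos:pos + 32]
    kdf = read_variant_dict(fields[11])
    info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
    if info["kdf"].startswith("Argon2"):
        info.update(memory_mib=kdf["M"] // 2**20, iterations=kdf["I"], parallelism=kdf["P"])
    else:
        info["rounds"] = kdf["R"]
    return info

def audit(info):
    """Findings to act on before trusting a synced or backed-up copy."""
    findings = []
    if info.get("header_hash_ok") is False:
        findings.append("header hash mismatch: this copy is corrupted or truncated")
    if info["version"].startswith("3."):
        findings.append("KDBX 3.x: re-save as KDBX 4 to get Argon2 and an authenticated header")
    if info["kdf"] == "AES-KDF":
        findings.append("AES-KDF is cheap to brute-force on GPUs; switch to Argon2id")
    if info.get("memory_mib", MIN_MEMORY_MIB) < MIN_MEMORY_MIB:
        findings.append(f"Argon2 memory {info['memory_mib']} MiB is below {MIN_MEMORY_MIB} MiB")
    if info.get("iterations", MIN_ITERATIONS) < MIN_ITERATIONS:
        findings.append(f"Argon2 iterations {info['iterations']} is below {MIN_ITERATIONS}")
    return findings

# --- constructed sample headers (zeroed seeds, no encrypted body) -----------------------------
def variant_dict(entries):
    blob = bytearray(struct.pack("<H", 0x0100))
    for vtype, key, raw in entries:
        k = key.encode("utf-8")
        blob += struct.pack("<Bi", vtype, len(k)) + k + struct.pack("<i", len(raw)) + raw
    return bytes(blob + b"\x00")

def build_header(kdf_params, version=0x00040001):
    blob = bytearray(struct.pack("<III", KDBX_SIG1, KDBX_SIG2, version))
    for fid, data in [(2, AES256_CIPHER.bytes), (3, struct.pack("<I", 1)), (4, bytes(32)),
                      (7, bytes(16)), (11, kdf_params), (0, b"\r\n\r\n")]:
        blob += struct.pack("<Bi", fid, len(data)) + data
    return bytes(blob + hashlib.sha256(blob).digest())

GOOD_HEADER = build_header(variant_dict([  # Argon2id, 64 MiB, 10 iterations, 2 lanes
    (0x42, "$UUID", uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes), (0x42, "S", bytes(32)),
    (0x04, "P", struct.pack("<I", 2)), (0x05, "M", struct.pack("<Q", 64 * 2**20)),
    (0x05, "I", struct.pack("<Q", 10)), (0x04, "V", struct.pack("<I", 0x13))]))
WEAK_HEADER = build_header(variant_dict([  # legacy AES-KDF with 6000 rounds
    (0x42, "$UUID", uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea").bytes),
    (0x42, "S", bytes(32)), (0x05, "R", struct.pack("<Q", 6000))]))
CORRUPT_HEADER = GOOD_HEADER[:20] + bytes([GOOD_HEADER[20] ^ 1]) + GOOD_HEADER[21:]  # one bit flipped

if __name__ == "__main__":
    import sys
    for name, blob in (("good", GOOD_HEADER), ("weak", WEAK_HEADER), ("corrupt", CORRUPT_HEADER)):
        print(name, audit(parse_header(blob)))
    for path in sys.argv[1:]:  # a real .kdbx file: only the small plaintext header is read
        print(path, audit(parse_header(open(path, "rb").read(65536))))
```

Run it with the path of a real .kdbx copy (for instance the one Syncthing keeps on another machine, or a versioned copy) to audit it in place. A passing hash check only proves the copy was not corrupted or truncated in transit; the HMAC that follows the hash needs the master key, so this script deliberately does not try to detect deliberate tampering, which KeePassXC itself will catch when you open the file.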

The same simplicity argument doesn't apply to a self-hosted Bitwarden server. In everyday operation I would have only one master copy, on my home server. Backups would need to be carefully exported and verified regularly. That would have been a lot of work.

What about security? The security of KeePass, or of the forks I chose, was not my main concern. We all have to rely on something, and I assume they're safe; evaluating all of them would take years. What worried me most was the clipboard. A standalone password manager means copying plaintext passwords through the clipboard into programs like web browsers, and back into the password manager when saving new ones.

Clipboard security is a big topic, and I ended up writing a separate 2300-word article on it. It is a mostly unresolved issue on desktop, and it can be a problem on mobile too. Ideally, desktop operating systems should add a safer auto-fill mechanism like the ones Android and iOS have. Until we get that, we have to be extra careful about device security, or switch to Qubes OS.

KeePassXC does what it can to keep copied passwords from leaking, however. It clears the clipboard after a configurable timeout, marks the clipboard contents so that Windows Cloud Clipboard doesn't upload them to Microsoft, and asks clipboard history managers not to save them. What it can't do is stop Apple's Universal Clipboard from syncing the clipboard between your Apple devices. Apple's implementation transfers the data over your local network, end-to-end encrypted, which is not the same thing as Windows Cloud Clipboard. See the clipboard article mentioned above for details.

With the tools and devices I use every day, KeePassXC turned out to be the right fit for me. It's probably not for everyone, but you can try it yourself. It supports importing from and exporting to many other password managers, so migrating is straightforward. Treat any unencrypted export as sensitive: keep it out of synced or backed-up folders, and delete it securely once the import is done.