Hacker News | baal80spam's comments

That's why KeePass is still the king. Offline vault > online vault.

I mostly agree! However, I plan on posting an article on HN soon discussing some of the issues with the .kdbx file format that KeePass and derivatives use within the next couple of days. KeePass has such great potential, but falls short compared to some of its (local) competitors.

Which local competitors do you recommend? Is a text file one of them?

I don’t recommend any of them. Some of them have critical metadata leakage issues (Pass and derivatives, which leak the number of accounts & their names) and most others are not open source—an immediate disqualification for a local password manager. KeePassXC is my choice on desktop. Keepassium on iOS.

Looking forward to

What to do if my house catches on fire, including my computer where the passwords are stored?

I recently orchestrated this, although in my case I've chosen to use 1password's cloud based store as my primary secret store, so I'm accepting some exposure right off the bat that you might not be comfortable with.

I've documented the recovery process here: https://docs.eblu.me/how-to/operations/restore-1password-bac...

Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...

The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.

It was fun to build!


Just a heads up, fireproof safes are not failure proof; you should have that key securely stored somewhere else as well.

Thanks, it's also available via my 1password cloud account, so it'd have to be a joint fire at my home and the 1password data center (and my phone, for that matter). Pretty bad day I feel.

Unrelated note: this was the first time I've linked to my static generated docs for this project and it was really fun watching the grafana dash of my fly.io nginx proxy pick up all the scraping traffic. Thanks for warming my cache :) I work with this tech all the time at my day job but this is the first time I've hosted something from my home, it's genuinely made my afternoon to see it light up.


It’s just an encrypted file on disk. You’d depend on whatever backup solution you already have in place.

I sync the database to my phone, and a couple of other devices too with syncthing. I need it on my phone anyway to log into accounts while I'm out and about.

What clients are you using? Trying syncthing with synctrayzor on my Windows boxes and Synctrain on my iPhone, and it's mostly alright but still a little spotty.

I'm also using Synctrayzor on my Windows 10 machine. I'm on Android using the official Syncthing app there as well as on Linux. It sometimes takes a while for them to discover each other, and it of course works better when all the devices are on my home network. The only real problem I've encountered is when filenames have special characters another OS doesn't like.

Well, the same issue exists for your BitWarden recovery keys or 2fa method. You need to have proper and redundant off site backups for anything valuable.

Not exactly. I need to have those offsite, but they are not modified at the same frequency as passwords.

How often do you change your passwords? Assuming they are decently long and all that, why would you change them at all other than when a site gets breached?

The only reason my Keepass database changes is because I make new accounts on sites every now and then, and that's a fairly rare thing these days. And if I get so ungodly unlucky that my house burns down before my off-site database is updated to have that new account listed, I'll still have access to the email that account is associated with, so I can still recover the account either way.


Every time I add an account, for one. And there are still plenty of (dumb) sites which force me to change my password and sometimes username periodically.

Keeping an offsite database in sync is tedious, especially if it's delivered via sneakernet.


I add an account to that database maybe twice a year, probably less. Do you make a lot more accounts than that?

The off-site solution I have updates a lot more often than that, although that's only because only the really important stuff is backed up in that way; the stuff I truly need to survive my house burning down.


I take it that you don't have children?

I'm almost done with that aspect of my life now, but every school year it feels like there's a new slate of apps, parent communication portals, etc. I need to manage these as well.

It's way more often than twice a year for me. And it's accelerating.


I don't, and now I have yet another reason not to.

Fair enough, but it’s genuinely super easy to have a regular copy of your password manager saved in the cloud. You can also have a less frequently updated version stored somewhere physical that isn’t your house. My house burning down has never been a concern for me, as I’ve taken the proper precautions for my data.

Off-site backup.

One of the things the article touches on is encouraging these vendors to migrate their customers to more secure/modern security standards. How is this handled with KeePass with it being, by its very nature, decoupled?

Not the parent, but a heavy user of Keepass. When you unlock your database, you can re-key it with several options for encryption algorithm, key derivation, and the transform rounds. I also have it set up with my Yubikeys as a kinda-sorta two factor for an added layer of security.

To keep the encryption modern, regular updates are made to the program, and any migration would happen when re-encrypting the database. Checking my earliest entry, I've used it for 15 years without a hiccup.
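A check that goes with the re-keying described above, as an added example (not code from the thread or from the KeePass project): the KDBX 4 outer header is unencrypted, so the cipher and key-derivation settings can be read without the master password, which is a quick way to confirm that a re-key actually moved a database to Argon2 with the parameters you chose. The header bytes below are constructed in-file for the example and are not a real vault; the threshold values in `assess` are this example's own choices, not KeePass or KeePassXC defaults.

```python
"""Inspect a KDBX 4 outer header and report cipher and KDF settings.

Added example, not the thread's or KeePass's own code. Sample headers are
constructed below; no real database is read or written.
"""
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67

# Well-known KeePass identifiers for ciphers and key-derivation functions.
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
# VariantDictionary value types used by the KDF parameter block, and header field ids.
T_U32, T_U64, T_BYTES = 0x04, 0x05, 0x42
F_END, F_CIPHER, F_KDF = 0, 2, 11


def parse_variant_dict(data):
    """Decode a KDBX 4 VariantDictionary: u16 version, then (type, name, value) entries."""
    pos, out = 2, {}  # skip the 2-byte version word
    while data[pos] != 0:  # a zero type byte terminates the dictionary
        vtype = data[pos]
        nlen, = struct.unpack_from("<I", data, pos + 1)
        name = data[pos + 5:pos + 5 + nlen].decode("utf-8")
        pos += 5 + nlen
        vlen, = struct.unpack_from("<I", data, pos)
        raw = data[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype == T_U32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == T_U64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:
            out[name] = raw  # byte arrays ($UUID, salt) are kept raw
    return out


def inspect_kdbx_header(blob):
    """Walk the unencrypted outer header and return cipher/KDF names plus KDF parameters."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2) or version >> 16 != 4:
        raise ValueError("not a KDBX 4 file (KDBX 3.x uses a different header layout)")
    pos, fields = 12, {}
    while True:  # each field: 1-byte id, 4-byte little-endian size, data
        fid = blob[pos]
        size, = struct.unpack_from("<I", blob, pos + 1)
        fields[fid] = blob[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == F_END:
            break
    kdf = parse_variant_dict(fields[F_KDF])
    return {
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[F_CIPHER]), "unknown"),
        "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
        "params": {k: v for k, v in kdf.items() if k != "$UUID"},
    }


def assess(info, min_memory=64 * 2**20, min_iterations=2):
    """Return findings a re-key should clear. Thresholds are this example's own choices."""
    findings = []
    if info["kdf"] == "AES-KDF":
        findings.append("AES-KDF is the legacy KDF; re-key to Argon2")
    elif info["kdf"].startswith("Argon2"):
        if info["params"].get("M", 0) < min_memory:  # "M" is memory in bytes
            findings.append("Argon2 memory below %d MiB" % (min_memory // 2**20))
        if info["params"].get("I", 0) < min_iterations:
            findings.append("Argon2 iterations below %d" % min_iterations)
    if info["cipher"] == "unknown":
        findings.append("unrecognised cipher ID")
    return findings


# --- constructed sample headers (example only; not real vaults) ---
def _entry(vtype, name, value):
    packers = {T_U32: lambda v: struct.pack("<I", v), T_U64: lambda v: struct.pack("<Q", v)}
    raw = packers.get(vtype, bytes)(value)
    return (bytes([vtype]) + struct.pack("<I", len(name)) + name.encode()
            + struct.pack("<I", len(raw)) + raw)


def build_sample_header(cipher_uuid, kdf_uuid, params):
    """Assemble a minimal KDBX 4 outer header with the given cipher and KDF settings."""
    vd = struct.pack("<H", 0x0100) + _entry(T_BYTES, "$UUID", kdf_uuid.bytes)
    vd += b"".join(_entry(t, n, v) for n, (t, v) in params.items()) + b"\x00"
    field = lambda fid, data: bytes([fid]) + struct.pack("<I", len(data)) + data
    return (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)
            + field(F_CIPHER, cipher_uuid.bytes) + field(F_KDF, vd) + field(F_END, b"\r\n\r\n"))


MODERN = build_sample_header(
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"),
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"),
    {"S": (T_BYTES, b"\x5a" * 32), "P": (T_U32, 2), "M": (T_U64, 64 * 2**20),
     "I": (T_U64, 10), "V": (T_U32, 0x13)})
LEGACY = build_sample_header(
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"),
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"),
    {"S": (T_BYTES, b"\xa5" * 32), "R": (T_U64, 60000)})

if __name__ == "__main__":
    for label, blob in (("modern", MODERN), ("legacy", LEGACY)):
        info = inspect_kdbx_header(blob)
        print(label, info["cipher"], info["kdf"], info["params"], assess(info) or "OK")
```

On a real file, `inspect_kdbx_header(open("vault.kdbx", "rb").read())` is enough, since only the header is parsed; the example deliberately rejects KDBX 3.x headers, whose fields use a 2-byte size and keep the transform rounds in a separate field, so a KDBX 3.x vault is itself a sign that the database has not been re-keyed to the current format.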


KeePassXC can even still be online, too; example: https://logandark.net/passwords.kdbx

It's not centralized, of course; you still have to download the entire database, and then potentially upload the entire database again for any changes; but it doesn't have these vulnerabilities.


Haha this was a powermove. It is genuinely great that since it’s just a file you can host it anywhere you want. S3, WebDAV, your own site. I personally use copyparty and WireGuard for my kdbx file. I find it better than syncthing because there’s an obvious master copy (edited in place), and there’s no good way to keep syncthing running all the time on iOS, which can lead to sync conflicts.

Yeah, some people even upload their KDBX files to github (in public repos, no less).

Just how do you use copyparty and WireGuard for this? If you could kindly elaborate on that, please.

Hello. I use copyparty on my LAN hosting the kdbx file. It is exposed via WebDAV for my phone's client (Keepassium). It is always available for KeePassXC (you can use rclone or just WebDAV in the file explorer). This is backed up to B2 every hour. I use WireGuard to access the LAN when I am not home. My phone autoconnects to WireGuard as soon as it is on any network that is not my home network.

I sometimes casually include tokens in my comments (changing a few characters here and there) to make people gasp but parent is taking it to a different level.

My CEO writes such messages. It's so cringe.


It's not them, it's you.

Stacker and Doublespace!

memmaker and qemm

Well put. Of course no one says that this will increase clothing prices for everyone.

Raising the landfill tax or carbon tax will also increase the price of clothes.

This might only increase the price of already expensive items, a t-shirt from H&M won't go up in price because of this.


Whenever I see "modern Windows experience", it always turns out to be worse than the original one.

I take your point, and usually you're right, but in this case "modern features" includes things like having an "extract" button show up when you right click an archive file in Explorer.

You can have that, and in an even better way: Simply disable the blight that is Windows 11 context menus and go back to real context menus.

I’m not even joking, they are basically superior in every way. They open faster, they have only one visual axis and they support all the shell extensions you remember. (Too many shell extensions could make them just as slow though.)


OK, I had no idea Windows 11 doesn't have it. I am on Windows 10, and then it's Linux/MacOS for me.

I would agree normally, but this one is a nice change and upgrade, actually.

Well yeah, it says "modern" not "better".

Modern Windows and OS X and Android and iOS are all worse than the old ones.


I for one welcome our new AI overlords.

> it intensifies work, and shortens time to burnout

This is most likely correct. Everyone talks about how AI makes it possible to "do multiple tasks at the same time", but no one seems to care that the cognitive (over)load is very real.


IME you don't even have to do multiple things at the same time to reach that cognitive fatigue. The pace alone, which is now much higher, could be enough to saturate your cognitive capabilities.

For me one unexpected factor is how much it strains my executive function to try and maintain attention on the task at hand while I’m letting the agent spin away for 5-10 minutes at a stretch. It’s even worse than the bad old days of long compile times because at least then I could work on tests or something like that while I wait. But with coding agents I feel like I need to be completely hands off because they might decide to touch literally any file in the repository.

It reminds me a bit of how a while back people were finding that operating a level 3 autonomous vehicle is actually more fatiguing than driving a vehicle that doesn’t even have cruise control.


For me it's the volume of things that I am now capable of doing in a much shorter amount of time - this leaves almost no space for resting but incurs much more strain on my cognitive limits.

"It reminds me a bit of how a while back people were finding that operating a level 3 autonomous vehicle is actually more fatiguing than driving a vehicle that doesn’t even have cruise control."

This is a huge insight and very philosophical in relation to the question of "which skills shall we still retain, and is this a general threat (perhaps not) to the majority of traditional skills?"


> But with coding agents I feel like I need to be completely hands off because they might decide to touch literally any file in the repository.

Why not just have another worktree?


So the thing about task switching is, everyone is bad at it. And the studies indicate that people who think they’re good at it are even worse at it.

I was responding to:

> It’s even worse than the bad old days of long compile times because at least then I could work on tests or something like that while I wait.

To me it seems like the exact same context switching situation that it always was.


Not exactly maybe.

Different worktrees can still lead to possible merge conflicts later. This may get messy.

Working on tests during compilation seems like a more separate task.


If I’m writing tests and implementation for the same problem, there isn’t so much context switch. Same business domain, same domain model, same API, same contract and invariants. I’m just switching between taking the measurements and making the cuts. Which is a smart thing to do anyway because you can accumulate a lot of need for rework very quickly if you make a bunch of cuts in a row without stopping to confirm you’re making them correctly.

Are you me?

Well, technically from 3.1 but everything else checks out.


I'll patiently wait for the "goalpost moving olympics" after this is published.


The goalposts have been on wheels basically since the field was born. Look up "AI effect". I've stopped caring what HN comments have to say about whether something is or isn't AI. If it's useful to me, I'm gonna use it.

