Comment by jillesvangurp
6 hours ago
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non-technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iPhone and iPad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self-hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of users' data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
There has always been more nuance. The notebook is basically air-gapped, but since using it is painful, most will rely on shorter, simpler passwords and reuse them. That practice is highly insecure and was even more problematic in the days before widespread 2FA on the more crucial online services. As a teen I could have had, for instance, Blizzard get breached and collaterally lost all of my CS:GO skins.
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use than other password managers once you set it up.
Ehh... much as I love Syncthing, I wouldn't recommend it to non-technical people. I mean, here the dad has Android, the mom iPhone, and they want to sync a keepass file? Maybe with a browser add-on on a desktop as well? And the most popular third-party Android app is discontinued (I use the nerdily named syncthing-fork) and the iOS apps I never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.