splitbrain.org

electronic brain surgery since 2001

Password Manager Woes

For many many years my password management looked like this:

For the majority of passwords I used a stateless password management system. It takes the domain name of the site I want to login at and my master password and creates a new password to be used for that site. Simple and does not require storing or syncing anything. I blogged about it a long time ago.

But it has its disadvantages. When sites have special password requirements, that may not work, or it requires non-standard hashing options, which again requires you to remember that you used them. It's also inconvenient because you need to retype your master password for each login instead of just “unlocking” once per browser session.
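As an added illustration (this is not the author's tool and not code from the post linked above), here is a minimal stateless scheme of the kind described: the site password is derived with PBKDF2-HMAC-SHA256 from the master password, salted with the normalized domain. The function names, the alphabet and the default options are assumptions. The salt deliberately binds every option, which makes the drawback visible: anything you change to satisfy a site's policy (length, character set, iteration count) yields a completely different password, so you have to remember that you changed it.

```python
import hashlib
import string

# Added example: a minimal stateless password scheme of the kind the post
# describes. Not the author's tool; names, alphabet and defaults are assumptions.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def normalize_domain(url_or_host):
    """Reduce 'https://www.Example.com/login' to 'example.com' so the same site
    always yields the same password. Caveat: keeping only the last two labels
    is wrong for suffixes like 'co.uk'; a real tool should use the public suffix list."""
    host = url_or_host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def derive_password(master, domain, length=20, alphabet=ALPHABET, iterations=100_000):
    """Derive a site password from the master password with PBKDF2-HMAC-SHA256.

    The salt binds the site and every option, so the same (master, site, options)
    always gives the same password, and changing any option to satisfy a site's
    policy gives a completely different one. That is the state you must remember."""
    site = normalize_domain(domain)
    salt = f"{site}|len={length}|alphabet={alphabet}|iter={iterations}".encode()
    limit = 256 - (256 % len(alphabet))  # reject bytes that would bias the modulo
    out = []
    block = 0
    while len(out) < length:
        # Derive 64 bytes per block; a further block is only needed if rejection
        # sampling left us short of the requested length.
        key = hashlib.pbkdf2_hmac(
            "sha256", master.encode(), salt + block.to_bytes(4, "big"), iterations, dklen=64
        )
        for b in key:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample input
    print(derive_password(master, "https://www.example.com/login"))
    # A site that only allows a 6-digit numeric PIN needs different options,
    # and you must remember that you used them for that site:
    print(derive_password(master, "bank.example", length=6, alphabet=string.digits))
```

Nothing is stored, which is the appeal; the cost is that the domain normalization and every option are part of the secret's definition, and a site that changes its password policy forces you to either remember the new options or keep a note, which is exactly the state the scheme was meant to avoid.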

So in recent years, I often just let my Chrome browser store passwords for me. Thanks to Google's syncing mechanisms I magically had them available on all my devices and the autofill mechanisms are really handy. Of course this locks me tightly into using Chrome. Switching to a different browser is a huge pain.

In addition I had about two dozen passwords stored in a KeePass database that I synced via Dropbox and that I primarily accessed on my Android phone via Keepass2Android. It contains rarely needed passwords that are not necessarily web related (like my SIM card PIN).

At work we're using 1Password. It's a bit clunky sometimes but works fine. So I was thinking to maybe consolidate my password management in a similar system.

Bitwarden

Bitwarden seems to be the most popular suggestion…

Unfortunately it's not so easy. It turns out my requirements are a bit peculiar:

  1. I want to self-host the password database
  2. I want good integration (autofill, create, edit) in all common desktop browsers (at least Chrome and Firefox)
  3. I want good integration into Android browsers and applications
  4. Ideally I also want a web based interface
  5. I do not want to host the password database on the open internet. I want it hosted inside my local network and have clients sync with it when home.

Number 5 is of course the one thing that makes my requirements tricky.

On first look, it seemed that Bitwarden (and its lightweight API server clone Vaultwarden) would fit all those requirements - after all, the browser extensions and the Android app keep their own encrypted copy of the vault. Once synced, you can access your passwords even when completely offline. However, where it falls short is when you want to create a new entry. This is only possible when the central server is reachable. The Bitwarden protocol is simply not a two-way sync protocol.

KeePass Ecosystem

People on Mastodon suggested using KeePass instead. As said above, I am familiar with that solution. It's one of those typical open source experiences: nearly there, but a convoluted mess on closer look.

KeePass is not a network API, but a file format. So syncing your passwords is not really in scope. At least the file format has been built robustly enough to make file-system-based syncing easy. As mentioned, I used Dropbox in the past; many people suggest Syncthing as a good alternative.

On Android, the Keepass2Android app can actually take care of talking to different network providers. However, I am not sure how I would get the app to integrate as a password manager into Android browsers like Chrome. The app is not listed as an available password manager in the Android Settings. There's something in the plugin list that suggests integrating via Android Accessibility Services, but that link is a 404.

Update: turns out the app can be registered as autofill application in Settings → App → Password Entry → AutoFill Service

On the desktop there are various available applications. keepass, keepassxc and secrets are in Arch's official repos and there are a few more options in AUR. KeePassXC seems to be the recommended solution here. The app seems okay, though the way additional attributes are shown on a different tab than the actual entry is a bit annoying.

There is also a web interface called KeeWeb. This one seems to integrate with storage providers (at least Dropbox) and also seems to be available as a PWA. I am not 100% sure what the difference is between the PWA version and the full install, yet. It's an option at least.

Finally there's the desktop browser integration. Again there are at least two Chrome extensions, one from KeePass and one from KeePassXC. But both seem to work the same: they do not implement KeePass file handling themselves. Instead they require you to install the desktop application and have it running, then the extension talks to the desktop application (I think via HTTP??). I really don't want to install and run an additional application next to my browser on all my machines.

I don't know. I find the whole thing extremely fiddly.

What now?

I don't really know. Currently I see the following options:

  1. Continue to use the Chrome password manager and if I ever want to switch ecosystems buy into whatever the next browser offers
  2. Set up Vaultwarden on my internet reachable server
  3. Spend more time fiddling with the KeePass ecosystem

But maybe I overlooked another solution in this space?

Tags:
passwords, security, keepass, bitwarden, vaultwarden, software, rant