I’m reasonably certain KeePassium was previously listed somewhere on the Guides. The reason being, I hadn’t heard about it before coming across the app in recommendations and adding it to my notes. But I failed to find mention of it in Internet Archive snapshots of the Password Manager page.
I don’t see KeePassium in recommendations now. Is there new information to factor in when considering using this app?
context
Shortlisting options for my transition from Authy where I currently manage some TOTP.
Other TOTP also managed in a .KDBX.
Authy has, until now, housed those TOTP which I could use on-the-go (thus needing a client on mobile), or for those services which only display QR codes during TOTP setup (not giving me a secret key which can be plugged straight into KeePassXC).
main criterion to be improved
make data portable: Authy data is not portable
candidates
Bitwarden
already use it
supports TOTP
reluctant to break some MFA by including TOTP alongside their passwords. Risk may be mitigated by protecting Bitwarden with hardware key.
KeePassium:
can combine TOTP from Authy into existing TOTP/recovery key storage .KDBX file
syncing will need infra that wouldn’t be necessary using Bitwarden.
We compared Strongbox and KeePassium and decided that Strongbox offered more features in both the free and paid versions (such as not being restricted to one database).
At this point, I think Strongbox is enough, as it fits the niche that we wanted to cover (KeePass compatible app for iOS).
I can’t comment on that as I haven’t used those apps.
Thanks for finding and sharing this. I was not aware GitHub Discussions were also used as a channel by this project.
I find that, especially when few options exist which satisfy privacy and security criteria, exclusions are implied to not be trusted.
From the above discussion, I understand that options aside from Strongbox are not listed because Strongbox was deemed more feature-complete compared to alternatives on the iOS platform.
But, once minimum privacy and security criteria are satisfied, I would prefer to choose my own user experience. I see this preference reflected in another thread about Mullvad Browser:
At this point, I’ve used neither KeePassium nor Strongbox. I have use cases and am using privacyguides.org to find trustworthy candidates that may satisfy these requirements. If KeePassium is known to be privacy-friendly, then I’ll be able to consider it a potential alternative to Strongbox Zero. Otherwise, my candidates are just Strongbox and Strongbox Zero.
We don’t review every app with privacy marketing, because time is a finite resource. Exclusions are weakly implied to not be trustworthy, unless you can prove it is. Inclusions are strongly implied to be trustworthy.
Following the earlier conversation on this thread, I chose Strongbox. Though, I continued collecting data on KeePassium. I found more ongoing positive signals from the KeePassium developer, and eventually swapped out Strongbox for KeePassium.
Yeah, functionality is pretty much the same apart from using multiple databases.
Unfortunately only one database for the free version is a huge turn down for me.
Use cases vary, though it’s worth noting that the limitation of 1 database on free becomes less noticeable if, for example, only 1 database needs to be on the mobile device with KeePassium and the rest are fine being used only elsewhere.
Hey everyone, just wanted to mention that KeePassium has successfully passed an independent code audit, and remains committed to open source.
In the meanwhile, it’s been months since Strongbox was caught lying about being open source. Yet this site still endorses Strongbox and keeps KeePassium delisted. By now, this weakly implies more about PrivacyGuides than about KeePassium.
This is indeed unfortunate. There is an open thread here about removing Strongbox, but it seems to have stalled until the thread on requiring open-source password managers here is resolved.
While I do appreciate the heads up and agree that we should move forward (welcome to the forum, btw!), I must say that I dislike that the first message of a project joining up on our forum has to carry such a negative tone.
PrivacyGuides is a big project with many things that need to be maintained by many people; sometimes stuff can slip between the cracks and take longer than we would want.
How much would the audit results apply to the macOS version? Also, will the macOS version be released on the Mac App Store at some point? Last I checked, it’s a beta release distributed over GitHub.
I must say that I dislike that the first message of a project joining up on our forum has to carry such a negative tone.
That’s unfortunate, but my sentiment only reflects the official PG comment above, which implied KeePassium to be not trustworthy — without any reason or fault on our side.
A few users asked me why KeePassium is not listed on PG, so I took some time to track the history:
Sep 2022: Strongbox is selected by PG on the basis of “more features” and “is enough”. (By the way, “features” are not among PG’s evaluation criteria.)
[Time unclear]: Apparently, KeePassium gets delisted as redundant. (Bitwarden and 1Password remain side-by-side on the same page.)
Apr 2023: This thread starts
Jonah confirms that “Strongbox is enough” was the entire extent of how deeply PG looked into KeePassium.
Jonah: We could look into KeePassium if you show what’s wrong with Strongbox. (Try reading this as: “We could look into Proton if you show what’s wrong with Tuta.”)
Jonah weakly implies KeePassium is not trustworthy, unless proven otherwise. (Guilty unless proven innocent, anyone?) But PG won’t spend the time to review it.
Jul 2023: Someone defends KeePassium in the original evaluation post. At the time, GitHub discussions are being phased out, so Jonah redirects the user to the new forum and they never follow up.
Jul 2024: Strongbox is caught lying about being open source.
I ask Jonah if this qualifies for “what’s wrong with Strongbox”. No response.
Strongbox remains recommended.
Aug 2024: The vote to remove Strongbox fizzles out after 3 weeks, without any comments or actions from PG team.
Nov 2024: PG still declares it prefers open-source projects. Still recommends the proprietary one.
PrivacyGuides is a big project with many things that need to be maintained by many people; sometimes stuff can slip between the cracks and take longer than we would want.
A two-year history of accidentally falling through the cracks, time after time, against all the odds. Let’s hope this is just an isolated case and no other projects have to explain PrivacyGuides’ oddly-shaped cracks.
As I said, by now this tells more about PG than about KeePassium.
In addition to @KeePassium’s post, I thought I would link to the below thread. Users requesting the addition of KeePassium on the basis of it being open source may also find this thread interesting.
I am curious - with Apple’s release of its own password manager - would it be preferable to use the Apple application? One less party to trust, but I don’t think it would meet the cross-platform criteria.
There is no consensus on open source needing to be a requirement. Please leave that discussion in that thread.
To quickly answer @KeePassium’s pushy posts: no, this does not affect the listing of Strongbox, as open source is not a criterion at this time. I also remind you of our community guidelines. We do not allow competing projects to bring other recommendations into discredit.