Now that it has come to light that Strongbox is not an open source password manager, even though they misleadingly claim so, I suggest that we stop recommending it and instead take a closer look at KeePassium, and consider whether we want to recommend it over Strongbox. Here is also a relevant thread where a user and the Strongbox developer discuss this matter, which @Jonah has already called: “informative, and unfortunate”. I don’t think it would be wise to continue recommending Strongbox because it’s developed by a single developer, and if we can’t fully audit the code, we have to take his word that he’s not doing anything malicious.
I don’t think this is necessary to remove Strongbox. The way I see it, if Privacy Guides is going to recommend only one iOS KeePass client, it should be the open source one. Not the one that lies about being open source.
Nothing to deal with there, 1Password at least doesn’t advertise itself as open source. It can be suggested through its reputation but not recommended as long as we have good open source alternatives.
For Strongbox, I believe it is a big foul to promote itself as open source while in reality not following open source principles. Password managers are one of the sensitive topics that require transparency.
We should really be looking at KeePassium for iOS and perhaps list it as the recommended option.
Strongbox can still be listed but fall under the 1Password category, suggested but not recommended.
Given that Strongbox is the recommended application for iOS and macOS, I believe we should defer transitioning to KeePassium until the latter’s macOS application exits its beta phase. Additionally, I concur that open-source status is not currently a requirement.
PrivacyGuides already recommends KeePassXC, which also has a client for macOS, so this shouldn’t prevent us from recommending KeePassium.
Also, the general criteria already states that “Open-source projects are generally preferred over equivalent proprietary alternatives,” so this should be enough to change the recommendation from Strongbox to KeePassium.
However, the reason for changing the recommendation in this case has less to do with Strongbox not being open source and more with the fact that they claim to be open source when they are not. So, there is now a clear trust issue, which we should take seriously, considering that we are talking about products that store sensitive data.
When PrivacyGuides chose to recommend Strongbox over KeePassium, the choice could probably have gone either way since they both were good password managers at that point. However, the current situation is drastically different, which is why we can and should change the recommendation if we notice that the alternative has become a better product than our current recommendation.
Also, just because Strongbox technically meets the requirements shouldn’t mean we must recommend it. After all, PrivacyGuides also used to recommend KeePassium before removing it to simplify the recommendations.
I acknowledge that my previous statement may have lacked precision. I have no objections to the removal of Strongbox from the list of recommended applications, nor to the inclusion of KeePassium. I lack personal experience with either application, as neither functions cross-platform. Indeed, I was unaware that KeePassium had previously been recommended. To my understanding, one of Strongbox’s advantages over KeePassium is its ability to synchronize between iOS and macOS, a feature that many users likely consider essential, particularly when compared to cloud-based password managers.
Nevertheless, I understand the concerns regarding Strongbox’s purported open-source status, which appears to be misleading. This discrepancy has understandably led to a degree of distrust towards the developer. Such misinformation does justify the removal of Strongbox from the recommendation list. I would appreciate a more definitive statement from the developer on this issue, beyond what is available on GitHub, particularly regarding his stance on not fully open-sourcing the application in the future.
I completely agree, it should be removed, or at the very least a banner warning should be added about the fact that you can be misled and that it’s not actually open source.
I don’t know, I believe the community needs to step up and put pressure on good projects like Strongbox, making them better by “forcing” them to be transparent.
If we remove it, or not recommend it and just have it as honorable mention, maybe we could achieve something like that.
But sometimes it feels that this community is sponsored, by projects like Proton or Brave, and even Strongbox now.
As far as I know, none of the services mentioned have ever provided financial funding to Privacy Guides, either now or at any point in the past. Please correct me if I’m wrong.
I understand why it might seem like certain projects could have sponsors, but let’s clarify the situation, especially considering that a representative from MAGIC Grants, who plays a key role in supporting PrivacyGuides, is a Verified User.
PrivacyGuides has a partnership with MAGIC Grants, a Public 501(c)(3) charity. This structure was intentionally chosen to minimize administrative overhead and allow the project to focus on its core mission: creating educational materials and providing security and privacy recommendations. MAGIC Grants exists to support projects that truly make a difference in the community and protect privacy rights, without any commercial interests.
The presence of a MAGIC Grants representative on the forum, such as Justin Ehrenhofer, serves as evidence that PrivacyGuides maintains its independence and works in the community’s interest, not for sponsors. There is transparency.
Instead of assuming there’s sponsor influence, let’s discuss how we can continue to support projects that deserve our trust and how we can make them even better.
Agreed, @mentalfoss said “feels like” to indicate that they don’t actually think those projects sponsor PG, but rather to convey their feeling that PG is overly supportive of those projects.