One of the most important things you can do to protect yourself online is to ensure that your passwords are not the same on every single service. Same thing with your user names. It's really hard for a hacker or whatever to get your personal information across all of your services if your password is different across every site. Unfortunately, it is really hard for you to have truly secure passwords that are different on every single site and actually remember them. Now, in the olden days, you would just write these things down on a piece of paper. And while that is probably something you could still do, I know a lot of people still do this. It's not the most secure, obviously. And it has the potential of getting lost, right? It could get damaged, or any number of things can happen to your passwords on a piece of paper. Plus, if you're anything like me back in the day, you probably wrote all these things down in a notebook. And over time, that notebook probably got a little bit disorganized. So the whole manual way of using a password manager isn't the best way of doing it.
Fortunately, there are many different software password managers out there. Now, we've obviously heard a lot about LastPass in the last couple of months because of the data breach and stuff like that. And I am not going to recommend LastPass to anyone ever again. I don't think it's a good service. I don't think that they have really good security protocols in place to protect users' data. I think overall, no one should ever use LastPass. Luckily, there are some open source alternatives to LastPass and 1Password and stuff like that that I can recommend. So today, we're going to compare two of them. Now, these are the most popular ones as far as I'm aware. One of them has been recommended to me over and over again. The other one I've actually been using for two years. And those applications are called KeePassXC and Bitwarden. So today, we're going to do a little bit of a versus.
We're going to compare and contrast these two very popular password managers and see if you can determine between them which one is right for you. So before we start off and get into the details, the first thing that I want to talk about is the major difference between these two password managers. And that is that KeePassXC is 100% local, meaning that there is no synchronization service. There is no server somewhere on the internet where all of your passwords are stored. None of that stuff. Everything is stored in a database that you have complete control over that is stored on your computer or wherever you want to store it. Now, this gives you a lot of flexibility, but it also has some drawbacks which we'll talk about later.
Bitwarden, on the other hand, is a service. And what I mean by that is that, by default, it will take your passwords from an account that you sign up for and synchronize them to the cloud, where you can then access them from any device. And obviously, the elephant in the room here is that you do not have control over that service. Now, Bitwarden is 100% open source. They do have independent audits on all of their software. So out of all of the password manager services out there, this is the one that I trust the most. So I don't see it as a downside that you sync your passwords to a cloud server. Now, like I said, obviously there are pros and cons to both of these approaches and we'll talk more about them as we go along here. But I wanted to take that and put that difference right up here at the top because I think it's probably the most important thing.
Now, let's go ahead and jump into KeePassXC. And I'm gonna spell this out for you because I'm for sure going to have a problem saying this. I'm having a really hard time talking today. Words are just not my forte for whatever reason. So KeePass is spelled key, K. See, this is what I'm talking about. K-E-E-P-A-S-S-X-C, as in the letter C.
You'll probably hear me say KeePass XE because apparently C and E are exactly the same letters in my little brain. So if I say that, just know that I made a mistake. It's KeePassXC. Now, KeePass is an interesting application in that it is just one of many different versions of KeePass out there. KeePassXC is one, there's KeePassX, there's KeePass XD or something like that. There's probably six or seven different versions of KeePass. From what I can tell, KeePassXC is the most popular of all the KeePass forks. Whether or not that's actually true, I don't know. It's just been the one that's been most recommended to me. So that's the reason why I'm comparing this version instead of one of the others.
So when it comes to availability, KeePassXC is available on Mac, Windows, and Linux. It is not available on mobile devices. So in terms of availability, it's a little bit constrained. Now, that being said, there are KeePass alternatives on mobile devices. At least there is on Android. And you should be able to find some application that will read a KeePass database and get your passwords on mobile. It shouldn't be that hard. They should be intercompatible. And I say should be knowing that I didn't test that. So that's kind of your mileage may vary. But for sure, it's available on Mac, Linux, and Windows.
Now, in terms of synchronization, this is where it's going to be a little bit different than Bitwarden in that, like I said, this is 100% local. So any synchronization is completely done on your end. So if you wanted to have your database available on multiple devices, you can actually take your database directory or file and move it from one computer to another computer if you want to do that. And that's the way you'd synchronize it. Obviously, you could also put your database in like a pCloud or Google Drive or Dropbox or something and have it synchronized that way.
Of course, then you're going to be relying on the security of your Dropbox or whatever to protect those passwords. Now, the database itself is encrypted and you can play around with what type of encryption that is. By default, I believe it offers 256-bit encryption. So it is highly encrypted.
The initial setup is fairly simple. You enter an email and a password and this is your master password. This is the one password that you have to remember, obviously, because in order to actually get into your vault, you have to be able to remember that password. Now, the one thing that is different here compared to Bitwarden, as you'll see, is that KeePass lets you use any password that you want. It does warn you if you use a weak password, but it allows you to use whatever password. So I was able to use a three-letter password, all of it lower case, very simple. And that's not obviously the best master password out there, but it allowed me to do it. So the initial setup is very, very easy. The other thing that you'll obviously have to do is choose where to put your directory or your database directory. And it brings up a file picker. You can choose wherever you want to put it, whether it's on your local drive or in a cloud drive or whatever. You can store it anywhere you want. Obviously, you want to keep track of it.
So let's get into a little bit of the password creation and some of the features that KeePass XE has. So it does offer TOTP support. So if you want to set up any of your accounts for two-factor authentication, you can do so. I'm not sure how well that's supported outside of KeePass. So for example, I know Bitwarden also supports this and you're able to use it on a lot of different services. It works fairly well, but there are some services with Bitwarden that it doesn't work with for whatever reason. Those services are usually ones that prefer using Google Authenticator. I'm assuming, this is an assumption here, that KeePass has the same issues.
It will probably work for most services, but you'll probably find that there'll be some services where the two-factor TOTP functionality just doesn't work. But again, it's nice that that feature is there. Another thing that it obviously allows you to do is import and export from other password managers. So if you have a CSV from like LastPass or something, like say you're leaving LastPass and wanting to come to this password manager, you can import a CSV file or several other different types of files into KeePassXC and therefore you don't have to enter your passwords one by one into a new database. It should input them along with all the fields that you'd normally expect in a password manager right into your database. So that is nice as well.
So let me show you some of the other features. So I'll enter my password here and it has group support. So if you want to organize your passwords and sites in whatever way you want, you can do so via groups. Bitwarden has this functionality as well. Only they don't call it groups, they call them folders. So this is basically just folders for your passwords. And that way you can store like all your banking information sites and passwords in one folder, all of your social media stuff in another folder and stuff. It just enables you to organize your stuff a little bit better.
During password creation and entry creation, you can obviously enter a title, username and password. For KeePassXC, you're 100% on your own when it comes to the username. With Bitwarden, it will generate a username for you if you wanted to have it do that. On KeePassXC, it does give you the option to generate a password, which I highly recommend you do. Basically what this allows you to do is set a length and what kind of characters you would want in your password. I just select everything and then it will generate a password. And that's obviously a password that you would not ever want to have to type in on your own.
So it's really kind of impossible to be. And you don't have to have extended ASCII support or whatever; a lot of different sites won't actually support that. So probably just keeping these buttons here clicked will make you the safest, or safe enough I should say. It does have some different options so that if you wanted to choose what kind of characters are in your password, you could do so. And you can obviously, if you wanted to have something specific in your password, you could put that in these fields here as well. You also obviously would enter the URL. You can sort these by tags if you wanted to. You can set an expiry date for the password so that if your password expires, you can set that date. And then there's a notes field so that you can kind of explain what's going on there. And then you can get fancy and stuff like that and add icons and several different attributes. If you wanted to do that, you could add attachments. So let's say for example, if you had some recovery codes or whatever, you could actually add those right here. And then you could edit the properties like when it's created and stuff like that as well. You can also get to the password generator outside of the creation tool. So if you wanted to just generate a password, maybe it's like a one-time password, you could do that by clicking this button up here.
Now there is browser integration. So if you want to not have to open up the actual application, you can get browser integration working. If you do so, you can do that by going to the settings, going to browser integration. You do have to enable it by default. It does link to the extensions. It's available for Firefox and any Google Chrome based browser. So you'd enable it. You tell it what browser that you wanted to do and then press okay. I have not personally used the browser integration for KeePassXC. I preferred using the application when I was using it. So I don't really need to have both.
The fewer extensions that I have that I don't use in the browser, probably the better. So if I have the application, I use the application. But if you want to have the browser extension, you can. It does require you to have the application installed on your system and set up. So if you are on another person's system and you have the browser extension installed, but you don't have the database or you don't have the application up and running and set up, it's not going to work for you. That browser integration integrates with the application, not with some remote server like Bitwarden does.
In terms of other settings, it does have a dark mode. So if you wanted to go to dark mode, you could do that. One thing it doesn't do is recognize your GTK theme. So if you're worried about that, it just doesn't do that for whatever reason. There are other settings that we can go through. So it will allow you to ensure that you only have one instance of KeePassXC. This is important so that if you already have it open, you don't open up another one and have one unlocked, one locked and leave yourself open to vulnerabilities there. You can set it to launch automatically at startup and as a minimized application at startup, and it does have some settings for managing your database as well. So things like automatically saving your database after every change, backing up your database before saving and automatically backing up every time it's modified externally. So I'm not sure if I changed those settings or not. So you'll have to forgive me there. I think all those things are the default. So if you do make a change to your database, it will back it up automatically. One thing that I don't see is an automated backup like based on a time. So if you wanted to have your database backed up on a certain timeframe, I don't see that functionality, but you can set it so that you have two different places for your database.
One of them can be a backup in a different place like on a server somewhere or like a cloud file or whatever; that way you always have a backup of your database. Because remember, if you lose your database you lose all of your passwords and that can be devastating. So ensure that your database directory or file or whatever is always backed up. Honestly, that feature there should be default but it's not. You have to select it yourself.
In terms of security, here's a couple of things that I noticed. So it does have clear clipboard after a certain amount of time. It does not work on XFCE for whatever reason. So if you copy a password to the clipboard it just stays there forever. So don't show people your password. So right here I have Clipman. I'm not gonna show you because I have passwords in there probably, but it does have a clipboard history. So don't show people your clipboard history unless you know for sure that this is working. So for whatever reason the clipboard management of KeePassXC does not work. Also, by default the application just stays unlocked. Okay, there's no timeout of the vault or the database over a certain period of time by default. You can turn that on if you want, but by default, once you unlock it, it stays unlocked. So that is a security flaw, I would say. It should definitely be after 30 seconds of inactivity or whatever it is, it should lock itself, but it doesn't. You can set it up, obviously.
Another feature that it has is an SSH integration. I'm not exactly sure how this works. I'm thinking that it allows you to SSH into your database so that you can use your database on other devices. I'm not sure how well or how secure that actually is but it does have that functionality. Another cool major feature of KeePassXC is that it allows you to have multiple databases. So you could have two different databases on your device, like one for work, one for personal, if you wanted to do it that way.
You know, one for social media, one for, you know, your more sensitive banking accounts and stuff like that. If you wanted to separate your passwords that way, you can have as many databases as you want and you can merge them and unmerge them however you wanna do, or you can just log into one, log out, log into the other one, however you wanna manage it. That's one of the coolest features of KeePass that Bitwarden does not have as far as I'm aware. You have full control over your databases and because of that you can have multiple and that just really works out very well.
One feature that I didn't get a chance to try is something called auto type. Basically what that does is when you have a username and password field selected, you can use this auto type and it will try to close this window, go to the previous window that you were on and auto fill the username and the password. Again, I didn't get a chance to actually try this out, but if it works it'd be similar to what you'd expect with a browser integration if you don't want to use the browser integration, so that is another feature as well.
So I'm gonna talk a little bit now about some of the missing features. Some of the, or missing things that I noticed while I was using this, and some of them I've already talked about. So obviously the big missing thing here is cloud integration and synchronization functionality. If you wanna synchronize this to other devices you have to do it all manually. Again, that's both a feature and a downside. It's a feature, obviously, in that you have the security of knowing that you have complete control of your database. It's a downside in that you lack the convenience of being able to access your passwords from multiple devices unless you have set that functionality up yourself. So both sides of the coin there; it really does depend on how much you value having complete local control. I mentioned the lack of GTK support.
I'm not sure what this is actually written in but it's obviously not a GTK application. So if, you know, look and feel bothers you, that's something to keep in mind. I talked about the availability of the mobile application earlier. So if you wanna have an actual KeePassXC mobile application, that doesn't exist. It does have other KeePass variants on there so you should be able to use it. Again, should being the word there because I'm not actually sure. If you're using the snap version of KeePassXC the browser integration does not work as of the moment. And I talked about the clipboard expiration not working on XFCE. I'm not sure if that works on other desktop environments. It just didn't work on XFCE. And then I also talked about the default of the application not locking after a certain period of time. By default, it just stays open but there is an option to set it to lock. I'm pretty sure I would argue that by default it should lock after a certain period of time. That should be default, but it's not.
So that is KeePassXC. And overall it is a very good password manager. If you want to have full local control over your passwords, this is a good one to try. Some of the, for me personally I prefer to have my passwords on multiple devices and I'm a lazy SOB. So having it synchronized automatically like Bitwarden does is a boon for me, not a downside. So as I said at the beginning, the biggest difference between these two is one is local, 100% local. The other one is by default set up to use the cloud. So that major difference is probably the thing that's going to be the biggest decider for most people. Whether or not you want the local aspect of it or whether or not you want the cloud sync. Those two, or that one feature, is probably the biggest thing for most people.
So let's go ahead and move on to Bitwarden. Okay, so let's first talk about availability. Bitwarden is available on every platform and by every platform I mean every platform because it also has a web version.
So native applications are available for Mac, Linux and Windows if you want to use a native client; you can obviously get it for Android and iOS as well. Like I said, there's a web interface which we'll talk about a little bit later. There's browser extensions as well so they'll have browser integrations. We'll again talk about that here in a few minutes. So in terms of availability Bitwarden is much more available across multiple devices than KeePass is. Also, because you're signing up for an account that's going to synchronize all of your data to a server, your data is available on every single platform that you can sign in on. So if I have say Bitwarden on this computer here and on my computer there and on my laptop, all I have to do is sign in and I have access to all of my passwords.
As I said in the KeePassXC part of it, this is both a boon and a downside. So it's a boon in that it's very convenient. It means that you don't have to worry about synchronizing any of that stuff yourself, but you are relying on someone else's server to secure your data. Now obviously all of the vault information and stuff like that is highly encrypted so the chances of a hacker actually getting into your vault is pretty slim. Also Bitwarden is 100% open source and they perform outside audits or independent audits on their data. So they hire a firm to audit all of their source code and stuff like that to ensure that it's as secure as possible. Now obviously no software is 100% bug free so it's a weighing of convenience versus security, obviously, so you wanna kind of keep that in mind if you choose to use Bitwarden.
For me personally I trust Bitwarden quite a bit, mostly because it's open source and I've read a lot of their security documentation and I've read the audit so I know that they've put a lot of effort into making this as secure as possible, and like I said I trust them more than a closed source application like LastPass where they obviously have some security problems because they continue to lose user data. So again it's one of those things where you kind of have to weigh your options. Do you prefer to use the local option of KeePass or do you prefer the convenience of Bitwarden? So the availability and synchronization features are the two things that I wanted to talk about up front.
So next let's go ahead and talk about initial setup, and this is a little bit different than KeePass in that because it has a lot of online functionality they require you to have a certain level of password. Now they don't require you to have like certain characters or whatever in your password but they do require a certain length, so you'll notice in the B-roll that I'm showing right now there were several passwords that it just didn't accept. So unlike with KeePass where it took the three letter password for your master password, for me I had to find an eight character password, and it does not like the fact that I used a really weak password and you can tell that by the fact that it showed me CAPTCHA twice. Now I can tell you from having used Bitwarden for over two years that's not normal. It just does not like that you're using a weak password. It's assuming that I'm some kind of bot and that I've created just a very weak master password because it's easier to type or whatever, so the CAPTCHA thing that you see in the B-roll here is not normal. That's just because I have a weak password. The stronger your password is the less likely you are to see that CAPTCHA. You will see it from time to time but it's not nearly as often as you see in the B-roll there.
So just create a strong master password. Obviously do that for any password manager you're using, that should go without saying, but just know that Bitwarden is a little bit more strict when it comes to what your master password is.
So let me show you Bitwarden now. This is what Bitwarden looks like and let me see if I can remember that password that they actually fortunately use which I can. So this is what Bitwarden looks like. Again, no GTK support here so it doesn't really pull in a lot of your GTK stuff. It does have its own dark theme and stuff so it's not gonna fit in. I know I point that out but when it comes to look and feel stuff that's the first thing that I always notice for whatever reason. So like with KeePassXC obviously you can import and export from other password managers. It supports multiple different file formats. So if you have a CSV or whatever you can import that and it has the standard fields you have.
So if we take a look at the password creation or the item creation here you can choose a different type. So it does support different types, whereas KeePassXC, you could probably use KeePass to store like credit cards or whatever. It just doesn't have that functionality built in whereas Bitwarden does. Bitwarden also allows you to create secure notes. So if you wanted to have some kind of encrypted note you could do that. In terms of the actual storage of login information and stuff like that, you name the site or whatever that you're going to be storing it for. You can generate a username or you can type in your own username. You can generate a password just like you can with KeePassXC and it also allows you to create different passwords based on different options like length and the number and type of characters that are there. So you have a lot of control over what the password actually looks like just like you do with KeePassXC. Also like KeePassXC this does have TOTP functionality.
So if you use or you want to use Bitwarden as your two factor authenticator you can do so. The one thing that I will note for you is that Bitwarden also supports 2FA login to Bitwarden. And that's something that KeePass does not support. So if you want to have 2FA on your master password for Bitwarden you can do that. Obviously you'll have to use a different authenticator to do that. So if you want to use a Google Authenticator or Authy or whatever you can do that just for Bitwarden so that you have two factor authentication enabled on your Bitwarden account. That adds an extra layer of security that you don't have with KeePassXC. So just to keep that in mind, it's really, really nice that that's available. I do think it's more important to have on Bitwarden because all of your stuff is online; because it's online it obviously has more exposure to threats. So having two factor authentication enabled for your actual Bitwarden account is something that is much more needed on Bitwarden than it is on KeePass which is all local.
Similar to KeePass it does have quote unquote group functionality; they call them types. You can, you have login, card, identity, security note, but you can also create folders for those items. So the folder functionality here is similar to the groups functionality in KeePassXC. So if you wanna have all of your stuff organized by type you can do so. Also, unlike KeePassXC, Bitwarden supports biometric information. So if your computer has a touch or a fingerprint reader you can use that. And if you have a fingerprint reader or you have face unlock or whatever on your phone you can use your fingerprint or your face to unlock Bitwarden. You do have to set that up; it's obviously not by default. So if you wanna, that adds an extra layer of functionality but also it enables an added level of convenience that you can enter your vault without having to enter your master password.
It also has browser integration just like KeePassXC but unlike KeePass that browser integration can work on its own. So you don't have to have the application local for your browser integration to work because it's not accessing your database from your computer, it's accessing it from the server side. So you can log in on a friend's computer if you wanted to do so or at a whatever on some other device and you wouldn't have to worry about having your database locally; it finds it all from the server side. So that means that the browser integration, the browser extensions, can work on their own.
In terms of settings there's not nearly as many settings here as with KeePassXC but that's because most of the settings are actually on the online account. So if you have more security concerns in terms of setting actual security settings, most of that stuff is online instead of in the application itself. So basically these are just application specific settings; most of your main account settings are through a web interface which I'll show you here in a minute. So the settings here, you can set how it or what it does when your vault times out, so you can either set it to lock, which is just basically just to put a lock screen on it, or it can log you out completely. Also like KeePassXC, by default the vault timeout is on restart of the application, not on a time. Again I would argue that every password manager should set this to some period of time by default; at least this has vault timeout on by default, the other one did not. So if you do use the desktop application I would say come in here and change it to one of these time periods; it doesn't really matter what, you just wanna make sure that your vault is locked if you should walk away from your computer. Most people just close the application so this default is probably at least a little bit better than KeePassXC. It also has an option to clear the clipboard; just like KeePassXC it does not work in XFCE.
So if you copy a password to your clipboard it just stays there. I'm not sure why it does that, maybe that's probably just an XFCE or a Clipman bug or whatever, but for whatever reason it does just stay there. You can minimize the application to the tray if you wanted to keep it running all the time. I don't do that. You can also start it automatically on login.
If we go to a browser and go to bitwarden.com we can actually log in here with our username and password. So the email at thelinuxcast.org is the email that I used. It's gonna show me CAPTCHA again cause it's a really weak password so it wants me to anything with sunflowers. So there's sunflowers, those are all sunflowers. You really gotta know your flowers cause that's the second one that I've seen with flowers. It's gonna make me do it again. That's excellent. So this, now you gotta know your daisies. Gotta know what a daisy looks like. I think that's a daisy. And I think that's a daisy. Okay. Verify again. There we go. Now we should be able to log in.
So the reason why I wanted to show you this is because if you don't have access to the application you can get access to your entire vault here on the online. And it does obviously email you that somebody logged in and then you can see your account settings as well. This is where most of your security stuff is; if you wanted to change your master password this is where you would do it. Whereas with KeePassXC you would change your master password inside of the application. You can also set up 2FA here. So if you wanted to use a YubiKey or anything like that you could use all that stuff and all that stuff is set up here. There are several other settings here. These are the settings that you see in the applications. So those are basically the same. And this is where something's a little bit different. Now by default basically everything that you'd want with a password manager is free but they do have a yearly $10 subscription.
Basically what it does is just adds an amount of storage to your account where you can store secure notes. It also enables the TOTP verification generator for login. So by default the TOTP stuff is hidden behind the paywall. So that is a downside. It also enables YubiKey and FIDO support. So some of the stuff that I've talked about is behind the paywall but the thing is that it's $10 a year. So it really, really is very cheap. I pay the $10 a year for the TOTP support. That's really the only feature that I care about and it is open source. So by paying them I do support an open source project but I understand that not everybody wants to pay for this. So this is probably one of the biggest downsides of Bitwarden, that some of the stuff that they offer you like the TOTP, the YubiKey stuff is hidden behind that paywall.
One thing that we should talk about next and that I can't show you because I don't have it set up is that Bitwarden has an option to host everything locally. So if you wanna have something similar to KeePassXC you could do so with Bitwarden. There are options out there. There's Bitwarden CLI. There's Vaultwarden which is a self-hosted version of Bitwarden. I believe it's written in Rust so it's supposed to be faster. So you could theoretically, if you wanted to, host everything that Bitwarden does in their servers on your own server; that way it gives you complete control. And this is enabled because it is open source. So that's definitely an option if that's something that you want to do.
So just wrapping up, I've already talked about the downsides throughout this whole thing but I'll recap a couple of them. The clipboard expiration does not work. The default timeout is set to restart and not a time. And it does have fewer app settings than KeePassXC does.
Also, I'm gonna put the paywall thing there as a downside too because that two-factor authentication stuff is hidden behind the paywall; that does take one of the big reasons why I like Bitwarden kind of off the table for people who don't want to pay. So that is something that is kind of a downside but again, it's $10 a month, or $10 a year I should say. And if you need that functionality I think it's well worth it.
So that's KeePass and Bitwarden. Now the question is which one of these two is best for you? And you probably can already guess my answer to this. For me personally, I like Bitwarden better because of the convenience of having it online and I can access it from any device that I want. Also, I think the two-factor authentication stuff is really, really good. So I use that extensively for all of my 2FA stuff online. I will say that for you out there making this decision, it's really going to depend on which one of those things that you want. Do you want the local functionality of KeePass or do you want the more convenient cloud synchronization of Bitwarden? That feature is, like I said before, the deciding factor for most people. All the other stuff is just kind of superfluous. Honestly, most of those features are available in both applications and it's just really how those features are implemented. So the features themselves really don't matter nearly as much as deciding which you'd rather have. Would you want the local support or the local control or do you want the convenience of the cloud integration?
So that's this video. If you have thoughts on KeePassXC or Bitwarden you can leave those in the comment section below. I'd love to hear from you. You can follow me on Mastodon or Odysee. Those links will be in the video description. You can support me on Patreon at patreon.com/Linuxcast. Links for YouTube and Liberapay will be in the video description. Thanks to everybody who does support me on Patreon and YouTube. You guys are all absolutely amazing. Without you, the channel would not be anywhere near where it is right now. So thank you so very much for your support. I truly do appreciate it. Thanks to everyone for watching. I'll see you next time.