Password managers for Nextcloud

Originally published at: https://nextcloud.com/blog/password-managers-for-nextcloud/

Some of our users pointed us to the password manager Enpass, which recently added Nextcloud support to its choice of cloud hosting solutions. As some of our users are probably aware, there is an integration app named Keeweb for the popular Keepass password manager, and Nextcloud also features two native password managers: Passwords and Passman. The tweet provided a trigger – so here’s a quick overview of what is available right now for Nextcloud. If things are missing, let me know in the comments and I’ll update the blog!

Also note that if YOU want to write a blog like this about another subject, say, different mail clients, note taking options, music players, you name it – we’d be very happy to post it here!

Keepass

Keepass is an open source password safe with a long feature list:

  • Multiple User Keys
  • Portable and No Installation Required, Accessibility
  • Export To TXT, HTML, XML and CSV Files
  • Import From Many File Formats
  • Easy Database Transfer
  • Support of Password Groups
  • Time Fields and Entry Attachments
  • Auto-Type, Global Auto-Type Hot Key and Drag&Drop
  • Intuitive and Secure Clipboard Handling
  • Searching and Sorting
  • Multi-Language Support
  • Strong Random Password Generator
  • Plugin Architecture

There is a large number of extensions available, as well as a series of apps for Android, iOS, Windows, Linux, Mac and so on. A variety of browser plugins is available as well. The Chrome integration seems to be read-only, while the Firefox one can also generate passwords. Keepass is a bit cumbersome to use, but has a wide range of features and integrations available.

Enpass

Enpass is an offline password manager that lets users keep and sync their data through cloud accounts they already trust and consider secure (with 2FA enabled on them). It offers all the key features of other password managers on the market. The desktop version (Windows, Mac and Linux) is very easy to use. It is free, though it requires registration to be unlocked. The iOS and Android apps also have a great user interface but cost money beyond 25 managed passwords.

Enpass can store its passwords on various clouds, like iCloud, Google Drive, OneDrive, Dropbox, Box and any WebDAV based one. And, of course, Nextcloud!

A quick feature list:

  • Password generator & auditor
  • Can generate OTP codes
  • Multiple vaults
  • Secure password sharing
  • Can securely store documents
  • Can fill in forms
  • Import and export capabilities

Enpass is easy to use, and the ability to fill in forms, store documents and generate OTP codes makes it kind of a one-for-all tool.


The screenshot comes from a review on Lifewire!

Passman

Passman is the oldest Nextcloud password manager. It is quite feature-rich and has had contributions from 26 people, though lately things seem to be quiet on GitHub. Still, it works with Nextcloud 18, the last release was just in October, and the ability to share passwords is very cool! Sadly, there is no iOS app at the moment; a discontinued project exists if somebody wants to pick this up.

  • Multiple accounts
  • Multiple vaults
  • Vault key is never sent to the server
  • Credentials are stored with 256 bit AES
  • Ability to add custom fields to credentials
  • Built-in OTP (One Time Password) generator
  • Password analyzer
  • Share passwords internally and via link in a secure manner
  • Import from various password managers:
    • KeePass
    • LastPass
    • DashLane
    • ZOHO
    • Clipperz.is

The app has:

  • 26 contributors, 2 quite active
  • ~2K Chrome & Firefox users
  • 5K+ Android app users


Passwords

Passwords is also a native Nextcloud app, getting updated regularly and with active chat and forums. Its feature list is a bit shorter than Passman and includes:

  • Password security monitor
  • Secure encryption
  • Folders & tags
  • Sharing
  • API for apps
  • Extensive handbook
  • Import & Export
  • Browser extensions

There is a well-maintained Android app, but iOS integration is sadly still missing. The app is currently a bit more basic than the others, not offering groups and folders for example. But this is on the roadmap! The app is not in the Nextcloud repo, though, and mostly relies on a single developer with a total of 6 contributors, plus one (different) person doing the Android app. The app has:

  • 6 contributors + 1 Android
  • ~3K users each on Chrome and Firefox
  • 5K+ Android app users
  • app installations unclear

8 Likes

Someone should do a Bitwarden open source integration, looks to be well supported for a lot of OSs, also has auto fill if I recall correctly. https://bitwarden.com/
Passman is nice because it is not saved locally, so if a device is lost your passwords are not lost with it, but the Passman app is not very good. Keepass is OK but you have to open the file from a folder, so someone could easily copy your vault if they got access to files, unlike Passman where it is stored in the database. With Keepass you can’t share passwords with others in Nextcloud. There are pros and cons to the ones listed. That’s why it would be nice to use something like Bitwarden and just create an integration into Nextcloud for it :wink:

5 Likes

I have been using Enpass for years now and am very happy with its functionality. I also linked it with my Nextcloud account, so the vault is being saved in my Nextcloud account and can be retrieved from any machine and any OS I am working on.

Loving it :slight_smile:

3 Likes

I’m using the Passwords app - mostly because it is very user friendly, has a low entry barrier (my whole family uses it by now) and the developer @mdw is incredibly responsive and helpful.

Also, there is a completely reworked Firefox/Chrome extension in the pipeline… Looking forward to that! :slight_smile:

2 Likes

Keeweb is decent, but totally unnecessary for daily usage. Consider syncing your private database from device to device and accessing via fully open source apps on the client side only:

KeepassXC - Desktop that replaces KeepassX, Keepass, etc.
Keepassium - iOS
Keepass2Android
Kee - browser extension, etc.

Password Store, or Pass, is rock solid.

Hope this helps.

4 Likes

I’m using Bitwarden because the Passwords and Passman Android apps have no password autofill

1 Like

I thought this was the only choice. I guess I have to look in the store more than once a quarter.

I use Buttercup
It’s the same thing as Keepass.
Really happy with it.

I last tested Buttercup a couple years ago and immediately found it unusable. You must access your passwords from webdav with every access, making it “online only.” Very strange.

Give it another try.
You now have the local vault file that you can use on iOS and Android as well as on macOS, Windows and Linux.
You can pair it with Firefox, Chrome and Safari.
You can go full webdav or full local (then sync into a Nextcloud folder), really useful.

Long time user of KeePass, although I don’t really like the KeeWeb interface. I use the normal client.

I tried Passwords when I first got into Nextcloud, but was immediately put off by the inability to lock it. If your NC is signed in, anyone can walk up and open your passwords. Wish they would change it where you had to re-authenticate to open the Passwords app each time.

1 Like

For a couple of years I used Keepass with my .kdbx files stored on Nextcloud and synchronised to the desktop (using the Nextcloud client) and to Android mobile devices (using FolderSync Pro). Synchronisation was not always smooth (apparently mostly due to the KeepassX Linux client not actually closing the database when closing the client) and it did not quite do all that I needed.

So a couple of months ago I reviewed the Passman and Passwords options against my requirements and implemented a solution using Passman. Not perfect but works so far.

The feature that would really be useful for my needs would be being able to share a folder of credential records with a given Nextcloud group, choosing between read-only or full view-edit-create, and each other user then seeing that folder along its own set of credentials. But I suppose that many would find that useful and that if none of the available apps has done it, it is probably that it is not possible to do - or very difficult to do with a good level of security.

Requirements
My minimum requirements were:

  • import and export credential records from/to keepass and other password managers
  • share a set of credential records with a group of users
    • without having to share individual records one by one
    • without having to make manipulations within the password manager when group membership changes
    • without having to give others your personal Nextcloud user account’s credentials
  • access (view, create and/or update) your own credential records, as well as all those that have been shared with you by others, from the desktop via a Firefox plugin
  • access (view) your own credential records, as well as all those that have been shared with you by others, from a mobile device via an Android app

Optional, desirable functionalities were:

  • natively share credential vaults or folders with Nextcloud groups (each member of the group then automatically has access to shared credentials directly from her/his personal Nextcloud account - at least between users of the same Nextcloud instance, and possibly across several instances via federated sharing).
  • one-click credential fill-in (autofill) of login forms on the desktop with Firefox
  • one-click credential fill-in (autofill) of login forms on an Android mobile device

Solution implemented with Passman

  • One dedicated Nextcloud user account (e.g. “PassMaster”) used only for credential records.
  • In PassMaster account, in Passman app, create one vault for each group (e.g. Group1, Group2, etc.), each with a different password.
  • In each vault, put the credentials that you want members of the corresponding group to have access to.
  • Give each person that is member of a group
    • the username and password of the PassMaster account, and
    • the name and password of the vault of each group s/he is member of.
  • Each person has then the ability to:
    • log into the Nextcloud instance as user “PassMaster” and view, edit and create credentials in the vault of each group s/he is a member of
    • on the desktop, install the Firefox Passman plugin, connect it concurrently to all her/his group vaults (as well as to any other Passman vaults s/he has access to), and from there use autofill as well as view, edit and/or create credential records
    • on an Android mobile device, install the Passman app and connect, one at a time, to any of the vaults s/he has access to, and use to view credentials

Pros

  • Fulfils our minimum requirements, plus one-click credential fill-in of login forms in Firefox on the desktop
  • Can share credential records with a range of persons without the need to give each of them a personal user account on our cloud (but that complicates the communication of information on new vaults or modified passwords)
  • If all have a personal user account on our cloud, we can map groups to vaults and use group folders and/or Nextcloud Talk’s group conversations to communicate information on new vaults or modified passwords.

Cons

  • Can become a bit cumbersome for users if we want a high level of granularity in access rights (high number of groups in total and potentially for most users)
  • No option to provide read-only access to credential records, so risks that clumsy users erase credential records by mistake (Need to find a good way to backup regularly)
  • Have to give everyone full access to the PassMaster user account (assess and mitigate the risks?)

The full report of my review is available at https://cloud.latitude.aq/index.php/s/cCRdQ4Jd853m7zr (it is a hybrid pdf with the original odt embedded, if anyone wants to build on it). I still need to update and expand that review and attach a user guide for the solution implemented, and provide feedback via github. It is on my todo list…

1 Like

@antoine Fantastic work!

I know teams, such as Jupiter Broadcasting, who are using Bitwarden and actively encourage it. You can easily spin it up, or quickly create an account to try it out. I have not been personally testing it, but it might well fit some of your unfulfilled needs.

fyi: It would be cool for you to re-post the full report into the forum as a new topic; an admin could transform it into a wiki page so other forum users with Trust LvL 1+ can continue expanding it if you wish.

I second the Bitwarden suggestion!

1 Like

I’m not using KeePassX, but I had a quick look. There are two settings which are disabled by default:

  • Automatically save on exit
  • Automatically save after every change

I use Keepass2. It integrates nicely with the Firefox and Chrome extension Kee through a plugin.

I strongly recommend migrating to KeepassXC. It was created by the community to fix glitches & lack of development in both KeepassX and Keepass2.

7 Likes

Although I never had problems with KeePass2, I installed KeepassXC and the Firefox extension and I’m impressed so far. Responds much quicker in Firefox. Thanks for the tip, never heard of it before.

2 Likes

Ditto, probably going to be a permanent switch to XC (from Keepass2 mind you)

Better get rid of KeepassX now because it has been unmaintained for a few years already (not something good for storing passwords). KeepassXC is really nice nowadays with the browser integration and all the other fixes.

Can I use KeepassXC also in Android?

1 Like