1Password Refugee’s Guide to KeePass

Introduction

Passwords are the gateway to our digital identities. I have been relying on 1Password to manage my passwords in local vaults for a few years. But as you may know from the recent news, the company is moving in a controversial direction, which I do not support. You can find more discussion on this topic in the links [1], [2]. As a 1Password refugee, I have been on a quest to find a reliable and trustworthy alternative since then.

I will talk about the reasoning behind my choice, the migration process, choices of client apps on both desktop and mobile, and the setup of one-time passwords.

As a disclaimer, I am in no way affiliated with any software or developer mentioned in this article.

KeePass

I have examined many alternative systems, including BitWarden, Secrets, and Enpass. But in the end I settled on KeePass, which is a free and open source password manager operating on its open standard database format, kdbx. There are several reasons for this choice.

  • Firstly, I will not be locked in by the original software itself. There exist many excellent clients across all platforms that read and write the same database format. If one of them is going in a direction I dislike, I can always switch apps while keeping the same database.
  • Secondly, the open source nature means the code and standard can be freely reviewed. There have been many independent audits of KeePass, making it more trustworthy than typical proprietary software.
  • Lastly, the database is a single encrypted file ending in .kdbx, which can be stored anywhere. I can choose to sync it via any standard cloud storage, without needing to subscribe to any additional service or set up my own server.

Migration

The migration process from 1Password to KeePass is not exactly straightforward. It has to be done on a desktop computer, as 1Password only exports data from its desktop clients. It also seems that 1Password does not want you to export your data too easily. Their support article guides users to export to the 1pif format or to plain text csv, both of which are less than ideal. The 1pif format is not well documented [3], while the csv requires extensive manual calibration to properly transfer all data. So the best solution is to import directly from opvault, the 1Password local vault format.

This requires an extra step for 1Password account users, because their data is not stored in opvault. To obtain the local opvault database, one needs to create a local vault and copy all items in the 1Password account to the new local vault. This requires enabling “Allow creation of vaults outside of 1Password accounts” in the 1Password settings, and syncing the vault to a local folder to expose the database.

Once the opvault database is prepared and located, the conversion to the kdbx format of KeePass can be done most easily using the KeePassXC client, which is a modernised port of the original KeePass. The import option “1Password Vault” in KeePassXC directly opens the opvault database and converts it to kdbx. The original KeePass can also import it with the help of the OneVault plug-in.

Now all data should have been migrated from 1Password to the kdbx database. You can choose to store it anywhere, or sync it with any cloud storage. But as a precaution, you should still keep the 1Password database in the rare case of data loss during conversion, and verify that entry counts, attachments and custom fields survived the import before deleting anything.

Clients

Desktop

The best desktop client is probably KeePassXC, which runs natively across Windows, macOS, and Linux. It supports time-based one-time password (TOTP), and integrates with browsers (Chromium, Firefox) out of the box. The original KeePass client only runs natively on Windows, requiring extra setup to run on macOS and Linux. But it is more extensible with plug-ins. For most use cases, I would recommend KeePassXC over KeePass.

iOS/iPadOS

There are two actively maintained KeePass apps on iOS, namely KeePassium by Andrei Popleteev, and Strongbox by Mark McGuill. Both are commercial apps in the App Store, but with a dual GPL license as open source projects. They both offer a generous free version, and a more convenient premium version that can be accessed with either a subscription or a one-off license. KeePassium also offers a so-called “perpetual fallback license” for annual subscribers, which means those who subscribe for more than a year get to keep access to all previous premium features, forever. Roughly speaking, KeePassium is more minimalist and polished, while Strongbox has more features and options, e.g., checking compromised passwords against “haveibeenpwned.com” (HIBP) and fetching favicons automatically.

One major difference is that KeePassium is a completely offline app without any networking code, while Strongbox directly connects to the internet to integrate with Dropbox, Google Drive, and haveibeenpwned. These convenient features in Strongbox do come with some risk: every network path is additional attack surface in the one app that can read my secrets, so it is more secure if that app cannot communicate with the internet at all. While I use and like both of them, I prefer KeePassium slightly for the above reasons.

Android

Although I am not an avid user of Android anymore, a quick search shows that there is no shortage of good KeePass apps on Android, like KeePassDX.

One-Time Password

One-time passwords require a bit more attention in KeePass. The standard practice is to create two additional attributes: “TOTP Seed” and “TOTP Settings”. The “TOTP Seed” field holds the secret key (the base32 string from the otpauth URI or QR code), while the “TOTP Settings” field usually holds “30;6”, which means “generate 6 digits every 30 seconds”.

As a bonus, this can also be used to generate TOTP for Steam, by filling in the Steam Authenticator key in “TOTP Seed”, and “30;S” in “TOTP Settings”. It is a little tricky to get the secret key. But with some patience and caution, this can be obtained following [4] using the Steam Desktop Authenticator, which is an open source port of the Steam Mobile Authenticator running on Windows. When the encryption passphrase is set to empty, the secret key can be found in the .maFile as the string following otpauth://totp/Steam:<username>?secret= before the next & symbol.
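To show what the two attributes actually encode, here is an added example (not code from the post or from any KeePass client) that reads a “TOTP Seed”/“TOTP Settings” pair and produces the code a KeePass app would display, covering both the “30;6” digit mode and the “30;S” Steam mode. It assumes the seed is base32 as in an otpauth URI, and the Steam branch assumes the widely implemented Steam Guard derivation (five characters from a 26-symbol alphabet) rather than anything documented by Valve.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed Steam Guard alphabet: digits and letters that are hard to confuse.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def parse_totp_settings(settings):
    """Parse the 'TOTP Settings' attribute, e.g. '30;6' or '30;S'.
    Returns (period_seconds, digits) where digits is an int or 'S' for Steam."""
    period, length = settings.split(";")
    return int(period), ("S" if length.strip().upper() == "S" else int(length))


def decode_seed(seed):
    """'TOTP Seed' is the base32 secret from the otpauth URI. Tolerate spaces,
    lower case and missing '=' padding, which are common when pasted by hand."""
    cleaned = seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(seed, settings, now=None):
    """RFC 6238 TOTP (HMAC-SHA1) driven by the KeePass attribute pair."""
    period, length = parse_totp_settings(settings)
    counter = int((time.time() if now is None else now) // period)
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    full = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    if length == "S":
        # Steam mode: 5 symbols, each taken as the remainder modulo the alphabet size.
        chars = []
        for _ in range(5):
            chars.append(STEAM_ALPHABET[full % len(STEAM_ALPHABET)])
            full //= len(STEAM_ALPHABET)
        return "".join(chars)
    return str(full % (10 ** length)).zfill(length)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test secret "12345678901234567890" in base32.
    demo_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("30;6 at t=59 :", totp_code(demo_seed, "30;6", now=59))   # 287082 per RFC 6238
    print("30;S at t=59 :", totp_code(demo_seed, "30;S", now=59))
```

Because the seed alone is enough to mint codes, treat the “TOTP Seed” attribute with the same care as the password field (enable memory protection on it in the client where available).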

Conclusion

It is sad to see 1Password become increasingly money-driven and customer-hostile. But fortunately, there are excellent open source alternatives like KeePass and BitWarden. So far I have been very satisfied with my adoption of KeePass.

In terms of features, KeePass has both advantages and disadvantages compared to 1Password. For example, KeePass supports additional security with a key file, and hardware authentication like YubiKey. There is also attachment support in the mobile KeePass apps. But the lack of group sharing features in KeePass might be a dealbreaker for some, in which case BitWarden should be considered instead.

As a lesson learnt, I shall always try to keep important long-term data in some open standard format.
