Password managers for Nextcloud
Some of our users pointed us to the password manager Enpass, which recently added Nextcloud support to its choice of cloud hosting solutions. As some of our users are probably aware, there is an integration app named Keeweb for the popular Keepass password manager, and Nextcloud also features two native password managers: Passwords and Passman. The tweet provided a trigger – so here’s a quick overview of what is available right now for Nextcloud. If things are missing, let me know in the comments and I’ll update the blog!
Also note that if YOU want to write a blog like this about another subject, say, different mail clients, note taking options, music players, you name it – we’d be very happy to post it here!
Keepass
Keepass is an open source password safe with a long feature list:
- Multiple User Keys
- Portable and No Installation Required, Accessibility
- Export To TXT, HTML, XML and CSV Files
- Import From Many File Formats
- Easy Database Transfer
- Support of Password Groups
- Time Fields and Entry Attachments
- Auto-Type, Global Auto-Type Hot Key and Drag&Drop
- Intuitive and Secure Clipboard Handling
- Searching and Sorting
- Multi-Language Support
- Strong Random Password Generator
- Plugin Architecture
There is a large number of extensions available, as well as a series of apps for Android, iOS, Windows, Linux, Mac and so on. A variety of browser plugins is available as well. The Chrome integration seems to be read-only, while for Firefox passwords can be generated as well. Keepass is a bit cumbersome to use, but has a wide range of features and integrations available.
Enpass
Enpass is an offline password manager that lets users keep and sync their data using the trusted cloud accounts they feel are more secure and safe (with 2FA enabled on them). It offers all the key features of other password managers available on the market. The desktop version (Windows, Mac and Linux) is very easy to use. It is free, though it requires registration to be unlocked. The iOS and Android apps also have a great user interface but cost money beyond 25 managed passwords.
Enpass can store its passwords on various clouds, like iCloud, Google Drive, OneDrive, Dropbox, Box and any WebDAV based one. And, of course, Nextcloud!
A quick feature list:
- Password generator & auditor
- Can generate OTP codes
- Multiple vaults
- Secure password sharing
- Can securely store documents
- Can fill in forms
- Import and export capabilities
Enpass is easy to use, and the ability to fill in forms, store documents and generate OTP codes makes it kind of a one-for-all tool.
The screenshot comes from a review on Lifewire!
Passman
Passman is the oldest Nextcloud password manager. It is quite feature-rich and has had contributions from 26 people, though lately things seem to be quiet on GitHub. Still, it works with Nextcloud 18, the last release was just in October, and the ability to share passwords is very cool! Sadly, there is no iOS app at the moment; a discontinued project exists if somebody wants to pick this up.
- Multiple accounts
- Multiple vaults
- Vault key is never sent to the server
- Credentials are stored with 256 bit AES
- Ability to add custom fields to credentials
- Built-in OTP (One Time Password) generator
- Password analyzer
- Share passwords internally and via link in a secure manner
- Import from various password managers:
  - KeePass
  - LastPass
  - DashLane
  - ZOHO
  - Clipperz.is
The app has:
- 26 contributors, 2 quite active
- ~2K Chrome & Firefox users
- 5K+ Android app users
- Brand new iOS app
Passwords
Passwords is also a native Nextcloud app, getting updated regularly and with active chat and forums. Its feature list is a bit shorter than Passman and includes:
- Password security monitor
- Secure encryption
- Folders & tags
- Sharing
- API for apps
- Extensive handbook
- Import & Export
- Browser extensions
There is a well-maintained Android app; iOS integration is sadly still missing. The app is currently a bit more basic than the others, not offering groups and folders for example. But this is on the roadmap! The app is not in the Nextcloud repo, though, and mostly relies on a single developer with a total of 6 contributors, plus one (different) person doing the Android app. The app has:
- 6 contributors + 1 Android
- ~3K users each on Chrome and Firefox
- 5K+ Android app users
- app installations unclear
Someone should do a Bitwarden open source integration, looks to be well supported for a lot of OSs, also has auto fill if I recall correctly. https://bitwarden.com/
Passman is nice because it is not saved locally, so if a device is lost your passwords are not lost with it, but the Passman app is not very good. Keepass is ok but you have to open the file from a folder, so someone could easily copy your vault if they got access to files, unlike Passman where it is stored in the database. With Keepass you can’t share passwords with others in Nextcloud. There are pros and cons to the ones listed. That’s why it would be nice to use something like Bitwarden and just create an integration into Nextcloud for it.
I have been using Enpass for years now and am very happy with its functionality. I also linked it with my Nextcloud account, so the vault is being saved in my Nextcloud account and can be retrieved from any machine and any OS I am working on.
Loving it
I’m using the Passwords app - mostly because it is very user friendly, has a low entry barrier (my whole family uses it by now) and the developer @mdw is incredibly responsive and helpful.
Also, there is a completely reworked Firefox/Chrome extension in the pipeline… Looking forward to that!
Keeweb is decent, but totally unnecessary for daily usage. Consider syncing your private database from device to device and accessing via fully open source apps on the client side only:
KeepassXC - Desktop that replaces KeepassX, Keepass, etc.
Keepassium - iOS
Keepass2Android
Kee - browser extension, etc.
Password Store, or Pass, is rock solid.
Hope this helps.
I used Keepass for a couple of years with my .kdbx files stored on Nextcloud and synchronised to the desktop (using the Nextcloud client) and to Android mobile devices (using FolderSync Pro). Synchronisation was not always smooth (apparently mostly due to the KeepassX Linux client not actually closing the database when closing the client) and it did not quite do all that I needed.
So a couple of months ago I reviewed the Passman and Passwords options against my requirements and implemented a solution using Passman. Not perfect but works so far.
The feature that would really be useful for my needs would be being able to share a folder of credential records with a given Nextcloud group, choosing between read-only or full view-edit-create, and each other user then seeing that folder along its own set of credentials. But I suppose that many would find that useful and that if none of the available apps has done it, it is probably that it is not possible to do - or very difficult to do with a good level of security.
Requirements
My minimum requirements were:
Optional, desirable functionalities were:
Solution implemented with Passman
Pros
Cons
The full report of my review is available at https://cloud.latitude.aq/index.php/s/cCRdQ4Jd853m7zr (it is a hybrid PDF with the original ODT embedded, if anyone wants to build on it). I still need to update and expand that review and attach a user guide for the solution implemented, and provide feedback via GitHub. It is on my todo list…
Although I never had problems with KeePass2, I installed KeepassXC and the Firefox extension and I’m impressed so far. Responds much quicker in Firefox. Thanks for the tip, never heard of it before.
Belated thanks @just!
I am back on line
I have experimented with Bitwarden and have adopted it, at least for now, as Passman is showing as not compatible with NC19. Also, my Passman Firefox plugin was starting to behave a bit strangely, not always loading all vaults I was connecting to.
I am quite impressed with Bitwarden’s functionality both in terms of sharing and in terms of access from different platforms (web interface, Firefox plugin and Android app), although some parts of the web interface workflow could possibly be a bit more intuitive.
It does not solve the issue of sharing passwords through Nextcloud groups though.
As soon as I can, I will update and expand my report and post it as a new topic as you suggest