What are the benefits of using a "real" password manager, such as this one, compared to a plain encrypted file in vim? I thought that benefit was syncing across devices but it turns out the http feature of keepass wasn't implemented in all clients.
How well specified is the kdbx format? Is there a console client? Is the code readable? Keepass seems to have spawned an entire ecosystem of tools and clients, so I'm curious which of these tools are actually usable.
If you want to stay with a solution any moderately experienced developer can audit themselves without investing too much time, but would like to add a bit of user friendliness, have a look at pass¹.
It is nothing more than a script that calls the GnuPG binary and the tree command line utility for displaying a tree of files. It uses your GPG-keypair to encrypt text files. You can add as much info as you like, but by convention the first line of each file is assumed to be the password:
# Generate a 32-character random password.
pass generate sites/news.ycombinator.com 32
# Copy the password to the clipboard; this will ask you to unlock your GPG-key.
pass -c sites/news.ycombinator.com
# Find stuff.
pass find news
# Edit the file (e.g., add the username).
pass edit sites/news.ycombinator.com
All files are GPG-encrypted plain text files in a directory on disk. Easy to backup as well.
There is a rather sweet feature you can use to share some passwords with someone. You can add a list of GPG key IDs in a file called .gpg-id in any of the subdirectories of your password store, and share that subdirectory using a syncing tool such as SyncThing². My partner and I each have our own password store, but share a directory called 'together' via SyncThing. All passwords stored there are encrypted using both our GPG-keys by pass, whilst our private entries remain encrypted just for our own respective keys.
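The per-directory recipient lookup described above, as an added example that is not part of the original comment or of pass itself: a small POSIX sh reimplementation of how pass chooses key IDs for an entry (the nearest .gpg-id walking up from the entry's directory, falling back to the store root). The store layout and key IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: mimic pass's recipient selection. pass looks for a .gpg-id
# in the entry's directory and walks up toward the store root, using the
# first one it finds; every key ID listed there becomes a gpg recipient.
# Key IDs below are constructed placeholders, not real keys.

# resolve_gpg_ids STORE RELPATH -> prints the key IDs that apply to RELPATH
resolve_gpg_ids() {
    store=$1
    dir=$(dirname "$store/$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            # drop blank lines and comments, one key ID per line
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && break   # root checked, nothing found
        dir=$(dirname "$dir")
    done
    echo "no .gpg-id found for $2" >&2
    return 1
}

# Constructed store: a private root plus a shared 'together' subdirectory.
demo_store=$(mktemp -d)
trap 'rm -rf "$demo_store"' EXIT
mkdir -p "$demo_store/together/streaming" "$demo_store/sites"
printf '%s\n' ALICE0000PLACEHOLDER > "$demo_store/.gpg-id"
printf '%s\n%s\n' ALICE0000PLACEHOLDER BOB00000PLACEHOLDER \
    > "$demo_store/together/.gpg-id"

# An entry under together/ is encrypted to both keys, a private one to one.
shared_recipients()  { resolve_gpg_ids "$demo_store" together/streaming/netflix.gpg | paste -sd ' ' -; }
private_recipients() { resolve_gpg_ids "$demo_store" sites/news.ycombinator.com.gpg | paste -sd ' ' -; }

shared_recipients    # → ALICE0000PLACEHOLDER BOB00000PLACEHOLDER
private_recipients   # → ALICE0000PLACEHOLDER
```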
> What are the benefits of using a "real" password manager, such as this one, compared to a plain encrypted file in vim?
• You get a proper password generator out of the box.
• Vim's encryption is awful: The current default method is documented to be feasibly brute-forceable on a Pentium 133 MHz, and the optional "strong" setting is Blowfish (with an undocumented key-derivation function which is presumably awful as well), which Schneier wanted to have phased out 10 years ago – and by now we're seeing an increasing amount of successful attacks. Do not use VimCrypt if you want your data safe. (If you happen to have GPG set up on all your devices anyway, it can be a decent alternative.)
• Never underestimate convenience when it comes to security. Anything that makes it harder for someone to use their password manager increases the risk of password reuse.
Can you share your encrypted vim file with others? (Honest question). Keepass can also enable browser autocompletion. Kdbx is actually very much underspecified, but it's not terribly difficult to reverse engineer apparently. The main problem (iirc) is that the most recent format version has extensions that very few clients understand.
It's popular because it's the least common denominator for "cross-platform portable encrypted key-value local storage". The missing sync support is actually a feature for most users. There are much better alternatives when you trust a third-party server.
I can't speak to security, but from a functional standpoint the tree and key-value structure of password managers allows easier third party integration into browsers etc, compared to a flat file.
Also you have search and don't expose the other passwords as you would in a textfile. There are pretty good apps for Keepass, which offer a Keepass Keyboard so you don't need to use the clipboard (which can be read by any app on Android for instance).
KeePass uses an encrypted database file to store your passwords, which allows you to store custom fields for each entry, search by field contents, have protected fields, attach files to entries, or keep a revision history of changes made to an entry which enables easy syncing of the same database stored on multiple devices.
You could do almost all of that with a plain text encrypted file, but KeePass keeps it all neat and sorted.