Which free Android KeePass kdbx-compatible password database manager do you recommend?

[arlen holder]

While iOS comes native with a password manager, Android does not (AFAIK).

Installing a KeePass-compatible password manager is easy though.
*The question, always, is "which one" is a good password manager?*

I don't know (yet) which is a good password manager to recommend.

(Yes, I know Poutnik recommends "KeePass2Android", but even that
recommendation has issues because multiple KP2A variants exist.)

As you're likely aware, we can easily copy the master Windows-based
encrypted kdbx file from a Windows share using an SMB client over WiFi on
the home LAN, as per this method:
o Do you know of a free Android SMBv2 (or SMBv3) client?
<https://groups.google.com/forum/#!topic/comp.mobile.android/tl3Q05QGyAw>
<https://comp.mobile.android.narkive.com/VME2QHVh/do-you-know-of-a-free-android-smbv2-or-smbv3-client>

Hence, it's now time to test the next step, that of an Android passwd
manager that reads the encrypted Windows KDBX file format.

Today I briefly tested 8 freeware kdbx-compatible password managers.
(Did I miss any?)

Here is my first-pass ordering, from best to worst, but the order below is
very preliminary because the evaluation is simply based on a single read of
a Windows encrypted kdbx file on Android Nougat 7.0 today.

o *KeePass DX*
- <https://www.f-droid.org/en/packages/com.kunzisoft.keepass.libre/>
- <https://github.com/Kunzisoft/KeePassDX>
- <https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free>
o Passed the test of reading the Windows encrypted kdbx file.

o *Keepass2Android Password Safe*
- <https://www.f-droid.org/forums/topic/keepass2android/>
- <https://play.google.com/store/apps/details?id=keepass2android.keepass2android>
o Passed the test of reading the Windows encrypted kdbx file.

o *KeePassDroid*
- <https://f-droid.org/en/packages/com.android.keepass/>
- <https://play.google.com/store/apps/details?id=com.android.keepass>
o Passed the test of reading the Windows encrypted kdbx file.

o *TinyKeePass*
- <https://f-droid.org/en/packages/org.sorz.lab.tinykeepass/>
o Passed the test of reading the Windows encrypted kdbx file.

o *Keepass2Android Offline*
- <https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet>
o Passed the test of reading the Windows encrypted kdbx file.

o *Password Safe - Secure Password Manager*
- <https://play.google.com/store/apps/details?id=com.reneph.passwordsafe>
o Failed as it would only import plaintext CSV but not encrypted KDBX files.

o *Kaspersky Password Manager & Secure Data Vault*
- <https://play.google.com/store/apps/details?id=com.kaspersky.passwordmanager>
o This asks for too many permissions (e.g., to make phone calls)
o Failed as it apparently required a login account - so it was deleted.

o *LastPass Password Manager*
- <https://play.google.com/store/apps/details?id=com.lastpass.lpandroid>
o Failed as it required a log in so it was not tested (and was deleted)

Note: There is also a Windows/Linux/Mac KeePassX & KeyPassXC
o <https://www.keepassx.org/downloads>
o <https://github.com/keepassxreboot/keepassxc>
o Not tested on Android (dunno if an Android port exists).

I don't have _any_ experience with password managers on Android.
Do you?

If you have experience with any of these password managers,
please impart your wisdom for us to benefit from.

For example:
a. Did I miss any major players?
b. What distinguishes the best from the standard?
c. Which, in your experience, serves your needs best (and why?)

As always, this thread is written to learn from others, and to disseminate
what I've learned, and hence to combine our tribal knowledge so that we all
benefit from every thread by purposefully helping each other.

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

> (Yes, I know Poutnik recommends "KeePass2Android", but even that
> recommendation has issues because multiple KP2A variants exist.)

What issues ? :-)
There are 2 variants by Crocodile Apps.
Offline only with blue icon and the one with online storage
capabilities with green icon.

I guess there will be very few compatible apps,
not mentioned at keepass.info site,
and if they are missing,
there could be a good reason for it.


--
Libor Striz aka Poutnik ( a pilgrim/wanderer/wayfarer)

"Humour is the only effective weapon against stupidity."
Miloš Forman


----Android NewsGroup Reader----
http://usenet.sinaapp.com/

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

> For example:
> a. Did I miss any major players?

I think major players are already listed in the compatible app list
at http://keepass.info

> b. What distinguishes the best from the standard?

The question is not what, but who ? You. Or me. Or others.
The only person who can answer this question
is the person who asks. :-)

SW features do not put SW among the best ones.
It is done by the attitude of the user to these features,
combined with the user experience with the SW.

> c. Which, in your experience, serves your needs best (and why?)

One has to be careful
to honour own priorities
and not going with the crowd.

One of important features for me the K2A has,
is its own keyboard, what makes entering the master DB Little more
secure.
And, the full, record level DB sync,
similar as Keepass2 for Win has.
Very handy is the fast unlock feature ( once dB is open by full
password, then if locked, just last 3 characters are enough, with
3 attempts to full PW request). This fast unlock can have
alternative as finger print reading.

[Joe Beanfish]

On Wed, 23 Jan 2019 02:21:24 +0000, arlen holder wrote:

> While iOS comes native with a password manager, Android does not (AFAIK).
>
> Installing a KeePass-compatible password manager is easy though.
> *The question, always, is "which one" is a good password manager?*
>
> I don't know (yet) which is a good password manager to recommend.
>
> (Yes, I know Poutnik recommends "KeePass2Android", but even that
> recommendation has issues because multiple KP2A variants exist.)

I use
https://play.google.com/store/apps/details?id=keepass2android.keepass2android

It works well for me and I haven't tried any others (that I recall
several years later now) on android. I've not had any interoperability
problems between that and both windows and linux programs.

[arlen holder]

On Wed, 23 Jan 2019 09:38:53 +0100 (GMT+01:00), Libor Striz wrote:

> I think major players are already listed in the compatible app list
> at http://keepass.info

I did NOT see the list you speak of there, but I think these are the main:
1. KeePass2Android Offline (ad free, open source, offline only)
2. KeePassDroid (ad free, open source, offline only)
3. KeePass DX (ad free, open source, fingerprint unlock)

In this early stage, I don't see any major distinction between them.

>
>> b. What distinguishes the best from the standard?
>
> The question is not what, but who ? You. Or me. Or others.
> The only person who can answer this question
> is the person who asks. :-)

I UNDERSTAND why you say that, Poutnik, but it is still HELPFUL
to know what OTHERs like.

For example, maybe the "fingerprint unlock" is of use to some.
Maybe the offline-only is of use to some.
Maybe the fast-unlock is of use to some.
etc.

It's always good to ASK what people like, particularly since I've never
used any Android kdbx managers before.

> SW features do not put SW among the best ones.
> It is done by the attitude of the user to these features,
> combined with the user experience with the SW.

Hi Poutnik,
When talking PHILOSOPHY, I agree that a LOT of things matter.

For example, how quickly the developers update bugs
Or, for example, the database format versions that are supported.
Or, for example, the speed of the GUI, or the ease of use, etc.

That's why I ASKED which passwd manager people like.
It seems that the two votes, to date, go to KP2A, which is fine.

>
>> c. Which, in your experience, serves your needs best (and why?)
>
> One has to be careful
> to honour own priorities
> and not going with the crowd.

Hi Poutnik,
Don't worry about me "falling" for the "herd mentality".
Rest assured that I make my own decisions.
But I don't make them in vacuum.

I ask for advice from others.
Especially when I've _never_ used Android passwd managers before.

> One of important features for me the K2A has,
> is its own keyboard, what makes entering the master DB Little more
> secure.

Hmmm... I just tested these three for which "keyboard" they use:
1. KeePass2Android Offline (ad free, open source, offline only)
2. KeePassDroid (ad free, open source, offline only)
3. KeePass DX (ad free, open source, fingerprint unlock)

All seem to use the _same_ (i.e., default) keyboard.
At least by default they do.

Is the problem that Google (or whomever) can be reading
our keyboard keystrokes?

> And, the full, record level DB sync,
> similar as Keepass2 for Win has.

By DB sync, I assume you mean "merge"?

> Very handy is the fast unlock feature ( once dB is open by full
> password, then if locked, just last 3 characters are enough, with
> 3 attempts to full PW request). This fast unlock can have
> alternative as finger print reading.

I think the top 3 have that, don't they?
1. KeePass2Android Offline <https://play.google.com/store/apps/details?id=keepass2android.keepass2android>
2. KeePassDroid <https://play.google.com/store/apps/details?id=com.android.keepass>
3. KeePass DX <https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free>

I'm asking the group (comp.mobile.android) which they prefer
to help us decide on which of the three to keep & which two to delete.

[arlen holder]

On Wed, 23 Jan 2019 07:31:51 +0100 (GMT+01:00), Libor Striz wrote:

> There are 2 variants by Crocodile Apps.
> Offline only with blue icon and the one with online storage
> capabilities with green icon.

Thanks for that clarification Poutnik.

It was me who was confused - I didn't realize they're both from the same
developer as I only tested each app a single time for that report.

I just _deleted_ the "green" KP2A since the use model here is OFFLINE.

The three that seem "best" are:

[arlen holder]

On Wed, 23 Jan 2019 16:17:41 -0000 (UTC), Joe Beanfish wrote:

> I use
> https://play.google.com/store/apps/details?id=keepass2android.keepass2android
>
> It works well for me and I haven't tried any others (that I recall
> several years later now) on android. I've not had any interoperability
> problems between that and both windows and linux programs.

Hi Joe Beanfish,

Thanks for letting us know the passwd manager you use and like.
I appreciate your taking the time to do so, especially as there are a few.

I think the one you like is the same one Poutnik uses also.
It's nice you provided the URL as there seems to be two of "similar" name.
o *Keepass2Android Offline*
o *Keepass2Android Password Safe*

I admit I only skimmed them in my tests, where I note what Poutnik says
which is that they're both from the same developer, which makes them
essentially the same thing (one is offline only).

It's an open-source tool whose user interface is apparently based on
KeePassDroid. It's too early for me to tell yet how it differs from the
other major contenders, namely KeePass DX (which is also open source and ad
free), and KeepPass Droid (which is also offline only).

One interesting feature is that KP2A works with WebDAV servers, which may
be a useful way for the Windows machine to host the master kdbx file.

[arlen holder]

On Wed, 23 Jan 2019 07:31:51 +0100 (GMT+01:00), Libor Striz wrote:

> There are 2 variants by Crocodile Apps.
> Offline only with blue icon and the one with online storage
> capabilities with green icon.

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

>

> I just _deleted_ the "green" KP2A since the use model here is OFFLINE.
>

It means also OFF-LAN, even if I am not sure
if LAN access capability is included in ONLINE version.

Both can work Offline.

[arlen holder]

On Thu, 24 Jan 2019 06:47:59 +0100 (GMT+01:00), Libor Striz wrote:

> Both can work Offline.

Yes. I tested _all_ the password managers, and both of these worked
on a passwd.kdbx file which was *copied* from Windows to Android.

> It means also OFF-LAN, even if I am not sure
> if LAN access capability is included in ONLINE version.

I'm not yet sure what this means since SMBv2/v3 is the "LAN" access.
That is, I *first* copy the passwd.kdbx from Windows to Android.
Then (and only *after* I copy it), do I load the passwd.kdbx into KP2A.

Can "KeePass2Android Password Safe" read the passwd.kdbx file
located on the Windows share all by itself (i.e., without the SMB client?)?

How?

When I start KeePass2Android Password Safe (green), and then press the
button named "Open File", it says "Select the Storage Type", where
all I see are the following options in KP2A Password Safe
(none of which seem to be an SMB share on the home LAN):
1. System File Picker (i.e., the Android file system)
2. Dropbox (i.e., the Internet)
3. Dropbox (KP2A folder) (i.e., the Internet)
4. Google Drive (i.e., the Internet)
5. OneDrive (i.e., the Internet)
6. SFTP (SSH File Transfer) ... well OK ... but then we need an FTP server
7. FTP (again, we then need to set up a Windows FTP server)
8. HTTP (WebDAV) ... well OK ... that's a different way than SMB shares
9. HTTPS (WebDAV) ... same as above conceptually
10. OwnCloud (try to set it up on Windows)
11. Get from third party app (I have no idea what this means)

Without setting up a separate server on Windows, I don't see *how* KP2APS
(KeePass2 Android Password Safe) can access the passwd.kdbx
file which resides in a Windows SMB share.

Do you?

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

> I UNDERSTAND why you say that, Poutnik, but it is still HELPFUL
> to know what OTHERs like.

I do agree.

What they like,
or what *they* consider the best.

"What *is* the best"
is often forbidden question on moderated SW discussion forums
for a good reason to avoid flame wars.

The best attribute never involves the evaluated SW alone,
but includes people opinion,
so asking which one is best does not make sense.

> That's why I ASKED which passwd manager people like.

You asked which one is best,
but with probable intention
which one they like. :-)
You may wonder what different personal reactions
may be caused by different formulation of the question.

>
>> One of important features for me the K2A has,
>> is its own keyboard, what makes entering the master DB Little more
>> secure.
>
> Hmmm... I just tested these three for which "keyboard" they use:
> 1. KeePass2Android Offline (ad free, open source, offline only)
> 2. KeePassDroid (ad free, open source, offline only)
> 3. KeePass DX (ad free, open source, fingerprint unlock)
>
> All seem to use the _same_ (i.e., default) keyboard.
> At least by default they do.

You may have do too shallow tests.

They use the same default keyboard,
as there is the Android limitation for them to change it on their own.

The *user* has to switch the keyboard himself for security
reasons. It us often possible from Android notification
field
when a user is at text input fields.

>
> Is the problem that Google (or whomever) can be reading
> our keyboard keystrokes?

With your privacy concerns, I expected yourself to be more
concerned then me.
It does read our keystrokes to improve typing suggestions.

But there is another reason, as K2A kbd contains K2A specific
features.

>
>> And, the full, record level DB sync,
>> similar as Keepass2 for Win has.
>
> By DB sync, I assume you mean "merge"?

I agree terminology is confusing.

The generic term sync means getting the same content on both sides
with the latest items(PW records in KDBX context)

The generic term merge means to combine the latest items from both
sides into a single output.

Therefore Keepass2 for Win and K2A perform a sync, while KeePass
XC performs a merge.

The sync in KDBX context means
Both KDBX files exchange latest PW records.

>
>> Very handy is the fast unlock feature ( once dB is open by full
>> password, then if locked, just last 3 characters are enough, with
>> 3 attempts to full PW request). This fast unlock can have
>> alternative as finger print reading.
>
> I think the top 3 have that, don't they?

Good to know, I do not know the other 2 ones.
I just said what I like on K2A.
I use it for multiple years,
so I do not remember why I have chosen it.

I think searching for a good software is like searching for a
future wife.
One should stick at the one that is good enough for him,
instead of longing for the Holy Graal of finding the best one.

>
> I'm asking the group (comp.mobile.android) which they prefer
> to help us decide on which of the three to keep & which two to delete.

This is what I have originally meant by following the horde.

Result of your priority evaluation
should not depend on what product or features others prefer.

It should help mainly just in awareness of existence of a product
or presence of a feature.

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

>

> It's an open-source tool whose user interface is apparently based on
> KeePassDroid.

Are you sure ?
Or, rather they share similar appearance?

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

.
>
>> It means also OFF-LAN, even if I am not sure
>> if LAN access capability is included in ONLINE version.
>
> I'm not yet sure what this means since SMBv2/v3 is the "LAN" access.

>

> Can "KeePass2Android Password Safe" read the passwd.kdbx file
> located on the Windows share all by itself (i.e., without the SMB client?)?
>
> How?

You overlooked my "if". As I was not sure. From What you gave posted,
I can see now it is not possible.
so for your use case, online version does not bring any advantage
for now.

But if you change you mind later...

[arlen holder]

On Thu, 24 Jan 2019 07:38:30 +0100 (GMT+01:00), Libor Striz wrote:

>> It's an open-source tool whose user interface is apparently based on
>> KeePassDroid.
>
> Are you sure ?
> Or, rather they share similar appearance?

Hi Poutnik,

*FACTS.*

One thing you need to know about me is that I'm far better at facts than
almost anyone who posts here to Usenet since I am an adult.

Facts.

In fact, I would say I'm _never_ wrong - simply because I validate "most"
facts, but, since I'm human, I _must_ have been wrong once or twice out of
the thousands upon thousands of facts I've stated over the years.

Facts.

But essentially, while you may be used to children like nospam who just
make everything up, I don't say things UNLESS they're facts.

My belief system is underlain by facts.*

Hence, if I say it - then you can rest assured it's a fact (unless I tell
you somehow that I'm guessing - which I do - but I don't present that as
fact).

Facts.

If I'm guessing, I will say I'm guessing.
And, what happens, sometimes, is I could "misinterpret" the facts, which,
since I'm human, can happen.

Facts.

But there's always a REFERENCE for my facts, so you can look at what I used
to make that statement, which is this web site:
<https://play.google.com/store/apps/details?id=keepass2android.keepass2android>

And this sentence:
"*The user interface is based on Keepassdroid*, ported from Java to Mono*"

Facts.

We can discuss an "interpretation" of that fact, but that fact is the fact
that I based my statement of fact since I don't state a fact unless I have
reason to believe it is a fact.

Facts.

--
NOTE 1: I'm only human, so out of thousands upon thousands of facts, I
_must_ have gotten one or two wrong - but it's so rare that it won't
realistically happen - simply because I only speak facts. My belief system
is underlain by facts.

[arlen holder]

On Thu, 24 Jan 2019 07:44:55 +0100 (GMT+01:00), Libor Striz wrote:

> You overlooked my "if". As I was not sure. From What you gave posted,
> I can see now it is not possible.
> so for your use case, online version does not bring any advantage
> for now.

Hi Poutnik,
Thanks for that clarification.

To give you an update...

I tested ten iOS SMBv2 clients yesterday, so there really is only one set
of tests left that has any risk of failure (e.g., Linux is never a
problem), which is iOS, when I tackle their passwd.kdbx managers.
o Do you know of a free iOS SMBv2 (or SMBv3) client?
<https://groups.google.com/forum/#!topic/comp.mobile.ipad/1OY2fExXxaM>

I found _one_ smbv2 client which (barely) worked, and it was crippleware -
but it is the best there is on iOS (sadly, free functionality is almost
always, if not always worse on iOS), so now all I have to do is find a good
iOS passed.kdbx tool to complete the process.
o Which free iOS KeePass kdbx-compatible password database manager do you recommend?
<https://groups.google.com/forum/#!topic/comp.mobile.ipad/nG8xHOzPp08>

So I'm almost done with the cross-platform passwd management setup which
doesn't put _anything_ on the Internet!

As usual, I'll write it up when I'm done so that everyone benefits from the
effort.

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

> On Thu, 24 Jan 2019 07:38:30 +0100 (GMT+01:00), Libor Striz wrote:
>
>>> It's an open-source tool whose user interface is apparently based on
>>> KeePassDroid.
>>
>> Are you sure ?
>> Or, rather they share similar appearance?
>

>

> And this sentence:
> "*The user interface is based on Keepassdroid*, ported from Java to Mono*"

This would be enough. :-)
I missed this info, or rather forgot it, using K2A for years.

The rest is a kind of overreaction :-)

[arlen holder]

On Thu, 24 Jan 2019 07:34:06 +0100 (GMT+01:00), Libor Striz wrote:

> You may have do too shallow tests.

Hi Poutnik,
I agree with you!
I do NOT know how to test keyboards.
I admit when I'm out of my league.

They all looked the same to me in my "shallow" tests.

If there was a good "yes/no" test for a custom keyboard,
that would be GREAT.

Right now, I'm testing iOS apps so I haven't gotten back
to the keyboard issue.

However, I do AGREE with you that avoiding keyloggers
for a password database is IMPORTANT!

> They use the same default keyboard,
> as there is the Android limitation for them to change it on their own.

Thanks for clarifying their keyboards "look" like the defaults.

It would be nice if we can figure out a GOOD TEST to prove
whether we're using a default keyboard or a custom keyboard.

> The *user* has to switch the keyboard himself for security
> reasons. It us often possible from Android notification
> field when a user is at text input fields.

My keyboard on my phone is the default keyboard.
I have, in the past, switched keyboards.
I did that mostly to get "bigger buttons" for my fat fingers.
I also tried, and failed, to find an AUDIO-default keyboard.

But those are topics for another day.

What we need now is a FOOLPROOF way to tell whether the password
manager is using the DEFAULT keyboard or a CUSTOM keyboard.

[arlen holder]

On Thu, 24 Jan 2019 23:05:21 +0100 (GMT+01:00), Libor Striz wrote:
> The rest is a kind of overreaction :-)

Hi Poutnik,

Mea culpa!
I apologize for coming down hard on your question of facts.
Nolo contendere.

Yours was a valid question since you don't know where I get my facts, and,

I didn't "say" where I got them when I had said:
"It's an open-source tool whose user interface is
apparently based on KeePassDroid"

I agree I over-reacted since YOU are an adult & you act like one.
I'm just so used to _others_ making everything up all the time.
And then they accuse me of not being correct on my facts.

As you are aware, I value my credibility very much.
If I say something is a fact - then I want you to _know_ it's a fact.

So I apologize for over-reacting to you.
I'm just so used to morons like nospam calling all facts, lies.

> This would be enough. :-)
> I missed this info, or rather forgot it, using K2A for years.

Thanks for understanding Poutnik.
I apologize again for overreacting to a question of reference.

I'm so used to idiots like Alan Baker calling all facts, lies.

I should be _glad_ to reference my facts for someone like you.
I over reacted.

I value my credibility.
I don't say something is a fact unless I have reason to believe so.
My credibility is important to me.

Back on topic to your question, here are more references to back
up where I got the idea that there is some cross pollination of UI code:
o <https://play.google.com/store/apps/details?id=keepass2android.keepass2android>
"The user interface is based on Keepassdroid, ported from Java..."

o <https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet>
"The user interface is based on Keepassdroid (by Brian Pellin), ported
from Java to Mono for Android. The backend uses the original KeePass
libraries to handle file access to ensure file format compatibility."

I don't know how much code was re-used, but it seems that portions of KP2A
is based on that of the open source code from Brian Pellin:
o KeePassDroid
o <https://play.google.com/store/apps/details?id=com.android.keepass>

What's more important is for us to _recommend_ for others a good app.
At the moment, they seem equivalent, to me - but I haven't finished testing.
Hence I'm inclined to recommend multiple apps (which is a "good thing").
:)

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:
>
>

> What we need now is a FOOLPROOF way to tell whether the password
> manager is using the DEFAULT keyboard or a CUSTOM keyboard.
>

It is very easy.
Whenever you are at the text input field,
if you have multiple keyboard options Available,
( e.g. if you have the K2A installed),
trigger by swipe down the system notification list .
One of the item will be the keyboard choice.
It is always on the user (on non rooted phones) ,
which keyboard will be used.

K2A kbd is very different to the standard keyboard.

[Libor Striz]

arlen holder <ar...@arlen.com> Wrote in message:

Apology accepted. :-)

I may got previously confused by your usage of "apparently",
what I had misinterpreted as it could be just your impression.

> "The user interface is based on Keepassdroid (by Brian Pellin), ported
> from Java to Mono for Android. The backend uses the original KeePass
> libraries to handle file access to ensure file format compatibility."
>

It is quite possible I used to KeepassDroid in past,
when I was using java based KeePass compatible app
on Symbian phone Nokia E52
some 6-7 years ago.

I do not remember anymore what exact application it was.