
What happens when there's more than just you using the Keepass file, and how do you store new passwords to the file when you create new accounts on the web (for various services)?

What's the usage flow? Is there a browser extension that allows you to interact with it without opening the Keepass program?

Maintenance you described is easy, but what about the actual usage and sharing passwords?



Good questions and I think they show some of the blind spots I have.

I don't share my passwords database. Right now my wife and I do have a very limited number of shared accounts but I set up the same system for her and we simply duplicate the few shared logins we have in our two databases. This could be an issue if we need to share more.

Creating new accounts is easy. Both my Windows and iOS Keepass clients open the file directly from cloud storage. They can save changes and reload the database on startup. Once in a while I've had conflicting writes but it's rare, and I stopped getting them when I got better about saving and closing after changes.

Usage flow on PC (I'm sure I could install a browser extension, but haven't bothered yet):

1. oh I need a password. windows+s, type keepass, open keepass, type master password.

2. ctrl+e look for the website I'm on

3. ctrl+b copy username, paste

4. ctrl+c copy password, paste

Usage flow on iOS:

1. oh I need a password. iOS magically knows, gives me options of iCloud keychain or Keepass client. Select Keepass client

2. Sometimes it's not smart enough to detect which password entry to use. In this case, type in the website/app name and select it

3. Usually it's smart enough to fill out the username & password fields automatically


Oh, that's neat. What iOS app do you use? I've been using MiniKeePass but it hasn't been supported for a while now (I've got a copy of the .kdbx for my phone elsewhere, so when it eventually self-destructs I'll still have that at least).


I use Strongbox, with Keepass databases stored in iCloud. One for me, one for wife, and one for both of us for mutual accounts. Periodically they are backed up to a USB drive to store with important documents. And Time Machine backs them up regularly to NAS.

We also use macOS/iOS keychain for convenience, but the TOTP and other notes about the account are stored in Keepass database.


Keepassium. Free, has some limitations that don’t affect me.


Not OP. I add only from my laptop, I share with Syncthing to my other devices. Nobody else uses my passwords. If a customer has a per-team password they either never change it or in the very rare cases they do, they tell me the new password when I ask why the old one doesn't work anymore. They don't let me in their shared password manager anyway (only one customer has one.)


I have a personal Nextcloud instance set up on a VPN. We have a "shared" keepass file that is shared between the two of us, and an individual one for each of us, which is not shared via Nextcloud but still syncs to Nextcloud to have available on our computers/phones.

This has worked great for us for a number of years.


We have been encrypting the key file with our SSH keys and share it along with the database in a private GitHub repo. Additionally we have a single memorable password as a preshared key. Works well for our small admin group.


Not OP. Sharing is not a thing, but I never had the need to share passwords.

Storing new accounts syncs just like everything else.


What's the use case for sharing passwords? I've never had the need to share one in 20+ years of being a power user. If I end up dead, my master password will be shared in my will with appropriate parties.

> Is there a browser extension that allows you to interact with it without opening the Keepass program?

I sure hope not.


> What's the use case for sharing passwords?

My wife and I have a number of accounts we share a single credential for. There are a surprising number of services we access as parents that don't have the concept of shared ownership of content on the server side.

I'd bet there are other use cases as well. Off the top of my head, Hello Fresh also doesn't allow more than one login to manage the same subscription.


Unless you live alone and have no family, there are all sorts of scenarios for sharing passwords.

Fedex/UPS only lets one account get detailed tracking numbers for an address, so I need to share my Fedex account. To check and pay my freeway tolls I'm only allowed a single account - so it gets shared. Plenty of people share all sorts of subscriptions, be they to Netflix, the New Yorker, or more. I need to share access to my insurance, to the utility bills, to sporting event tickets, to grocery store and pet food orders. On and on and on.


Good luck with SMS MFA then.

Also, for many of my accounts today, I use "Sign in with Google" so it's not even possible for me to share a password or credentials unless I share my whole Google account shebang.


> What's the use case for sharing passwords?

For personal use: none for me. Instructions for deriving/obtaining my master password and physical key will be made available in any will or power of attorney documentation I get around to drawing up.

In DayJob there are several, though they are usually only temporary needs, such as:

1. We often get sent password-protected documents by clients, that more than one of us needs to read. It pains me how often I see an attached document on an email containing the password needed to open it… A shared password manager where someone can record the credential and mark who should be able to access it (or better have all credentials encrypted by the public keys of those who should be able to access them rather than just trusting a flag) would be less daftly insecure.

2. Distributing initial credentials for new assets or to new people, where those assets are not integrated with single-sign-on so nothing needs to be distributed anyway.

There are other ways to manage such situations of course, but a password management arrangement with a well-defined way of sharing credentials may encourage behaviour more secure than some of the ad-hoc solutions people regularly use.


> Distributing initial credentials for new assets or to new people

Sometimes I write the password in a file in the home directory of a server we both access in ssh. It doesn't happen often, maybe not every year.

A customer has no servers, not a chance with them.


Internally I do something very similar: drop the information to a share on my machine with read permissions set to the right people.

As you say, things can be more complicated for externals. I often don't have write access to much that they can read from, without putting in a request through infrastructure, for obvious separation-of-concerns reasons, because things we host/manage directly for them are well locked down, anything at their end is too, and most of our clients have white-list-only access to other resources.


Others have mentioned shared family accounts, I could also imagine storing shared wifi keys, or the admin password for the router. In the case of a business/project, there is also storing API keys, and maybe also admin passwords for devices. There could also be non-digital secrets stored in the vault, like bank accounts and social security numbers. The easy solution is just to have a separate keepass file that is meant to be shared, and/or have everyone maintain a separate vault with some of the data duplicated, and manually tell everyone when it's time to update their info.

At work we use HashiCorp Vault, Ansible Vault, and CyberArk for different things, but I still store my stuff in keepass. For personal use, I use keepass on Dropbox, and it's worked incredibly well for almost 15 years now.


> What's the use case for sharing passwords?

There's plenty.

> I sure hope not.

Why? I'm not suggesting to have an extension that has access to your file system. Bitwarden has a browser extension that communicates with the Bitwarden vault via HTTP and it's easy to autofill passwords or generate new credentials.

For throwaway accounts or demo accounts or any kind of new web service/app accounts, it's easy to memorize a username and autogenerate a strong, safe password, which are saved to the vault.

You have access to that same vault from a different device (smartphone etc), it makes interacting with passwords and their storage extremely easy and without mistakes.


A use case isn't hard to imagine. You have a significant other whom you want to share credentials to some website with.

I have quite a few shared passwords in my "family" vault in Bitwarden. Utility websites (electric, gas, water, internet, etc), streaming services, banking, credit cards, mortgage, car payments, car insurance, Chewy (manage pet food auto ship), probably others.



