FLOSS password manager's data storage

✍️ Written on 2021-12-13 in 509 words.
Part of cs software-development IT-security

Motivation

A bachelor student of mine looked into password managers. We only looked at free/libro open source software (FLOSS) password managers since we wanted to interface them. As a result, we collected a list of password managers and their metadata. In particular, I listed where the password manager stored its passwords.

The table

Password manager initial release license data storage user interface

Bitwarden

2016

AGPL-3.0-only (server) GPL-3.0-only (client)

Encrypted JSON

GUI or web

GNOME Keyring

2018

GPL-2.0-or-later

Custom binary format (keyring)

GUI

KeePass

2003

GPL-2.0-or-later

KDBX 4

GUI

KeePassX

2013

GPL-2.0-only or GPL-3.0-only

KDBX 2

GUI

KeePassXC

2017

GPL-2.0-only or GPL-3.0-only

KDBX 4

GUI

KeeWeb

2015

MIT

KDBX 4

web

Keychain

1999

APSL-2.0

Custom binary format (keychain)

GUI

KWallet

2014

LGPL

Custom binary format (kwl)

GUI

pass

2012

GPL-2.0-or-later

GnuPG encrypted files

CLI

Password Safe

2002

Artistic-2.0

Custom binary file (pwsafe V4)

GUI

Seahorse is only a GUI frontend for (e.g.) GNOME Keyring and not a password manager on its own.

Conclusion

KDBX is the most established file format among FLOSS password managers. It does not surprise since it is very versatile (allows to add arbitrary attributes) and avoids unpopular infrastructure like GnuPG.