I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don’t use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn’t change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
For the most part I think both systems are pretty even to protecting the passwords that are on your actual machine. One pro that I can think of for vaultwarden is its less likely that malware would be able to find it since it runs on the browser. One con of this is however you have an additional attack vector that is the server vaultwarden is running on. Should an attacker gain access to that server they could easily replace vaultwarden with a malicious version and grab your password that way.