‘‘Private, Secure Management for Crypto, Passwords & More.’’
An open source, fully transparent and extremely secure password manager
This quote from their GitHub page reads like self-promotion, especially the “extremely secure” part. What is “extremely secure”? It is nothing but a marketing term like “military-grade encryption” or “battle-proofed something”. Then, they talk about “Optional two factor encryption”. This looks also like self-promotion and no additional benefit since the “second factor” here means that you print out a QR code that you have to scan in order to unlock your password storage. You can print out any password as a QR code and scan it. This isn’t a unique feature.
Since Qvault is based on the Electron framework, there are likely security vulnerabilities in it that originate from the framework. We all know this from Signal Desktop or Keybase. This requires good code maintenance, frequent security updates and – of course – this implies that it isn’t more or less “secure” than most other password managers. If you look at this page, you see that this tool is mainly maintained by two people. There seems to be no independent security audit and the “it’s open source, everybody can verify the code part” is nice in theory but mostly impossible in reality.
The basic advice here is: Stay with password managers that exist for years and are maintained, like KeePass 2 or KeePassXC. (Of course, this is only our opinion, and we always have an open mind about other opinions.)
encrypted cloud backups
I don’t know about other people, but I wouldn’t trust my passwords and other confidential info on the cloud even if it it encrypted.
EDIT: Oops, i’m reading too quickly, cloud backups are optional. I still would just recommend Keepass, as it’s audited and known more then Qvault.
And yes, it’s optional (cloud backups).