In terms of "trust factor", which is probably among the main concern in choosing a password manager, they seem equivalent, as far as I can see. But KeepassX or KeepassXC is visually better integrated on non-Windows systems. But it's a deal breaker for me until KDBX4 format support is completed for KeepassXC.
Making it into a .net standard library would make it more usable. Could more easily embed it into other apps, or hook up various front-ends, and they could keep their existing front-end and just have it link to the new library.
If keepass were a .net standard library, you could have different front-ends for various platforms. Making the front-end crossplatform is a good goal too. I'm sure you could use bindings to Qt or gtk. There's various native crossplatform front-ends in the works too. See my comments below.
The .NET stack inside UWP is .NET Core (for the most part), but the UI stack of UWP is WinRT controls [you can read that as modern COM controls] implemented mostly in C/C++ and directly a part of Windows.
So .NET Core doesn't benefit from UWP UI library, but UWP typically benefits from .NET Core upgrades.
I came here hoping that the emergency sheet feature was an implementation of Shamir Secret Sharing. That would allow you to give a few sheets to trusted people, which they could combine to reveal your password.
Does proper version control mean using github or just a git repo or something of that sort? I guess the developer wants to keep it a single dev project (old fashioned but the small project size means it doesn't make a big difference).[1]
A while back I asked HN if there was any way I could trust an iOS keepass client. The answer was no, on the basis that you have no way of auditing whether the open source code built what’s in the App Store. Nor is there a way of preventing a rogue keepass client app from accessing the internet and exfiltrating your database and password.
So how do you do this in practice? Do you just send some guy (that you trust!) hashes of all the files on your system and hope that he spots the backdoored binary soon enough?
Perhaps there's some false assumption there that the "app store" will serve everyone a backdoored binary, instead of performing almost undetectable targeted attacks.
Ostensibly because then you'd have to deploy it yourself to the iOS device - which is fine for your iPhone but not so easy for your parents' iPads across the country/world.
I was just given a mac at work and haven't figured out how to integrate KeePass with Firefox on OSX. On Windows I was using KeeFox, but I can't find a mac client that include KeePassRPC and the mono instructions didn't make sense. For now I'm using KeeWeb and manually copying entries. Suggestions?
Suggestion: don't use integration. The whole idea has a high risk of security compromise and the plugins I've seen were not implemented well. I use copy/paste or Autotype and don't find it slow to use at all.
So now all anyone needs to do is watch your clipboard? I'm not arguing your approach as I use Keepass in the same way, but I also know it'd be pretty straightforward to snarf my creds if you were able to watch my clipboard.
Not exactly - KeePassXC (and many of the other clients) do try to unset the clipboard. I think this is as much to save you from accidentally pasting a password into your browser's search box or a chat, but at least on OSX / macOS, it prevents a malicious script from using pbpaste to grab the last entry off the clipboard.
KeePass does the same thing by default, but all you've done is create a race condition. Clipboard changes can be picked up by any application that cares to listen.
KeePass is the perfect example of simplicity over complexity. It does exactly what it sets out to do and it does it well. Unlike online services, I trust it wholeheartedly, because it is free software, well-built, simple, and basically a fancy XML parser with encryption.
The less it does, the fewer ways it can break or be broken. The attack surface is tiny compared to, say, LastPass.
You choose your own sync solution, unlike LastPass/the like.
What's the new standard for AES passes? Patch notes mention it but not the number.
45 comments
[ 3.0 ms ] story [ 86.5 ms ] threadLooks like Xamarin is building full cross-platform support via XAML
https://blog.xamarin.com/glimpse-future-xamarin-forms-3-0/
Avalonia seems like a straightforward reimplementation of WPF that is already usable.
https://github.com/AvaloniaUI/Avalonia
DotVVM is working on electron support, and I work with it already. I like it.
https://github.com/riganti/dotvvm-electron
https://blogs.msdn.microsoft.com/dotnet/2017/10/10/announcin...
If keepass were a .net standard library, you could have different front-ends for various platforms. Making the front-end crossplatform is a good goal too. I'm sure you could use bindings to Qt or gtk. There's various native crossplatform front-ends in the works too. See my comments below.
So .NET Core doesn't benefit from UWP UI library, but UWP typically benefits from .NET Core upgrades.
The same parameters input into two online SSSS generators: 3 parts( 2 reqd), secret=hackernews yield different parts.
I want to make it easy to recover. Using the same tool to store the passwords and recover the keys simplifies the process.
[1]: http://point-at-infinity.org/ssss/ [2]: https://iancoleman.github.io/shamir/
[1]: https://sourceforge.net/p/keepass/discussion/329220/thread/0...
"Having no source code repository (version control system) doesn't mean that KeePass isn't open source."
--Dominik Reichl
Has any of that changed recently?
Debian is trying to get reproducible builds for their packages.
I don't know enough about iOS to say anything about that.
Perhaps there's some false assumption there that the "app store" will serve everyone a backdoored binary, instead of performing almost undetectable targeted attacks.
Great job!
This person should sell this...
https://keepassxc.org/
https://github.com/keepassxreboot/keepassxc
HN discussion about it: https://news.ycombinator.com/item?id=13468261
source: https://github.com/smorks/keepasshttp-connector
It's way below similarly aged articles with ~5x fewer points.
The less it does, the fewer ways it can break or be broken. The attack surface is tiny compared to, say, LastPass.
You choose your own sync solution, unlike LastPass/the like.
What's the new standard for AES passes? Patch notes mention it but not the number.