37 comments

[ 3.4 ms ] story [ 89.9 ms ] thread
Does anyone here feel more confident about a security software when it has a team page with real humans behind it? That was one of the things that always made me uncomfortable about TrueCrypt for example.

Sure there is code. But I can't go through the code..

I’ve been fine with KeePassXC, mainly because the file format is just AES encrypted xml. Sure, they could have still done something nonstandard and potentially dangerous, but with all the other clients people make I would expect that to get exposed reasonably quick.
"Just AES encrypted" is a pretty limited way of looking at things. AES offers plenty of ways to screw things up, off the top of my head with my limited cryptographic knowledge: how do you do random number generation? How do you deal with password-based key derivation? Is it resistant to GPU bruteforcing? Did you pick a good mode of operation for the use case and are you properly managing IVs? Do you authenticate encrypted data?

As far as I'm aware the newest KeePass format seems to do these things well (they switched from a custom AES-based KDF to using Argon2 recently), but I'm not sure if KeePass XC does the same and I'm certainly not qualified to review these things perfectly myself.

KeepassXC has availability of Argon2id and Argon2. It's very decent software IMO that improves over standard Keepass.
There is real humans behind every software, I don't understand the logic here.
>Original release of TrueCrypt was made by anonymous developers called "the TrueCrypt Team".
I don't agree with you but the developers disclose their real names in the about dialog in KeePassXC.
I do understand the sentiment but I can imagine that depending on who the real humans behind TrueCrypt were, their presence on a team page could have just as easily decreased confidence.
Actually, I do, with any software. I'm aware you may as well use it to fool me with some stock profiles, but seeing the humans behind the code increases my comfort of using it. You wouldn't show your face if you're 'selling' me crap, would you?
There are a lot of people who show you their face (or a face) to gain trust and sell you crap. Inversely, there's also a lot of people producing really good software who wouldn't wanna show you their face.

Also, I'm not accusing you of anything but I have the feeling real name/face/whatever policies are one of those things that disproportionately affect minorities (people who are subject to harassment online or otherwise uncomfortable sharing their identity) while doing almost nothing to ensure trustworthiness.

I'm not sure this is a good signal for trustworthiness. For example, how do you know the humans are real? In this new age of deepfakes, it's easier than ever to generate profiles of non-existent people.
irl identities are attack surfaces
I wish they could integrate Windows Hello into it. It's the only thing holding me back from KeePass.
Then it may excite you to see this: https://github.com/keepassxreboot/keepassxc/pull/6029
wow, I did not expect them to do this after reading issues that they couldn't work with the Windows API for some reason since it didin't have a C++ API.
You can use WRL or C++/WinRT (current recommended way) to access the WinRT API from C++.
The problem isn't so much the language as the fact that it's very tedious if you only have access to the old Win32 API as a result of toolchain constraints. It is much easier with the VCpp toolchain.
I love KeePass (proper; I don't use XC), but it would be nice if they had better support for hardware keys[0]. What I want is to keep my existing password and add in the hardware support -- just plug in the key, press the button, and be done with it.

[0] https://keepass.info/help/kb/yubikey.html

It's not exactly what you are asking for, but KeepassXC supports OnlyKey [0], and OnlyKeys can enter a password just pressing a button, plus they have HMAC support, so the KeepassXC experience can be:

1. Plug in Onlykey and unlock if necessary.

2. Open database in KeepassXC.

3. Press button in Onlykey with the KeepassXC password.

4. Press any button again when it asks for HMAC challenge.

[0] https://onlykey.io/

Sounds like you should switch to KeePassXC if that's what you need.
the update is already available for updating via #MacUpdater
How many letters are we going to get behind KeePass? I use KeePassX and have for years. Having 14 forks seems... odd to me.

Yeah consumer choice but I'd rather one or two tested solid products than 14 flavors of the month.

What's the difference between KeePassXC and KeePass? They both seem to be recently updated.

Currently using BitWarden and I like the sync, the browser integration, and availability on Android.

Keepass is made with .NET. It’s native for Windows. It works with other OS using Mono, but it’s not as native, I guess.

KeepassXC written with C++ and crossplatform GUI, so it’s better fit with Linux and macOS. Also, AFAIK, KeepassXC has more features.

I’m using Keepass because I trust C# more than I trust C++ when it comes to security. But it’s nice to have options.

KeePass uses .Net/mono to run on all platforms, while KeePassXC has a more "native" feel.

KeePass has many plugins available, which allow extending its behavior. KeePassXC doesn't have plugins, but has many quality of live things built-in.

I used both, but currently use KeePassXC. I really love its ssh key integration.

Keepass's website uses http because switching to https may hurt advertising revenue.
https://keepass.info/

Looks like it uses HTTPS to me.

What you're referring to is an old (fixed roughly six years ago), and highly misrepresented situation discussed here:

https://keepass.info/help/kb/sec_issues.html#updsig

What you linked isn't talking about the entire site. It literally says that the signature page is secure. But they don't mention the entire site being secure. I wonder why...

Here it is 3.5 years ago being hosted over http and not redirecting to https. It looks like they changed in 2018.

https://web.archive.org/web/20170907194943/http://keepass.in...

The "security issue" you're talking about was that the URL used to determine if there is a new version available was HTTP-only. People felt like this was a security concern because it was susceptible to a MitM attack. The author felt like this was a none-issue because Keepass did not self-update at all, the URL was only used to inform the user of a new version. So a successful MitM attack would merely inform the user of a new version.

New version of the software were served via mirrors and digital signatures for all versions were made available. Standard security practice for the era was to verify the digital signatures of software before installing it because so much software was served by third parties.

Also, this all happened before HTTPS was ubiquitous (the patch to force version checks to use HTTPS came in 2016). Most sites still served traffic over regular HTTP, with only logins and purchase pages using encryption.

I'm a big fan of KeePassXC.

One thing I'd like to see is one file being able to be unlocked via multiple keys so for example my desktop could use a password+keyfile whereas my laptop would need password+hardware key, but they both backup to the same file. Do any other managers enable this?

the merge two kdbx files is not fixed. It shows a "merged" notification but on the shell I see a merge conflict nothing changed error. :(
I use keepassxc on windows and linux machines, but on macos I prefer macpass which uses same kdbx format but has ui that feels home on macos