Does anyone here feel more confident about a security software when it has a team page with real humans behind it? That was one of the things that always made me uncomfortable about TrueCrypt for example.
Sure there is code. But I can't go through the code..
I’ve been fine with KeePassXC, mainly because the file format is just AES encrypted xml. Sure, they could have still done something nonstandard and potentially dangerous, but with all the other clients people make I would expect that to get exposed reasonably quick.
"Just AES encrypted" is a pretty limited way of looking at things. AES offers plenty of ways to screw things up, off the top of my head with my limited cryptographic knowledge: how do you do random number generation? How do you deal with password-based key derivation? Is it resistant to GPU bruteforcing? Did you pick a good mode of operation for the use case and are you properly managing IVs? Do you authenticate encrypted data?
As far as I'm aware the newest KeePass format seems to do these things well (they switched from a custom AES-based KDF to using Argon2 recently), but I'm not sure if KeePass XC does the same and I'm certainly not qualified to review these things perfectly myself.
I do understand the sentiment but I can imagine that depending on who the real humans behind TrueCrypt were, their presence on a team page could have just as easily decreased confidence.
Actually, I do, with any software. I'm aware you may as well use it to fool me with some stock profiles, but seeing the humans behind the code increases my comfort of using it. You wouldn't show your face if you're 'selling' me crap, would you?
There are a lot of people who show you their face (or a face) to gain trust and sell you crap. Inversely, there's also a lot of people producing really good software who wouldn't wanna show you their face.
Also, I'm not accusing you of anything but I have the feeling real name/face/whatever policies are one of those things that disproportionately affect minorities (people who are subject to harassment online or otherwise uncomfortable sharing their identity) while doing almost nothing to ensure trustworthiness.
I'm not sure this is a good signal for trustworthiness. For example, how do you know the humans are real? In this new age of deepfakes, it's easier than ever to generate profiles of non-existent people.
wow, I did not expect them to do this after reading issues that they couldn't work with the Windows API for some reason since it didin't have a C++ API.
The problem isn't so much the language as the fact that it's very tedious if you only have access to the old Win32 API as a result of toolchain constraints. It is much easier with the VCpp toolchain.
I love KeePass (proper; I don't use XC), but it would be nice if they had better support for hardware keys[0]. What I want is to keep my existing password and add in the hardware support -- just plug in the key, press the button, and be done with it.
It's not exactly what you are asking for, but KeepassXC supports OnlyKey [0], and OnlyKeys can enter a password just pressing a button, plus they have HMAC support, so the KeepassXC experience can be:
1. Plug in Onlykey and unlock if necessary.
2. Open database in KeepassXC.
3. Press button in Onlykey with the KeepassXC password.
4. Press any button again when it asks for HMAC challenge.
What support exactly? Years ago I added Yubikey support[0] to KeePassXC. You'd have to migrate your database to KeePassXC and you could use any combination of keyfile, password, and YubiKey.
What you linked isn't talking about the entire site. It literally says that the signature page is secure. But they don't mention the entire site being secure. I wonder why...
Here it is 3.5 years ago being hosted over http and not redirecting to https. It looks like they changed in 2018.
The "security issue" you're talking about was that the URL used to determine if there is a new version available was HTTP-only. People felt like this was a security concern because it was susceptible to a MitM attack. The author felt like this was a none-issue because Keepass did not self-update at all, the URL was only used to inform the user of a new version. So a successful MitM attack would merely inform the user of a new version.
New version of the software were served via mirrors and digital signatures for all versions were made available.
Standard security practice for the era was to verify the digital signatures of software before installing it because so much software was served by third parties.
Also, this all happened before HTTPS was ubiquitous (the patch to force version checks to use HTTPS came in 2016). Most sites still served traffic over regular HTTP, with only logins and purchase pages using encryption.
One thing I'd like to see is one file being able to be unlocked via multiple keys so for example my desktop could use a password+keyfile whereas my laptop would need password+hardware key, but they both backup to the same file. Do any other managers enable this?
Hmm... you could probably construct this yourself. Make a new database for the new auth method, then set it up to automatically open the 'core' database (which essentially just saves the decryption key in the new database): https://keepassxc.org/docs/KeePassXC_UserGuide.html#_automat...
37 comments
[ 3.4 ms ] story [ 89.9 ms ] threadSure there is code. But I can't go through the code..
As far as I'm aware the newest KeePass format seems to do these things well (they switched from a custom AES-based KDF to using Argon2 recently), but I'm not sure if KeePass XC does the same and I'm certainly not qualified to review these things perfectly myself.
Also, I'm not accusing you of anything but I have the feeling real name/face/whatever policies are one of those things that disproportionately affect minorities (people who are subject to harassment online or otherwise uncomfortable sharing their identity) while doing almost nothing to ensure trustworthiness.
[0] https://keepass.info/help/kb/yubikey.html
1. Plug in Onlykey and unlock if necessary.
2. Open database in KeepassXC.
3. Press button in Onlykey with the KeepassXC password.
4. Press any button again when it asks for HMAC challenge.
[0] https://onlykey.io/
[0] https://github.com/keepassxreboot/keepassxc/pull/127
Yeah consumer choice but I'd rather one or two tested solid products than 14 flavors of the month.
Currently using BitWarden and I like the sync, the browser integration, and availability on Android.
KeepassXC written with C++ and crossplatform GUI, so it’s better fit with Linux and macOS. Also, AFAIK, KeepassXC has more features.
I’m using Keepass because I trust C# more than I trust C++ when it comes to security. But it’s nice to have options.
https://keepassxc.org/docs/#faq-keepassx
tldr is : C# (canonical project) -- vs -- C++ (older project) -- vs -- C++ (newer project)
KeePass has many plugins available, which allow extending its behavior. KeePassXC doesn't have plugins, but has many quality of live things built-in.
I used both, but currently use KeePassXC. I really love its ssh key integration.
Looks like it uses HTTPS to me.
What you're referring to is an old (fixed roughly six years ago), and highly misrepresented situation discussed here:
https://keepass.info/help/kb/sec_issues.html#updsig
Here it is 3.5 years ago being hosted over http and not redirecting to https. It looks like they changed in 2018.
https://web.archive.org/web/20170907194943/http://keepass.in...
New version of the software were served via mirrors and digital signatures for all versions were made available. Standard security practice for the era was to verify the digital signatures of software before installing it because so much software was served by third parties.
Also, this all happened before HTTPS was ubiquitous (the patch to force version checks to use HTTPS came in 2016). Most sites still served traffic over regular HTTP, with only logins and purchase pages using encryption.
One thing I'd like to see is one file being able to be unlocked via multiple keys so for example my desktop could use a password+keyfile whereas my laptop would need password+hardware key, but they both backup to the same file. Do any other managers enable this?