KeePassXC 2.5
keepassxc.org
Anyone here have opinions on or pointers to the KeePassXC team's rep, creds or track record? I've been using KeePassX partly because Tavis Ormandy said it "looked sane" in a tweet once. How careful is the XC team when adding features?
What kinds of issues are you expecting? Short of actively writing malicious code, I feel like it's hard to get things terribly wrong in an offline password manager when adding a new feature? There are various mitigations you can put in against some potential attacks, but they're generally secondary lines of defense that require other breaches to occur first.
I don't know, that's why I'm asking the question.
I've seen enough security bugs that I don't want to trust the gut feelings of a non-expert, such as myself. One example I can think of is another password manager that used random numbers incorrectly, putting a bias in the random passwords it was generating.
Well something like that is core to the password manager, and already introduced into the product since the beginning. If the maintainer has been competent enough to use (say) a secure RNG until now, he's not going to suddenly mess it up when adding a new feature.
Which is not to say it's a bad idea to get expert vetting for something like this (it's obviously an ultra-safe approach), but it helps to try to put things in context yourself, so that you don't have to find an expert every time you need to make a security decision. In the context of a desktop password manager, there isn't a terrible lot that can go wrong by accident and suddenly result in password exposure once the core product is formed and secure. If it happens, it'd be almost certainly due to a new maintainer coming along and somehow checking in unsafe code, rather than the current maintainers (say) suddenly forgetting they shouldn't call rand() or accidentally saving plaintext passwords on a disk.
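The RNG-bias bug mentioned a few comments up, and the "shouldn't call rand()" remark here, both come down to the same thing: mapping a random byte onto an alphabet with a plain modulo. The example below is added here and is not KeePassXC's generator; it computes the bias exactly and shows the rejection-sampling fix (it assumes a 62-character alphabet and uses std::random_device only as a stand-in for a proper OS CSPRNG).

```cpp
// Added example (not KeePassXC code): why "random byte % alphabet size"
// biases generated passwords, and how rejection sampling removes the bias.
#include <cstddef>
#include <cstdint>
#include <random>
#include <string>
#include <vector>

// 62-character alphabet (assumed for the demo). 256 is not a multiple of 62,
// so "byte % 62" cannot be uniform: indices 0..7 each receive 5 of the 256
// byte values, indices 8..61 only 4 (a 25% relative over-representation).
static const std::string kAlphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// How many of the 256 possible byte values land on each alphabet index
// under the naive "byte % n" mapping. Exact count, no randomness involved.
std::vector<int> modulo_bias_counts(int n) {
    std::vector<int> counts(n, 0);
    for (int b = 0; b < 256; ++b) counts[b % n]++;
    return counts;
}

// Largest multiple of n that fits in 256; bytes at or above it are rejected
// so every surviving byte maps to exactly one index with equal probability.
int rejection_limit(int n) { return 256 - (256 % n); }

// Map one byte to an alphabet index, or -1 if it must be discarded and redrawn.
int pick_unbiased(uint8_t b, int n) {
    return b < rejection_limit(n) ? b % n : -1;
}

// Generate `len` characters with rejection sampling. std::random_device is a
// stand-in here; a real password manager must draw from the OS CSPRNG.
std::string generate_password(std::size_t len) {
    std::random_device rd;
    const int n = static_cast<int>(kAlphabet.size());
    std::string out;
    while (out.size() < len) {
        int idx = pick_unbiased(static_cast<uint8_t>(rd() & 0xFF), n);
        if (idx >= 0) out.push_back(kAlphabet[idx]);  // rejected bytes: redraw
    }
    return out;
}

// Sanity check used by the demo: right length, only alphabet characters.
bool password_is_valid(const std::string& p, std::size_t len) {
    if (p.size() != len) return false;
    for (char c : p)
        if (kAlphabet.find(c) == std::string::npos) return false;
    return true;
}
```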
> If the maintainer has been competent enough to use ...
In security you are considered incompetent until proven otherwise.
I don't want some random dude to protect my passwords just to realize a year later that he did a "little mistake".
>> If the maintainer has been competent enough to use ...
> In security you are considered incompetent until proven otherwise.
And didn't my quote literally say "if the maintainer has been competent enough"?
I was only familiar with Keepass. What are the differences between all the different products? KeePassXC, KeePassX and KeePass?
Keepass uses .NET, so is dependent on the Mono framework etc. on non-Windows.
KeepassX is no longer maintained.
KeepassXC is maintained and more featured; it's also not dependent on .NET.
For mac users, there's also MacPass (https://macpassapp.org), which is Keepass compatible.
Seeing the issue for Yubikey still open after 6 years, it doesn't inspire any confidence https://github.com/MacPass/MacPass/issues/90
Wouldn't this sort of software be better written in a safe language like C# as opposed to C++?
It runs locally, and if the attacker has that much access, in most scenarios there isn't anything stopping your adversary from just logging your keystrokes and curling the keystore to a remote server.
Yes and no. In a language like C++ you might have more control on encrypting and zeroing out sensitive memory.
No, how else would we get your passwords?
KeePass is written in C#, so requires a .NET runtime.
KeePassX is a rewrite in C++, using Qt. KeePassXC is a fork of KeePassX, as KeePassX was felt to be unmaintained.
> KeePassX was felt to be unmaintained
KeePassX was abandoned 3 years ago.
Actually it's still receiving commits, the maintainer just doesn't have a lot of time for it. https://github.com/keepassx/keepassx/commits/master
Hey bscphil, if you'll recall you made a comment about 5 months ago saying that you were playing around with augmenting CarpalX to allow moving around the symbol keys in the model. I am interested in breaking down the model. Is there a place I'd be able to contact you?
Not sure if a single commit of two includes in the last two years really counts.
The “backup to paper” option is intriguing and I thought at first this would be as a series of QR codes instead of plain text. Will definitely be looking into the CLI options as well.
It's just an HTML export, nothing particularly special.
What sort of CLI interface does XC have? Can I finally replace keepassc?
Right now the best doc about the CLI would be the manpage I think https://github.com/keepassxreboot/keepassxc/blob/develop/sha...
I wrote an interface that takes inspiration from pass: https://github.com/evidlo/passhole
There is also keepassxc-cli and kpcli.
I used the keepass format for years up until a few months ago. I switched over to bitwarden, mostly for the sharing.
Important accounts are shared between my wife and me, and I back everything up to my NAS regularly.
For work, we're looking into Vault by HashiCorp.
If I can't use it on my phone I need to run two different password managers, which is awkward at best. Seems like iOS/Android versions could help a lot with traction.
There are many KeePass-compatible apps available on F-Droid. I'm using KeePass DX; it has a clean UI, autofill support and fingerprint auth.
That app looks good, thanks for sharing!
KeePassXC is just a GUI for a particular password database format. There are mobile apps supporting the same format: https://keepassxc.org/docs/#faq-platform-mobile
Does this one have auto-saving of the key store after adding an entry?
I've lost a lot from KeePassX by being spoiled by other auto-saving managers over the majority of this century.
AFAIK, that feature has been available for some time (I've been using it, and can confirm that it works flawlessly). You can find it under Tools -> Settings -> General -> File Management -> Automatically save after every change.
And why is it not the default? What's the use case here, assuming there actually is a rationale?
I think it actually might be the default. I can't remember changing that setting at least and for me it's on.
XC does have that feature. Definitely a good thing.
Yeah, there's an option to save after every change.
I'll definitely use the monospace option. Does anyone know how to use the CLI version? Is it a separate app?
At least in Debian-based distros, the CLI version ships with the ``keepassxc`` package. I've used it on the odd occasion for password retrieval, and I can confirm it worked for my needs. You can find the manpage to give you some indication of what's possible: http://manpages.ubuntu.com/manpages/eoan/man1/keepassxc-cli....
Should I be concerned that upon installing 2.5 on MacOS it requested permission to Screen Recording?
That's needed for the Auto-Type to find windows.
Can it auto-fill passwords on mobile apps?
I've been happy with Keepass2Android, which would be compatible with KeePass XC files.
Is this better than pass?
Theoretically, you could consider it better.
KeePass saves passwords in a single encrypted file by default. This means that an attacker has no idea about the structure of your entries and usernames.
Plus, it's easier to set up on multiple machines, as you don't need to export/import your PGP keys from your initial machine.
Features and ease of use are subjective to each user.
That, of course, depends on your requirements and how you define "better".