KeePass Password Manager

195 readers

1 users here now

Everything about KeePass password manager and its forks.

Only two simple rules:

Keep a respectful tone.
No spam/scam.

founded 1 year ago

MODERATORS

ScaNtuRd

CVE-2023–35866 (keepassxc.org)

submitted 1 year ago by [email protected] to c/keepass

6 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

There has been a lot of discussion in the infosec community about "keepass being insecure" because of CVE-2023–35866

In this official statement by the devs, they basically explain the criticality of the CVE is basically overblown:

You need local access
You need an application which was authorized to access your database

That's a lot of ifs, even though, theorically, this application with local access and which was previously authorized could change the master password of your database.

A lot of people in the infosec community recommend 1Password, but IMHO, 1Password is the new LastPass.

For context lastpass has suffered heavy hacks recently, and it was insecure from the bottom up. Lastpass then lied about the gravity of the hack

1Password (like LastPass) is closed source and run by a for profit company. My advice:

Use KeepassXC
If you need sync use Bitwarden
If you're ready to self host, use Bitwarden with Vaultwarden (preferably only accessible behind a wireguard VPN)

[–] ScaNtuRd 3 points 1 year ago

Completely agree. If you can't secure your machine properly, everything is at risk. I don't care when the infosec community says. KeePass is by far the most secure solution in my opinion. Also, Syncthing works quite well for syncing KeePass databases. It's FOSS as well, and provides E2E encryption.