Stay away from KeePass



ROFL:


Quote

8.2.2016 @ 15:45: Received response from Dominik Reichl: The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.

The author of KeePass does not want you to have your passwords stored securely because of lost advertisement revenue...


I use KeePass, but never used the update feature.  I just check for updates through MajorGeeks every day for most of my programs.


3 minutes ago, th3rEsa said:

LastPass had security issues in the past, intruders were able to grab their database; which was one of the reasons I switched over to a self-hosted solution.

I'd rather have them get a local and server-side encrypted database using 256-bit AES and one-way salted hashes that they will never be able to crack vs. inject something via HTTP and replace the client with a non-official one to steal my passwords as I decrypt them locally.


This appears to be getting blown very much out of proportion to me... But I haven't had time to dig deeply into this yet...


The problem is limited to the update checker which may suggest an issue on the developer being very web development savvy. There are no ads in KeePass, but the developer may be concerned that enabling HTTPS on KeePass site will push everything over HTTPS and leave users with the ads being blocked due to them not being served over HTTPS. Obviously, it is possible to serve ads over HTTPS depending on who serves ads on the website AND the update checker can be on HTTPS and the website on HTTP just fine.


The recommendation suggested to the developer suggests the move to HTTPS only:


Quote

Hence, I strongly recommend that all requests should be switched to encrypted HTTPS communication – especially version checks and updates! This should be fairly easy to implement and should not introduce any compatibility issues. Furthermore, a valid certificate should be used for https://keepass.info and all unencrypted HTTP requests should be redirected to the encrypted version of the site. To provide even more security it is recommended to add the HTTP Strict Transport Security (HSTS) headers. As an alternative the update check feature could be removed.

Nothing in this suggests that KeePass itself is insecure or that there are ads built into the app or some nefarious ad hooks...


It just says that a guy building an app for free that runs on the Desktop isn't a web developer or server admin... Not too surprising... The situation should be fixed, but this isn't a reason to run away from the app entirely unless I'm missing something major.

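
The quoted recommendation ends with HSTS. As an added illustration (not code from KeePass, the advisory author, or any browser), the following hypothetical `HstsStore` shows what an update checker or HTTP client does with a `Strict-Transport-Security` header once it has seen one over HTTPS: it caches the policy with its expiry and `includeSubDomains` flag, and rewrites any later `http://` URL for that host to `https://` before a request leaves the machine, so a plain-HTTP version check cannot be substituted on the wire for the lifetime of the policy. The header value and host names in the demo are constructed samples. The caveat the thread circles around still applies: the very first contact, before any header has been cached, is unprotected unless the host is in a preload list.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal client-side HSTS policy cache (simplified RFC 6797 semantics).

    Hypothetical helper, not code from KeePass or any browser. A client that
    keeps such a store rewrites http:// URLs for known hosts to https:// before
    any request goes on the wire, which blocks a downgrade of the update check
    once the header has been seen once over HTTPS.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value):
        """Process a Strict-Transport-Security header received over HTTPS.

        Returns True if a policy was stored or refreshed, False if the header
        was ignored (malformed, no max-age) or max-age=0 cleared the host.
        Headers seen over plain HTTP must never be passed here.
        """
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False  # unparseable max-age: ignore the whole header
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the client to forget the host
            return False
        self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        host = host.lower()
        now = self._now()
        policy = self._policies.get(host)
        if policy and policy[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            policy = self._policies.get(parent)
            if policy and policy[0] > now and policy[1]:
                return True
        return False

    def rewrite(self, url):
        """Return url upgraded to https if HSTS applies, otherwise unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # port 80 becomes the https default (443); any other explicit port is kept
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: the header keepass.info would send after such a fix.
    store = HstsStore()
    store.observe("keepass.info", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://keepass.info/update/version.txt"))
```

`observe` must only ever be fed headers that arrived over a verified HTTPS connection; honouring the header from a plain-HTTP response would let whoever controls the path plant or clear policies.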

1 minute ago, th3rEsa said:

The thing with KeePass is that I know who has my database and how it is built and how secure it is.

If someone replaces the updater app, replaces your client in the background via it, you may never know it has happened until it is too late.


If someone breaks into the LastPass data, it's usually such a widespread issue that you will know about it in a short period of time and you can change your passwords if you choose to do so, long before they can decrypt the database they have stolen. I'll take my chances with LastPass


I built KeePass into my browsers because, at least, Vivaldi (like all Chrome-based browsers) has a hideous password database; it is somehow bound to your Windows logon. I don't trust Google enough.

3 minutes ago, xendrome said:

and you can change your passwords if you choose to do so, long before they can decrypt the database they have stolen.

I wish I only had 3 passwords so this would be easy.


Just now, xendrome said:

If someone replaces the updater app, replaces your client in the background via it, you may never know it has happened until it is too late.


If someone breaks into the LastPass data, it's usually such a widespread issue that you will know about it in a short period of time and you can change your passwords if you choose to do so, long before they can decrypt the database they have stolen. I'll take my chances with LastPass

KeePass doesn't automatically update itself. The update checker simply pops up a dialog telling you a new version exists and you can then click a link to go to the site and download the update. Which, again, is why I think this is overblown. Even HTTPS is subject to a MITM attack, and what you're really at the root of here is the complexity in trusting software you download on the Internet, period.


For example, how do you know the TLS certificate used to serve the site you're viewing over HTTPS hasn't been MITM replaced? Well, you could check the cert hash and compare it to a known good hash. Except, how do you know that hash is good? You read the web page on the site telling you what the hash is? How do you know that hasn't been MITM intercepted and replaced? You don't.


The model itself is fundamentally broken.


I use a mutating cipher with quantum tunneling.  Salted with the Schrodinger rainbow table - if anyone looks @ the key db - it gets changed to porn.


.... or was it always porn ??    hmmmmm   damn cat !

Sorry - I love physics jokes


13 hours ago, th3rEsa said:

LastPass had security issues in the past, intruders were able to grab their database; which was one of the reasons I switched over to a self-hosted solution.

Don't spread FUD please... They grabbed a hashed copy of your email, not the passwords.. Be clear in what you state.. The actual vault of passwords was not gotten.


https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.


Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

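
The quoted notice describes a two-stage design: the client stretches the master password before anything is sent, and the server then re-stretches what it receives with a random per-user salt and 100,000 rounds of PBKDF2-SHA256. The following is an added illustration of that shape, written for this thread and not LastPass's actual code; the client-side iteration count (`CLIENT_ROUNDS`), the use of the e-mail address as the client-side salt, and the extra keyed round that separates the vault key from the authentication hash are assumptions for the demo. What it makes concrete is why a dump of `(salt, stored)` is slow to attack: every candidate master password costs the attacker both stages, and the stored value never contains the vault key. The account and passwords in the demo are constructed samples.

```python
import hashlib
import hmac
import os
import time

# Assumed client-side iteration count for this illustration; the notice quoted
# above gives only the server-side figure (100,000), not the client-side one.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_derive(master_password, email, rounds=CLIENT_ROUNDS):
    """Client side: stretch the master password into the vault key, then derive
    the authentication hash, which is the only value sent to the server.

    The vault key stays on the device. The auth hash is one further PBKDF2
    round keyed by the password, so it cannot be turned back into the key.
    (Using the e-mail address as the salt is an assumption of this demo.)
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash, rounds=SERVER_ROUNDS, salt=None):
    """Server side: strengthen the received auth hash with a random per-user salt.
    (salt, stored) is what a database dump would give an attacker."""
    salt = salt if salt is not None else os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return salt, stored


def server_verify(auth_hash, salt, stored, rounds=SERVER_ROUNDS):
    """Constant-time check of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return hmac.compare_digest(candidate, stored)


def offline_guess(candidate_password, email, salt, stored,
                  client_rounds=CLIENT_ROUNDS, server_rounds=SERVER_ROUNDS):
    """The work an attacker holding the dump must do per guess: both stages, every time."""
    _, auth_hash = client_derive(candidate_password, email, client_rounds)
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", auth_hash, salt, server_rounds), stored)


def guesses_per_second(email, salt, stored, samples=3):
    """Rough single-threaded rate of offline_guess on this machine."""
    t0 = time.perf_counter()
    for i in range(samples):
        offline_guess(f"wrong-guess-{i}", email, salt, stored)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    vault_key, auth_hash = client_derive("correct horse battery", email)
    salt, stored = server_enroll(auth_hash)
    print("login ok:", server_verify(auth_hash, salt, stored))
    print("guesses/s on this machine:", round(guesses_per_second(email, salt, stored), 1))
```

The rate printed at the end is per core on ordinary hardware; it is the figure to compare against the size of the password space a user actually picks from, which is why the notice still tells people who reused their master password elsewhere to change it.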

This is lacking context. The issue concerns updates and does not compromise the inner workings of KeePass. The same risk applies to the download via the web site since it's HTTP only. Publishing hashes at least would help.


Edit: In fact this is the case:
"Hash sums and OpenPGP signatures for integrity checking are available, and program binaries are digitally signed (Authenticode). New translations are available, too."


Not much help if the hashes are available over the same HTTP server, but users who download manually can check the signature on the package. I agree that this is an issue, but I wouldn't stay away from KeePass just because of this.

Edited by Breach

why fight over this.. at some point in time or another there is a slight chance your passwords get hacked either via pass manager account hijacking or the most basic of stealing this kind of info.. nobody is 100% safe when plugging in the internets cable.


3 minutes ago, UnclePritchard said:

why fight over this.. at some point in time or another there is a slight chance your passwords get hacked either via pass manager account hijacking or the most basic of stealing this kind of info.. nobody is 100% safe when plugging in the internets cable.

Wouldn't you think that a site like keepass would have https on everything? IMO keepass can't be trusted due to this basic mistake.
