KeePass Reviews

Comment by olegsobakin
about KeePass · Jun 2017 ·

The best password manager for me. It's also possible to use it online. LastPass is great too though I don't trust any extension in chrome to save my passwords. Pretty much google chrome itself has the features LastPass has. But KeePass is very safe.

Reply
Comment by karlblass
about KeePass · Mar 2017 ·

Really nice software. For me it could be a bit more stable though.

Reply

KeePass have security flaw in update mechanism, developer refuse to fix

about KeePass · · 1 Helpful

KeePass have MitM security flaw in update check. KeePass uses, in all versions up to the current 2.33, unencrypted HTTP requests to check for new software versions. An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.
https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.
https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/?limit=25#6b69

[Edited by Distortion, October 15]

That's why users must verify the hashsums!
- but most of them never do.
- THEIR fault if they download something fake
- at least he published it
(The checksum in a stupid form though, he says it is readable, good luck with it Dom, read it, i won't!)

The developer has said that this issue was patched:

"In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS"

http://keepass.info/help/kb/sec_issues.html#updsig

Reply

Possibly the best password/account/license/data/whatever manager there ever was!

about KeePass and KeePassDroid · · 1 Helpful

I'm using it for everything that needs extra protection; passwords, passcodes, accounts (shops, banks etc), license keys, credit cards and much more.

The auto-type functionality is extremely handy, allowing me to conveniently use unique login/pass for everything (as an example it even works with the login screen in Elder Scrolls Online). There are special cases where it doesn't work by default, but they are very few and since KeePass offers flexible auto-type customization, there's usually a way to get it to work anyway if you need it (e.g. by targeting a specific window/process and altering the keys that are being sent to it). Or you don't have to use auto-type of course. :)

I've never come across a better piece of software for this purpose, and being both free and open source makes it a no-brainer.

I had a few minor problems with it a while ago, but the author fixed them very quickly as soon as I reported them! Dominik Reichl is both very dedicated and highly skilled!

I run it stand-alone and don't use any kind of browser integration since I consider that very insecure. I do however use the simplistic DB Backup plugin to create a new backup every time I save (yes, the more backups with minor changes, the easier it probably is for an adversary to crack the encryption, but I don't have anything incriminating or of national security interest so I don't worry if somebody would decide to do a serious targeted attack on my data - it's good enough for me to keep regular criminals and other idiots away). I place the database + backups in my Dropbox account for off-site backup and painless synchronization between all my devices where I use KeePass (i.e. my Windows workstations, Windows laptop, Android tablet and Android phone - the latter two using KeePassDroid).

Just a tip though: if you're using Dropbox (or any other off-site storage) as off-site backup, don't have the Dropbox login/pass only in KeePass. Why? Let's say your on-site backup and all devices you have KeePass installed on are destroyed (e.g. by fire) or stolen, how are you going to fetch your KeePass backup from Dropbox if you don't remember the Dropbox login/pass? That's a catch-22 you don't want; you'd need the Dropbox login/pass to get the KeePass backup, but you'd need the KeePass backup to get the Dropbox login/pass. Whoops!

Anyway, KeePass is a project well worth donating to, which I of course have done. I sincerely hope everybody else loving it also donates; KeePass deserves to be kept alive! :)

[Edited by alterkenji, February 17]

Reply

Best open source password manager

about KeePass and LastPass · ·

Best OSI certified piece of software. Very transparent, functional, and with lot of extensions - KeeFox, KeePassDroid, KeePass2Android... if you are on MAC/LINUX, there is a Small KeePassX iconKeePassX Most important factor is that your database is always stored on your drive, and you have absolute control over your passwords, unlike alternativeto.net/software/lastpass/ . Don't get me wrong, lastpass is overall good software, but it is still proprietary.

Reply