• Ronon Dex@mlem.a-smol-cat.frOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    There has been a lot of discussion in the infosec community about “keepass being insecure” because of CVE-2023–35866

    In this official statement by the devs, they basically explain the criticality of the CVE is basically overblown:

    • You need local access
    • You need an application which was authorized to access your database

    That’s a lot of ifs, even though, theorically, this application with local access and which was previously authorized could change the master password of your database.

    A lot of people in the infosec community recommend 1Password, but IMHO, 1Password is the new LastPass.

    For context lastpass has suffered heavy hacks recently, and it was insecure from the bottom up. Lastpass then lied about the gravity of the hack

    1Password (like LastPass) is closed source and run by a for profit company. My advice:

    • Use KeepassXC
    • If you need sync use Bitwarden
    • If you’re ready to self host, use Bitwarden with Vaultwarden (preferably only accessible behind a wireguard VPN)
    • ScaNtuRd@lemmy.worldM
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Completely agree. If you can’t secure your machine properly, everything is at risk. I don’t care when the infosec community says. KeePass is by far the most secure solution in my opinion. Also, Syncthing works quite well for syncing KeePass databases. It’s FOSS as well, and provides E2E encryption.

  • henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I have to agree with the reasoning. As a very interested user of KeePass, a CVE took my attention, and I do a lot of security research as part of my job.

    I don’t think this should qualify as a CVE because it’s so close to assuming the conclusion that it’s effectively not a vulnerability. If you have a local attacker with arbitrary memory access, your password is in all likelyhood already owned.

    It’s nearly the argument that a locally authenticated user could modify my bash.rc to alias sudo and steal my password. Of course, I know him; he’s me!

  • ScaNtuRd@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As far as I remember, this same issue was also brought up with Original KeePass. I agree with the developers on this one - KeePass databases are nothing more than encrypted files (which is why it’s awesome). The same “vulnerability” applies to my computer - the hard disk is encrypted with Bitlocker, however when I turn the computer on and decrypt it, it is open to attacks, just like any unencrypted hard drive.