• Ronon Dex@mlem.a-smol-cat.frOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    There has been a lot of discussion in the infosec community about “keepass being insecure” because of CVE-2023–35866

    In this official statement by the devs, they basically explain the criticality of the CVE is basically overblown:

    • You need local access
    • You need an application which was authorized to access your database

    That’s a lot of ifs, even though, theorically, this application with local access and which was previously authorized could change the master password of your database.

    A lot of people in the infosec community recommend 1Password, but IMHO, 1Password is the new LastPass.

    For context lastpass has suffered heavy hacks recently, and it was insecure from the bottom up. Lastpass then lied about the gravity of the hack

    1Password (like LastPass) is closed source and run by a for profit company. My advice:

    • Use KeepassXC
    • If you need sync use Bitwarden
    • If you’re ready to self host, use Bitwarden with Vaultwarden (preferably only accessible behind a wireguard VPN)
    • ScaNtuRd@lemmy.worldM
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Completely agree. If you can’t secure your machine properly, everything is at risk. I don’t care when the infosec community says. KeePass is by far the most secure solution in my opinion. Also, Syncthing works quite well for syncing KeePass databases. It’s FOSS as well, and provides E2E encryption.