Julian Andres Klode 🏳️‍🌈

@ubernostrum

4. If I could step down from maintaining it I would. My KeePass database stores a handful of high-value passwords and the password to my Bitwarden, where the majority of my day-to-day passwords live so I can use them on all devices.

People are just acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought.

*This* would be breaking the trust implied in my relationship with my users.

2/3

@tuxwise @keepassxc

Julian Andres Klode 🏳️‍🌈

@ubernostrum

5. Checking against online password databases can be nice to have, but sadly we can't have everything, and it's misaligned with being a local-database password manager.

We are talking about a tool where you have to manually synchronise your password databases across your myriad of devices. Only die-hard security fanatics would use such a contraption in the first place.

3/4

@tuxwise @keepassxc

Julian Andres Klode 🏳️‍🌈

@ubernostrum

6. This did not happen in an instant, but you can clearly see it took over a year to reach this point where the plan could be finalised and executed.

The upstream developments have been very concerning; I can't be the only one feeling that way.

In fact I know I'm not the only one feeling that way, because I've had users tell me. Security engineers too, actually.

@tuxwise @keepassxc

varjolintu

@juliank
"People are just acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought."

"The upstream developments have been very concerning; I can't be the only one feeling that way."

Could you elaborate on these a bit?

Julian Andres Klode 🏳️‍🌈

@varjolintu What happens with keepassxc packaging is exactly the same thing that happened with xz-utils.

People demand new upstream releases get merged quickly, some with upload rights threaten to upload them themselves, and people "helpfully" package new upstream versions for you. I employ a zero-trust model, so I need to redo it all anyway to make sure it was not tampered with.

Now they may be honest, but after being burned out by time_t and then xz-utils you can understand I'm very cautious.

Julian Andres Klode 🏳️‍🌈

@varjolintu On the upstream side, I think there's some misalignment between various factions.

I need my password manager to manage my passwords. In fact I use keepassxc only for high-value targets, like my backup encryption keys, or the key to my day-to-day Bitwarden account (as I need the sync to Chromebooks, family account sharing, etc., I do self-host a Vaultwarden for it).

Julian Andres Klode 🏳️‍🌈

@varjolintu There are several people like this, and what they are looking for is not a constant influx of new features or large changes to fix bugs.

And that to me is the most logical choice. You went to all that trouble to pick the hardest-to-use (across devices) password management solution in the world, you're paranoid and trust nobody, so you don't suddenly want to poke holes in it for convenience like browser extensions. Just use the clipboard; it's much more secure.

varjolintu

@juliank As far as I know, the clipboard can be accessed by any application, especially on Windows. Encouraging people to use it instead of more secure alternatives might not be the way to promote any "secure defaults". Speaking of password managers in general, as a Bitwarden user, do you think their browser extension and Vaultwarden are more secure than KeePassXC's browser integration, which works only locally? Or are you using only the clipboard with Bitwarden too?

Julian Andres Klode 🏳️‍🌈 replied to varjolintu

@varjolintu No, I do not think Bitwarden is more secure. I only trust it with 2nd-tier passwords, most web accounts.

It is more secure in the sense that I don't need to keep my high-security KeePass database open. But then one could have two databases.

But I wouldn't trust my backup encryption keys to it, or my Google account 2-factor code.

Julian Andres Klode 🏳️‍🌈 replied to Julian Andres Klode 🏳️‍🌈

@varjolintu The clipboard thing is a bit annoying; as far as I understand it's privileged in Wayland to some extent, and the autotype doesn't work there.

But having one password in there for 15s, which malicious software would need to correlate with what you are doing to find out what it's for, is very much a better choice than exposing APIs to query any password, IMO.

varjolintu replied to Julian Andres Klode 🏳️‍🌈

@juliank There's an API, but it isn't exposed in a way that anyone could query something from it without the user knowing about it. Plus it only works locally and is not exposed to the outside world. Are these some of the features that are insecure in your opinion?

Julian Andres Klode 🏳️‍🌈 replied to varjolintu

@varjolintu I understand there are some access controls, but they can be buggy. A bug in the browser extension IPC access control could reveal your entire database to your browser.

If you don't have the means to query the database from other processes, the entire attack vector goes away.

I.e. keepassxc-light or whatnot could only ever have critical CVEs if it messed up the database encryption.

Julian Andres Klode 🏳️‍🌈 replied to Julian Andres Klode 🏳️‍🌈

@varjolintu Optimally I'd go a step further:

- make keepassxc open files using portals (it might already, I don't know)
- write an AppArmor profile that only allows r/w on configuration files, and read access to /usr

Then you can select databases and key files, work with them, and rest assured that even if the keepassxc core is compromised (whether that's a new malicious maintainer sneaking in, or a gcc backdoor 😄) it can't talk anywhere else.
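The profile sketched in the two bullets above, written out as an added example (it is not from this thread and not shipped by the KeePassXC project). It assumes the binary is at /usr/bin/keepassxc, that configuration and cache live under ~/.config/keepassxc and ~/.cache/keepassxc, and that database and key files are chosen through the xdg-desktop-portal file chooser, which hands them to the process under the document portal mount /run/user/<uid>/doc/. The abstraction names are the ones in upstream AppArmor 3; the session-bus rules are restricted to the portal service so the process cannot reach other D-Bus peers.

```apparmor
# /etc/apparmor.d/usr.bin.keepassxc  (added example, assumed paths)
abi <abi/3.0>,
include <tunables/global>

profile keepassxc /usr/bin/keepassxc {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/X>
  include <abstractions/wayland>
  include <abstractions/dbus-session-strict>

  # Program text, libraries and shared data: read/mmap only, nothing under /usr is writable
  /usr/bin/keepassxc mr,
  /usr/lib/** rm,
  /usr/share/** r,
  /etc/xdg/** r,

  # Per-user configuration and cache: the only writable paths in the profile
  owner @{HOME}/.config/keepassxc/ rw,
  owner @{HOME}/.config/keepassxc/** rwk,
  owner @{HOME}/.cache/keepassxc/ rw,
  owner @{HOME}/.cache/keepassxc/** rwk,

  # Databases and key files arrive through the document portal (FUSE mount),
  # so no database directory is named here at all
  owner /run/user/[0-9]*/doc/** rw,

  # Session bus: only the FileChooser portal and the Request objects it answers on
  dbus send
       bus=session
       path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.FileChooser
       peer=(name=org.freedesktop.portal.Desktop),
  dbus receive
       bus=session
       interface=org.freedesktop.portal.Request,

  # No sockets at all, not even loopback: nothing to host a browser-integration
  # or other query endpoint on
  deny network,

  # Not needed for operation; make any attempt to read them show up in the audit log
  audit deny @{HOME}/.ssh/** rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.keepassxc`, run it in complain mode first (`aa-complain keepassxc`) and watch the kernel log for `apparmor="DENIED"` lines to find whatever the abstractions above do not cover on a given desktop, then switch to enforce. Two caveats: `deny` rules win over allow rules in AppArmor, so a blanket `deny @{HOME}/** rw` would silently break the config-directory rules rather than tighten them; and if the build in use does not go through the portal for file dialogs, the `/run/user/*/doc/` rule does nothing and the database directories have to be listed explicitly with `owner ... rwk`, which widens the profile to exactly the paths the portal approach was meant to avoid naming.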

varjolintu replied to Julian Andres Klode 🏳️‍🌈

@juliank There are already a few PRs waiting for 2.8.0 that will reduce the possibility of such attacks. One is storing access-related settings directly in a database instead of a config file. Another one allows restricting the processes that can access the database. Revealing the entire database without the user knowing would be very difficult even now.

Are you concerned about the possible attack vectors on Bitwarden? With multiple dependencies, and as an Electron application, it has its downsides.

Ian Douglas Scott replied to Julian Andres Klode 🏳️‍🌈

@juliank @varjolintu In theory, access to the clipboard on Wayland is limited to the focused window, though in practice this isn't really secure (on most compositors), since compositors tend to give focus to windows when they are created. Something like wl-copy/wl-paste exploits this with a small temporary window.

varjolintu replied to Julian Andres Klode 🏳️‍🌈

@juliank Are there some memory issues with keeping a KeePass database open that we are not aware of? It should be much better protected than a browser's memory.
