Team KeePassXC

Today we are announcing the release of our first Audit Report conducted by an independent security consultant: keepassxc.org/blog/2023-04-15-

17 comments
jackson

@keepassxc the audit report link seems to be linked to localhost, implying the site was probably generated in development mode

gnom :nonbinary_flag:

@keepassxc the download link for the audit report links to 127.0.0.1. Could you please update the blog post?

Ligniform

@keepassxc great to see this! I'll keep recommending KeePassXC to people (after I read the report ofc)

jfmblinux :verified:

@keepassxc
Cheer
I've been using it for more than a year and have converted family and friends.
I recommend it around me.

When will there be a mobile app on F-Droid?

Stefan

@IzzyOnDroid what exactly is the difference between the app you mentioned and Keepass2Android?
( play.google.com/store/apps/det )

Or is there no difference worth mentioning?

@jfmblinux @keepassxc

IzzyOnDroid ✅

@kranzkrone You'd have to look at that yourself; since I don't use and haven't used the one you mentioned, I can't say (I'd have to compare the descriptions just the same). @jfmblinux @keepassxc

Aaron Toponce ⚛️:debian:

@keepassxc Unfortunate the report is tainted with Steve Gibson's name.

Yellow Flag

@keepassxc Unfortunately, it’s a very limited review. It also makes some incorrect claims:

> [The new KeePass 4 KDBX file format] is more secure than its predecessor, as it adds protected stream functionality and authentication to the database encryption

No, protected stream functionality was already present in KDBX 3, merely with its parameters being specified in plain text rather than encrypted. Given that this functionality is obfuscation and not actual protection, this shouldn’t matter.

Encryption authentication was also present in KDBX 3 already, merely implemented in a different way.

Whether any of this improves the security of the database is questionable. But the Argon2 KDF introduced with KDBX 4 definitely does, and that clearly is a reason to migrate.

*Edit*: I do agree with the suggestions however. KeePassXC should not silently accept insecure databases – be it outdated database versions, bad KDF parameters or anything else. Ideally, users should be warned in understandable terms and offered an automatic upgrade.

bbhtt

@keepassxc

> select at least 2048 MiB memory usage

The memory recommendation is a bit too high, imo. I've tried previously with 2048 MiB (threads ~2, transform rounds were higher) on my laptop with 8 gigs of RAM/dual core. It takes a significant amount of time to open and the application freezes. On mobile (4 GB/octa core) it just times out. These aren't very old or low-spec devices.

bbhtt

@keepassxc As these numbers are going to be different for everyone according to their specs, I think it is better to mention the formula that keepass recommends min(M/2, 1 GiB). The thread count will also vary, similarly.

Too high parameters can lead to an issue where the application freezes while unlocking but you need to unlock the database to reduce them.
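The sizing rule from these two posts, worked through as an added Python example (not KeePassXC's own code): it applies the quoted KeePass recommendation min(M/2, 1 GiB) to a device's RAM, derives a lane count from the CPU count, and checks a proposed Argon2 parameter set against the weakest device that must open the database, flagging the "freezes on unlock" case before the settings are saved. The device figures (an 8 GiB dual-core laptop, a 4 GiB octa-core phone) are constructed from the thread; the iteration default and the warning wording are assumptions.

```python
"""Argon2 KDF parameter sanity check for a KeePass-style database.

Added example, not KeePassXC's code. Memory cost is kept in KiB, the unit
the Argon2 specification (RFC 9106) uses for its m parameter.
"""
from dataclasses import dataclass

MIB = 1024 * 1024
GIB = 1024 * MIB


def recommended_memory_bytes(total_ram_bytes: int) -> int:
    """KeePass recommendation as quoted in the thread: min(M/2, 1 GiB)."""
    return min(total_ram_bytes // 2, GIB)


@dataclass(frozen=True)
class Argon2Params:
    memory_kib: int    # Argon2 m parameter, in KiB
    iterations: int    # Argon2 t parameter (time cost)
    parallelism: int   # Argon2 p parameter (lanes / threads)


def suggest_params(total_ram_bytes: int, cpu_count: int,
                   iterations: int = 2) -> Argon2Params:
    """Derive parameters for the device that will open the database.

    Memory follows min(M/2, 1 GiB); the lane count follows the CPU count,
    since the thread count varies per device in the same way. The iteration
    default is an assumption; tune it against the unlock time you accept.
    """
    memory_kib = recommended_memory_bytes(total_ram_bytes) // 1024
    return Argon2Params(memory_kib=memory_kib, iterations=iterations,
                        parallelism=max(1, cpu_count))


def check_params(params: Argon2Params, total_ram_bytes: int,
                 cpu_count: int) -> list[str]:
    """Return warnings; an empty list means the parameters fit the device.

    Run this against the weakest device that must open the database before
    saving new KDF settings: once saved, the database has to be unlocked
    with them before they can be lowered again.
    """
    warnings: list[str] = []
    memory_bytes = params.memory_kib * 1024
    recommended = recommended_memory_bytes(total_ram_bytes)

    if memory_bytes > total_ram_bytes:
        warnings.append(
            f"memory: {memory_bytes // MIB} MiB exceeds the device's "
            f"{total_ram_bytes // MIB} MiB of RAM; unlock cannot succeed")
    elif memory_bytes > recommended:
        warnings.append(
            f"memory: {memory_bytes // MIB} MiB exceeds the min(M/2, 1 GiB) "
            f"recommendation of {recommended // MIB} MiB for this device; "
            "expect a very slow or frozen unlock")

    if params.parallelism > cpu_count:
        warnings.append(
            f"parallelism: {params.parallelism} lanes on {cpu_count} logical "
            "CPUs; lanes will be time-sliced rather than run in parallel")

    # RFC 9106 requires m >= 8 * p KiB.
    if params.memory_kib < 8 * params.parallelism:
        warnings.append("memory: Argon2 requires m >= 8 * p KiB")
    return warnings


if __name__ == "__main__":
    # Constructed devices matching the thread: 2048 MiB, ~2 threads, on an
    # 8 GiB dual-core laptop and a 4 GiB octa-core phone.
    proposed = Argon2Params(memory_kib=2048 * 1024, iterations=10, parallelism=2)
    for name, ram, cpus in (("laptop", 8 * GIB, 2), ("phone", 4 * GIB, 8)):
        print(name, "proposed:", check_params(proposed, ram, cpus) or "ok")
        print(name, "suggested:", suggest_params(ram, cpus))
```

For a database shared between several devices, feed `check_params` the smallest RAM and CPU count among them; the suggested memory for the 8 GiB laptop and the 4 GiB phone is the same 1 GiB cap, which is why the fixed 2048 MiB figure trips the warning on both.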
