@keepassxc Unfortunately, it’s a very limited review. It also makes some incorrect claims:
> [The new KeePass 4 KDBX file format] is more secure than its predecessor, as it adds protected stream functionality and authentication to the database encryption
No, protected stream functionality was already present in KDBX 3, merely with its parameters being specified in plain text rather than encrypted. Given that this functionality is obfuscation and not actual protection, this shouldn’t matter.
Encryption authentication was also present in KDBX 3 already, merely implemented in a different way.
Whether any of this improves the security of the database is questionable. But the Argon2 KDF introduced with KDBX 4 definitely does, and that clearly is a reason to migrate.
*Edit*: I do agree with the suggestions however. KeePassXC should not silently accept insecure databases – be it outdated database versions, bad KDF parameters or anything else. Ideally, users should be warned in understandable terms and offered an automatic upgrade.
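As an added illustration of the check suggested above (this is example code written for this page, not the commenter's and not KeePassXC's own implementation), the script below reads the unencrypted outer header of a KDBX file, tells KDBX 3.1 apart from KDBX 4 by the version word, and flags what a warning dialog would need to say: an outdated format, AES-KDF instead of Argon2, or Argon2 cost parameters below a policy minimum. The thresholds `MIN_AES_ROUNDS`, `MIN_ARGON2_MEMORY` and `MIN_ARGON2_ITERATIONS` are assumptions chosen for the example, not KeePassXC's actual defaults, and the sample headers are constructed inline with only the fields the audit reads (a real file carries more header fields, and a KDBX 4 file follows the header with its SHA-256 and HMAC).

```python
"""Inspect the plaintext outer header of a KDBX 3.1 / KDBX 4 file and flag weak
settings: outdated format, AES-KDF instead of Argon2, low KDF cost.
Sample headers are constructed inline; they are not real database files."""
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67

# KDF UUIDs stored in the KDBX 4 KdfParameters dictionary under "$UUID"
KDF_AES = uuid.UUID("C9D9F39A-628A-4460-BF74-0D08C18A4FEA")
KDF_ARGON2D = uuid.UUID("EF636DDF-8C29-444B-91F7-A9A403E30A0C")
KDF_ARGON2ID = uuid.UUID("9E298B19-56DB-4773-B23D-FC3EC6F0A1E6")

# Outer-header field IDs; 6 exists only in KDBX 3, 11 only in KDBX 4
F_END, F_TRANSFORM_ROUNDS, F_KDF_PARAMETERS = 0, 6, 11

# VariantDictionary value type tags used by the KDF parameters
VD_U32, VD_U64, VD_BYTES = 0x04, 0x05, 0x42

# Hypothetical policy thresholds (assumptions, not KeePassXC's actual defaults)
MIN_AES_ROUNDS = 1_000_000
MIN_ARGON2_MEMORY = 64 * 1024 * 1024  # bytes
MIN_ARGON2_ITERATIONS = 2


def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary: u16 version, (type, name, value) entries, 0x00 end."""
    version, = struct.unpack_from("<H", buf, 0)
    if (version & 0xFF00) != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0x00:
        vtype = buf[pos]
        pos += 1
        nlen, = struct.unpack_from("<i", buf, pos)
        pos += 4
        name = buf[pos:pos + nlen].decode("utf-8")
        pos += nlen
        vlen, = struct.unpack_from("<i", buf, pos)
        pos += 4
        raw = bytes(buf[pos:pos + vlen])
        pos += vlen
        if vtype == VD_U32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == VD_U64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:
            out[name] = raw  # byte arrays and any type we do not interpret
    return out


def parse_outer_header(data):
    """Return (major, minor, {field_id: bytes}) read from the plaintext header."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    size_fmt = "<I" if major >= 4 else "<H"  # field length grew from u16 to u32 in KDBX 4
    pos, fields = 12, {}
    while True:
        fid = data[pos]
        pos += 1
        size, = struct.unpack_from(size_fmt, data, pos)
        pos += struct.calcsize(size_fmt)
        fields[fid] = bytes(data[pos:pos + size])
        pos += size
        if fid == F_END:
            return major, minor, fields


def audit_kdbx(data):
    """Return human-readable findings; an empty list means nothing to warn about."""
    major, minor, fields = parse_outer_header(data)
    findings = []
    if major < 4:
        findings.append(f"outdated format KDBX {major}.{minor}: only AES-KDF available, upgrade to KDBX 4")
        rounds, = struct.unpack("<Q", fields[F_TRANSFORM_ROUNDS])
        if rounds < MIN_AES_ROUNDS:
            findings.append(f"AES-KDF rounds {rounds} below policy minimum {MIN_AES_ROUNDS}")
        return findings
    kdf = parse_variant_dict(fields[F_KDF_PARAMETERS])
    kdf_id = uuid.UUID(bytes=kdf["$UUID"])
    if kdf_id == KDF_AES:
        findings.append("KDBX 4 file still uses AES-KDF: switch the KDF to Argon2")
        if kdf["R"] < MIN_AES_ROUNDS:
            findings.append(f"AES-KDF rounds {kdf['R']} below policy minimum {MIN_AES_ROUNDS}")
    elif kdf_id in (KDF_ARGON2D, KDF_ARGON2ID):
        if kdf["M"] < MIN_ARGON2_MEMORY:
            findings.append(f"Argon2 memory {kdf['M']} bytes below policy minimum {MIN_ARGON2_MEMORY}")
        if kdf["I"] < MIN_ARGON2_ITERATIONS:
            findings.append(f"Argon2 iterations {kdf['I']} below policy minimum {MIN_ARGON2_ITERATIONS}")
    else:
        findings.append(f"unknown KDF {kdf_id}")
    return findings


# --- constructed sample headers: only the fields the audit reads, plus the terminator ---
def _fields(items, size_fmt):
    return b"".join(bytes([fid]) + struct.pack(size_fmt, len(val)) + val for fid, val in items)


def sample_kdbx3(rounds):
    head = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001)  # KDBX 3.1
    return head + _fields([(F_TRANSFORM_ROUNDS, struct.pack("<Q", rounds)), (F_END, b"\r\n\r\n")], "<H")


def sample_kdbx4_argon2id(memory, iterations, parallelism):
    def entry(vtype, name, raw):
        return bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw
    vd = (struct.pack("<H", 0x0100)
          + entry(VD_BYTES, "$UUID", KDF_ARGON2ID.bytes)
          + entry(VD_BYTES, "S", bytes(32))  # all-zero salt: constructed sample only
          + entry(VD_U32, "P", struct.pack("<I", parallelism))
          + entry(VD_U64, "M", struct.pack("<Q", memory))
          + entry(VD_U64, "I", struct.pack("<Q", iterations))
          + entry(VD_U32, "V", struct.pack("<I", 0x13))
          + b"\x00")
    head = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)  # KDBX 4.0
    return head + _fields([(F_KDF_PARAMETERS, vd), (F_END, b"\r\n\r\n")], "<I")


if __name__ == "__main__":
    for label, blob in [("kdbx3", sample_kdbx3(6000)),
                        ("kdbx4-weak", sample_kdbx4_argon2id(1024 * 1024, 1, 1)),
                        ("kdbx4-ok", sample_kdbx4_argon2id(64 * 1024 * 1024, 3, 2))]:
        print(label, audit_kdbx(blob) or ["ok"])
```

Run as a script it prints the findings for the three constructed headers: the KDBX 3.1 sample triggers both the outdated-format and the low-rounds warning, the weak Argon2id sample triggers the memory and iteration warnings, and the third passes. Because the outer header is unencrypted, all of this can be decided before the user is asked to unlock the database, which is where a "your database uses outdated settings, upgrade now?" prompt belongs.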