
EC to audit Apache HTTP Server and Keepass - the_duke
https://joinup.ec.europa.eu/node/153614
======
ryanlol
Keepass seems like a questionable choice, seeing as it's very unlikely to be
affected by any particularly interesting bugs.

Besides the crypto, there's not much to break and breaking the crypto requires
access that would in almost all cases allow for far easier attacks against it
(i.e. wait for user to decrypt the passwords).

~~~
brokenmachine
That's why you do an audit, to determine if there is "much to break" or not.

Maybe it's caching passwords in a tempfile somewhere, or it uses "4" as its
random seed every time, or any one of a million other things that could go
wrong. Nobody knows until they read the code.

I'd rather use an audited password saver program, everything else being
equal...

~~~
ryanlol
There's absolutely value in auditing Keepass, I'm not denying that. It's just
a strange place to start.

