
KeePassXC 2.2.0 released with YubiKey and TOTP support - weslly
https://keepassxc.org/blog/2017-06-26-2.2.0-released/
======
finchisko
Really good timing for me to self promote. :-) I'm working on improved
keepassxc browser extension. Communication between browser and KeePassXC is
via NativeClient. You need varjolintu fork of KeePassXC, but eventually it
will also support KeePassHTTP protocol too.

My goals currently are: internalization, nicer UI, clean and extensible code
base. I already did options page with material-ui and react. Currently working
on replacing jquery popup implentation for hyperapp, which appeared here on HN
yesterday.

If interested I can send instruction how you can build extentions. I would
like to see this as official part of KeePassXC and willing to donate for free.
What you guys think?

You can try options UI on [https://mauron85.github.io/keepassxc-
browser/preview/](https://mauron85.github.io/keepassxc-browser/preview/)

~~~
Quiark
A few things to be wary of:

* KeePassHTTP doesn't use authenticated encryption for its protocol and thus is insecure (decrypt password level insecure). Please make sure you don't have this issue.

* Browser integration means there is only some JS code between my unlocked password vault and random websites. Please study findings from Tavis Ormandy and others who found such vulnerabilities in LastPass et al

~~~
varjolintu
keepassxc-browser uses libsodium's box method for encrypting the messages.
Only public keys are transferred between the extension and KeePassXC. You
still need a valid private keys and a nonce for decrypting and encrypting the
replies. You can read a more detailed description from the github page.

I have been keeping eye on the vulnerabilities and going to be very careful
when it is time for a final release. Currently if there's any vulnerabilities,
these are almost identical to chromeIPass' possible vulnerabilities.

~~~
gaia
chromeIPass' possible vulnerabilities being?

~~~
varjolintu
KeePassXC restricts chromeIPass to localhost, so data should be safe. Still,
chromeIPass exchanges encryption keys in base64. Basically that's plain text.
These are the only keys used, so technically it's possible to steal those keys
(if not localhost). But if someone has permission to read your loopback or
local packet traffic, your info is gone..

Other than that, chromeIPass uses quite old libraries and depricated API
functions. Those haven't been updated in ages. keepassxc-browser should fix
all issues mentioned above :)

------
problems
Still no KDBX 4 support though?

Please consider making it a priority - it looks like someone tried to pull
request it but that failed? The older format uses a custom AES-based KDF - and
while I don't personally see any major issues with it, I'm much more
comfortable with the modern, heavily reviewed Argon2 design used in the KDBX4.

[https://github.com/keepassxreboot/keepassxc/issues/148](https://github.com/keepassxreboot/keepassxc/issues/148)

~~~
angelsl
That would be me.

I wrote the patch against the original KeePassX which seems to be no longer
maintained (?). One of the KeePassXC guys asked me to rebase it over so I did.
Then we (they) spent a week or two debating on how to support libargon2 and
the newer libgcrypt required for ChaCha20, coming to no resolution, and I just
lost any motivation to push for them to merge my patch.

They also disagreed with the way I implemented KDBX 4 (by adding conditionals
to the KDBX reader/writer instead of just creating a whole new class — I did
this because KeePass did it this way). I agree that it should be separated,
but at that point I already gave up on getting them to accept my patch.

The PR is
[here]([https://github.com/keepassxreboot/keepassxc/pull/399](https://github.com/keepassxreboot/keepassxc/pull/399)),
you can read it, I know I sound rather impatient here. The other PR on
updating their Docker to get newer libraries (libargon2 and libgcrypt) is
[here]([https://github.com/keepassxreboot/keepassxc/pull/419](https://github.com/keepassxreboot/keepassxc/pull/419)).

I honestly thought someone else would take it up after I gave up to get it in
by 2.2 (it's not even a very big patch), but.. I guess not.

Someone with more experience/patience/persistence, please, you can take the
patch and rebase it and clean it up to what they want. You'll also need to
wait for them to figure out how they want to use the libraries required with
their packaging system.

~~~
phoerious
KDBX4 is a priority indeed, but we only have limited resources. We hoped to
get it into 2.2.0, but it just wasn't possible. We really appreciate your
patch and will make sure it lands in 2.3.0. It's not forgotten.

~~~
angelsl
> we only have limited resources

I understand, but I'm still disappointed. You all only needed to come to a
decision on how you wanted to proceed with supporting the newer libraries
required and I would have taken it from there. I'm not sure if you guys have
even now come to a decision on that.

And it took a month before someone mentioned they would prefer if the KDBX 4
functionality was separated (and I do agree that it should be).

You could probably merge a similarly-sized patch into the kernel in less
time...

~~~
phoerious
I thought we settled on the PPA approach.

------
sillysaurus3
So there's KeePass, KeePassX, and now KeePassXC? (And two different variants
of KeePass that have nothing to do with each other.)

Not that there's anything wrong with that. I'm just curious if KeePassXC is
yet another fork, or if it's from the same people who did KeePassX. KeePassX
has an excellent security reputation, so it'd suck if an unrelated fork ruined
that.

~~~
grawlinson
There doesn't seem to be active development on KeePass/KeePassX, hence the
KeePassXC fork.

The C in the fork title apparently stands for 'community'. It has a lot of
support behind it.

~~~
mook
KeePass (the original C# version) appears to actively developed. KeePassX (the
C++ rewrite) appears to have slowed down. KeePassXC (the fork of the C++
rewrite) is the one under discussion here.

~~~
sillysaurus3
There are two different variants of KeePass: the Windows version, and a
KeePassX precursor.

------
interfixus
This is by far the best of the KeePassX* lot, incorporating loads of
enhancements which, disappointingly after years of development, never made it
into KeePassX 2.x proper, and some 1.x features which simply disappeared in
the upgrade.

[Edit: missing word]

~~~
droidmonkey
Wow thank you for the kind words! Appreciate the support.

~~~
interfixus
You're welcome, it's a very decent effort. And now I'm sort of shamed into
actually contributing. Reporting back as soon as time allows.

~~~
secfirstmd
Yep we are now switching to advising its use for the human rights defenders
and journalists that we work with.

------
tomlong
I really like KeePassXC, it's the only password manager I use (excluding
mobile) but my one major bugbear still exists in this release.

The 'lock database' and 'copy password to clipboard' icons are nearly
identical (both essentially a padlock) and still adjacent but one in the UI.

I accidentally lock the database far more often than I would like. I know I'm
a bit clumsy and a slow to catch on but this one simple change would really
make application a _lot_ more useable for us divs.

[https://image.ibb.co/k1amA5/kxpc.png](https://image.ibb.co/k1amA5/kxpc.png)

~~~
sillysaurus3
I use Command-L to lock, for what it's worth.

------
shmerl
I'm still waiting for it to arrive in Debian: [https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=855173](https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=855173)

------
desdiv
You guys rock! Thank you for your hard work.

BTW the Windows portable version link on your download page is 404ing:

Incorrect URL:
[https://github.com/keepassxreboot/keepassxc/releases/downloa...](https://github.com/keepassxreboot/keepassxc/releases/download/2.2.0/KeePassXC-2.2.0-Win64.zip)

Correct URL:
[https://github.com/keepassxreboot/keepassxc/releases/downloa...](https://github.com/keepassxreboot/keepassxc/releases/download/2.2.0/KeePassXC-2.2.0-Win64-Portable.zip)

~~~
droidmonkey
corrected thank you! I also added links to the 32-bit variants.

------
ktta
Notable features:

1\. Unlock using Yubikey

2\. TOTP 2FA

3\. Diceware password generator

4\. ASLR for in-memory security (didn't expect this!)

5\. Portable and Single instance mode (I'll have to check this one in detail)

Thanks for your work team!

~~~
problems
For anyone wondering - the TOTP 2FA is _not_ on the password wallet itself,
but that the wallet is able to store the TOTP key, authenticating TOTP
involves knowing the key, by which point there's really no value in using it
to authenticate the wallet, it'd be a UI-only protection.

However I think storing TOTP keys in your wallet is a bad idea for security -
now if someone hacks your machine they get both your password and your TOTP
key at the same time. The main advantage of TOTP is that it puts your second
form of auth on a separate device, preventing a single point of compromise.

not much malware will exploit this as not many people will use it, but a
targeted attack might greatly benefit from something like this.

~~~
th3zero
Just to make sure no one gets the wrong impression: You should store your TOTP
keys in a different KDBX file, locked with a different master password, and
maybe even used on a different device/PC.

We all know that you shouldn't store your password along with TOTP secrets, or
should I make a blog post explaining this?

~~~
tscs37
I store them in the same password safe for quite a simple reason; more
convenient and less complexity.

I personally see TOTP only as a security against phishing and password
stealing attacks. I don't see how a separate database for TOTP secrets
improves on that in any way.

The thing is; a Keepass Password is (usually, looking at your password
requirements Paypal) fairly secure in of itself, long, random and contains all
the good characters.

TOTP is mainly useful when you have weak passwords and enter them into the
wrong place, something that Keepass (especially with the Browser Extension)
fully prevents. It's just for show and some extra padding.

Though I _do_ use U2F anywhere I can.

------
niksakl
An official ppa repository for Ubuntu would be great! There is a link to an
unofficial one in your page, but since this is a security app, installing it
from some random repo just feels wrong... Thank you for the great work!

~~~
melicerte
Have you tried the snap install ?

~~~
StavrosK
It makes me kind of sad that we're moving to a world where a 500 KB program
gets installed in a 80 MB container :(

EDIT: Wait, now it's downloading a second 80 MB container :(

~~~
devcpp
Yeah, what's up with that? Is it going to download one of these every time?
That's awful!

------
FT_intern
Has anyone thought of a good redundancy scheme for yubikey?

Physical object authentication is great except physical objects are less
durable than brain memory (or at least, if my brain memory is gone then I
probably would have no use for the password anyway).

~~~
tedd4u
Keep 1 key on your keychain, one in a fire vault in the house, and one in the
safety-deposit box at the local branch bank office. Most U2F-enabled sites let
you register multiple keys. Add new sites with keychain during the day, in the
evening add the fire-vault key at home. Once a quarter add the third key from
the safety-deposit box.

~~~
davchana
Why specifically during day/evening/quarter? Why not all three at same time?
Just asking. Thanks..

~~~
rajivm
Because you need the key with you to register it with a site, and if they are
being stored in separate locations, you need to do it when you have access.

------
gregwebs
This release looks great. Unfortunately I had to switch to LastPass to get
sharing, real sync support rather than blob syncing in, and also easy usage on
mobile.

~~~
woodsier
Decent mobile support is the only thing holding me back from switching. The
current 3rd party options are underwhelming.

~~~
underlines
I just wait for Android O Autofill Framework to arrive. Then mobile password
managers will finally be useful.

~~~
scott_karana
Really?... The syncing and conflict resolution (or lack thereof) is the true
problem for me.

~~~
Semaphor
Keepass2Android works great for me syncing over OwnCloud (they have several
cloud sync options)

~~~
ViViDboarder
Could be a problem with a shared database though as the entire thing is one
blob, changes can't be merged.

------
atomlib
I see it supports Linux, Windows, and macOS, but are there any Android and iOS
apps to open and modifty KeePassXC databases?

~~~
mynegation
If you feel like keeping your kdbx file in Dropbox you may use ikeepass[1] on
iOS to load and modify it. For Android there is keepassdroid [2]

[1]
[https://itunes.apple.com/us/app/ikeepass/id299697688?mt=8](https://itunes.apple.com/us/app/ikeepass/id299697688?mt=8)
[2] [http://www.keepassdroid.com/](http://www.keepassdroid.com/)

~~~
nerflad
I have had a good experience with Keepass2Android. It has support for
databases on Google Drive.

------
TokenDiversity
As someone using Keepass2 (mono on Linux), can someone knowledgeable briefly
tell me (and probably others) why should and why should not I switch to
KeePassX?

I'm getting the feeling that this uses the older protocol?

I got a good answer to the above question from desdiv so I'm adding an edit:

Is there a reason to use this (and not use this) in place of KeePass2 on
Windows?

~~~
desdiv
1\. Unlocking the database takes much longer than it should. Linux Keepass2 is
much slower at unlocking than Windows Keepass2 on the same machine.

2\. On Linux, after entering the password the windows disappears, giving no UI
feedback during the lengthy unlocking process. When you type the password
wrong, it takes even longer for some reason, and there's no tray icon when you
type the password wrong, so you'd have to minimize all your windows to find
the dialog box all the way in the back.

3\. Lacking Unicode support in 2017 is simply unacceptable:
[https://i.imgur.com/X0T46bY.png](https://i.imgur.com/X0T46bY.png)

None of this is the fault of the Keepass developers, since all three problems
are absent in the Windows build. As far as I can tell the problem lies with
Mono.

~~~
TokenDiversity
Yeah I just downloaded. This seems like a good native drop-in replacement.
Even the menus et all seem to be in the same place.

And Unicode works, yeah!

I have a really old computer and keepass2 opens stuff instantly so I'm
guessing I'm probably not using good enough security.

------
svdb_
One thing I like about the KeePassX interface is the ability to search with a
hotkey (CTRL+F). Also, this could be done without having the menu bar visible,
hitting the hotkey just pulls up the input field.

~~~
phoerious
Would you be so kind to file a feature request for that on GitHub? Thanks!

~~~
svdb_
Done (#680).

------
lifty
I use MacPass, which is a good native Mac alternative for KeePass. It supports
KeePassHTTP and judging by their github wiki they have recently implemented
support for the KDBX4 format.

------
crb
Docs are.. sparse. The website says go to the GitHub wiki, and that only
really talks about how to build and develop the app, not how to use it.

Can anyone tell me how to enable Yubikey?

~~~
phoerious
Just plug it in. ;-)

------
Chaebixi
Can someone explain how the YubiKey and TOTP support is supposed to work? I
can't think of a way those could work with a local password manager like
KeePass.

~~~
danjoc
Reading it, it sounds like they use HMAC challenge response for the password
to the vault. For that to work, you'd insert yubikey, enter a password, and
the password is passed through the yubikey and hashed. The hash is then used
as the password to open/lock the vault. That gives you a reasonably strong
password for the vault. It does not prevent phishing. Therefore, anyone with
the hash and access to the vault can still access all passwords without your
knowledge. The TOTP thing sounds like a google authenticator sort of feature.

I'm sticking with zx2c4 pass. It is an assembly of gnupg, git, and pwgen.
Trusted open source components. Works with a Yubikey (opensc and gpg-agent) to
prevent private key theft via software. QTPass is a nice cross platform gui
client. PassFF extension provides excellent browser integration. Android
Password Store and OpenKeychain allow pass and yubikey to work on my mobile.
Strong 2 factor password storage everywhere I need it.

My biggest problem these days is dealing with sites that don't allow 30+ char
passwords with full range of special characters. Almost exclusively, banks.

~~~
ConfucianNardin
pass no longer uses pwgen as of version 1.7, by the way (changed in
639c46a342466209e9b0600c2b3574bb44a0ff31).

------
TokenDiversity
Features I like:

1) Download website favicon (no clue how though, tried entering website but
didn't see an option to download favicon)

2) Command line interface, no clue again how to use.

~~~
pacomerh
Indeed, wish there was more documentation on how to use the CLI

~~~
barbs
Same here. I was hoping to run this completely headlessly but any attempt to
run even `keepassxc --help` or `keepassxc --version` results in:

    
    
      QXcbConnection: Could not connect to display 
      Aborted

~~~
th3zero
Can you open an issue on Github? Thanks

~~~
barbs
EDIT: I originally created an issue for the wrong repository, and it looks
like someone has already made an issue for me:
[https://github.com/keepassxreboot/keepassxc/issues/668](https://github.com/keepassxreboot/keepassxc/issues/668)

Thanks for your attention

------
cyphar
It also now has CSV importing so you can now import your passwords from
LastPass (though you'll have to manually recreate the folder structure).

------
cmcginty
Doesn't work for my DB ... "Unable to open the database. Duplicate custom
attribute found". Gonna stick with MacPass I guess.

~~~
th3zero
Can you open an issue on Github?

------
binaryanomaly
Well done! It's great to see some progress with open source in this particular
area.

At the moment I'm still stuck with
[insert_name_of_commercial_proprietary_solution] but would love to switch to a
true open source solution with good user experience and reliable mobile
support.

I will make a small donation as soon as I get through the flattr waitlist as a
small token of appreciation.

------
sowbug
This is really cool. Here are more feature requests (and for all I know
they're already there):

* Optionally display a secret as a QR code

* Generate and validate BIP39-compatible seeds (like Diceware but with a checksum. Many Bitcoin wallets these days accept them)

* Get this into Tails

~~~
phoerious
Would you be so kind to file a feature request on GitHub? Here it gets lost.
Thanks!

~~~
sowbug
Done!

[https://github.com/keepassxreboot/keepassxc/issues/675](https://github.com/keepassxreboot/keepassxc/issues/675)

[https://github.com/keepassxreboot/keepassxc/issues/676](https://github.com/keepassxreboot/keepassxc/issues/676)

[https://github.com/keepassxreboot/keepassxc/issues/677](https://github.com/keepassxreboot/keepassxc/issues/677)

------
can3p
Great release!

Is kdbx format supported by any iPhone app? I'm stuck with KeepassX for that
reason.

~~~
2citizen
Try MiniKeePass.

It works well but has some actions flow to sync your kdbx backups with updated
data from the phone and vise versa.

[https://itunes.apple.com/us/app/minikeepass-secure-
password-...](https://itunes.apple.com/us/app/minikeepass-secure-password-
manager/id451661808)

------
jsfitzsimmons
I'm trying the snap package, but I don't think the cli is available this way.
I can find the binary in /snap/keepassxc/current/bin, but it has library
loading problems.

------
TokenDiversity
Anyone knows how should I change the font? I know this seems a minor thing but
I'd like this thing to be readable :-).

The font-size is too small. And I'd prefer a font of my own choice.

------
Slurpee99
How well does it work for teams? Is there issues for syncing the database if
two or more people are using it at the same time?

~~~
rkv
Works OK for small teams. If a user forgets to close the database then other
team members are only able to open it as read-only. My biggest gripe is that
you don't know who is holding the write lock. We work around this by using a
setting in our keepass client to close the db after a certain amount of time.

------
otachack
Nice! Excited for future development of this. I'll have to get a Neo soon to
try out these new features.

------
wst_
I'd love to be able to decide which characters to use when generating a
password.

~~~
th3zero
You can already select a char-set. Do you mean selecting only a few chars and
use them to generate the password?

~~~
wst_
Yes. Single special characters.

------
angelsl
No KDBX 4 support unfortunately.

------
sayright
Storing password and TOTP seed in a single storage goes against the concept of
2FA.

~~~
th3zero
You should store your TOTP keys in a different KDBX file, locked with a
different master password, and maybe even used on a different device/PC.

We all know that you shouldn't store your password along with TOTP secrets, or
should I make a blog post explaining this?

------
dfabulich
Is there a KeePass fork with support for the new MacBook touch bar?

------
Cardiologist
How is KeePassXC comparing in verification/testing vs the original KeePass2?

I was not able to find information on that process on eithers project homepage

