
KeePassXC 2.5 - phoerious
https://keepassxc.org/blog/2019-10-26-2.5.0-released/
======
ta0987
Anyone here have opinions on or pointers to the KeePassXC team's rep, creds or
track record? I've been using KeePassX partly because Tavis Ormandy said it
"looked sane" in a tweet once. How careful is the XC team when adding
features?

~~~
mehrdadn
What kinds of issues are you expecting? Short of actively writing malicious
code, I feel like it's hard to get things terribly wrong in an offline
password manager when adding a new feature? There are various mitigations you
can put in against some potential attacks, but they're generally secondary
lines of defense that require other breaches to occur first.

~~~
ta0987
I don't know, that's why I'm asking the question.

I've seen enough security bugs that I don't want to trust the gut feelings of
a non-expert, such as myself. One example I can think of is another password
manager that used random numbers incorrectly putting a bias in the random
passwords it was generating.

~~~
mehrdadn
Well something like that is core to the password manager, and already
introduced into the product since the beginning. If the maintainer has been
competent enough to use (say) a secure RNG until now, he's not going to
suddenly mess it up when adding a new feature.

Which is not to say it's a _bad_ idea to get expert vetting for something like
this (it's obviously an ultra-safe approach), but it helps to try to put
things in context yourself, so that you don't have to find an expert every
time you need to make a security decision. In the context of a desktop
password manager, there isn't a terrible lot that can go wrong by accident and
suddenly result in password exposure once the core product is formed and
secure. If it happens, it'd be almost certainly due to a new maintainer coming
along and somehow checking in unsafe code, rather than the current maintainers
(say) suddenly forgetting they shouldn't call rand() or accidentally saving
plaintext passwords on a disk.
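As an added illustration of the two comments above (the biased password generator ta0987 mentions, and the "shouldn't call rand()" point here), the following Python is not from the thread or from KeePassXC. It assumes a 94-character printable alphabet and shows, exactly over all 256 byte values, why reducing one random byte with `%` makes some characters 1.5x more likely than others, and how rejection sampling (the step `secrets.choice` performs internally) removes the skew.

```python
"""Added example: modulo bias in password generation and the rejection-sampling
fix. Not part of the KeePassXC project; the alphabet is an assumption."""
import secrets
import string

# Assumed alphabet: 52 letters + 10 digits + 32 punctuation = 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)  # 94


def biased_index(byte: int, n: int) -> int:
    """The flawed pattern: one random byte reduced modulo the alphabet size.
    256 is not a multiple of 94, so residues 0..67 are reachable from three
    byte values and residues 68..93 from only two."""
    return byte % n


def unbiased_index(byte: int, n: int):
    """Rejection sampling: discard bytes from the incomplete last 'lap' of the
    modulus (bytes >= 188 for n == 94) so every residue is reachable from the
    same number of byte values. Returns None when the byte must be redrawn."""
    limit = 256 - (256 % n)
    if byte >= limit:
        return None
    return byte % n


def exact_distribution(select, n: int) -> list:
    """How many of the 256 possible byte values map to each index under
    `select`. This is the exact probability mass, not a sampled estimate."""
    counts = [0] * n
    for b in range(256):
        idx = select(b, n)
        if idx is not None:
            counts[idx] += 1
    return counts


def skew(counts: list) -> float:
    """Ratio between the most and least likely index; 1.0 means uniform."""
    return max(counts) / min(counts)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Idiomatic fix: secrets.choice draws from the OS CSPRNG and already
    does the rejection step, so no manual modulo arithmetic is needed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    biased = exact_distribution(biased_index, ALPHABET_SIZE)
    fixed = exact_distribution(unbiased_index, ALPHABET_SIZE)
    print("byte % 94  skew:", skew(biased))   # 1.5
    print("rejection  skew:", skew(fixed))    # 1.0
    print("sample password:", generate_password(24))
```

The skew is independent of how good the underlying byte source is: a perfectly uniform CSPRNG fed through `byte % 94` still yields the 1.5x imbalance, which is why a review of a generator should look at the reduction step and not only at which RNG is called.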

~~~
panpanna
> If the maintainer has been competent enough to use ...

In security you are considered incompetent until proven otherwise.

I don't want some random dude to protect my passwords just to realize a year
later that he did a "little mistake".

~~~
mehrdadn
>> If the maintainer has been competent enough to use ...

> In security you are considered incompetent until proven otherwise.

And didn't my quote literally say " _if_ the maintainer _has_ been competent
enough"?

------
breadandcrumbel
I was only familiar with KeePass. What are the differences between all the
different products? KeePassXC, KeePassX and KeePass?

~~~
AdamGibbins
KeePass uses .NET, so is dependent on the mono framework etc. on non-Windows.

KeePassX is no longer maintained.

KeePassXC is maintained and more featured; it's also not dependent on .NET.

~~~
apta
Wouldn't this sort of software be better written in a safe language like C# as
opposed to C++?

~~~
sha666sum
It runs locally, and if the attacker has that much access, in most scenarios
there isn't anything stopping your adversary from just logging your keystrokes
and curling the keystore to a remote server.

------
mikece
The “backup to paper” option is intriguing and I thought at first this would
be a series of QR codes instead of plain text. Will definitely be looking
into the CLI options as well.

~~~
AdamGibbins
It's just an HTML export, nothing particularly special.

------
jumelles
What sort of CLI interface does XC have? Can I finally replace keepassc?

~~~
louib
Right now the best doc about the CLI would be the manpage I think:
[https://github.com/keepassxreboot/keepassxc/blob/develop/sha...](https://github.com/keepassxreboot/keepassxc/blob/develop/share/docs/man/keepassxc-cli.1)

------
nichos
I used the keepass format for years up until a few months ago. I switched over
to bitwarden, mostly for the sharing.

Important accounts are shared between my wife and me, and I back everything up
to my NAS regularly.

For work, we're looking into Vault by HashiCorp.

------
hirundo
If I can't use it on my phone I need to run two different password managers,
which is awkward at best. Seems like iOS/Android versions could help a lot
with traction.

~~~
rex_lupi
There are many KeePass-compatible apps available on F-Droid. I'm using
KeePassDX; it has a clean UI, autofill support and fingerprint auth.

[https://f-droid.org/app/com.kunzisoft.keepass.libre](https://f-droid.org/app/com.kunzisoft.keepass.libre)

~~~
panpanna
That app looks good, thanks for sharing!

------
rolltiide
Does this one have auto-saving of the key store after adding an entry?

I've lost a lot from KeePassX by being spoiled by other auto-saving managers
over the majority of this century.

~~~
maheart
AFAIK, that feature has been available for some time (I've been using it, and
can confirm that it works flawlessly). You can find it under Tools -> Settings
-> General -> File Management -> Automatically save after every change.

~~~
rolltiide
And why is it not default? What's the use case here, assuming there actually is
a rationale?

~~~
JelteF
I think it actually might be the default. I can't remember changing that
setting at least and for me it's on.

------
pacomerh
I'll definitely use the monospace option. Does anyone know how to use the CLI
version? Is it a separate app?

~~~
maheart
At least in Debian-based distros, the CLI version ships with the `keepassxc`
package. I've used it on the odd occasion for password retrieval, and I can
confirm it worked for my needs. You can find the manpage to give you some
indication of what's possible:
[http://manpages.ubuntu.com/manpages/eoan/man1/keepassxc-cli....](http://manpages.ubuntu.com/manpages/eoan/man1/keepassxc-cli.1.html)

------
keepassxcoddity
Should I be concerned that upon installing 2.5 on macOS it requested
permission for Screen Recording?

~~~
Nerada
That's needed for the Auto-Type to find windows.

[https://github.com/keepassxreboot/keepassxc/issues/3675](https://github.com/keepassxreboot/keepassxc/issues/3675)

------
all_blue_chucks
Can it auto-fill passwords on mobile apps?

~~~
aaronax
I've been happy with Keepass2Android, which would be compatible with KeePassXC
files.

------
sdan
Is this better than pass?

~~~
Tajnymag
Theoretically, you could consider it better.

KeePass saves passwords in a single encrypted file by default. This means that
an attacker has no idea about the structure of your entries and usernames.

Plus, it's easier to set up on multiple machines, as you don't need to
export/import your PGP keys from your initial machine.

Features and ease of use are subjective to each user.

