KeePassX is an open source c++ application. It was one of the cross platform applications to manage KeePass databases. It has not been under very active development for a while.
KeePassXC is a fork of KeePassX which is under active developement. They have added many features and improvements and has stayed up to date with kdbx updates.
It hasn't: https://keepassxc.org/docs/#faq-audit
Thr original Keepass was at first a Windows only app, so KeepassX was created as a cross platform reimplementation using Qt. Nowadays Keepass uses .Net and also is cross platform but Linux users prefer Qt because it feels more "native" than .Net.
KeepassXC is a more recent fork of KeepassX, which added a bunch of extra features. Notably, it added support for version 4 of the keepass database format, and it also allows you to use a browser extension to enter passwords inside web browser forms without needing to cut and paste.
In fact, KeePassXC has shown to have better memory protection than KeePass: https://keepassxc.org/blog/2019-02-21-memory-security/ (note the article is from February, some things have changed since then, see below).
The only thing we do not have at the moment is in-memory encryption. We do, however implement the following security measures on all platforms:
- prevent swapping of master key hashes (using gcry_malloc_secure)
- prevent non-root / admin access to our process memory (KeePass does NOT have this)
- overwrite all dynamically allocated memory with zeros on free
- disable any kind of coredump or crash reporting
A patch for in-memory encryption is being worked on, but needs further testing before it can be merged: https://github.com/keepassxreboot/keepassxc/pull/3055
Please note that this still cannot fully prevent swapping out of secrets. As soon as things are to be displayed somewhere in the GUI, they are basically out of our hands. We also cannot fully protect everything while the database is being loaded or written. However, the same applies to KeePass. There is just too much going on with memory management on modern operating systems.
Edit: Also, see this PR: https://github.com/keepassxreboot/keepassxc/pull/371
I'd guess it's this one:
> KeePassXC also cannot prevent data extraction from a hibernation file which stores your computer's memory to disk when going to sleep.
KeePass uses DPAPI so password-storage memory is not written to swap (and I guess hibernatefile) in cleartext. Note that this doesn't protect against reading the memory directly.
Though (on unices) it doesn't mention mlock(2) either.
 https://www.securityevaluators.com/casestudies/password-mana... subsection "Exposure of Cleartext Entries in Memory" of the Keepass section
> there are 1000 other possible exploits that are cheaper / easier to perform (ie. keylog, screen capture, etc).
Keepass has mitigations for those as well.
Apparently it doesn't even do that: https://www.securityevaluators.com/casestudies/password-mana... (section Keepass)
Possibly because keepass uses the wrong flag? https://docs.microsoft.com/en-us/dotnet/api/system.security.... seems to say that the memory segment can be decrypted by either:
* all processes running on the box
* all processes owned by the same user
* only this process
Alternatively, might be because C# and the memory protection primitives don't prevent the GC from copying its data out of the protected area? IDK
edit: ah, or they might be using ProtectedData rather than ProtectedMemory, that only has the "same machine" and "same user" levels of protection: https://docs.microsoft.com/en-us/dotnet/api/system.security....
Of the process in question, not the entire system. A Firefox crash dump can potentially still include credentials and private keys, of course.
Process command lines are world-readable on various operating systems, so passing passwords over them is generally not a good idea.
Another thing I like about keepassxc is that it has lots of features. It comes with a flexible passwird generator, has a friendly GUI UI, can be integrated to the web browser using an extension, and there are compatible android apps you can use on your phone.
Most other issues are covered with pass, like a good android app etc etc.
It also really bugs me that an important security feature like this one is not the default.