
Open-source password keeper to get 'minor' weekend security fix

The developer of KeePass, the popular open-source password management utility, has promised an update this weekend following the discovery of a "minor" security bug in the tool. KeePass Password Safe is a free-of-charge and open-source tool that offers consumers the ability to manage multiple passwords from a central vault. …

COMMENTS

This topic is closed for new posts.
Thumb Up

Good news really

If that's the worst security flaw that the researcher can come up with, it means I can happily carry on using it safe in the knowledge that it's generally a reliable bit of software.

In addition it is encouraging that the developer is patching this, either in 3 days or as originally planned given the difficulty to exploit the bug.

7
1
Silver badge

Minor is a bit of an understatement

You mean you have to decrypt or use the password on an existing KeePass database, open an entry and paste or type a malicious URL without realising it. That's pushing things a bit far.

OK, you could import an existing database but then it means you are importing from an "untrusted" source anyway. I don't know many people that habitually exchange password databases.

I agree it's excellent that the dev acknowledges and will repair the "very extremely minor, almost unfeasible error". Kudos to the dev.

2
0
FAIL

Uncrackable p455w0rd

Who the fuck would be stupid enough to entrust their entire archive of intarwebs passwords to a third party, via an online database?

Any password manager which adopts that policy, as opposed to local storage, is about as secure as a Post-It note stuck to your monitor.

2
3
Thumb Up

It is local storage

It is stored on your PC, not in the 'cloud' or anywhere else, unless you want it to be. If you are going to comment then at least get your facts right.

2
1
Thumb Up

Re: It is local storage

If I was the kind of person who worries about getting my facts right, what the hell would I be hanging around El Reg's comments section for?

0
0
WTF?

Seems a bit of a stretch...

I mean - is it a vulnerability in Notepad that you can paste a malicious URL wrapped in HTML tags into it, and save it as an HTML file?

2
0
Thumb Up

Use 2.xx branch

This very minor vulnerability is only exploitable in the legacy (and .NET-free) KeePass 1.xx branch. Since all of the computers I use have .NET installed, I have no problems using KeePass 2.xx. It's a wee bit slower but a lot more secure and modern. Unless someone has an old OS or philosophical objections to .NET, I suggest everyone migrate to the 2.xx branch.

0
0
Unhappy

Compatibility

@Danny Jr. - I use KeePassDroid on my Android phone and sync it with my PC. Unfortunately KeePassDroid has currently only got read-only support for the 2.x database format, so I'm stuck with 1.x for now.

Also - despite the July 1st date for the update, V1.22 doesn't know about updates yet, and V1.23 is still listed as pre-release when you install it.

0
0