The developer of KeePass, the popular open-source password management utility, has promised an update this weekend following the discovery of a "minor" security bug in the tool. KeePass Password Safe is a free-of-charge and open-source tool that offers consumers the ability to manage multiple passwords from a central vault. …
Good news really
If that's the worst security flaw that the researcher can come up with, it means I can happily carry on using it safe in the knowledge that it's generally a reliable bit of software.
In addition it is encouraging that the developer is patching this, either in 3 days or as originally planned given the difficulty to exploit the bug.
Minor is a bit of an understatement
You mean you have to decrypt or use the password on an existing keepass database, open an entry and paste or type a malicious URL without realising it. That's pushing things a bit far.
Ok, you could import an existing database but then it means you are importing from an "untrusted" source anyway. I don't know many people that habitually exchange password databases.
I agree it's excellent that the dev acknowledges and will repair the "very extremely minor, almost unfeasible error". Kudos to the dev.
Who the fuck would be stupid enough to entrust their entire archive of intarwebs passwords to a third party, via an online database?
Any password manager which adopts that policy, as opposed to local storage, is about as secure as a Post-It note stuck to your monitor.
It is local storage
It is stored on your PC, not in the 'cloud' or anywhere else, unless you want it to be. If you are going to comment then at least get your facts right.
Re: It is local storage
If I was the kind of person who worries about getting my facts right, what the hell would I be hanging around El Reg's comments section for?
Seems a bit of a stretch...
I mean - is it a vulnerability in Notepad that you can paste a malicious url wrapped in html tags into it, and save it as an html file?
Use 2.xx branch
This very minor vulnerability is only exploitable in the legacy (and .NET-free) KeePass 1.xx branch. Since all of the computers I use have .NET installed, I have no problems using KeePass 2.xx. It's a wee bit slower but a lot more secure and modern. Unless someone has an old OS or philosophical objections to .NET, I suggest that everyone migrate to the 2.xx branch.
@Danny Jr. - I use KeePassDroid on my Android phone and sync it with my PC. Unfortunately KeePassDroid has currently only got read-only support for the 2.x database format, so I'm stuck with 1.x for now.
Also - despite the July 1st date for the update, V1.22 doesn't know about updates yet, and V1.23 is still listed as pre-release when you install it.