Open-source password keeper to get 'minor' weekend security fix

The developer of KeePass, the popular open-source password management utility, has promised an update this weekend following the discovery of a "minor" security bug in the tool. KeePass Password Safe is a free-of-charge and open-source tool that offers consumers the ability to manage multiple passwords from a central vault. …

COMMENTS

This topic is closed for new posts.
  1. Bluewhelk
    Thumb Up

    Good news really

    If that's the worst security flaw that the researcher can come up with, it means I can happily carry on using it safe in the knowledge that it's generally a reliable bit of software.

    In addition it is encouraging that the developer is patching this, either in 3 days or as originally planned given the difficulty to exploit the bug.

  2. Khaptain Silver badge

    Minor is a bit of an understatement

    You mean you have to decrypt or use the password on an existing keepass database, open an entry and paste or type a malicious URL without realising it. That's pushing things a bit far.

    Ok, you could import an existing database but then it means you are importing from an "untrusted" source anyway. I don't know many people that habitually exchange password databases.

    I agree it's excellent that the dev acknowledges and will repair the "very extremely minor, almost unfeasible error". Kudos to the dev.

  3. Anonymous Coward
    FAIL

    Uncrackable p455w0rd

    Who the fuck would be stupid enough to entrust their entire archive of intarwebs passwords to a third party, via an online database?

    Any password manager which adopts that policy, as opposed to local storage, is about as secure as a Post-It note stuck to your monitor.

  4. Anonymous Coward
    Thumb Up

    It is local storage

    It is stored on your PC, not in the 'cloud' or anywhere else, unless you want it to be. If you are going to comment then at least get your facts right.

    1. Anonymous Coward
      Thumb Up

      Re: It is local storage

      If I was the kind of person who worries about getting my facts right, what the hell would I be hanging around El Reg's comments section for?

  5. AlexV
    WTF?

    Seems a bit of a stretch...

    I mean - is it a vulnerability in Notepad that you can paste a malicious url wrapped in html tags into it, and save it as an html file?

  6. DannyJr
    Thumb Up

    Use 2.xx branch

    This very minor vulnerability is only exploitable in the legacy (and .NET-free) KeePass 1.xx branch. Since all of the computers I use have .NET installed, I have no problems using KeePass 2.xx. It's a wee bit slower but a lot more secure and modern. Unless someone has an old OS or philosophical objections to .NET, I suggest everyone migrate to the 2.xx branch.

  7. RFC822
    Unhappy

    Compatibility

    @Danny Jr. - I use KeePassDroid on my Android phone and sync it with my PC. Unfortunately KeePassDroid has currently only got read-only support for the 2.x database format, so I'm stuck with 1.x for now.

    Also - despite the July 1st date for the update, V1.22 doesn't know about updates yet, and V1.23 is still listed as pre-release when you install it.
