"Should I use KeePass 2, KeePassX, or KeePassXC?"

✔️ Use KeePass 2 – this is the original KeePass, primarily developed for Windows. However, it can be used on Linux, too.

✔️ Use KeePassXC – this password manager indirectly originates from KeePass 2. Most features are similar to KeePass 2.

❌ Don't use KeePassX – development ceased in 2016.

@infosechandbook I think KeePassXC is the better option. The community is just bigger now than KeePass's.

@MaSven @infosechandbook
Only the original KeePass supports secure desktop and plugins like the one for using Windows Hello, and it has an audit.

@MaSven @infosechandbook KeePassXC connects to a #CloudFlare site (#HaveIbeenPwned) to check for breaches. It tells both HIBP & CloudFlare your IP address, that you are using #KeePassXC & how many different passwords you use as well as how many of them are alike.

@infosechandbook @MaSven If a user is foolish enough to create an account on any CloudFlare site, CF already has their full pw and can use it to see whether you reuse that pass on other sites.

@aktivismoEstasMiaLuo @bojkotiMalbona @MaSven @infosechandbook I'd be interested to read more on this subject; it seems it can be built without networking.
What are the current alternative suggestions to use instead (with browser integration and server/client options ideally)?

@bojkotiMalbona @infosechandbook But this is only while creating a new password, and they can only track that I am using the HIBP API. Also, is the API served over CF? Also, you are not sending the password in clear; it is a cryptographic hash. Also, it is TLS encrypted, so no, CF cannot steal the clear text password here.

@MaSven is a #CloudFlare site. It wouldn't make any sense to do the #HIBP check on a new pw.

CloudFlare sees *unhashed* passwords because the hashing is done on the server side. The passwords are not in-the-clear, but CF still sees them of course b/c CF is where the tunnel terminates. It's CF's tunnel & CF's SSL keys.


I should clarify that CF sees unhashed passwords when you access a CF website that requires a login. Specifically in the case of the HIBP API, #keepass sends the 1st 5 chars of a hashed pw (maybe that's what you were referring to). In that case, the list of PWs is not seen, but CloudFlare & HIBP can see how many PWs are reused. CF can also hash the raw PW of one of their sites and compare it to your list, and know if that particular PW is reused.


@MaSven @infosechandbook

Yet another threat from the same vuln: if a #Tor user doesn't think to put #KeePass on Tor, CF could deanonymize them by hashing their PW on a CF site and comparing the 1st five chars to what #KeePassXC sends.

@bojkotiMalbona @infosechandbook No, you are sending a hash range. You can also send it with padding, so no one can do anything with this. Also, it is only the first five hash chars.
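Added example (not from any poster in this thread, and not KeePassXC's own code): a client-side model of the HIBP k-anonymity range check the two posts above are arguing about. It hashes the password locally with SHA-1, sends only the 5-character prefix, and matches the remaining 35 characters against the returned range. The range responses are constructed sample data, including zero-count padding lines, and the breach counts are made up; a real client would fetch the range over HTTPS for the prefix.

```python
import hashlib

# Constructed sample of the "range" endpoint's reply, keyed by 5-char prefix.
# Each line is "<35-char SHA-1 suffix>:<count>". Count 0 lines imitate
# server-side padding; the counts here are invented, not real HIBP data.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1ECB0B5FDD7E9B0BAB7A7C1A9E4AB1CDE0F:0",  # padding entry
        "27B1A4D86A2C5E17E2DE3EF8D7E9A2C1B7A:0",  # padding entry
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; computed locally, never sent whole."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the prefix is what a client transmits."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding rows are kept with count 0, so a
    network observer cannot tell real rows from padding by line count alone."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, ranges: dict[str, str] = SAMPLE_RANGES) -> int:
    """Look up the password's own suffix inside its prefix range, locally."""
    prefix, suffix = split_for_range_query(password)
    body = ranges.get(prefix)  # a real client would GET the range for `prefix`
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


def prefixes_transmitted(passwords: list[str]) -> list[str]:
    """What the endpoint (and any CDN in front of it) actually observes:
    one 5-char prefix per distinct password, nothing else about the secret."""
    return sorted({split_for_range_query(p)[0] for p in passwords})
```

The suffix match stays on the client, so the server learns the prefix and the number of distinct queries, which is the observation the thread turns on.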

I mentioned that. The 5 chars from #KeePass can be compared to the 1st five chars of the same hash done on a PW submitted to a CF login site. A match links a single account to that same person's list of hashed PWs along with their IP. The fallout is deanonymization. Also, if someone reuses their PW, CF can see how many places it's reused.


@marlon @infosechandbook
The challenge-response feature isn't as safe as you might think.

@older @infosechandbook because there simply is no version of keepassxc or Keepass2 for Android.

The developers of KeePassXC suggest using KeePassDX if you want to use KeePass on Android (it's an independent project, but they work together like a cross-platform charm).
