"Should I use KeePass 2, KeePassX, or KeePassXC?"
✔️ Use KeePass 2 – this is the original KeePass, primarily developed for Windows. However, it can be used on Linux, too.
✔️ Use KeePassXC – this password manager indirectly originates from KeePass 2. Most features are similar to KeePass 2.
❌ Don't use KeePassX – development ceased in 2016.
@infosechandbook I think KeePassXC is the better option. The community is just bigger now than KeePass's.
@aktivismoEstasMiaLuo @bojkotiMalbona @MaSven @infosechandbook I'd be interested to read more on this subject, seems it can be built without networking https://keepassxc.org/docs/#faq-security-network
What are the current alternative suggestions to use instead (with browser integration and server/client options ideally)?
@bojkotiMalbona @infosechandbook But this is only while creating a new password, and they can only track that I am using the HIBP API. Also, is the API served over CF? Also, you are not sending the password in the clear; it is a cryptographic hash. Also, it is TLS encrypted, so no, CF cannot steal the clear-text password here.
CloudFlare sees *unhashed* passwords because the hashing is done on the server side. The passwords are not in the clear, but CF still sees them of course b/c CF is where the tunnel terminates. It's CF's tunnel & CF's SSL keys.
I should clarify that CF sees unhashed passwords when you access a CF website that requires a login. Specifically in the case of the HIBP API, #keepass sends the 1st 5 chars of a hashed pw (maybe that's what you were referring to). In that case, the list of PWs is not seen, but CloudFlare & HIBP can see how many PWs are reused. CF can also hash the raw PW of one of their sites and compare it to your list, and know if that particular PW is reused.
I mentioned that. The 5 chars from #KeePass can be compared to the 1st five chars of the same hash done on a PW submitted to a CF login site. A match links a single account to that same person's list of hashed PWs along with their IP. The fallout is deanonymization. Also, if someone reuses their PW, CF can see how many places it's reused.
@infosechandbook On Android use KeePassDX
I use KeePassDroid from f-droid
chaos.social – a Fediverse instance for & by the Chaos community