>8.2.2016 @ 15:45: Received response from Dominik Reichl: The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it a inviable solution.
https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/
What password manager should we switch to now?
>An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.
wowitsfuckingnothing.jpg
>>54869465
That's why you use KeePassX.
>>54869494
Hi NSA.
>>54869465
KeePassers on suicid watch!
Or just use keypassX.
>>54869465
Is keepass1 safe from this mitm attack?
>>54871383
Just turn off automatic updates.
Pay some fucking attention will you? This attack is about pretending to be an automatic update.
It's pretty disgraceful to not fix this though.
Are there any advantages of keepassx compared to keepass?
>>54869646
>>54871383
It's not even really an attack. Who updates keepass outside their repo... Oh, Wintards don't have repos. Nvm.
>>54871491
Firstly it's FOSS. that should be reason enough if you aren't retarded.
>>54871596
Both keepass and keepassx are under GPL. Is there any advantage of using kpx over regular kp?
I'm kind of tempted to write my own password manager. Keep things very very simple- an SQLite schema with encrypted passwords, use AES, write multiple UIs (CLI, Cocoa, web-based?), follow best security practices.
Could this be a /g/ project? It's both feasible (if we could keep back feature creep) and actually useful.
Password managers not even once
>>54871628
I tested both and didn't notice any difference.
>>54871587
>vulnerability present
>it doesn't affect me!
Lmao Freetards
>>54871681
Use keypassX dude.
It's a solid program.
>>54871596
Time to fork
>>54871860
It works, but it's fucking dog ugly and unintuitive on OS X. It also seems to use a proprietary database format, so a) I can't access it if needed using standard tools and b) I can't trust it not to get corrupted.
>>54869465
>ads impede security
Gee, what else is new.
keepassx is a keepass ripoff
p a s s
>>54872128
>seems to use a proprietary database format
IT'S FUCKING ENCRYPTED, IDIOT
>>54872178
Calm your rage, anon.
It is not necessary to use a proprietary format in order to store encrypted data. Instead, you simply use a standard SQL-compatible DB.
Store values, not in plain text, but as BLOBs containing AES-encrypted data. Or, if you prefer, store foreign keys to an "EncryptedValues" table. Each row of that would contain both the BLOB with the data, and metadata about the encryption scheme (to allow for flexibility).
This has the distinct advantage that anyone, without access to the program, could extract their data from the file in a pinch- provided they have a little SQL knowledge and, of course, the password/keyfile. With a custom scheme, this is completely impossible.
>>54869465
Automatic updates is the first thing I disable on any software.
>>54872170
this, so much this
I just created a python script to auto find latest release of my windows software and update it in silent mode. Maybe should I add something like checksum or scanning with online AVs?
>>54872250
Well it's GPLv3 so it's literally not proprietary
>>54872318
As long as it uses solely 100% HTTPS and doesn't skip checking certificate validity, you're fine.
>>54871832
So you care about a Freetard program though?
>>54872329
That doesn't help you get data out of it, though.
>SHIT SHIT SHIT SHIT SHIT
SHIT ON SUICIDE WATCH!
this is so retard
must be some american tv show
>>54871681
There is already a command-line one, but I haven't tried it yet https://www.passwordstore.org/
>>54869465
>letting your users get infected so you don't lose ad revenue
idk mang I think you're going to lose more ad revenue if all your users leave but okay
>>54871491
Browser autocomplete!
Brain dead morons who use these "password managers" don't belong on /g/.
Fuck off and/or kys.
>>54877969
Fuck off NSA.
>>54869465
>password manager
>>54878309
>memeing this hard
Fuck off NSA.
>>54878835
>memeing
>>54877997
How is that NSA?
What are they going to do, brute force your neurons?
Why do you need a fucking password manager? Just store it in an encrypted text file.
>>54878980
autocompletion, syncing, password generation, other blah blah blah
>>54872128
>It also seems to use a proprietary database format
It's literally using the same format keypass2 uses, with the ability to import from keypass1
>>54869465
KeyPass2 doesn't even have an auto-update, it's one of its most annoying issues. All it does it bug you to go to the KeePass website and download the new version.
>like lost advertisement revenue
'free' software goyim
/g/ now has to back to lastpass
>>54874899
The entire database is encrypted end to end, whereas your SQLite database idea only encrypts the contents. Meaning the schema is still game for intrusion.
Furthermore there are plenty of implementations of kbdx readers and writers. You could build recovery tools on top of that.
Just because you could readily query your SQLite solution does not mean it is any more recoverable than a standard kbdx database. All it does is provide unnecessary access to hopefully properly encrypted contents. The only "recovery" scenario I could see that applies is you lost the encryption keys and need to run the database against a dictionary of keys. You can do the same to a kbdx database.
>>54880948
>kbdx
I mean kdbx, ofc.
>>54869465
Told you kids bout them password managers.
Upgrade your brain and learn your passwords
This is basically like posting a link on facebook with a keylogger disguised as something else and calling it a vulnerability.
>2002 + 14
>Using a password manager
Holy shit /g/ has become a fucking reddit-tier shitplace.
I don't use automatic update and I've blocked Keepass on my firewall
>>54869465
>tfw automatic updates disabled since you started using keepass2
I knew this would happen
>mfw I'm not retarded enough to click on malicious download pages
So whats the best way to encrypt text files if password managers are shit? ( im using windows btw )
>>54882373
GPG
There's a cool password manager called Masterpassword that does not save your passwords so you can use it on any device.
Just the username and master password needs to be the same because they both generate a masterkey. Then the masterkey is used to generate passwords for multiple user accounts. Its passwords aren't saved
>>54882373
They are not all shit, only LastPass and Keepass2.
Use KeePassX and don't let the NSA niggers tell you what to do.
>inb4 use common sense 2016
Also this, but also a password manager.
How the fuck am I supposed to use password managers on anything but my desktop computer? It's not like I can open the encrypted file on my cellphone.
>>54883233
>being this ignorant
>>54883233
Except you can, idiot.
damn
I don't see the point of password managers. Just write your damn passwords down. Notepad + works well and I have never had problems
>>54869465
And this is why I use keepassx instead of that .NET garbage.
