
From the text it looks like one of the selling points is integration with apps like browsers so you don't have to copy/paste passwords, as with KeePassX.

Personally, to me that sort of integration has always seemed like a bad idea. I'm glad that my password database can't talk to my browser programmatically. One less thing to go wrong.



Browser integration is one of the major security gains of using a password manager.

It takes passwords and makes them "unphishable", because the manager knows what domain you're on.

Of course it's also the largest attack surface. Personally, I think that tradeoff is worth it - assuming competent development.
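The "unphishable" point above, as an added example that is not code from the thread or from any password manager: the extension only offers a stored credential when the page's exact origin equals the origin the credential was saved for. The names `savedCredentials`, `credentialsFor` and `shouldAutofill` are invented for this demo, and the vault entry is constructed.

```javascript
// Added demo of origin-exact autofill, the property that makes browser
// integration resist phishing: a human judges "looks like the right site",
// the manager compares exact origins, so lookalike hosts get nothing.

// Constructed sample vault: each entry records the origin it was saved on.
const savedCredentials = [
  { origin: "https://mywebservice.com", username: "alice", password: "demo-only" },
];

// Reduce a URL to scheme + host + port. WHATWG URL parsing lowercases the
// host and converts IDN labels to punycode, so a homoglyph domain never
// compares equal to the ASCII original.
function originOf(url) {
  return new URL(url).origin;
}

// Entries the manager may fill on `pageUrl`. Subdomain tricks
// (mywebservice.com.evil.example), http downgrades and odd ports all fail
// the exact-origin comparison; an unparsable URL fills nothing.
function credentialsFor(pageUrl, vault = savedCredentials) {
  let pageOrigin;
  try {
    pageOrigin = originOf(pageUrl);
  } catch (e) {
    return [];
  }
  return vault.filter((entry) => originOf(entry.origin) === pageOrigin);
}

// Should the extension offer autofill on this page at all?
function shouldAutofill(pageUrl, vault = savedCredentials) {
  return credentialsFor(pageUrl, vault).length > 0;
}
```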


> assuming competent development

...of every other extension that you use. That is a very bad assumption to make.

That said, I do use Lastpass myself and in fact have a premium membership.


If assuming competent development is bad, as you claim, why would it be a better idea to use a closed source password manager like LastPass instead of an open source fork of KeePassX? If this program can accomplish everything that LastPass can accomplish, while also being open source, surely that's more trustworthy than a closed source implementation that you could not audit.


I'm not interested in the closed- or open-source aspects of the issue. I'm interested in allowing other browser extensions to access my passwords. The issue is whether or not passwords should be stored in a browser extension, not about access to the source code.


It also protects from keyloggers.


If you have a keylogger on your system, you're screwed.

Anyway, it doesn't necessarily protect from keyloggers for a couple of reasons:

1 - The password to the password database will be recorded by the keylogger. The password database can then be copied by the intruder and then opened using the logged password.

2 - Any password you type into the password management app can be logged by the keylogger, so browser integration does not help.


1. KeePass has an option to allow entering the master password on a [secure desktop][1].

2. You usually don't type passwords into the password management app, you generate them.

But yes, generally it's best if you don't get your computer infected with malware in the first place. Obviously if your computer is compromised there'll always be some way for sufficiently advanced malware to steal your password database.

[1]: http://keepass.info/help/kb/sec_desk.html


1. That doesn't matter if the computer has a physical keylogger installed (for example, between the keyboard and the port the keyboard plugs into, or inside the keyboard itself, etc).

2. Generating passwords would help protect them from keyloggers and is a reason to do so. But as far as I know no password manager prevents people from typing in passwords, and I'm sure a lot of people do for a variety of reasons (from importing old passwords or passwords generated on another device to creating memorable passwords or because the password generation mechanism of the password manager is inadequate in some way, etc).


I love browser integration but am not willing to go to LastPass, and therefore have to stay with the ugly, but well functioning .NET keepass2 client on desktop and with the nice keepass2android.

> From the text it looks like one of the selling points is integration with apps like browsers so you don't have to copy/paste passwords, as with KeePassX.

Can you provide a source please? Thank you.

This [1] says the opposite (quoting from the GitHub issue):

"I removed the milestone for now since we are not sure if we actually want our users to expose their passwords over a network protocol with questionable security record. The security of both KeePassHTTP and KeePassRPC is doubtable and in their current state we would prefer not to have them as part of the main KeePassXC product.

This doesn't mean KeePassXC will never support it, it only means that at the moment we don't have immediate plans and an implementation needs further discussion."

[1] https://github.com/keepassxreboot/keepassxc/issues/88#issuec...


>the ugly, but well functioning .NET keepass2

What's ugly about it, besides (I guess) the .NET part?


Mono's WinForms shim is... less than stellar, sadly.

Occasionally, text goes some unreadable colour. And it crashes when I click while holding down Super. And it only follows the GTK colour scheme sometimes; enabling night mode ended up with a beautiful mix of black-on-black-with-white-stripes.

Oh, and widgets like buttons look like a poor man's copy of Windows 95.

Though, to be fair, I now seem to be unable to trigger the above bugs in the latest build, so I guess it's no longer quite as much of an issue.


>Occasionally, text goes some unreadable colour. And it crashes when I click while holding down Super. And it only follows the GTK colour scheme sometimes; enabling night mode ended up with a beautiful mix of black-on-black-with-white-stripes.

Yes, all of the above. Plus having several hundred Mono libs installed for just one app. That app runs 100% of the time, but still...


Apparently it does support KeePassHTTP, if you recompile it with a special flag: https://keepassxreboot.github.io/project


Yes, I just found it, thanks! Unfortunately, on the Firefox side, I can only use the PassIFox extension, which has been too barebones to fit my needs. KeeFox has been excellent - especially if you have multiple accounts associated with a single domain or even subdomains. What I use a lot is opening a website with particular credentials (search in KeeFox by Ctrl-1) or generating passwords (Ctrl-4) (good if you are the one making logins for other people).


Yeah, LastPass got burned by it with their Chrome extension. After that, I switched from a web password manager to a desktop password manager. Less attack surface area.


You don't have to use it. Also, a recently landed change allows you to exclude that feature entirely from the compiled binary if you want to build it yourself.

Personally, the best feature I'm using KeePassXC for is the auto-reload feature. I sync my kdbx file with Tresorit across a couple of computers, and the auto-reload feature ensures that I'm always modifying the latest version.

This is something lacking in the original KeePassX.


So you don't need a password manager. Just save to an encrypted txt file and grep them.


This isn't a great idea for a few reasons, but if you're looking for something like this, it's possible to do it with a few lines of bash - Shitty Password Manager (https://github.com/nindalf/shitty-password-manager)



You can't grep for plaintext in an encrypted file. That's kind of the point of encryption.


  $ decrypt psswd.txt | grep "mywebservice.com"
Though now the password is displayed on the terminal... Not great, but better than exposing the whole database.


I won't do this daily on my Android phone.


It is manipulating the clipboard and inserting keystrokes (to switch between text fields in the login box). Unfortunately any running X app can do that. I would like more isolation too. QubesOS is the only thing I know of that does it.


> any running X app can do that.

Not on Wayland.



AFAIK KeePassHttp, which integrates with PassIFox for Mozilla Firefox and chromeIPass for Google Chrome, is not part of KeePassXC by default.


One thing that stands out is usage of Qt 5. KeePassX (at least the released version) is still using Qt 4.


It doesn't drastically change the features of the application.


Maybe with Qt5 it will scale correctly on HiDPI displays?



