KeePass Password Manager is getting a code audit - gHacks Tech News

KeePass Password Manager is getting a code audit

The European Union just announced that it will give the source code of the password manager KeePass and the Apache Web Server a security audit.

The idea to audit open source software came to life back in December 2014, when two members of the European Parliament suggested an audit of free software used by EU institutions.

The European Parliament allocated one million Euro for a pilot project. It took another 18 months to get started; over the last two months, users were asked to pick two free software programs from a list of open source solutions in use by the European Parliament or the Commission.

The selection list included several well-known open source solutions including Firefox, Apache Web Server, WinSCP, 7-Zip, NotePad++, VLC Media Player, and even Linux (or a component thereof).

The results are in, and the two projects with the most votes are the password manager KeePass and the Apache Web Server.

KeePass is a popular password manager for various operating systems, and Apache is a widely used HTTP server on the Internet.

Screenshot: KeePass 2.21

While I'm happy that KeePass received nearly one quarter of all votes (23.1%), it is surprising that it and Apache HTTP Server were favored in the survey over Linux or Firefox.

Here is the top ten list:

  1. KeePass (23.1%)
  2. Apache HTTP Server (18.7%)
  3. VLC Media Player (8.8%)
  4. Linux (8.6%)
  5. MySQL (4.3%)
  6. 7-Zip (4.2%)
  7. Git client (4.1%)
  8. Tomcat (2.6%)
  9. BouncyCastle (2.6%)
  10. Drupal (2.2%)

Besides the audits of KeePass and Apache HTTP Server, the pilot project has also started work on documents that will benefit future code audits. The pilot project ends in December, and the EC and EP are currently looking for funds to continue it.

You can check the methodology page on EU-FOSSA for planned and already available documents. There you will also find the published results of the sample code audit of the two selected open source solutions.

The EU-FOSSA team responsible for the code audit plans to work closely with the owners of the two selected open source solutions.

The EU-FOSSA pilot is intended to result in a systematic approach for the EU institutions to make sure that widely-used key open source components can be trusted. The project should also allow the EU institutions to contribute to the integrity and security of key open source software. The EC and the EP are looking for funds to continue the project after December, when the pilot ends.

As a user, I would probably have picked Firefox and KeePass, as those are the two programs I use the most throughout the day. The list does include more than ten programs that I use regularly though, and I'd like the project to continue so that they all get a code audit.

Now You: Which open source solutions would you have picked?

    Comments

    1. Pants said on July 22, 2016 at 7:42 am

      I wouldn’t have picked FF, as I think it’s already well funded and scrutinized, and it’s such a dynamic area, that an audit would probably quickly fall out of date (but could well pick up something useful). It’s just too big. A narrow linux aspect could have been feasible, but again, I think it’s well scrutinized at this point, but I’m not an expert.

      I like the idea of back-end applications getting an audit, as this will directly benefit more people. I probably definitely have pumped for Apache. And probably MySQL as second pick.

      1. Pants said on July 22, 2016 at 8:29 am

        “probably definitely” … I think I need to drink more beer .. what a(n) (oxy)moron I am

    2. Shiro said on July 22, 2016 at 9:28 am

      Linux? How would that work? By the time the audit is finished, we’d be two full kernel versions further along the line.

      1. Martin Brinkmann said on July 22, 2016 at 10:50 am

        Probably by concentrating on important parts.

    3. DhulK said on July 22, 2016 at 1:06 pm

      KeePass v1 or v2?

      1. Martin Brinkmann said on July 22, 2016 at 3:08 pm

        My guess is version 2, but I don’t know for sure.

    4. Anonymous said on July 22, 2016 at 1:50 pm

      The word “euro” as a currency should not be capitalized in English.

    5. ansar said on July 22, 2016 at 5:40 pm

      Hmm, I wonder if they will look at any plugins for Keepass.

    6. Wayfarer said on July 22, 2016 at 6:51 pm

      I’ve used KeePass for years – portable edition with a password as long as my arm. Does everything I need and (so far) admirably unbloated. To the point I’ve yet to find anything that remotely approaches it for both efficiency and simplicity.
      As with any security app – an audit always welcome, just for peace of mind.

    7. Visitor said on July 22, 2016 at 8:52 pm

      For unknown reason, I’ve been served with mobile version of the site on my desktop.

      1. Martin Brinkmann said on July 22, 2016 at 9:24 pm

        If that is the case, scroll to the very bottom and click on the desktop button there.

    8. René Kåbis said on July 23, 2016 at 2:22 pm

      IMHO the only thing missing from KeePass is an auto-updater exactly like the one built into Firefox.

      It could also use a server component that could keep disparate clients up to date without forcing a reload/merge (it queries the DB with every entry examination rather than loading everything on launch and keeping it resident), and much better non-Windows clients, but that’s just my specific use case.

    9. Wim Joosten said on July 23, 2016 at 4:28 pm

      I would suggest having IrfanView scrutinized as well.

    10. wonton said on July 28, 2016 at 3:41 am

      keepass needs a massive audit, 1pass needs one too

    11. Ron said on October 6, 2016 at 11:39 am

      Any news about the KeePass audit?

      1. Martin Brinkmann said on October 6, 2016 at 12:38 pm

        No word on that yet. I'll post the findings once they become available.

        1. Ron said on October 6, 2016 at 1:26 pm

          Thanks Martin!

      2. JC said on November 21, 2016 at 9:06 pm
        1. Ron said on November 22, 2016 at 12:27 pm

          Thanks!
