KeePass 2.35 is the next version of the popular password manager that will introduce a new version of the KDBX file format and security improvements among other things.
KDBX is the file format that KeePass uses for information storage on the device. Version 4 of KDBX features improvements and new capabilities.
KeePass will use the new format eventually, but at first only if certain requirements are met. This is done to give ports of KeePass time to update their versions of the software to support the new format.
Basically, none of the following conditions need to be true:
If none of the conditions are met, KeePass 2.35 will use the new file format automatically.
Probably the biggest change from a security point of view is support for the key derivation function Argon2.
The algorithm won the Password Hashing Competition against 23 candidates. Starting with KeePass 2.35 users of the software can switch the key derivation function from AES-KDF to Argon.
Once you have selected Argon2 as the key derivation function, additional parameters become available. You may change the number of iterations, memory, and parallelism.
You may increase iterations and memory to make dictionary and brute force attacks harder, but database loading and saving may take more time.
You may use the "test" button to test new values that you enter. KeePass runs tests and displays the time it takes to transform a key in a small window afterwards.
Some examples on a device with an Intel Core i7-6700k CPU and 32 Gigabytes of ram.
The main advantage of Argon2 over AES-KDF is that it provides better resistance against GPI/ASIC cracking attacks.
KeePass' Argon2 implementation supports all parameters that are defined in the official specification, but only the number of iterations, the memory size and the degree of parallelism can be configured by the user in the database settings dialog. For the other parameters, KeePass chooses reasonable defaults: a 256-bit salt is generated by a CSPRNG each time a database is saved, the tag length is 256 bits, no secret key or associated data. All versions of Argon2d (1.0 to 1.3) are supported; KeePass uses the latest version 1.3 by default.
Besides support for Argon2, KDBX 4.x will introduce a number of improvements and changes that are outlined briefly below:
Additional information on the new format are available on the KeePass website. It is not clear yet when the KeePass 2.35 will be released.
Now You: What's your take on the improvements?
If you like our content, and would like to help, please consider making a contribution: