KeePass audit: no critical security vulnerabilities found
We reported back in June 2016 that KeePass, a popular password manager, was getting a security audit by the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA).
EU-FOSSA is a pilot project to create a formal process for contributing software security reviews to open source communities.
The project created an inventory of open source solutions used by the Commission, published studies into the security practices of 14 open source communities, and reviewed two popular open source solutions.
KeePass is a password manager created for Windows -- also working on Linux -- that uses a locally stored encrypted database.
The password manager supports plugins and forks thanks to its open source nature. Plugins enable users to extend the program's functionality, for instance by integrating it in web browsers or synchronizing the database using online storage providers.
The research team audited the code of KeePass 1.31, and not of KeePass 2.34. While KeePass 2.34 is not mentioned anywhere in the report, it appears reasonable that KeePass 2.34 would fare similarly in a code audit.
KeePass 1.x is the legacy version of the password manager. The version does not require Microsoft .NET but lacks features that only KeePass 2.x ships with. It does not support linking KeePass to the Windows user account or one-time passwords for instance. You find a full edition comparison table here.
The KeePass audit went through all 84622 lines of code and found no critical or high-risk issues in the code. It did find five medium rated, three low rated, and six information only rated issues however.
No critical or high-risk findings were detected. Among the remaining findings, five medium and three low risk results were detected. The remaining six were of an informative nature.
The issues that were found by the researchers are detailed in the audit report which you can download from the project deliveries page on the EU-Fossa website. There you find listed the Apache security audit as well (look under WP6: sample code review near the bottom of the page).
KeePass is an excellent, secure, password manager for Windows. The results of the code audit suggest that it is a well designed program with no critical or high risk issues.
Now You: Which password manager are you using and why?Advertisement