KeePassXC security audit published, recommends this security setting
KeePassXC is a popular password manager for Windows, Mac and Linux that uses the KDBX file format from the password manager KeePass.
The developers of KeePassXC have published the results of a security audit on their website yesterday. The audit was conducted by Zaur Molotnikov, who is a Munich-based software engineer. Molotnikov's CV is listed on his website.
The audit was conducted free of charge, and while there is some rumbling about potential conflicts of interests on Hacker News, it is irrelevant for the purpose of the article that you are reading now.
Interested users may check out the full audit report here. The author makes several suggestions to the KeePassXC development team and also to users of the application. A core suggestion is to make sure that the latest database format is being used.
How to verify the KeePAssXC database format
KeePassXC users have two options during the creation of a new database in regards to the format. The application supports KBSX 3 and KBDX 4, with version four the more advanced format.
The makers suggest to users to use the latest format, by marking it as recommended. This is also the recommendation of KeePass. In fact, the only reason for selecting KDBX 3 is backwards compatibility.
KeePass users, regardless of which port they use, often use different applications to bring support to their other devices. There are several Android apps available, and if one of these does not support the KDBX 4 database format, the less secure database format three needs to be used.
Long-time users of KeePassXC may also use the older format. The new format includes major security improvements, such as support for Argon2 or improved header and data authentication.
KeePassXC users may verify the used database format in the following way:
- Open KeePassXC and unlock the password database that you want to check.
- Select Database > Database Security.
- Switch to Encryption Settings.
- Check the Database format option.
If you see KDBX 3, the old format is used. Switching to the new format is a matter of a few clicks. You may copy the database file on the computer's hard drive first for backup purposes. All data should remain accessible though and the process is quick.
- Select KDBX 4 (recommended) from the menu.
- Select OK.
That is all to it. The new database format offers better security and should be used, unless compatibility stands in the way; this is actually true for all applications that use the KeePass database format to protect user secrets.
Now You: do you use KeePassXC, KeePass, or another program?
Thanks for the share. I use keeweb as most of the work happens within the browser.
I chose keepass because I can keep the file local. No cloud involved and with the browser extension it’s simple to use.
I have used KeePassXC for years now. It is exactly what I want in a password manager. My passwords in a local file completely under my control.
Good to know about the DB format, since my DB was created years ago, I’ll have to check that I’m using the latest version.
And they publish those news after 3 months.
Thats makes no sense.
I’ve used KeePass for about 16 years now and I’m still discovering and utilizing features. I still prefer it over KeePassXC, even on Linux, due to those features I’ve come to rely on. But I’m sincerely grateful for projects like these.
Me also with Argon2d (KDBX-4 – recommended).
I forgot what the default is, but I think I chose Twofish over AES or ChaCha.
I thought I should leave the rounds, memory and parallelism settings at default (10, 256, 2).
Thanks Martin!
Oh yeah. My password is 22 characters long, a obscure lyric with a case, numeral and character mixture I can remember, and have remembered, and at this point it’s as much muscle memory as well when I type it in.
The info in the article is too shallow.
@Ben
What’s missing then?
I tend to agree… the entire article is to inform to use KDBX4 format. Nothing else beyond the default format for the DB.
The level of information in this article is fine. A link to details is provided for those who want to know more than the takeaway: “use the KBX4 format”. If the link were not provided, I might have agreed with you.
yes, I do use KeepassXC. thanks for the details of the test. checked the format and luckily I am already using the newer “4”format. thanks