KeePass password manager update improves security
Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public. The new version of the application improves security in several meaningful ways, and it addresses potential attack vectors of previous versions of the program.
New and existing KeePass users find the download of KeePass 2.54 on the official website. The installer will update installations of the password manager automatically.
KeePass users who have used URL overrides may want to take a screenshot of them or write them down, as these will be disabled in the new version, unless stored in the enforced configuration file.
Check out my guide on improving KeePass security.
KeePass 2.54 the changes
The new password manager version improves the export functionality significantly. Back in February, a warning was released by Belgium's Federal Cyber Emergency Team regarding the export functionality.
It revealed that anyone with access to KeePass' configuration file could export the entire password database without user confirmation.
Reichl released KeePass 2.53.1 to address the issue by adding a master password prompt to data exports.
KeePass 2.54 improves exporting safety further. Exports do require the "export" application policy flag now "in most report dialogs" and the master password. The design of export confirmation dialogs has changed as well. The traditional "ok" button has been replaced with a "Confirm Export" button to make the action clearer, and the banners have a new background color.
Passwords and other sensitive data is hidden behind asterisks now in report dialogs. There is a new button in the toolbar to toggle the hiding of the information.
Another major change pushes several important configuration options into the program's enforced configuration file. The configuration options of the file have priority over changes made to the application's global or local configuration files.
The feature is designed primarily for system administrators who want to enforce certain settings, but it can also be used to protect against manipulation by third-parties.
Reichl notes that Triggers, global URL overrides, password generator profiles "and a few more settings" are stored in the enforced configuration file in KeePass 2.54. This may have some consequences:
- Triggers may be used to automate certain tasks in KeePass. The trigger system is turned off if triggers were not saved in the configuration file in earlier versions already. Users need to select Tools > Triggers and check the "enable trigger system" option there to start using them.
- Global URL overrides are disabled in KeePass, unless they are stored in the enforced configuration. These can be enabled under Tools > Options > Integration > URL Overrides.
- Password generator profiles. These too are now stored in the enforced configuration. To continue using them, select Tools > Generate Password > Shield button, make the changes and activate the save button.
Information for portable users and users who have used an enforced configuration file already are available on the official website.
Last month's reported security issue has been addressed in the release. Third-parties with access to memory dumps could restore all but the first character of KeePass' master password, which makes identification of the password trivial. The update to KeePass 2.54 resolves the matter.
Now You: do you use KeePass or another password manager?
I don’t get it, keepass is an offline password manager, if people got it hacked or something, it is because they allowed randoms in their computer, by remote or physical…. so it’s hard to know why would anyone want to hack some random who mean nothing to anyone.
Plus how many users use Keepass? not many, making it even harder.
Even a Notepad plaintext file with all passwords is safe if properly managed, just like Windows with password and all that.
I have been using Keepass for years, but I don’t do anything fancy to get around URL logins. If they change, I change. At least they have never been completely cracked, yet. I just need them to keep them secure enough to discourage amateurs, recorders, and script kiddies. My border does the rest.
If the security of a “safe” needs improved, perhaps one shouldn’t trust it to keep anything “safe”?
According to Chrome fanboys, the more exploits found in a “safe”, the more secure it is. The fact a safe is frequently attacked means it is more secure than a safe that is attacked less.
Don’t ask me what that means, it’s just what they say, and it contradicts what you say.
So how are we going to keep thing safe then?
That you would ask a random unknown person that question demonstrates the root of the problem.
Go teach yourself how.
Ah yes pretending again we need absolute security. They can always get a rubber hose or jail you forever if you refuse to talk:
[https://www.techdirt.com/2014/01/16/uk-man-jailed-not-giving-police-thumbstick-password/]
Just look at what it has done for Assange. Does anyone in here feel that important or interesting to the gov?
That you would make a random uniformed statement but then be completely unable to answer a random unknown person’s question demonstrates the root of the problem.
Go teach yourself how to answer questions properly.
The security problem reported last month has been fixed with this version. It also says in the change dialogue: “Improved process memory protection of secure edit controls”.
Dominik Reichl confirms this again here: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/?page=2&limit=25#5a0c/abb7
Thank you Nils!