KeePass password manager update improves security
Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public. The new version of the application improves security in several meaningful ways, and it addresses potential attack vectors of previous versions of the program.
New and existing KeePass users find the download of KeePass 2.54 on the official website. The installer will update installations of the password manager automatically.
KeePass users who have used URL overrides may want to take a screenshot of them or write them down, as these will be disabled in the new version, unless stored in the enforced configuration file.
Check out my guide on improving KeePass security.
KeePass 2.54: the changes
The new password manager version improves the export functionality significantly. Back in February, a warning was released by Belgium's Federal Cyber Emergency Team regarding the export functionality.
It revealed that anyone with access to KeePass' configuration file could export the entire password database without user confirmation.
Reichl released KeePass 2.53.1 to address the issue by adding a master password prompt to data exports.
KeePass 2.54 improves export safety further. Exports now require the "export" application policy flag "in most report dialogs" in addition to the master password. The design of the export confirmation dialogs has changed as well: the traditional "OK" button has been replaced with a "Confirm Export" button to make the action clearer, and the banners have a new background color.
Passwords and other sensitive data are now hidden behind asterisks in report dialogs. A new toolbar button toggles the hiding of this information.
Another major change pushes several important configuration options into the program's enforced configuration file. The configuration options of the file have priority over changes made to the application's global or local configuration files.
The feature is designed primarily for system administrators who want to enforce certain settings, but it can also be used to protect against manipulation by third parties.
Reichl notes that Triggers, global URL overrides, password generator profiles "and a few more settings" are stored in the enforced configuration file in KeePass 2.54. This may have some consequences:
- Triggers may be used to automate certain tasks in KeePass. The trigger system is turned off unless triggers were already saved in the enforced configuration file in earlier versions. Users need to select Tools > Triggers and check the "enable trigger system" option there to start using them.
- Global URL overrides are disabled in KeePass, unless they are stored in the enforced configuration. These can be enabled under Tools > Options > Integration > URL Overrides.
- Password generator profiles are now stored in the enforced configuration as well. To continue using them, select Tools > Generate Password > Shield button, make the changes and activate the save button.
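As an added illustration (not a file from the KeePass project or from this article), this is what an enforced configuration file that clears the "export" application policy flag looks like; the element names follow the KeePass enforced-configuration format as I understand it and are an assumption on my part, as is the file name:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed file name and location: KeePass.config.enforced.xml in the KeePass
     application directory. Settings here take priority over the global and
     local configuration files, so a user (or malware editing the user's own
     config) cannot switch the policy back on from Tools > Options.
     Illustrative fragment; element names are an assumption, not project code. -->
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Security>
    <Policy>
      <!-- Clear the "export" application policy flag. With 2.54 requiring this
           flag for exports, the export action is denied regardless of the
           master password prompt and confirmation dialog. -->
      <Export>false</Export>
    </Policy>
  </Security>
</Configuration>
```

Triggers, global URL overrides and password generator profiles that should survive the 2.54 update belong in this same file, alongside the policy block.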
Information for portable users and for users who already use an enforced configuration file is available on the official website.
Last month's reported security issue has been addressed in the release. Third parties with access to memory dumps could recover all but the first character of KeePass' master password, which makes identification of the password trivial. The update to KeePass 2.54 resolves the matter.
Now You: do you use KeePass or another password manager?