What are the main differences between KeepassX vs Keepass2?

Asked by AndreaBailey in Cyber Security, Feb 8, 2022

 I am using KeePass-Http connector (just such a useful and quick extension to enter logins/passwords!) and there are some security concerns re this: from the website of KeepassXC: https://keepassxc.org/project/

A note about KeePassHTTP

KeePassHTTP is not a highly secure protocol and has certain flaws which allow an attacker to decrypt your passwords if they manage to intercept communication between a KeePassHTTP server and KeePassHTTP-Connector over a network connection (see https://github.com/pfn/keepasshttp/issues/258 and https://github.com/keepassxreboot/keepassxc/issues/147). KeePassXC therefore strictly limits communication between itself and the browser plugin to your local computer. As long as your computer is not compromised, your passwords are fairly safe that way, but use it at your own risk! As of KeePass 2.3, we deprecated KeePassHTTP in favour of KeePassXC-Browser.


However, I have now tried using Keepass which has changed beyond recognition in the past few months. It doesn’t need Mono (if I understand correctly) and it uses KeePass-Browser (rather than KeepassHTTP)


Would anyone have any comments re the security of KeePass-Browser extension?


Also in order to run Keepass2 (esp if also using the Keepass-Http connector) one needs Mono. Some would say Mono is a security risk. See Under Linux, KeepassXC would probably be safer to use compared to Keepass2, right?

Answered by Andrew Jenkins

Some would say Mono is a security risk. See https://sites.google.com/site/easylinuxtipsproject/security


This page makes the point that installing wine or mono, since it allows you to run more programs (like Windows ones), also makes it easier to run malware (as you could be infected by, e.g., ransomware that was developed for a Windows target).

YMMV, as you may find that the benefit of running program X outweighs the added risk of higher exposure. How unlikely you are to accidentally have some malware depends a lot on the person. Some people are very conscious and won't run anything not completely innocuous as root (or they even restrict themselves to their package manager), while others will do all kinds of stupid-to-harmful actions… as root (and should have no root privileges at all). However, running malware != running malware as root. Even if it isn't able to run as root, malware can do a lot of harm, for example ransomware. Your system files (which could be recovered by reinstalling) will be safe, but your photos and personal data won't. This was expressed by Randall Munroe in his xkcd 1200, "Authorization":

[image: xkcd 1200, "Authorization"]

(image under a CC-BY-NC-2.5 licence)

I haven't studied the extensions themselves, but from a brief look at the linked bugs, I think it is. If anything, because KeePassHTTP has some shortcomings that KeePass-Browser was designed to fix. Note however that you could be using either of them without any browser plugin, in which case this piece may not be important. I personally prefer KeepassX over Keepass2 under Linux, as I find it to integrate better with the system overall. But from a security aspect, I would say that you can use both of them in a safe way.
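The KeePassXC note quoted in the question rests on one concrete mitigation: the browser-integration socket is reachable only from the local machine. The script below is an added example (not code from this thread, nor from KeePass or KeePassXC) showing how a defender can verify that property on a Linux host: it parses `ss -ltn`-style listener lines and reports any bind address on the plugin's port that is not a loopback address. The sample `ss` output is constructed, and the port 19455 is assumed here as the historical KeePassHTTP default; change it to whatever your plugin is configured to use.

```python
"""Verify that a local-IPC listener is bound to loopback only.

Added example; not part of the original thread or of KeePass/KeePassXC.
Assumptions: input lines follow the `ss -ltn` column layout
(State Recv-Q Send-Q Local-Address:Port Peer-Address:Port), and the
port of interest is 19455 (assumed historical KeePassHTTP default).
"""
import ipaddress
import subprocess
from typing import Dict, List

PLUGIN_PORT = 19455  # assumed default; set to your plugin's configured port

# Constructed sample of `ss -ltn` output so the example runs offline.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:19455      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::1]:19455          [::]:*
LISTEN  0       4096    *:8080               *:*
"""


def split_addr_port(local: str):
    """Split 'host:port' where host may be IPv4, '[IPv6]' or the wildcard '*'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only when the bind address is provably a loopback address."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unrecognised form: do not assume it is local


def parse_listeners(ss_output: str) -> List[Dict]:
    """Return one record per LISTEN line: host, port and whether it is loopback-only."""
    rows = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or non-listening socket
        host, port = split_addr_port(parts[3])
        rows.append({"host": host, "port": port, "loopback_only": is_loopback(host)})
    return rows


def exposed_listeners(ss_output: str, port: int = PLUGIN_PORT) -> List[str]:
    """Bind addresses on `port` that are NOT loopback, i.e. reachable over the network."""
    return [r["host"] for r in parse_listeners(ss_output)
            if r["port"] == port and not r["loopback_only"]]


def live_ss_output() -> str:
    """Read real `ss -ltn` output on a Linux host (not used in the offline demo)."""
    return subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    exposed = exposed_listeners(SAMPLE_SS_OUTPUT)
    if exposed:
        print(f"port {PLUGIN_PORT} is reachable from the network on: {exposed}")
    else:
        print(f"port {PLUGIN_PORT} is bound to loopback only")
```

Against the constructed sample the plugin port is bound to 127.0.0.1 and ::1 only, so nothing is reported, whereas the same check on port 22 or 8080 flags the wildcard binds. On a real host replace `SAMPLE_SS_OUTPUT` with `live_ss_output()`; a finding on the plugin port means the socket is exactly in the position the KeePassXC note warns about.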


