New Update KeePass Password Manager - Updates and discussion

Gandalf_The_Grey

KeePass 2.53.1 Released:

Changes from 2.53 to 2.53.1:

  • When testing a KDF ('Test' button in the database settings dialog), KeePass now spawns a child process that performs the KDF computation (which allows to cancel the test more cleanly in the case of excessive parameters; security is unaffected, because dummy data is used for the test).
  • Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.
  • Minor other improvements.
 

silversurfer

KeePass 2.53.1 Released:


KeePass 2.53.1: vulnerability resolved

The point release addresses the issue. The official changelog highlights the fact: "Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data."

In other words: KeePass will prompt the user for confirmation before data export operations. Confirmation is given with the user's primary password, which needs to be entered before data exports begin.

The controversially discussed vulnerability shows how important it is to address concerns, especially regarding security. KeePass Developer Reichl may not have changed his initial opinion that the vulnerability is not one, but he reacted to public concern and made a change to the application to address these concerns.

Information about the use of triggers is not available, but it seems likely that only a minority of KeePass users use these. Even fewer may use the password export trigger.
 

silversurfer


Should you still trust KeePass?

So nothing really happened in January with KeePass. There was no attack or data breach. The researcher just pointed out an existing vulnerability that has been around for years. The cool customization options in KeePass that people love can also make it vulnerable if not used carefully.

If you still want to use KeePass, be sure to take some precautions, like keeping good antivirus software and a strong password for your Windows account. If you need to step away from your desk, lock your computer to protect your passwords. However, if you want to sync your passwords automatically, you'll have to trust the author of the sync plugin and rely on the security of your cloud storage provider. This means your passwords could be exposed if either the plugin or the cloud storage provider is not secure.
 

n8chavez


silversurfer

This is a moot point though. The export trigger without password has been removed. And no, trusting keepass does not mean trusting plugins? What if you don't use any? Articles like this are just trying to make people paranoid.
Well, I'm a long-time user of KeePass and recently also trying KeePassXC. I have posted this article to inform forum people here about the risk, given that most users do want to sync data among their devices, and this fact makes KeePass riskier, like other cloud-based password managers. I just quoted a small part of this article.
Of course, you mentioned true points: the password export trigger issue has been fixed, and there is almost no risk when KeePass users don't install any plugins like browser extensions to log in more comfortably on websites.
 

n8chavez

That is a good point that @silversurfer brought up. If you are using cloud storage to sync your databases, wouldn't it be safer to mount that as a virtual drive and then store your database there? That way you're not relying on any 3rd-party plugin. That's what I do and it works perfectly. You don't even have to allow keepass network access because the virtual drive is seen as local. I trust my cloud, Mega.nz. It's encrypted. Plus I also use a keyfile.
 

silversurfer

KeePass 2.54 has been released today!

You can get it here: Download KeePass 2.54.

This is a stable release. It is recommended to upgrade from any previous 2.x version to 2.54.

Changes from 2.53.1 to 2.54:


New Features:
  • Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
  • Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
  • Export confirmation dialog banners now have a yellow-orange background.
  • In export confirmation dialogs, the text of the 'OK' button is now changed to 'Confirm Export'.
  • In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
  • The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
  • The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
  • Single line edit dialogs now support hiding the value using asterisks.
  • On Unix-like systems, commands that require elevation now have a shield icon (like on Windows).
  • TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.

Improvements:
  • Improved process memory protection of secure edit controls.
  • The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
  • The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
  • When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
  • Improved UI update performance in the password generator dialog.
  • Improved and renamed dialog banner styles.
  • The separator line of light dialog banners is gray now.
  • Improved serialization/deserialization of custom configuration settings (used by plugins).
  • Improved reporting of unknown database header fields.
  • On Unix-like systems, the clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
  • Improved clipboard clearing on Unix-like systems.
  • Improved starting of an elevated process on Unix-like systems.
  • TrlUtil: improved keyboard shortcut assignment and toolbar construction.
  • Installer: the desktop shortcut is now created for all users (if the option 'Create a desktop shortcut' is activated).
  • Installer: removed the Quick Launch shortcut option.
  • Upgraded installer.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • In report dialogs, the 'Print' and 'Export' commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag 'Unhide Passwords' was turned off).
  • The icon of the custom algorithm options button in the password generator dialog is not cut off anymore.
 

CyberTech

Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public. The new version of the application improves security in several meaningful ways, and it addresses potential attack vectors of previous versions of the program.

New and existing KeePass users find the download of KeePass 2.54 on the official website. The installer will update installations of the password manager automatically.
 

silversurfer

KeePass 2.55 is available to download: Downloads - KeePass

Changes from 2.54 to 2.55:


New Features:
  • Added 'Compare Entries' command (in the main menu 'Entry' → 'Compare'), which compares the two entries that are selected in the main entry list.
  • Added 'Mark Entry for Comparison' and 'Compare Entry with Marked Entry' commands (in the main menu 'Entry' → 'Compare'); these two commands support comparing two entries that are stored in different databases (opened in tabs).
  • Report dialogs can now be closed by pressing the Esc key.
  • Added option 'Show warning when the key transformation settings are weak' (in 'Tools' → 'Options' → tab 'Security', turned on by default).
  • The options in the entry/group duplication dialog are remembered now.
  • The options in the HTML export/print dialog are remembered now.
  • In dialogs that have a 'Do not show this dialog again' option and multiple commands, the command that will always be used when turning on the option is now mentioned in the dialog.
  • Added 'More information' link in the dialog that is displayed when KeePass automatically disables enforcement-requiring items.
  • Added {NEWPASSWORD:/#/P/O/} placeholder, which generates a new password for the current entry using the specified pattern P and the option(s) O.
  • Added accessible names for some controls (custom keystroke sequence edit control in the auto-type item dialog, filter edit control in report dialogs, a few controls in the password generator dialog; if the option 'Optimize for screen reader' is turned on).
  • Added 'MasterKeyExpiryForce' configuration setting.
  • Enhanced Google Chrome passwords CSV import module to support the new format.
  • Enhanced mSecure CSV import module to support the new format.
  • Enhanced 1Password 1PUX import module to support the new password field/type.

Improvements:
  • The toolbar in report dialogs is now a tab stop.
  • Increased default number of AES-KDF iterations.
  • Improved syntax highlighting for {CLIPBOARD-SET:...} placeholders (in the auto-type item editing dialog).
  • The node mode of the configuration element '/Configuration/Meta/PreferUserConfiguration' is now 'None' by default.
  • Improved INI loading performance.
  • Improved data size formatting.
  • Renamed value columns/commands in the history entry comparison dialog from 'A'/'B' to '1'/'2'.
  • Improved process memory protection of history entry comparisons.
  • Improved process memory protection of 'CryptoRandomStream' objects.
  • Improved thread safety of process memory protection on Unix-like systems.
  • The MSI file is now built using Visual Studio 2022.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • Searches using an XPath expression involving history entries now always regard all history entries.
  • KeePass now does not crash anymore when a plugin tries to upload a file to a server asynchronously.
Source: KeePass 2.55 released - KeePass
 

simmerskool


ForgottenSeer 103564

Curious: installed 2.55 and got a popup: "the key transformation settings of the database are weak," suggesting a reset to default values. Never seen that before; not sure I ever tweaked them, or if I did, it would have been to make them more secure...? On Win10, upgrading from 2.54.
"Added option 'Show warning when the key transformation settings are weak' (in 'Tools' → 'Options' → tab 'Security', turned on by default)." New option in this version.
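The warning discussed above refers to the key derivation (key transformation) parameters stored unencrypted in the outer header of a .kdbx file. The script below is an added example, not code from KeePass or from anyone in this thread: it parses the KDBX 4 outer header and its VariantDictionary of KDF parameters, reports whether the database uses AES-KDF or Argon2 and with what rounds/memory/iterations, and flags settings below a threshold. The field IDs, type tags and KDF/cipher UUIDs are the published KDBX 4 format values; the thresholds in POLICY are this example's own assumed policy, since the thread does not state the numbers KeePass itself treats as weak. The two sample headers are constructed in memory so the script runs offline; pass real .kdbx paths as arguments to inspect your own databases.

```python
import struct
import uuid

# Constants from the public KeePass 2.x KDBX 4 file format (real values).
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB67B5B65
HDR_END, HDR_CIPHER_ID, HDR_KDF_PARAMETERS = 0, 2, 11
KDF_AES = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea").bytes
KDF_ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes
KDF_ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes
CIPHER_AES256 = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes
# VariantDictionary value-type tags used inside the KDF parameters field.
VD_UINT32, VD_UINT64, VD_BOOL, VD_INT32, VD_INT64, VD_STRING, VD_BYTES = 0x04, 0x05, 0x08, 0x0C, 0x0D, 0x18, 0x42
VD_DECODERS = {
    VD_UINT32: lambda b: struct.unpack("<I", b)[0], VD_UINT64: lambda b: struct.unpack("<Q", b)[0],
    VD_BOOL: lambda b: b[0] != 0, VD_INT32: lambda b: struct.unpack("<i", b)[0],
    VD_INT64: lambda b: struct.unpack("<q", b)[0], VD_STRING: lambda b: b.decode("utf-8"), VD_BYTES: bytes,
}

# ASSUMPTION: these thresholds are this example's own policy, not the
# criteria KeePass applies for its "weak" warning (the thread gives no numbers).
POLICY = {"aes_min_rounds": 600_000, "argon2_min_memory": 64 * 1024 * 1024, "argon2_min_iterations": 2}


def parse_variant_dict(buf: bytes) -> dict:
    """Decode a VariantDictionary: u16 version, then (type, name, value) records, 0x00 terminator."""
    if struct.unpack_from("<H", buf, 0)[0] & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype = buf[pos]
        nlen = struct.unpack_from("<i", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode("utf-8")
        pos += 5 + nlen
        vlen = struct.unpack_from("<i", buf, pos)[0]
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype not in VD_DECODERS:
            raise ValueError(f"unknown variant type 0x{vtype:02x}")
        out[name] = VD_DECODERS[vtype](raw)
    return out


def parse_kdbx4_header(data: bytes) -> dict:
    """Walk the unencrypted outer header (id byte, u32 length, payload) up to the end-of-header field."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError("only KDBX 4.x handled here (KDBX 3 keeps AES rounds in a separate header field)")
    pos, fields = 12, {}
    while True:
        fid, size = data[pos], struct.unpack_from("<I", data, pos + 1)[0]
        payload = data[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == HDR_END:
            return fields
        fields[fid] = payload


def assess_kdf(data: bytes, policy: dict = POLICY) -> dict:
    """Report which KDF a database uses and whether its parameters fall below the assumed policy."""
    kdf = parse_variant_dict(parse_kdbx4_header(data)[HDR_KDF_PARAMETERS])
    kid = kdf["$UUID"]
    if kid == KDF_AES:
        return {"kdf": "AES-KDF", "rounds": kdf["R"], "weak": kdf["R"] < policy["aes_min_rounds"]}
    if kid in (KDF_ARGON2D, KDF_ARGON2ID):
        weak = kdf["M"] < policy["argon2_min_memory"] or kdf["I"] < policy["argon2_min_iterations"]
        return {"kdf": "Argon2d" if kid == KDF_ARGON2D else "Argon2id", "memory_bytes": kdf["M"],
                "iterations": kdf["I"], "parallelism": kdf["P"], "weak": weak}
    return {"kdf": "unknown", "weak": True}


# --- constructed sample headers below; no real database is touched ---
def build_variant_dict(entries) -> bytes:
    out = bytearray(struct.pack("<H", 0x0100))
    for vtype, name, raw in entries:
        nb = name.encode("utf-8")
        out += bytes([vtype]) + struct.pack("<i", len(nb)) + nb + struct.pack("<i", len(raw)) + raw
    return bytes(out + b"\x00")


def build_kdbx4_header(fields) -> bytes:
    out = bytearray(struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040001))
    for fid, payload in fields:
        out += bytes([fid]) + struct.pack("<I", len(payload)) + payload
    return bytes(out + bytes([HDR_END]) + struct.pack("<I", 4) + b"\r\n\r\n")


SAMPLE_AES_WEAK = build_kdbx4_header([  # constructed: AES-KDF with only 6000 rounds
    (HDR_CIPHER_ID, CIPHER_AES256),
    (HDR_KDF_PARAMETERS, build_variant_dict([
        (VD_BYTES, "$UUID", KDF_AES), (VD_UINT64, "R", struct.pack("<Q", 6000)), (VD_BYTES, "S", b"\x11" * 32)])),
])
SAMPLE_ARGON2 = build_kdbx4_header([  # constructed: Argon2d, 64 MiB, 2 iterations, 2 lanes
    (HDR_CIPHER_ID, CIPHER_AES256),
    (HDR_KDF_PARAMETERS, build_variant_dict([
        (VD_BYTES, "$UUID", KDF_ARGON2D), (VD_BYTES, "S", b"\x22" * 32),
        (VD_UINT32, "P", struct.pack("<I", 2)), (VD_UINT64, "M", struct.pack("<Q", 64 * 1024 * 1024)),
        (VD_UINT64, "I", struct.pack("<Q", 2)), (VD_UINT32, "V", struct.pack("<I", 0x13))])),
])

if __name__ == "__main__":
    import sys
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_AES_WEAK, SAMPLE_ARGON2]
    for data in targets:
        print(assess_kdf(data))
```

Only the outer header is read, so no master key is needed and nothing is decrypted; this is the same information the database settings dialog shows, in a form that can be run across a folder of databases before deciding whether to accept the reset-to-defaults suggestion.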
 

silversurfer


KeePass 2.56

KeePass 2.56 has been released today! You can get it here: Download KeePass 2.56.

This is a stable release. It is recommended to upgrade from any previous 2.x version to 2.56.

KeePass 2.56 mainly features user interface and integration enhancements, and various other minor new features and improvements.

Hashes and signatures for integrity checking are available, and program binaries are digitally signed (Authenticode). New translations are available, too.

Changes from 2.55 to 2.56:


New Features:
  • Added search box in the options dialog (keyboard shortcut Ctrl+F).
  • When pressing the Enter key in the group tree of the main window, the entries of the group are displayed now (this can be useful for instance when the entry list is displaying search results).
  • Added 'More' button on the 'History' tab page of the entry dialog, which shows a menu that provides the following two new commands: 'Select All Historic Entries' and 'Delete All Historic Entries'; the menu is also shown as context menu of the history entries list.
  • Added Ctrl+A keyboard shortcut for the 'Select All Historic Entries' command in the entry dialog (the history entries list must have the input focus).
  • Added workaround for Mono window size bug.
  • Added accessibility help page.

Improvements:
  • In the main window, the entry list is now updated when right-clicking onto a group in the group tree.
  • Expanding/collapsing a group in the group tree of the main window does not select it anymore.
  • The option 'Remember password hiding setting in the main window' is now turned off by default.
  • In the auto-type entry selection dialog, comments ({C:...} placeholders) are now removed from the values in the 'Sequence' column if the 'Sequence - Comments' column is displayed.
  • The view is now restored after syntax highlighting in the sequence box of the auto-type association dialog.
  • Reduced flickering in the sequence box of the auto-type association dialog.
  • Improved performance of Spr compilations of certain texts.
  • Minor process memory protection improvement for the password generator.
  • Minor process memory protection improvements for some report dialogs.
  • Improved thread safety of message box management.
  • Improved UUID object implementation.
  • Collection equality testing improvements (for plugins).
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • In the main window, the entry list is now updated correctly when performing overlapping keypresses into the group tree.
  • When cancelling a group drag&drop operation, the group selection is now restored correctly.
  • Fixed background of CHM help pages.
Source: KeePass 2.56 released - KeePass
 
