New Update KeePass Password Manager - Updates and discussion

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
KeePass 2.53.1 Released:

Changes from 2.53 to 2.53.1:

  • When testing a KDF ('Test' button in the database settings dialog), KeePass now spawns a child process that performs the KDF computation (which allows to cancel the test more cleanly in the case of excessive parameters; security is unaffected, because dummy data is used for the test).
  • Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.
  • Minor other improvements.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
KeePass 2.53.1 Released:


KeePass 2.53.1: vulnerability resolved

The point release addresses the issue. The official changelog highlights the fact: "Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data."

In other words: KeePass will prompt the user for confirmation before export data operations. Confirmation is given with the user's primary password, which needs to be entered before data exports begin.

The controversially discussed vulnerability shows how important it is to address concerns, especially regarding security. KeePass Developer Reichl may not have changed his initial opinion that the vulnerability is not one, but he reacted to public concern and made a change to the application to address these concerns.

Information about the use of triggers is not available, but it seems likely that only a minority of KeePass users use these. Even fewer may use the password export trigger.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264

Should you still trust KeePass?

So nothing really happened in January with KeePass. There was no attack or data breach. The researcher just pointed out an existing vulnerability that has been around for years. The cool customization options in KeePass that people love can also make it vulnerable if not used carefully.

If you still want to use KeePass, be sure to take some precautions, like keeping good antivirus software and a strong password for your Windows account. If you need to step away from your desk, lock your computer to protect your passwords. However, if you want to sync your passwords automatically, you'll have to trust the author of the sync plugin and rely on the security of your cloud storage provider. This means your passwords could be exposed if either the plugin or the cloud storage provider is not secure.
 

n8chavez

Level 20
Well-known
Feb 26, 2021
972

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
This is a moot point though. The export trigger without password has been removed. And no, trusting keepass does not mean trusting plugins? What if you don't use any? Articles like this are just trying to make people paranoid.
Well, I'm a long-time user of KeePass and have recently also been trying KeePassXC. I posted this article to inform forum members here about the risk, given that most users want to sync data among their devices, so this fact makes even KeePass riskier, like other cloud-based password managers. I just quoted a small part of this article.
Of course, you mentioned true points: the password export trigger issue has been fixed, and there is almost no risk when KeePass users don't install any plugins, like a browser extension to log in more comfortably on websites.
 

n8chavez

Level 20
Well-known
Feb 26, 2021
972
That is a good point that @silversurfer brought up. If you are using cloud storage to sync your databases, wouldn't it be safer to mount that as a virtual drive and then store your database there? That way you're not relying on any 3rd-party plugin. That's what I do and it works perfectly. You don't even have to allow keepass network access because the virtual drive is seen as local. I trust my cloud, Mega.nz. It's encrypted. Plus I also use a keyfile.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
KeePass 2.54 has been released today!

You can get it here: Download KeePass 2.54.

This is a stable release. It is recommended to upgrade from any previous 2.x version to 2.54.

Changes from 2.53.1 to 2.54:


New Features:
  • Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
  • Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
  • Export confirmation dialog banners now have a yellow-orange background.
  • In export confirmation dialogs, the text of the 'OK' button is now changed to 'Confirm Export'.
  • In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
  • The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
  • The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
  • Single line edit dialogs now support hiding the value using asterisks.
  • On Unix-like systems, commands that require elevation now have a shield icon (like on Windows).
  • TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.

Improvements:
  • Improved process memory protection of secure edit controls.
  • The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
  • The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
  • When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
  • Improved UI update performance in the password generator dialog.
  • Improved and renamed dialog banner styles.
  • The separator line of light dialog banners is gray now.
  • Improved serialization/deserialization of custom configuration settings (used by plugins).
  • Improved reporting of unknown database header fields.
  • On Unix-like systems, the clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
  • Improved clipboard clearing on Unix-like systems.
  • Improved starting of an elevated process on Unix-like systems.
  • TrlUtil: improved keyboard shortcut assignment and toolbar construction.
  • Installer: the desktop shortcut is now created for all users (if the option 'Create a desktop shortcut' is activated).
  • Installer: removed the Quick Launch shortcut option.
  • Upgraded installer.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • In report dialogs, the 'Print' and 'Export' commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag 'Unhide Passwords' was turned off).
  • The icon of the custom algorithm options button in the password generator dialog is not cut off anymore.
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public. The new version of the application improves security in several meaningful ways, and it addresses potential attack vectors of previous versions of the program.

New and existing KeePass users find the download of KeePass 2.54 on the official website. The installer will update installations of the password manager automatically.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
KeePass 2.55 is available to download: Downloads - KeePass

Changes from 2.54 to 2.55:


New Features:
  • Added 'Compare Entries' command (in the main menu 'Entry' → 'Compare'), which compares the two entries that are selected in the main entry list.
  • Added 'Mark Entry for Comparison' and 'Compare Entry with Marked Entry' commands (in the main menu 'Entry' → 'Compare'); these two commands support comparing two entries that are stored in different databases (opened in tabs).
  • Report dialogs can now be closed by pressing the Esc key.
  • Added option 'Show warning when the key transformation settings are weak' (in 'Tools' → 'Options' → tab 'Security', turned on by default).
  • The options in the entry/group duplication dialog are remembered now.
  • The options in the HTML export/print dialog are remembered now.
  • In dialogs that have a 'Do not show this dialog again' option and multiple commands, the command that will always be used when turning on the option is now mentioned in the dialog.
  • Added 'More information' link in the dialog that is displayed when KeePass automatically disables enforcement-requiring items.
  • Added {NEWPASSWORD:/#/P/O/} placeholder, which generates a new password for the current entry using the specified pattern P and the option(s) O.
  • Added accessible names for some controls (custom keystroke sequence edit control in the auto-type item dialog, filter edit control in report dialogs, a few controls in the password generator dialog; if the option 'Optimize for screen reader' is turned on).
  • Added 'MasterKeyExpiryForce' configuration setting.
  • Enhanced Google Chrome passwords CSV import module to support the new format.
  • Enhanced mSecure CSV import module to support the new format.
  • Enhanced 1Password 1PUX import module to support the new password field/type.

Improvements:
  • The toolbar in report dialogs is now a tab stop.
  • Increased default number of AES-KDF iterations.
  • Improved syntax highlighting for {CLIPBOARD-SET:...} placeholders (in the auto-type item editing dialog).
  • The node mode of the configuration element '/Configuration/Meta/PreferUserConfiguration' is now 'None' by default.
  • Improved INI loading performance.
  • Improved data size formatting.
  • Renamed value columns/commands in the history entry comparison dialog from 'A'/'B' to '1'/'2'.
  • Improved process memory protection of history entry comparisons.
  • Improved process memory protection of 'CryptoRandomStream' objects.
  • Improved thread safety of process memory protection on Unix-like systems.
  • The MSI file is now built using Visual Studio 2022.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • Searches using an XPath expression involving history entries now always regard all history entries.
  • KeePass now does not crash anymore when a plugin tries to upload a file to a server asynchronously.
Source: KeePass 2.55 released - KeePass
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,797

ForgottenSeer 103564

curious: installed 2.55 and got a popup: "the key transformation settings of the database are weak," suggest reset to default values. Never seen that before not sure I ever tweaked them or if I did it would have been to make them more secure...? on win10 upgrading from 2.54.
Added option 'Show warning when the key transformation settings are weak' (in 'Tools' → 'Options' → tab 'Security', turned on by default). New option in this version.
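
As an added example (not part of the thread and not KeePass code), the following Python code reads the unencrypted header of a KDBX 4 file and reports which key derivation function and parameters it declares, which is what the key transformation warning discussed above concerns. The floors in `KDFS` are an assumed local policy, not the thresholds KeePass applies, and `sample_header` builds a constructed header rather than a real database.

```python
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67        # KDBX file signature
KDF_PARAMETERS, END_OF_HEADER = 11, 0      # KDBX 4 outer header field ids
AES_KDF = bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea")
# KDF UUID -> (name, parameter to check, floor). The floors are an assumed
# local policy, not the thresholds KeePass itself applies.
KDFS = {
    AES_KDF: ("AES-KDF", "R", 1_000_000),                                           # rounds
    bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c"): ("Argon2d", "M", 16 << 20),   # memory, bytes
    bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"): ("Argon2id", "M", 16 << 20),
}
INT_FORMATS = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}

def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary into {name: value}."""
    if struct.unpack_from("<H", buf, 0)[0] >> 8 != 1:
        raise ValueError("unsupported VariantDictionary version")
    out, pos = {}, 2
    while (vtype := buf[pos]) != 0:        # a type byte of 0 ends the dictionary
        # Lengths are read unsigned so a negative value fails the bounds checks.
        (klen,) = struct.unpack_from("<I", buf, pos + 1)
        (vlen,) = struct.unpack_from("<I", buf, pos + 5 + klen)
        start = pos + 9 + klen
        raw = buf[start:start + vlen]
        if len(raw) != vlen:
            raise ValueError("truncated VariantDictionary item")
        key = buf[pos + 5:start - 4].decode("utf-8")
        # Integers are decoded; byte arrays, strings and booleans stay raw bytes.
        out[key] = struct.unpack(INT_FORMATS[vtype], raw)[0] if vtype in INT_FORMATS else raw
        pos = start + vlen
    return out

def read_kdf_settings(data):
    """Return the KDF parameters stored in the unencrypted header of a KDBX 4 file."""
    try:
        sig1, sig2, version = struct.unpack_from("<III", data, 0)
        if (sig1, sig2) != (SIG1, SIG2) or version >> 16 != 4:
            raise ValueError("not a KDBX 4 file")
        pos = 12
        while True:                        # fields: id (1 byte), size (4 bytes), data
            field_id, size = struct.unpack_from("<BI", data, pos)
            body = data[pos + 5:pos + 5 + size]
            if len(body) != size or field_id == END_OF_HEADER:
                raise ValueError("truncated header or no KDF parameters field")
            if field_id == KDF_PARAMETERS:
                return parse_variant_dict(body)
            pos += 5 + size
    except (struct.error, IndexError):
        raise ValueError("malformed header") from None

def assess(params):
    """Return (kdf_name, findings) for a parameter dictionary under the local policy."""
    name, key, floor = KDFS.get(params.get("$UUID"), ("unknown", None, 0))
    if key is None:
        return name, ["unrecognised KDF"]
    value = params.get(key, 0)
    return name, (["%s=%d is below the local floor %d" % (key, value, floor)] if value < floor else [])

def _item(vtype, key, raw):
    return bytes([vtype]) + struct.pack("<I", len(key)) + key.encode() + struct.pack("<I", len(raw)) + raw

def sample_header(rounds):
    """Constructed header start with AES-KDF settings; not taken from a real database."""
    vd = (struct.pack("<H", 0x0100) + _item(0x42, "$UUID", AES_KDF)
          + _item(0x05, "R", struct.pack("<Q", rounds)) + _item(0x42, "S", bytes(32)) + b"\x00")
    other = struct.pack("<BI", 2, 16) + bytes(16)      # an unrelated field that is skipped
    return struct.pack("<III", SIG1, SIG2, 0x00040001) + other + struct.pack("<BI", KDF_PARAMETERS, len(vd)) + vd
```

To check a real database, pass the file's bytes to `read_kdf_settings` and the result to `assess`; only the plaintext header is read, so no master key is involved.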
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264

KeePass 2.56

KeePass 2.56 has been released today! You can get it here: Download KeePass 2.56.

This is a stable release. It is recommended to upgrade from any previous 2.x version to 2.56.

KeePass 2.56 mainly features user interface and integration enhancements, and various other minor new features and improvements.

Hashes and signatures for integrity checking are available, and program binaries are digitally signed (Authenticode). New translations are available, too.

Changes from 2.55 to 2.56:


New Features:
  • Added search box in the options dialog (keyboard shortcut Ctrl+F).
  • When pressing the Enter key in the group tree of the main window, the entries of the group are displayed now (this can be useful for instance when the entry list is displaying search results).
  • Added 'More' button on the 'History' tab page of the entry dialog, which shows a menu that provides the following two new commands: 'Select All Historic Entries' and 'Delete All Historic Entries'; the menu is also shown as context menu of the history entries list.
  • Added Ctrl+A keyboard shortcut for the 'Select All Historic Entries' command in the entry dialog (the history entries list must have the input focus).
  • Added workaround for Mono window size bug.
  • Added accessibility help page.

Improvements:
  • In the main window, the entry list is now updated when right-clicking onto a group in the group tree.
  • Expanding/collapsing a group in the group tree of the main window does not select it anymore.
  • The option 'Remember password hiding setting in the main window' is now turned off by default.
  • In the auto-type entry selection dialog, comments ({C:...} placeholders) are now removed from the values in the 'Sequence' column if the 'Sequence - Comments' column is displayed.
  • The view is now restored after syntax highlighting in the sequence box of the auto-type association dialog.
  • Reduced flickering in the sequence box of the auto-type association dialog.
  • Improved performance of Spr compilations of certain texts.
  • Minor process memory protection improvement for the password generator.
  • Minor process memory protection improvements for some report dialogs.
  • Improved thread safety of message box management.
  • Improved UUID object implementation.
  • Collection equality testing improvements (for plugins).
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • In the main window, the entry list is now updated correctly when performing overlapping keypresses into the group tree.
  • When cancelling a group drag&drop operation, the group selection is now restored correctly.
  • Fixed background of CHM help pages.
Source: KeePass 2.56 released - KeePass
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264

KeePass 2.57

KeePass 2.57 has been released today! You can get it here: Download KeePass 2.57.

This is a stable release. It is recommended to upgrade from any previous 2.x version to 2.57.

KeePass 2.57 mainly features user interface and integration enhancements, and various other minor new features and improvements.

Changes from 2.56 to 2.57:


New Features:
  • Added option 'Prevent certain screen captures' (in 'Tools' → 'Options' → tab 'Security', turned off by default); note that this may also prevent legitimate other software (remote desktop solutions, accessibility tools such as screen magnifiers, etc.) from seeing KeePass windows.
  • Added the new option 'Prevent certain screen captures' in the 'Enforce Options (All Users)' dialog (in 'Tools' → 'Advanced Tools' → 'Enforce Options').
  • Key files can be created on the secure desktop now.
  • Added shortcut keys for the 'Copy Group (Encrypted)' (Ctrl+Shift+C) and 'Paste Group' (Ctrl+Shift+V) commands.
  • Ctrl+Shift+V can now be used for pasting entries while the group tree has the input focus and vice versa.
  • Added 'More' button in the icon picker dialog, which shows a menu that provides two commands: 'Rename' and 'Export'; the menu is also shown as context menu of the custom icons list.
  • When importing an icon, the file name without extension is now used as icon name.
  • Added option 'Remember password hiding setting' in the main window column configuration dialog (turned off by default).
  • Added support for long paths when running on .NET 4.6.2 or higher.
  • Some error messages now contain the type and the HResult of the exception that occurred.
  • Some error messages are now more detailed when running KeePass with the '-debug' command line option.
  • Bitwarden JSON import: two-digit years are now converted to four-digit years.
  • Added UIFlags bit for automatically adjusting weak key transformation settings to the current default values (without a confirmation dialog).
  • Added DPI detection on Unix-like systems.
  • For applications using KeePass as a library: added a new common initialization method ('CommonInitialize') that allows a custom error handling/reporting.

Improvements:
  • Databases are now always saved in the KDBX 4/4.1 file format; if you need a KDBX 3.1 file (e.g. for compatibility with an old app), perform an export: main menu 'File' → 'Export' → format 'KeePass KDBX (2.34, Old Format)'.
  • Auto-Type: improved compatibility with Remote Desktop Client (WSL).
  • In an auto-type error dialog, the sequence is now only displayed if KeePass has been started with the '-debug' command line option.
  • Increased maximum length of the main window title.
  • Improved handling of shortcut keys in the main window.
  • Improved entry data exchange menu update performance.
  • After moving a group, KeePass now ensures that the group is visible.
  • Improved database save confirmation dialog text.
  • When showing the master key creation/change dialog on the secure desktop, trying to perform an operation that is not supported on the secure desktop now results in a simple error message, i.e. it is not possible anymore to choose to cancel the dialog and perform the operation on the normal desktop; this avoids certain accidental data loss scenarios.
  • Various improvements in the simple file browser dialog (for the secure desktop).
  • While a hot key control of the options dialog is focused, dialog-specific keyboard shortcuts are now disabled.
  • Changed the 'MAC Address' password generator profile such that it always generates a unicast, locally administered MAC address in the SLAP administratively assigned quadrant.
  • In the icon picker dialog: moved the 'Export' command into the 'More'/context menu of the custom icons list.
  • When running on .NET 4.7 or higher, KeePass now supports all TLS/SSL protocol versions that are supported/enabled by the framework/system.
  • Improved error messages for exception chains.
  • Improved serialization, deserialization and conversion of nullable booleans.
  • Improved deserialization of variant dictionaries.
  • Improved application context initialization.
  • Improved termination of the program in case of a fatal exception.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:
  • (None).
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
I just recently switched from Dashlane to KeePassXC, and am wondering how closely XC tracks updates made to KeePass. TIA
I have also been using KeePassXC for almost two years. If we compare the release dates for 2023 and 2024, KeePassXC is updated regularly like KeePass,
but the changes list... seems to be different in most parts:
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264

KeePass 2.57.1 released

Changes from 2.57 to 2.57.1:

  • Added options 'Show confirmation dialog when running/opening a cmd:// URI', 'Show confirmation dialog when evaluating/replacing a {CMD:...} placeholder' and 'Show confirmation dialog when evaluating/replacing a {REF: p@...} placeholder (action)' (in 'Tools' → 'Options' → tab 'Interface (1)', turned on by default).
  • Added option 'Follow redirects' on the 'Advanced' tab page of the 'Open From URL' dialog.
  • When an exception occurs while creating/compiling a PLGX file, streams/readers/writers are now closed immediately.
  • When an exception occurs while a plugin performs a certain web request, streams/readers are now closed immediately.
  • Refactored code related to streams, import modules, menu/toolbar renderers and registry accesses.
  • Removed Spamex.com import module.
  • Minor other improvements.
Many thanks to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and mgm security partners for sponsoring and performing a code analysis of KeePass 2.x (the BSI will publish information about it soon here: project CAOS 3.0, German).

No security vulnerabilities classified as medium, high or critical were found. However, two minor potential security vulnerabilities and some improvable code parts were identified. As a result, various improvements have been implemented; see above (version 2.57.1). For details about the code analysis and the improvements, see the release notes.

 

Brownie2019

Level 16
Verified
Mar 9, 2019
775
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can store all your passwords in one database, which is locked with a master key. So you only have to remember one single master key to unlock the whole database.

 

Bot

AI-powered Bot
Apr 21, 2016
4,533
That's correct! KeePass is an excellent tool for managing passwords securely. Remembering only one master key for all your passwords is indeed a great convenience. Thanks for sharing the link.
 
