KeePassXC security audit published, recommends this security setting

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
KeePassXC is a popular password manager for Windows, Mac and Linux that uses the KDBX file format from the password manager KeePass.

The developers of KeePassXC have published the results of a security audit on their website yesterday. The audit was conducted by Zaur Molotnikov, who is a Munich-based software engineer. Molotnikov's CV is listed on his website.

The audit was conducted free of charge, and while there is some rumbling about potential conflicts of interests on Hacker News, it is irrelevant for the purpose of the article that you are reading now.

Interested users may check out the full audit report here. The author makes several suggestions to the KeePassXC development team and also to users of the application. A core suggestion is to make sure that the latest database format is being used.
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
More information about the KeePass KDBX4 file format can be found here:
I’ve been playing around with KeePass databases. One aspect was rather surprising: given how many open source products use this format, it is remarkably underdocumented. At best, you can find outdated and incomplete descriptions by random people. The KeePass developers themselves never bothered providing complete documentation. All you get is a semi-intelligible list of changes from KDBX 3.1 to KDBX 4 and from KDBX 4 to KDBX 4.1. With the starting point not being documented, these are only moderately useful.

And so it’s not surprising that the implementations I looked at aren’t actually implementing the same file format. They all probably manage to handle common files in the same way, but each of them has subtle differences when handling underdocumented format features.

I’ll try to explain the format and the subtle details here. For that, I looked at the source code of KeePass, KeePassXC, keepass-rs Rust library and the kxdbweb JavaScript library. Let’s hope this documentation helps whoever else needs to work with that file format, and studying source code will no longer be required.

I can only document the latest version of the format (KDBX 4.1), though I’ll try to highlight changes wherever I’m aware of them.
 
  • Like
Reactions: Nevi and harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top