KeePassXC Audit Report

174 points, by serhack_, about 2 years ago

9 comments

_dain_, about 2 years ago
This part in the PDF gave me pause:

> As KeePassXC is a relatively complex program and the review effort was limited, I did not review all of the code base. Some helper features stay not reviewed, for example: TOTP, SSH agent, browser plug-in communication, auto-type, KeeShare password sharing mechanism, freedesktop integration, HIBP support, database statistics feature. Maybe these features could be a subject to a next review version.

Those integrations seem like scary weak-points, especially to the browser.. and I'm a little confused because later on he says he did review the browser extension code:

> KeePassXC supports integration with browser extensions. The communication between the password manager application and the browser extensions is implemented using secure and modern libsodium-style encryption. I personally trust this cryptography choice and salut the use of encryption to communicate with browser extensions.

sdfghswe, about 2 years ago
I have found that I develop emotional loyalty to good software. Most software is shit, but KeePassXC has been really good.
woodruffw, about 2 years ago
> KeePassXC is written well and exercises defensive coding sufficiently.

This might be a transcription or language problem, but: auditors really shouldn't make normative claims like "software X is written well," much less actually endorse the software they're paid to review (as the audit's summary appears to at the end of the post). It's a massive conflict of interest, and undermines the actual purpose of an audit: to accurately report any weaknesses found (if any!), rather than offer an opinion on the product's value or future exploitability (including against unknown adversaries).

(This is not a dig at KeePassXC or this auditor in particular; lots of auditing shops are guilty of this.)

kej, about 2 years ago
I feel like "Who is Zaur Molotnikov?" is an important question that is not addressed on the page. His CV is here: https://molotnikov.de/cv

djha-skin, about 2 years ago
It is worth noting that most users use KeePassXC with the mobile applications Keepass2Android or KeePassium on Apple. A complete picture of the security of the system must therefore necessarily include an audit of these tools as well.

Seattle3503, about 2 years ago
I'm glad I read this. My database was on KDBX 3, when KDBX 4 is the latest and most secure version of the DB. I upgraded my DB right away.

If version 4 is more safe, KeePassXC should insert a nudge for their users to upgrade.

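A check of the kind this comment asks for, added here as an illustration and not taken from KeePassXC's own code: it reads the 12-byte KDBX file header (two signatures, then the format version as little-endian minor and major uint16 values) and flags databases still on KDBX 3.x. The sample headers are constructed; the `audit_databases` report format is an assumption of this example.

```python
import struct

# Documented KeePass header constants: two 32-bit signatures followed by
# the format version as two little-endian uint16 values (minor, then major).
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67             # KDBX, KeePass 2.x release format
KDBX_SIG2_PRERELEASE = 0xB54BFB66  # KeePass 2.x pre-release databases
KDB_SIG2 = 0xB54BFB65              # legacy KeePass 1.x .kdb format
HEADER_LEN = 12

def kdbx_version(header: bytes) -> tuple[int, int]:
    """Return (major, minor) of a KDBX file from its first 12 bytes."""
    if len(header) < HEADER_LEN:
        raise ValueError("too short to hold a KeePass header")
    sig1, sig2, minor, major = struct.unpack("<IIHH", header[:HEADER_LEN])
    if sig1 != KDBX_SIG1:
        raise ValueError("not a KeePass database")
    if sig2 == KDB_SIG2:
        raise ValueError("legacy KDB 1.x database, not KDBX")
    if sig2 not in (KDBX_SIG2, KDBX_SIG2_PRERELEASE):
        raise ValueError(f"unknown second signature 0x{sig2:08X}")
    return major, minor

def needs_upgrade(header: bytes) -> bool:
    """True when the database predates KDBX 4, the version the commenter moved to."""
    return kdbx_version(header)[0] < 4

def audit_databases(files: dict[str, bytes]) -> list[str]:
    """One report line per database; files maps a name to its leading bytes."""
    report = []
    for name, data in files.items():
        try:
            major, minor = kdbx_version(data)
        except ValueError as exc:
            report.append(f"{name}: skipped ({exc})")
            continue
        verdict = "upgrade to KDBX 4 recommended" if major < 4 else "ok"
        report.append(f"{name}: KDBX {major}.{minor}, {verdict}")
    return report

# Constructed sample headers; a real file continues with header fields.
SAMPLE_KDBX31 = bytes.fromhex("03d9a29a67fb4bb501000300")  # version 3.1
SAMPLE_KDBX41 = bytes.fromhex("03d9a29a67fb4bb501000400")  # version 4.1
SAMPLE_KDB1 = bytes.fromhex("03d9a29a65fb4bb500000300")    # legacy .kdb

if __name__ == "__main__":
    for line in audit_databases({"old.kdbx": SAMPLE_KDBX31,
                                 "new.kdbx": SAMPLE_KDBX41,
                                 "ancient.kdb": SAMPLE_KDB1}):
        print(line)
```

To run it against real files, pass `open(path, "rb").read(12)` for each database; only the leading 12 bytes are inspected.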
qutorial, about 2 years ago
Hi all. Zaur here, the author of the audit report.

Thanks a lot for the feedback here. I've decided to clarify some points and also introduce changes to the most recent audit PDF. https://molotnikov.de/keepassxc-review

- The links in the most recent review version are now highlighted with blue.

- I did not yet have too deep a look in KeePassium, KeepassDX, or browser extensions, although I know these exist. On my radar, need to find time and dive deep!

- The features not reviewed by me are just not reviewed yet. I wouldn't call them scary. The use of them is optional btw. Again, need to find time and look deeper. It is also a tip for other researchers where to look next.

- My review contains certain subjective statements like on quality of code, and on recommending the use of KeePassXC. Well, my goal was to inspect an offline, without servers, subjectively likeable and recommendable from the UI/UX perspective tool, because the main problem with the password managers is that they are still not used enough in the wild. I have found a subjectively good desktop UI, checked the code quality (structure, availability of tests, clean use of C++ and Qt), could see sound modern crypto, and.. proceeded to solving a bigger problem - recommending the use of it. Making the judgment for the potential review readers, to whom the deep details are too much to interpret, and who need a simplified answer, what to incline toward, if to rather use it or not... I noted though for the next reviews to avoid too general judgements.

- Personal questions on who Zaur is, and why my opinion matters.. :) Well, the CV is pointed to, I know applied security and applied crypto, I have 6 years professional experience with C++. I code and review projects for security daily. No complex and working software is ideal and perfectly secure. Plenty of software online is low-bar in security. I had capacity to check the basics and a little beyond them for KeePassXC, and put my subjective judgment here on the right side of the weights.

- Loved the discussion on mobile phone and multi-device sync. Syncthing and other suggestions. On an iPhone nothing really works very well, as files are compartmentalized per app... For those of us who only need a few passwords on mobile, it is recommendable to create a separate small database with only those passwords, and use it readonly on the mobile.

mdaniel, about 2 years ago
Based on the dates in the audit, I would have expected references to existing issues, e.g.

> The memory deallocation could be improved to not to contain secrets after the database is locked though. See https://github.com/keepassxreboot/keepassxc/issues/7335 for progress on this issue

Then again, the PDF mysteriously doesn't indicate which words are hyperlinked and so maybe I just didn't wave my cursor over enough words to find those references

Also, because the outer blogpost didn't mention it (although it is in the actual PDF) the auditor is https://molotnikov.de/cv and it says they work for AWS as a Senior Security Architect. I didn't see anything especially C++ focused, but I guess any independent audit is better than none

mywacaday, about 2 years ago
How do people manage passwords themselves across laptop/tablet/mobile? I have been meaning to leave LastPass but it always seems like too much hassle.