5

I've been fiddling with a locally encrypted disk image for years and I think it's finally time to use a password manager. Keepass is what I want to go with but I'm not a fan of the UI of the official project.

I noticed there's a good number of clients supporting keepass's database format, but how can I assess if one is safe to use? If I disable network access to the client could I be reasonably sure it won't phone home with my secrets?

codehearts
  • Txt file in encrypted disk image - done is your non-spying PW manager ^^ – deviantfan Jun 30 '18 at 04:43
  • ...but as this is of course not as convenient as the UIs are: There is no good easy way. Reading every line of the source before compiling it yourself, and keeping track of any changes, is probably too much work. Other than that, there is nothing other than "trusting these people I never met, for no reason other than not being known criminals". – deviantfan Jun 30 '18 at 04:46
  • @deviantfan That wouldn't be safe from shoulder-watching, since plain-text passwords will be shown on screen when opening the file. Plus, you'll need to either recopy the pwd by hand, or copy/paste it to the pwd field and not forget to clean the clipboard afterward (but I suppose that comment was not to be taken seriously). – Xenos Jul 20 '18 at 15:07

2 Answers

5

How do you know how to trust any given KeePass implementation? The same ways you know how to trust any software. For me, these are factors I consider:

  • Open Source
    • All of the major ports are open.
    • Probably avoid random Windows Store apps without source available.
  • Audited by a 3rd party
    • AFAIK, only the official version has this. I could be wrong.
  • Active, transparent, development
    • The official version has active development, but it's pretty opaque.
    • KeePassX, if I understand correctly, is no longer very active.
    • Several of the Android and iOS apps seem abandoned.
    • KeePassXC and KeeWeb are both active and transparent.
  • Active community
    • I think all the big ones on a computer have this.
    • Smartphone apps: hard to say.
  • Location: depending on where you are located, knowing whether the software is mostly developed in Germany vs. Russia vs. the United States of America may make a difference in your trust.
    • KeePass itself is developed in Germany.
    • I don't know about any of the others. I know I've looked up the Android apps I've used and the browser extensions but don't remember them.
  • Developer: is it only one person (who could be compromised), a community (who can police other members as needed), or a company (who can be held liable by others)?
    • Honestly I think KeePassXC does better in this area.
    • Official KeePass has only a single maintainer, and I think KeeWeb as well.
    • I think all the smartphone apps have only a single maintainer.
  • Popularity: how likely is it that a compromise would be noticed by someone and reported on by tech news?
    • KeePass itself would definitely be noticed and reported.
    • KeePassXC, by virtue of being a community project, stands a decent chance in my opinion as well.
    • I'm unsure about KeeWeb. As far as I know it sees much less use.
    • For smartphone apps, those mentioned specifically in the KeePass forums on a regular basis are very popular, but probably less likely to be noticed in the tech news sites.
Ben
  • I thought this may help with the importance of geographical location. "Lavabit is an open-source encrypted webmail service, founded in 2004. The service suspended its operations on August 8, 2013 after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email." (https://en.wikipedia.org/wiki/Lavabit) – safesploit Jul 20 '18 at 14:55
  • Note, with most PC-based KeePass all crypto is performed locally only. So you'd need to install an update (adding a "feature" to phone home with key information or decrypted data) to be compromised. That's still a concern, especially if the "popularity" and "active transparent development" areas are lacking, but less of a concern than a system where a simple server compromise would ruin your security. KeeWeb (either the web interface or a desktop client with auto-update enabled) and the smartphone apps are more of a concern in this regard. But yeah, that's exactly the sort of thing I meant. – Ben Jul 20 '18 at 15:03
1

not a fan of the UI of the official project

I can sympathise here. GnuPG is an example for me, where third-party graphical user interfaces are used. But you are uncertain if they are secure.

For this scenario, you can use open source software. However, the unfortunate truth is you must review the code yourself and then use that code. Most developers will provide the source code on their website or via GitHub which you can compile yourself.

If I disable network access to the client could I be reasonably sure it won't phone home with my secrets?

Presuming the program's client does try to "phone home", it will have no Internet access. Hence, if you keep network access disabled permanently, you can be assured it will not be able to report your information back "home".

What you described above sounded like blocking that program from accessing your network; that's one viable alternative. Another could be using a virtual machine (less secure) or a physical machine (most secure) to set up an air gap.

safesploit