KeePass 2 MitM vulnerability won't be fixed

>8.2.2016 @ 15:45: Received response from Dominik Reichl: The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.

bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

What password manager should we switch to now?

>An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.
wowitsfuckingnothing.jpg

That's why you use KeePassX.
Hi NSA.

KeePassers on suicide watch!

Or just use KeePassX.

Is KeePass1 safe from this MitM attack?

Just turn off automatic updates.
Pay some fucking attention, will you? This attack is about pretending to be an automatic update.

It's pretty disgraceful to not fix this though.

Are there any advantages of keepassx compared to keepass?

It's not even really an attack. Who updates keepass outside their repo... Oh, Wintards don't have repos. Nvm.

Firstly, it's FOSS. That should be reason enough if you aren't retarded.

Both keepass and keepassx are under GPL. Is there any advantage of using kpx over regular kp?

I'm kind of tempted to write my own password manager. Keep things very very simple: an SQLite schema with encrypted passwords, use AES, write multiple UIs (CLI, Cocoa, web-based?), follow best security practices.

Could this be a Sup Forums project? It's both feasible (if we could keep back feature creep) and actually useful.

Password managers not even once

I tested both and didn't notice any difference.

>vulnerability present
>it doesn't affect me!
Lmao Freetards

Use KeePassX dude.
It's a solid program.

Time to fork

It works, but it's fucking dog ugly and unintuitive on OS X. It also seems to use a proprietary database format, so a) I can't access it if needed using standard tools and b) I can't trust it not to get corrupted.

>ads impede security
Gee, what else is new.

keepassx is a keepass ripoff

p a s s

>seems to use a proprietary database format
IT'S FUCKING ENCRYPTED, IDIOT

Calm your rage, user.

It is not necessary to use a proprietary format in order to store encrypted data. Instead, you simply use a standard SQL-compatible DB.

Store values, not in plain text, but as BLOBs containing AES-encrypted data. Or, if you prefer, store foreign keys to an "EncryptedValues" table. Each row of that would contain both the BLOB with the data, and metadata about the encryption scheme (to allow for flexibility).

This has the distinct advantage that anyone, without access to the program, could extract their data from the file in a pinch, provided they have a little SQL knowledge and, of course, the password/keyfile. With a custom scheme, this is completely impossible.

Automatic updates is the first thing I disable on any software.

this, so much this

I just created a Python script to auto-find the latest release of my Windows software and update it in silent mode. Maybe I should add something like a checksum or scanning with online AVs?

Well it's GPLv3 so it's literally not proprietary

As long as it uses solely 100% HTTPS and doesn't skip checking certificate validity, you're fine.

So you care about a Freetard program though?

That doesn't help you get data out of it, though.

>SHIT SHIT SHIT SHIT SHIT

SHIT ON SUICIDE WATCH!

this is so retarded
must be some american tv show

There is already a command-line one, but I haven't tried it yet: passwordstore.org/

>letting your users get infected so you don't lose ad revenue
idk mang I think you're going to lose more ad revenue if all your users leave but okay

Browser autocomplete!

Brain dead morons who use these "password managers" don't belong on Sup Forums.

Fuck off and/or kys.

Fuck off NSA.

>password manager

>memeing this hard
Fuck off NSA.

>memeing

How is that NSA?
What are they going to do, brute force your neurons?

Why do you need a fucking password manager? Just store it in an encrypted text file.

autocompletion, syncing, password generation, other blah blah blah

>It also seems to use a proprietary database format

It's literally using the same format KeePass2 uses, with the ability to import from KeePass1

KeePass2 doesn't even have an auto-update, it's one of its most annoying issues. All it does is bug you to go to the KeePass website and download the new version.

>like lost advertisement revenue

'free' software goyim

Sup Forums now has to go back to LastPass

The entire database is encrypted end to end, whereas your SQLite database idea only encrypts the contents. Meaning the schema is still game for intrusion.

Furthermore there are plenty of implementations of kbdx readers and writers. You could build recovery tools on top of that.

Just because you could readily query your SQLite solution does not mean it is any more recoverable than a standard kbdx database. All it does is provide unnecessary access to hopefully properly encrypted contents. The only "recovery" scenario I could see that applies is you lost the encryption keys and need to run the database against a dictionary of keys. You can do the same to a kbdx database.

>kbdx

I mean kdbx, ofc.

Told you kids bout them password managers.

Upgrade your brain and learn your passwords

This is basically like posting a link on facebook with a keylogger disguised as something else and calling it a vulnerability.

>2002 + 14
>Using a password manager
Holy shit Sup Forums has become a fucking reddit-tier shitplace.

I don't use automatic updates and I've blocked KeePass on my firewall.

>tfw automatic updates disabled since you started using keepass2
I knew this would happen

>mfw I'm not retarded enough to click on malicious download pages

So what's the best way to encrypt text files if password managers are shit? (I'm using Windows btw)

GPG

There's a cool password manager called Masterpassword that does not save your passwords so you can use it on any device.

Just the username and master password need to be the same, because together they generate a master key. Then the master key is used to generate passwords for multiple user accounts. Its passwords aren't saved.
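A stdlib-only sketch of the derive-don't-store scheme the post above describes (added example, not the Master Password app's own algorithm; the scrypt parameters, the 64-character alphabet and the HMAC message layout are assumptions):

```python
import hashlib
import hmac

# 64 characters so that one 6-bit value maps to one character with no modulo bias.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789" "!@")
assert len(ALPHABET) == 64


def master_key(username: str, master_password: str) -> bytes:
    """Derive the master key from username + master password only.

    scrypt is assumed here as the slow, memory-hard KDF so that an attacker who
    captures one derived site password cannot cheaply brute-force the master
    password. The username is the salt, which is why both inputs must be
    identical on every device for the same site passwords to come out."""
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=username.encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=32,
                          maxmem=64 * 1024 * 1024)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Generate the password for one account from the master key.

    Nothing is stored: the same key, site and counter always yield the same
    password, and bumping the counter "rotates" it without any database."""
    if not 8 <= length <= 64:
        raise ValueError("length out of range")
    out = []
    block = 0
    while len(out) < length:
        # HMAC over site, counter and block index: each site gets its own
        # independent keystream, so one leaked site password reveals no other.
        msg = f"{site}\x00{counter}\x00{block}".encode("utf-8")
        stream = hmac.new(key, msg, hashlib.sha256).digest()
        out.extend(ALPHABET[b & 0x3F] for b in stream)
        block += 1
    return "".join(out[:length])


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    key = master_key("alice", "correct horse battery staple")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))  # rotated password
```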

They are not all shit, only LastPass and Keepass2.

Use KeePassX and don't let the NSA niggers tell you what to do.

>inb4 use common sense 2016
Also this, but also a password manager.

How the fuck am I supposed to use password managers on anything but my desktop computer? It's not like I can open the encrypted file on my cellphone.

>being this ignorant

Except you can, idiot.

damn

I don't see the point of password managers. Just write your damn passwords down. Notepad++ works well and I have never had problems.

And this is why I use keepassx instead of that .NET garbage.