KeePassXC 2.2.0 released with YubiKey and TOTP support (opens in new tab)

A few things to be wary of:

* KeePassHTTP doesn't use authenticated encryption for its protocol and thus is insecure (decrypt password level insecure). Please make sure you don't have this issue.

* Browser integration means there is only some JS code between my unlocked password vault and random websites. Please study findings from Tavis Ormandy and others who found such vulnerabilities in LastPass et al

The official and latest version is always available here: https://github.com/varjolintu/keepassxc-browser

Firefox Nightly (version 56) is also supported. The extension will work officially when Mozilla releases build 57.

Have you considered dual browser extensions as in this paper:

https://arxiv.org/abs/1706.05085

>The prototype Horcrux client, implemented as a Firefox add-on, is split into two components, with code that has access to the user's master's password and any key material isolated into a small auditable component, separate from the complexity of managing the user interface.

Can I talk to you about an idea I have regarding automating authentication extensions? There's no email in your profile, I'm afraid.

Any chance of creating an Opera version as well? I just force installed the chrome version on Opera, but it doesn't seem to work.

awesome will definitely signup to be a beta test when you get it where you want that.

actively using lastpass now and would like to move to an open source solution I feel like I can trust

That would be me.

I wrote the patch against the original KeePassX which seems to be no longer maintained (?). One of the KeePassXC guys asked me to rebase it over so I did. Then we (they) spent a week or two debating on how to support libargon2 and the newer libgcrypt required for ChaCha20, coming to no resolution, and I just lost any motivation to push for them to merge my patch.

They also disagreed with the way I implemented KDBX 4 (by adding conditionals to the KDBX reader/writer instead of just creating a whole new class — I did this because KeePass did it this way). I agree that it should be separated, but at that point I already gave up on getting them to accept my patch.

The PR is [here](https://github.com/keepassxreboot/keepassxc/pull/399), you can read it, I know I sound rather impatient here. The other PR on updating their Docker to get newer libraries (libargon2 and libgcrypt) is [here](https://github.com/keepassxreboot/keepassxc/pull/419).

I honestly thought someone else would take it up after I gave up to get it in by 2.2 (it's not even a very big patch), but.. I guess not.

Someone with more experience/patience/persistence, please, you can take the patch and rebase it and clean it up to what they want. You'll also need to wait for them to figure out how they want to use the libraries required with their packaging system.

There doesn't seem to be active development on KeePass/KeePassX, hence the KeePassXC fork.

The C in the fork title apparently stands for 'community'. It has a lot of support behind it.

KeePass is the original, and also not very cross-platform. KeePassX has gone through several iterations and now represents a fairly stable and low-feature release of KeePass with cross-platform support. KeePassXC is where all the new and exciting features are being integrated into KeePassX while fixing latent bugs and cross-platform issues. Hope that makes sense.

Previous discussion of this: https://news.ycombinator.com/item?id=13468486

Keepass is actively developed but uses .Net so Linux requires mono. So KeepassX was created to use C++ so Mono is not required but the project is inactive.

So KeepassXC was created as a fork of KeepassX for the linux users who don't want an ugly MOno version of Keepass.

Wow thank you for the kind words! Appreciate the support.

I find it almost better than the original KeePass 2.x program.

I say almost because I'm used to the original interface, but I'm sure after getting used to it, it will supersede it on my systems.

I use Command-L to lock, for what it's worth.

corrected thank you! I also added links to the 32-bit variants.

For anyone wondering - the TOTP 2FA is not on the password wallet itself, but that the wallet is able to store the TOTP key, authenticating TOTP involves knowing the key, by which point there's really no value in using it to authenticate the wallet, it'd be a UI-only protection.

However I think storing TOTP keys in your wallet is a bad idea for security - now if someone hacks your machine they get both your password and your TOTP key at the same time. The main advantage of TOTP is that it puts your second form of auth on a separate device, preventing a single point of compromise.

not much malware will exploit this as not many people will use it, but a targeted attack might greatly benefit from something like this.

Have you tried the snap install ?

Keep 1 key on your keychain, one in a fire vault in the house, and one in the safety-deposit box at the local branch bank office. Most U2F-enabled sites let you register multiple keys. Add new sites with keychain during the day, in the evening add the fire-vault key at home. Once a quarter add the third key from the safety-deposit box.

I am playing with YubiKey storing certificates, then using the certificates like any other GPG setup, so I can have redundancy and revocation. But I have yet to make it dead simple enough to use for real-world application.

Or maybe I am just procrastinating.

Decent mobile support is the only thing holding me back from switching. The current 3rd party options are underwhelming.

If you feel like keeping your kdbx file in Dropbox you may use ikeepass[1] on iOS to load and modify it. For Android there is keepassdroid [2]

[1] https://itunes.apple.com/us/app/ikeepass/id299697688?mt=8 [2] http://www.keepassdroid.com/

I use MiniKeePass on iOS and have been very happy with it.

For standard keepass I use keepass2android and nextcloud for syncing. That said I don't believe it supports any of the fun new stuff from KeepassXC. It does work with NFC and HOTP though. I'd love to use TOTP instead.

1. Unlocking the database takes much longer than it should. Linux Keepass2 is much slower at unlocking than Windows Keepass2 on the same machine.

2. On Linux, after entering the password the windows disappears, giving no UI feedback during the lengthy unlocking process. When you type the password wrong, it takes even longer for some reason, and there's no tray icon when you type the password wrong, so you'd have to minimize all your windows to find the dialog box all the way in the back.

3. Lacking Unicode support in 2017 is simply unacceptable: https://i.imgur.com/X0T46bY.png

None of this is the fault of the Keepass developers, since all three problems are absent in the Windows build. As far as I can tell the problem lies with Mono.

I'll answer part of my own question- this does look like it's compatible with the Keepass protocol 2. So that shouldn't be the reason to stop.

Of course there could be other reasons.

Would you be so kind to file a feature request for that on GitHub? Thanks!

Just plug it in. ;-)

Reading it, it sounds like they use HMAC challenge response for the password to the vault. For that to work, you'd insert yubikey, enter a password, and the password is passed through the yubikey and hashed. The hash is then used as the password to open/lock the vault. That gives you a reasonably strong password for the vault. It does not prevent phishing. Therefore, anyone with the hash and access to the vault can still access all passwords without your knowledge. The TOTP thing sounds like a google authenticator sort of feature.

I'm sticking with zx2c4 pass. It is an assembly of gnupg, git, and pwgen. Trusted open source components. Works with a Yubikey (opensc and gpg-agent) to prevent private key theft via software. QTPass is a nice cross platform gui client. PassFF extension provides excellent browser integration. Android Password Store and OpenKeychain allow pass and yubikey to work on my mobile. Strong 2 factor password storage everywhere I need it.

My biggest problem these days is dealing with sites that don't allow 30+ char passwords with full range of special characters. Almost exclusively, banks.

I think Yubikey can be used to unlock the database

For 1) Download favicon option is there inside "icon" menu of a keepass entry. https://keepassxc.org/images/screenshots/macos/screen_003.pn...

I wish there was a way to download and associate favicon of all entries in one-click.

Okay, issue 254 has documentation on the CLI. Looks like you can't query password if that's what you're after

Indeed, wish there was more documentation on how to use the CLI

Can you open an issue on Github?

Would you be so kind to file a feature request on GitHub? Here it gets lost. Thanks!

Try MiniKeePass.

It works well but has some actions flow to sync your kdbx backups with updated data from the phone and vise versa.

https://itunes.apple.com/us/app/minikeepass-secure-password-...

Works OK for small teams. If a user forgets to close the database then other team members are only able to open it as read-only. My biggest gripe is that you don't know who is holding the write lock. We work around this by using a setting in our keepass client to close the db after a certain amount of time.

You can already select a char-set. Do you mean selecting only a few chars and use them to generate the password?

You should store your TOTP keys in a different KDBX file, locked with a different master password, and maybe even used on a different device/PC.

We all know that you shouldn't store your password along with TOTP secrets, or should I make a blog post explaining this?

Well instead general password without password manager assumes the fact someone remembers that password. (and perhaps reusing that password.) Using password manager (with different password for each service) plus TOTP would serve its purpose. You still have to enter the code, so it still require you to "have" that code somehow which makes it no different than provisioning multiple devices which many 2FA systems won't prevent, perhaps other than hardware TOTP devices.