Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.
The problem is that the password generation pattern profiles are stored in unencrypted KeePass.config.xml file.
This is very bad, because significantly reduces the cryptographic strength of the passwords, which is generated by patterns.
Please fix this issue, by encrypting whole config.xml file, or move user created password pattern settings to another special encrypted file.
Why does storing the setting unencrypted reduce the strength? At worst it allows a hacker to limit their searches to a specific pattern, but if the hacker knows your pattern he must have access to your machine. In this case he already has your passwords.
Patterns are usually only used when you're forced to follow some specific rules by a website/service. In such a case, the pattern is public (everyone sees the required pattern when trying to register for the website/service). By getting access to your configuration file, the existence of a pattern might allow an attacker to deduce that you're using some website/service, but this provides him no information at all about what your password actually is.
Having access to the machine where is stored KeePass does not mean to have access to all encrypted passwords.
All have a free access to my machine, but I'm keeping all the passwords encrypted in
The problem is that I have to use the user patterns, because I need guarantees that at least one character from the alphabet (for ex. digits) will be added to the password. The first method "Generate using sets" don't give these guarantees. I can select two alfabets - digits and letters and letter may be not included in the random password. So I'm forced to use patterns, because with pattern my password guaranteely will have at least one digit, uppercase letter, lowercase letter and special character.
Passwords containing digit, upper, lower and special are no more secure than properly generated passwords that may contain those characters. Random password are not guaranteed to contain a mix of characters.
Password security is measured by its Search Space Depth (Alphabet) and Search Space Length (Characters). Guaranteed containing of a one digit, upperletter, lowerletter and symbol guarantees, that password haves depth 26+26+10+32 = 94. This is very important moment for security.
It should also be securely kept password generation rules (patterns), also password length, used alphabets, etc. In general - no any kind of information about passwords.