I find the functionality extension that KeeOtp2 gives worth using a plugin, but has anyone audited the plugin (from a malicious standpoint)? I want to use it, but I don't want to trust anything when it comes to a password manager where a single malicious program can ruin a user's life.
If KeeOtp2 is trusted, would it expose anything in memory which could compromise secrets? My understanding is that KeePass 2 is hardened against things being exposed in memory. This is less of a concern as long as it only exposes TOTP secrets and not anything more.
As it needs to read the OTP key, it probably exposes it in memory for a short time while it generates the TOTPs. If you want details, you could contact the author on GitHub.
cheers, Paul
We do not have the resources to audit plug-ins.
I had not hoped you as a developer had audited it, but maybe someone in the community had looked through it.
Thanks.