
Too much of Keepass is unofficial

wms
2017-08-30
  • wms

    wms - 2017-08-30

    Too much of Keepass is unofficial. The EU audit was pointless when there are no official mobile clients and unofficial plugins support. More features should be integrated than developed independently so they can be audited and maintained internally. Besides, it alienates those that make essential features yet are officially outside of the actual scope of the project.

    I have no idea what are considered de facto extensions when more than one can do the same thing and some listed have not been touched for years. Firefox support? I suppose I have to investigate at least KeeForm, KeeFox, PassIFox, KeePassHelper, WebAutoType, and KeePassHttp to see what is the preferred and up-to-date solution. And even if you gave me a recommendation... ok... well my first question is why do the others exist then? There are entire articles on the web written every year with this person or that person recommending this one over that one for whatever reason. It's a weakness.

    Additionally, I doubt there is an update mechanism for plugins so, if there is a security patch for one, you are left with an increasing lack of security.

    Bring these extensions and unofficial ports under the umbrella so we know what we're dealing with.

    What's the point of the EU spending 1 million dollars auditing Keepass if they're only going to look at the kdbx file. Everything else is an attack vector that can render the actual database security useless.

     

    Last edit: wms 2017-08-30
  • wellread1

    wellread1 - 2017-08-30

    What's the point of the EU spending 1 million dollars

    You will have to ask the EU

     
  • Paul

    Paul - 2017-08-31

    Everything else is an attack vector that can render the actual database security useless.

    Nothing can prevent targeted malware stealing your data which is why you must be vigilant about security.
    No plug-ins are required to make KeePass work on a Windows PC, which is what it was designed for.

    If you have a spare million we could set up a company to make official versions of all the stuff you want, but we'll charge you for using KeePass. (pardon the sarcasm)

    cheers, Paul

     
  • fritzophrenic

    fritzophrenic - 2017-08-31

    Besides, it alienates those that make essential features yet are officially outside of the actual scope of the project.

    On the contrary, the open nature of KeePass plugin support encourages developers to attempt to "scratch an itch" for niche use-cases. I've got a few ideas running around in my head for plugins which I'd never try getting added to the official product...and probably not enough people would use them to warrant adding to the official code anyway so at best I'd need to maintain a fork.

    Plus, define "essential features". KeePass without plugins can pretty much meet any need I have. It's just a lot nicer to automate things like database backups, cloud sync, downloading favicons, etc. Those aren't "essential" features even if I wouldn't want to use KeePass without them now that I have them.

    I have no idea what are considered de facto extensions when more than one can do the same thing and some listed have not been touched for years. Firefox support? I suppose I have to investigate at least KeeForm, KeeFox, PassIFox, KeePassHelper, WebAutoType, and KeePassHttp to see what is the preferred and up-to-date solution.

    You could...but really it's just a user preference. And it's perfectly possible to use KeePass without any official plugin, only using auto-type or drag-and-drop. You just need to pay careful attention to window titles if you're using auto-type. The plugins just make it easier/more automated.

    And even if you gave me a recommendation... ok... well my first question is why do the others exist then?

    Because someone else thought they could do it better. That's open-source for you. It's a strength not a weakness.

    Additionally, I doubt there is an update mechanism for plugins so, if there is a security patch for one, you are left with an increasing lack of security.

    Wrong. The update check automatically checks for plugin updates as well. Most (all?) plugins I use integrate with the update check mechanism. All the author needs to do is keep a file on a server somewhere up-to-date with version information. Then just like KeePass itself the user will get notified on startup that a new version is available and the user must go download the new version to install.

    Bring these extensions and unofficial ports under the umbrella so we know what we're dealing with.

    Since KeePass is maintained completely by a single person, who may not even have expertise in all the areas that plugins are developed for, this would be unworkable and we would lose all sorts of features if every plugin had to be personally approved by Dominik in an "official" distribution. Nobody is forcing you to use plugins. If it worries you, don't install any and use it the way it was originally intended, with auto-type and drag-and-drop only, and manual or trigger-based backups.

    What's the point of the EU spending 1 million dollars auditing Keepass if they're only going to look at the kdbx file. Everything else is an attack vector that can render the actual database security useless.

    Well...now you know that if you limit yourself to the "official" version, then there are (probably) no network exploits to worry about, no backdoors in the code, no broken encryption that somebody could use as a shortcut to your data. It gives me a great deal of peace of mind, actually, knowing that somebody has vouched for the implementation of the encryption and non-maliciousness of the codebase. The common "many eyes" argument for open-source code is worthless if no qualified eyes actually look at it, I have some level of confidence now that it's valid for KeePass.

     
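As an added example (not code from this thread or from the KeePass project) of the plugin version-check mechanism fritzophrenic describes above: a small Python script that parses a version information file of the kind a plugin author would host and reports which installed plugins are behind. The file layout used here (a line containing only ':', one Name:Version line per component, then a closing ':' line, with anything outside the delimiters ignored) is assumed to match KeePass's version information file format; the plugin names and version numbers are constructed sample data, not real release numbers.

```python
"""
Parse a KeePass-style version information file and report which installed
plugins have a newer version available.

Added example, not part of the thread or the KeePass project.
ASSUMED format (believed to match KeePass's version-info text file):
    :
    Name:Version
    ...
    :
Lines before the opening ':' and after the closing ':' are ignored.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Constructed sample of a hosted version file (not a real one). It includes
# a malformed line, a non-numeric version and a line after the closing ':'
# to show that the parser skips them instead of failing.
SAMPLE_VERSION_FILE = """\
some banner text that is not part of the list
:
KeePass:2.36
KeePassHttp:1.8.4.2
WebAutoType:6.3
KeeForm:2.1.0
this line has no separator
Broken:not.a.version
:
Trailing:9.9
"""

# Constructed: what the local installation reports for itself and its plugins.
INSTALLED = {
    "KeePass": "2.36",
    "KeePassHttp": "1.8.3.0",
    "WebAutoType": "6.3",
}


def parse_version(text: str) -> Version:
    """'1.8.4.2' -> (1, 8, 4, 2); raises ValueError on non-numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def compare_versions(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; missing trailing components count as 0 (2.36 == 2.36.0)."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def parse_version_file(content: str) -> Dict[str, Version]:
    """Extract {component: version} from the delimited block; skip bad lines."""
    versions: Dict[str, Version] = {}
    inside = False
    for raw in content.splitlines():
        line = raw.strip()
        if line == ":":
            if inside:
                break            # closing delimiter: ignore the rest
            inside = True        # opening delimiter
            continue
        if not inside or not line:
            continue
        name, sep, ver = line.partition(":")
        if not sep or not name.strip():
            continue             # no 'Name:Version' shape, skip
        try:
            versions[name.strip()] = parse_version(ver)
        except ValueError:
            continue             # unparseable version, skip
    return versions


def find_updates(installed: Dict[str, str],
                 available: Dict[str, Version]) -> Dict[str, Tuple[str, str]]:
    """Map each installed component that is behind to (local, remote) strings."""
    updates: Dict[str, Tuple[str, str]] = {}
    for name, local_str in installed.items():
        remote = available.get(name)
        if remote is None:
            continue             # nothing published for this component
        if compare_versions(remote, parse_version(local_str)) > 0:
            updates[name] = (local_str, ".".join(map(str, remote)))
    return updates


if __name__ == "__main__":
    for comp, (have, latest) in find_updates(
            INSTALLED, parse_version_file(SAMPLE_VERSION_FILE)).items():
        print(f"{comp}: installed {have}, available {latest}")
```

The check only tells the user that a newer version exists; as the post says, fetching and installing the new plugin is still a manual step. The version file is therefore the one piece of remote input in the loop, so it should be fetched over HTTPS and the update itself taken only from the author's own download page, since a tampered version file could hide or spoof a notification.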
