
Security of Application

2011-07-13
2012-11-26
  • Robert Susmilch

    Robert Susmilch - 2011-07-13

    Hello all, I have loved the original KeePass and was initially excited about Web KeePass until I started thinking, and I have some concerns.

    My understanding as to how this works with sharing of passwords and such is troubling, if I'm correct. In the original KeePass the whole database is encrypted using your master database password; no one can get in without either compromising your password somehow or compromising the software on their servers to get you to install a Trojan-horse type of attack.

    With Web KeePass I initially thought it was the same model, that the end user's browser hashed their password to unlock their own personal database. However, I then noticed that you allow sharing of passwords with other people via groups and such. How does this work? It would seem to me that you either create a new "database" for the group, update that with the shared passwords and then encrypt it separately… or it is all one big, singly encrypted database that the program always has access to, where a user's login simply authenticates them to receive the already decrypted data. Perhaps the shared passwords use something akin to LUKS, with multiple keys unlocking the master password?

    I'd love to use this as an alternative to LastPass, but from what I understand of their model everything is done client side: they simply store the encrypted database, which is sent to your browser, decrypted with your password, and away you go. They could be subject to the same attacks as KeePass, with someone either inserting bad code in their repositories or mounting a man-in-the-middle attack. I, however, am concerned about Web KeePass just leaving the whole database decrypted with one key and then simply authenticating others based on their logon credentials.

    Then again, if someone hacks my server, they could rewrite the code to do whatever they want anyway. I appreciate anyone taking the time to respond to my concerns.

     
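Added example (editor's illustration, not Web KeePass code, and not a statement of how Web KeePass actually implements group sharing): the "LUKS-like" alternative sketched in the post above. One random group key encrypts the shared entries; that key is then wrapped once per member under a key derived from the member's own password, so the server stores ciphertext only and a member's login unwraps the group key on the client. The type and function names (Vault, Slot, NewVault, AddMember, Unlock, Read), the PBKDF2 iteration count and the sample entry are assumptions for the demo; AES-256-GCM does the wrapping and PBKDF2-HMAC-SHA256 is written inline so only the Go standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const kdfIters = 10000 // PBKDF2 iterations: an assumed demo value, raise it in practice

// Slot is the group key wrapped for one member, like a LUKS key slot.
type Slot struct {
	Salt       []byte // per-member salt for the password KDF
	WrappedKey []byte // nonce || AES-GCM ciphertext of the 32-byte group key
}

// Vault is everything the server stores: ciphertext only, no key material.
type Vault struct {
	Slots   map[string]Slot // member name -> wrapped group key
	Entries []byte          // nonce || AES-GCM ciphertext of the shared entries
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), inlined to stay standard-library only.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	prf := func(data []byte) []byte { mac.Reset(); mac.Write(data); return mac.Sum(nil) }
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(salt || INT(block)); the full slice expression keeps append off salt's backing array
		u := prf(binary.BigEndian.AppendUint32(salt[:len(salt):len(salt)], block))
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ { // T = U1 xor U2 xor ... xor Uc, with U(i+1) = PRF(Ui)
			u = prf(u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// must panics on an error: it guards invariants only (fixed key sizes, a working CSPRNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b } // n bytes from the OS CSPRNG

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // 32-byte key: AES-256

// seal encrypts and prefixes the random nonce; open reverses it and fails on a
// wrong key or any tampering, which is what turns a wrong password into an error.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) {
	g := gcm(key)
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// NewVault encrypts the entries under a fresh random group key. The vault is
// what goes to the server; the key stays on the client and is only ever stored wrapped.
func NewVault(entries []byte) (*Vault, []byte) {
	groupKey := random(32)
	return &Vault{Slots: map[string]Slot{}, Entries: seal(groupKey, entries)}, groupKey
}

// AddMember wraps the group key under the member's password-derived key. The
// caller must already hold the group key, i.e. be a member who has unlocked it.
func (v *Vault) AddMember(user, password string, groupKey []byte) {
	salt := random(16)
	kek := pbkdf2SHA256([]byte(password), salt, kdfIters, 32)
	v.Slots[user] = Slot{Salt: salt, WrappedKey: seal(kek, groupKey)}
}

// Unlock re-derives the member's key from their password and unwraps the group key.
func (v *Vault) Unlock(user, password string) ([]byte, error) {
	slot, ok := v.Slots[user]
	if !ok {
		return nil, fmt.Errorf("no such member %q", user)
	}
	return open(pbkdf2SHA256([]byte(password), slot.Salt, kdfIters, 32), slot.WrappedKey)
}

// Read decrypts the shared entries with an unwrapped group key.
func (v *Vault) Read(groupKey []byte) ([]byte, error) { return open(groupKey, v.Entries) }
```

Typical flow: NewVault on the creator's client, AddMember for the creator and then for each person the group key is shared with, and later Unlock followed by Read on a member's client. Two things the demo makes visible that the question above hinges on: the Vault the server holds contains no key, so a copy of the server's database yields ciphertext only; and a member's password never leaves the client, because both the KDF and the unwrap run there. Two caveats a real deployment has to handle: AddMember as written needs the new member's password on the client that holds the group key, which is why web password managers usually wrap the group key to each member's public key instead (the private key being itself encrypted under that member's password); and removing a member has to rotate the group key and re-wrap it for everyone who remains, since a former member keeps any key they once unwrapped. None of this addresses the risk the post ends with: a compromised server can still serve a modified client to the browser.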
  • Paul Jones

    Paul Jones - 2011-12-23

    Read the docs and the forums... All encryption is done by our Java client - CLIENT SIDE. This is layered on top of HTTPS as well… Master passwords cannot be shared…

     
