You must not have read the conversation about the export trigger: I don't need your master password nor malware to have access to all your passwords in clear text.
Yes, my request has also been closed: https://sourceforge.net/p/keepass/feature-requests/2773/ But many people do not know (or talk about) the silent export feature and continue to post this question: "Can KeePass database be hacked using brute force? If someone (sys admin/colleague/hacker) obtained (...) KeePass database, can the database be hacked using brute force?" (www.reddit.com) or partial solutions. I mentioned it here: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/#49c2...
In this case, if I have a great antivirus, a great Windows configuration and a great encrypted disk, then I can protect a plain text file. So why do I need KeePass? You will also tell me that hashing passwords on a server is useless because the system is supposed to be secure, or that I don't have to enter a code on my credit card because I'm supposed to keep it protected in my wallet. Allowing silent export to plain text without asking for confirmation: I think KeePass can avoid that. Unless...
Addendum: in your post https://sourceforge.net/p/keepass/discussion/329220/thread/ba82af7955/#628f you forget to mention that a hacked configuration file can reveal all the content of the password database without the user knowing it.
First of all, as you can see, I am looking for ways to improve the security of KeePass and I thank you for answering my questions. 'Ignore' is not the right word, you avoid. I suggest that the consequences of changing the configuration file are significant and can be improved. These suggested solutions are based on the same weak configuration file: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#1914 https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#42af...
In a sensitive application, the password is requested before an impacting modification action. For example in Windows: when changing the password, or when entering the admin account before a system modification. "Open databases get some protection against generic attacks." I gave a counter-example for KeePass: open it and perhaps someone has exported its content. A chain is as strong as its weakest link. Why do you ignore my request to add a confirmation before exporting all passwords in clear text...
So why do most users need to use a tool like KeePass (encrypted password database) if using a timely patched, properly managed, and responsibly used Windows environment is enough? Having multiple layers of security is better. The KeePass application security layer seems too light and the risk is very important: KeePass allows someone to discover silently ALL the user's passwords. To bypass the KeePass security layer: no need for a virus or any special skills, the Windows Notepad application with the KeePass documentation...
Why do people trust KeePass and use it instead of a spreadsheet? Perhaps because it is supposed to provide additional security, simply by clicking on the 'install' button. And how many know that by default a simple text editor (not spyware) will configure KeePass to export, the next time they open it, all passwords in clear text without notification or confirmation? And above all, why don't you say on your homepage: "An attacker who has write access to the KeePass configuration file can modify...
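An added example, not code from this thread or from the KeePass project: the check a user who worries about the scenario described above (a configuration file edited to add an export trigger) can run before opening the database. It assumes the KeePass.config.xml layout Configuration/Application/TriggerSystem/Triggers/Trigger, with Name, Enabled and Actions/Action/TypeGuid/Parameters children, and a SHA-256 baseline of the config file stored when the user last reviewed it. The sample XML is constructed for the example and its GUID values are placeholders, not real KeePass type identifiers; because the real action type GUIDs are not given here, the script flags every enabled trigger for human review rather than trying to recognise only export actions.

```python
"""Audit a KeePass.config.xml for triggers and for unexpected changes.

Added example (not KeePass project code). Assumptions: the config layout
Configuration/Application/TriggerSystem/Triggers/Trigger with Name,
Enabled, Actions/Action/TypeGuid and Actions/Action/Parameters/Parameter
children, and a locally stored SHA-256 baseline of the reviewed file.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a config that has gained one enabled trigger.
# The GUID values are placeholders, not real KeePass type identifiers.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>Export on open</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>C:\Users\Public\out.csv</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed sample of a config with no triggers at all.
CLEAN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""


def sha256_hex(text: str) -> str:
    """Hash of the config file contents, compared against the stored baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def list_triggers(xml_text: str) -> list:
    """Return every trigger with its name, enabled flag and action list."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        actions = []
        for act in trig.iterfind("./Actions/Action"):
            actions.append({
                "type_guid": (act.findtext("TypeGuid") or "").strip(),
                "parameters": [p.text or "" for p in act.iterfind("./Parameters/Parameter")],
            })
        found.append({
            "name": trig.findtext("Name") or "",
            "enabled": (trig.findtext("Enabled") or "false").strip().lower() == "true",
            "actions": actions,
        })
    return found


def audit_config(xml_text: str, baseline_sha256: str) -> dict:
    """Flag a changed file or any enabled trigger; both need a human look."""
    root = ET.fromstring(xml_text)
    system_on = (root.findtext("./Application/TriggerSystem/Enabled") or "false").strip().lower() == "true"
    enabled = [t for t in list_triggers(xml_text) if t["enabled"]]
    hash_changed = sha256_hex(xml_text) != baseline_sha256
    return {
        "hash_changed": hash_changed,
        "trigger_system_enabled": system_on,
        "enabled_triggers": enabled,
        "alert": hash_changed or (system_on and bool(enabled)),
    }


if __name__ == "__main__":
    # Baseline taken from the clean file; the sample then shows both findings.
    report = audit_config(SAMPLE_CONFIG, sha256_hex(CLEAN_CONFIG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In real use, point `audit_config` at the contents of the KeePass.config.xml on disk and keep the baseline hash somewhere the same attacker cannot edit (otherwise the baseline falls with the config). The script deliberately reports every enabled trigger, since any action that runs on open without confirmation is what the thread is about, not only export.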