John Jones

To clarify Paul's comment, SHA-2 is used only to 'compress' all keys(password, keyfile, WUA) into a single 'Master Key' as such: SHA(SHA-password + SHA keyfile + SHA WUA) The real protection of the final encryption key is provided by the KDF step where high iteration count and salt are used to derive with a strong 256 bit key

Even if SHA-2 was completely broken, you still need to pass KDF step which utilizes Argon2 or AES based iterations Length extension attacks are relevant mostly for authentication where the attacker can append his own message to the original, irrelevant in this case as the database would have invalid HMAC signature

Literally your link: " HMAC also uses a different construction and so is not vulnerable to length extension attacks." HMAC is used to verify database wasn't tampered with, nothing to do with database encryption...

Database formats are compatible, which is KDBX4 format. KeePassXC does have a free built in extension as well: https://keepassxc.org/download/#browser Personally, I'd avoid browser extensions and default to auto-type feature for maximum security but you have either option in both.

If you're using GNU/Linux on a regular basis and need a password manager there, I would look into KeePassXC It is an excellent fork and designed to be cross platform, OG KeePass is a .NET project(not even .net core)

There's no benefit from that. KeePass is a local application and it's crypto is robust.

'Breaking' SHA-2 is unlikely, the 'Breaking' of SHA-1 wasn't really meaningful to actual applications, it was a highly tuned collision with very specific conditions of a highly manipulated input. SHA-2 is used extensively in cryptocurrencies like bitcoin where there is huge sums of money to practical collisions and we have yet to see anything close to that.