I have 2 KeePass groups, general internet sites (1) and banking sites (2). I used to be able to set the KEE HOME GROUP to one or the other, but that no longer seems to be an option. Are multiple groups still supported? I recently updated Keepass to 2.5.6 and KeeRpc to 1.42.
KeePassX is no longer developed - as announced on the KeePassX website on 2021-12-09. Our decision to fork KeePassX was made some years prior, due to a sharp decline in code frequency at the time, combined with our wish to provide you with everything you love about KeePassX plus many new features and bugfixes.
KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.
KeePassXC currently uses the KeePass 2.x (.kdbx) password database formats KDBX 3.1 and KDBX 4 as its native file formats. KDBX 2 files can be opened, but will be upgraded to a newer format. KeePass 1.x (.kdb) databases can be imported into a .kdbx file, but saving a .kdbx file as .kdb would be lossy, and saving to .kdb is not supported by KeePassXC.
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your synchronization service of choice do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
No, KeePassXC does not support plugins at the moment and probably never will. KeePassXC already provides many of the features that need third-party plugins in KeePass2, so for most things you don't even need plugins, nor should you ever want them. Plugins are inherently dangerous. Many KeePass2 plugins are barely maintained (if at all), some have known vulnerabilities that have never been (and probably never will be) fixed, and none of them are as thoroughly tested and reviewed as we test and review code that goes into our main application. We find that encouraging users to install untested (and often quickly-abandoned) third-party plugins is inherently incompatible with the security demands of a password manager.
If you really need external functionality not available in KeePassXC, you can look for "plugins" that use the KeePassXC-Browser API, which is a much more secure way of sharing passwords with third-party applications than loading those applications as plugins directly into KeePassXC.
Yes. But only if you store them in the same database as your password. We believe that storing both together can still be more secure than not using 2FA at all, but to maximize the security gain from using 2FA, you should always store TOTP secrets in a separate database, secured with a different password, possibly even on a different computer.
Password reuse and simple, easy-to-guess passwords are the biggest problems when using online services. If one service gets compromised (either by guessing your password or by exploiting a security vulnerability in the service's infrastructure), an attacker may gain access to all of your other accounts.
But using different passwords for all websites is difficult without a way of storing them somewhere safe. Especially with arbitrary password rules for various services, it becomes increasingly hard to use both strong and diverse passwords. KeePassXC stores your passwords for you in an encrypted database file, so you only need to remember one master password. Of course, the security of all your services depends on the strength of your master password now, but with a sufficiently strong password, the password database should be infeasible to crack.
The database is encrypted with either the industry-standard AES256 or the Twofish block cipher and the master password is strengthened by a configurable number of key transformations to harden it against brute force attacks. Additionally, you can use a key file filled with an arbitrary number of random bytes or a YubiKey to further enhance your master key.
Yes, an audit was conducted by Zaur Molotnikov, an independent security consultant, and completed on January 19, 2023. This audit was conducted free of charge to the KeePassXC Team and the findings and writeup were reviewed for correctness. Download the Audit Report.
KeePassXC needs network access for downloading website icons (favicons) for password entries. This feature is optional and opt-in. KeePassXC will never access any network resource without your explicit prior consent. If you don't use this feature, you may also compile KeePassXC without any networking code (see next question).
The AppImage should run out of the box on almost any moderately modern Linux distribution. The Snap is supported on all systems, which have snapd installed. This is primarily Ubuntu, but also Debian, Fedora, OpenSUSE, Arch Linux and many more. For a full list and more information visit snapcraft.io. Note that not all systems that can run Snaps also support confinement via AppArmor.
Due to Snap's isolation and security settings, you cannot access any files outside your home directory. Furthermore, you cannot access any hidden files within your home directory. The only exception is mounted USB drives, but you must type in /media/ into the file open dialog to see them.
A key file is a file containing random bytes that can be added to your master key for additional security. Think of it as a really complicated and long password that is read from a file, so you don't have to remember or type it into your master password field. You can basically use any file you want as a key file, but it is of utmost importance that a) the file never changes and b) it actually contains unpredictable data. If the file changes, it is as if you forgot your password and you will lose access to your database.
On the other hand, if the data is not random enough, then it's a really bad password. So, for instance, a static and never-changing holiday picture is okay, your personal notes file is not. Generally, we recommend you let KeePassXC generate a dedicated key file for you. Go to Database -> Database Settings -> Security. There you click on Add Key File and then on Generate. Select the location where to save the key file, make sure the path to the new file is inserted into the Key File field, and save your database. Don't forget to keep a backup of the key file in a safe place!
But whatever you do, keep a backup in a safe location! If you lose your key file, you lose your database. Keep in mind that USB thumb drives are notoriously unreliable, break easily, or get lost. If you can afford it, we recommend you use a hardware token such as a YubiKey or OnlyKey instead of a key file (see next section). Such a key adds an even greater amount of security, but with fewer potential pitfalls.
Yes and no. No, because technically speaking, KeePassXC is not a service and therefore does not use "authentication". Instead, you are "decrypting" your database, which is different from "authentication". Nonetheless, you can improve the security of your database by use of a YubiKey in a slightly different way. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database.
So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since this is not an authentication scheme and also because the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database. Be aware, however, that the previous version of your database can still be decrypted with the old challenge/response (but no other version prior to that and no future version either).
Our implementation differs from how KeeChallenge handles YubiKeys. KeeChallenge uses the HMAC secret directly to enhance the database. To make this work, they need to store the secret in a side-car file, encrypted with the response of a challenge-response pair that is calculated ahead of time. In KeePassXC, we do not require any knowledge of the HMAC secret. We use the database's master seed (a random byte string that is part of your database) as challenge and then use the response to encrypt the database. That way we do not need an extra file and also gain the advantage that the required response changes every time you save the database, which resembles actual two-factor authentication more closely.
Due to the fact that our YubiKey implementation differs from KeeChallenge's, they are inherently incompatible (see question above). If you need compatibility between KeePass2 and KeePassXC, you cannot use YubiKeys at the moment.
Both FIDO-U2F and TOTP require a dynamic component (i.e., a counter or timestamp) for successful authentication. This is perfect for authenticating at an online service, but doesn't work for an offline database which needs to be encrypted with a fixed key. HMAC-SHA1, on the other hand, can be computed ahead of time as it only needs a fixed secret and no dynamic component of any kind.
We do support generation of timed one-time passwords (TOTP), but do not (and cannot) support it for securing your KeePassXC database. KeePassXC allows you to store TOTP secrets for online services inside a database and generates the corresponding timed one-time passwords for you. For TOTP, see also the question "KeePassXC allows me to store my TOTP secrets. Doesn't this undermine any advantage of two-factor authentication?"
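Added example (not KeePassXC code and not from the original page): a Python model of the challenge-response scheme described above, set next to RFC 6238 TOTP, showing why a fixed-secret HMAC-SHA1 response can rebuild a database key from the stored master seed while a time-based code cannot. The function names, the sample secrets and the simplified `derive_key` mixing step are assumptions; the real application uses its own key derivation.

```python
import hashlib
import hmac
import os
import struct

def token_response(hmac_secret: bytes, challenge: bytes) -> bytes:
    # Computed on the hardware token; the secret never reaches the host.
    return hmac.new(hmac_secret, challenge, hashlib.sha1).digest()

def derive_key(password: str, master_seed: bytes, response: bytes) -> bytes:
    # Assumption: simplified stand-in for the real key derivation.
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hashlib.sha256(master_seed + pw_hash + response).digest()

def save_database(password: str, hmac_secret: bytes):
    # Every save draws a fresh master seed, stored unencrypted in the header.
    seed = os.urandom(32)
    return seed, derive_key(password, seed, token_response(hmac_secret, seed))

def open_database(password: str, seed: bytes, hmac_secret: bytes) -> bytes:
    # The challenge is read back from the file, so the same response is
    # expected on every open until the next save replaces the seed.
    return derive_key(password, seed, token_response(hmac_secret, seed))

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the HMAC input is a time counter, so the output keeps moving
    # and cannot serve as a fixed encryption key for an offline file.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    secret = bytes(range(20))              # constructed 20-byte HMAC secret
    seed1, key1 = save_database("correct horse", secret)
    seed2, key2 = save_database("correct horse", secret)
    print("reopen matches:", open_database("correct horse", seed1, secret) == key1)
    print("key changes on save:", key1 != key2)
    rfc_secret = b"12345678901234567890"   # RFC 6238 test secret
    print("TOTP t=59:", totp(rfc_secret, 59), " t=60:", totp(rfc_secret, 60))
```

Because the seed travels with the file, anyone holding an older copy plus the token (or a one-time captured response for that seed) can still derive that copy's key, which is the caveat the answer above gives about the previous version of the database.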
You should always make a copy of the HMAC secret that is stored on the YubiKey and keep it in a secure location. This can be an analog paper copy, but since the YubiKey personalization tool allows you to program a custom secret into the key, you may as well program a second key with the same secret.
Yes. KeePassXC supports the extension KeePassXC-Browser. You can download it for Mozilla Firefox and Google Chrome / Chromium / Vivaldi. Firefox ESR (52.x) is supported, but the following features are disabled because of WebExtension API limitations: