CVE-2023–35866
CVE-2023–35866
You're viewing a single thread.
There has been a lot of discussion in the infosec community about "keepass being insecure" because of CVE-2023–35866
In this official statement by the devs, they basically explain the criticality of the CVE is basically overblown:
- You need local access
- You need an application which was authorized to access your database
That's a lot of ifs, even though, theorically, this application with local access and which was previously authorized could change the master password of your database.
A lot of people in the infosec community recommend 1Password, but IMHO, 1Password is the new LastPass.
For context lastpass has suffered heavy hacks recently, and it was insecure from the bottom up. Lastpass then lied about the gravity of the hack
1Password (like LastPass) is closed source and run by a for profit company. My advice:
- Use KeepassXC
- If you need sync use Bitwarden
- If you're ready to self host, use Bitwarden with Vaultwarden (preferably only accessible behind a wireguard VPN)
Completely agree. If you can't secure your machine properly, everything is at risk. I don't care when the infosec community says. KeePass is by far the most secure solution in my opinion. Also, Syncthing works quite well for syncing KeePass databases. It's FOSS as well, and provides E2E encryption.