Don't ever trust a security application at face value. Sorry, but Password Agent still seems more secure to me. Passwords do exist, in plaintext, under at least some circumstances while KeePass is running. I proved it by looking at the KeePass process memory with my own eyes, not just by taking the author's word for it. Note: I did see the "In-memory passwords protection" blurb on the home page, but that's not accurate information. (If you can't duplicate it, you aren't doing it right.) Test it with WinHex, and see for yourself. Sorry, I'm not talking about KeePass using the clipboard; I'm talking about simply having the "Add entry" or "Edit entry" dialog open, and KeePass retaining sensitive information in its own memory, in plain view. It may even be (potentially) obtained remotely by way of a remote-access trojan. Having sensitive information in memory, in plaintext, makes it possible for it to be written to the page file or hibernation file, where it may reside indefinitely. Nice, great feature set and design, but it still retains plaintext user IDs and even passwords in memory under some circumstances, whereas Password Agent does not. Overall, it is very well designed, and superior to even Password Agent in several respects. It's not a very major issue, though, and I still trust KeePass nearly as much as anything else. Incidentally, judging only by the release notes for this version of KeePass, the security hole I mentioned below still exists. They eventually claimed to fix the bug, but by then, I had dumped their product. (Password Agent had the same bug, at the same time, coincidentally.) When I reported these bugs, the author of Password Agent fixed it immediately, but the RoboForm people initially told me "big deal". Want to know something ironic, given the post by rijp below? (Note: The post I was originally referring to was subsequently deleted.)
I found a bug in RoboForm not too long ago, in which the master password was stored in plaintext in memory, where it could easily be written to disk, or grabbed by malware. I'll maintain this position until either I review it personally (ain't gonna happen), or until a reputable party like Bruce Schneier reviews it (also ain't gonna happen). I haven't reviewed the code for KeePass, so I have no reason to trust it any more than I do anything else. KeePass is open source, and open-source security products are generally preferable to closed-source security products. What does price have to do with security? I agree that oftentimes you get only what you pay for, but also a lot of times, you don't. * There is no built-in backup function, either automatic or manual. Windows being what it is, I'd really like to see it save the database after every change, or on a timed interval. * KeePass Password Safe will not save the database automatically, except when closed. Even if you create a "Root" group, and make other groups a subgroup of that, selecting "Root" will not show the entries in the subgroups. * Unless you have one all-encompassing group, with all of your entries in it, there is no way to view all entries at once. This is very convenient with sites that store your user ID after the first visit. Password Agent has one hotkey to perform whatever auto-type function is configured, and another hotkey to auto-type just the password. * There seems to be no hotkey to send just the password; you either send the preconfigured auto-type stuff, or you send nothing. This is ideal sometimes, but not always, since (1) it's inconvenient to set up, (2) it doesn't work with simple server authentication, and (3) of course, web site titles can change at any time. * KeePass Password Safe has no capability to send IDs and passwords to the window with focus; rather, it forces you to enter title bar search strings in the Notes field (or use the default, which is *title*).
I like the way Password Agent lets you simply press Enter one time.) (I do not consider hitting Tab more than once "easy", given how often I do this. And once you're there, you have no easy way to jump to the entries below. * There is no accelerator key to jump to the toolbar's "quick search" text box. * Ctrl+F opens a search dialog sometimes, and other times does not, depending on what part of the main window has focus. I do still find many things about the interface and general operation quite clunky, and sometimes downright inconvenient. This finally quells my complaints (and those of others) regarding sensitive information being stored in memory. I tested this, and it seems to work as designed. Added new secure edit controls (if enabled, no password edit control spies can read out the text of the control; the password isn't even visible in the process memory of KeePass).
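The reviews above keep returning to one point: a secret that a program has merely finished using still sits in process memory in plaintext, where a memory inspection finds it and where the operating system may copy it to the page file or hibernation file. The following C program is an added example, not code from the reviews, from KeePass, Password Agent or RoboForm. It contrasts a naive working buffer with one that is pinned with `mlock` while the secret is resident and then scrubbed through a `volatile` pointer (so the compiler cannot drop the store), and it includes the kind of check an inspector would run on a dump: is the secret's byte sequence still anywhere in the region? The secret string and the buffer sizes are constructed for the demonstration.

```c
/* Added example (not from the reviews above, nor from KeePass / Password Agent):
 * shows why a plaintext secret that a program is "done with" remains visible in
 * process memory, and the two mitigations a careful program applies: scrub the
 * buffer with a store the compiler cannot elide, and pin the page so it is not
 * written to swap while the secret lives there. Secret and buffers are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/mman.h>   /* mlock / munlock (POSIX; VirtualLock is the Windows analogue) */

#define BUF_LEN 64

/* Scrub through a volatile pointer: a plain memset on a buffer that is never
 * read again is a dead store the optimiser may legally remove. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Report whether the secret's bytes can still be found anywhere in a memory
 * region: the same test a memory inspection performs on a process dump. */
int residue_present(const unsigned char *region, size_t region_len,
                    const char *secret)
{
    size_t slen = strlen(secret);
    if (slen == 0 || slen > region_len)
        return 0;
    for (size_t i = 0; i + slen <= region_len; i++)
        if (memcmp(region + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Both variants copy the secret into a working buffer, "use" it (measuring its
 * length stands in for a real operation) and return. The buffers are static so
 * the caller can inspect them afterwards, as a dump of the process image would. */
static unsigned char naive_buf[BUF_LEN];
static unsigned char careful_buf[BUF_LEN];

/* Naive: nothing happens after use; the plaintext stays resident and is as
 * eligible for the page file or hibernation file as any other page. */
size_t naive_use(const char *secret)
{
    strncpy((char *)naive_buf, secret, BUF_LEN - 1);
    naive_buf[BUF_LEN - 1] = '\0';
    return strlen((char *)naive_buf);
}

/* Careful: pin the page while the secret is resident (mlock can fail under a
 * low RLIMIT_MEMLOCK; the scrub happens regardless), scrub before returning. */
size_t careful_use(const char *secret)
{
    int locked = (mlock(careful_buf, BUF_LEN) == 0);
    strncpy((char *)careful_buf, secret, BUF_LEN - 1);
    careful_buf[BUF_LEN - 1] = '\0';
    size_t len = strlen((char *)careful_buf);
    secure_zero(careful_buf, BUF_LEN);
    if (locked)
        munlock(careful_buf, BUF_LEN);
    return len;
}

/* Run each variant, then look for residue in its buffer. */
int naive_leaves_residue(const char *secret)
{
    naive_use(secret);
    return residue_present(naive_buf, BUF_LEN, secret);
}

int careful_leaves_residue(const char *secret)
{
    careful_use(secret);
    return residue_present(careful_buf, BUF_LEN, secret);
}

int main(void)
{
    const char *secret = "correct-horse-battery";   /* constructed sample secret */
    printf("naive buffer still holds the secret:   %d\n", naive_leaves_residue(secret));
    printf("careful buffer still holds the secret: %d\n", careful_leaves_residue(secret));
    return 0;
}
```

The check only inspects the two working buffers. The caller's own copy of the secret (here a string literal; in a real application the text of an edit control, a clipboard entry or a temporary on the stack) is a separate copy with its own lifetime, which is exactly why the "secure edit control" change quoted above matters: the scrub-and-lock discipline has to cover every place the plaintext is materialised, not just the one buffer the author remembered.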