There has been a lot of discussion in the infosec community about “keepass being insecure” because of CVE-2023–35866

In this official statement by the devs, they basically explain the criticality of the CVE is basically overblown:

• You need local access
• You need an application which was authorized to access your database

That’s a lot of ifs, even though, theorically, this application with local access and which was previously authorized could change the master password of your database.

A lot of people in the infosec community recommend 1Password, but IMHO, 1Password is the new LastPass.

For context lastpass has suffered heavy hacks recently, and it was insecure from the bottom up. Lastpass then lied about the gravity of the hack

1Password (like LastPass) is closed source and run by a for profit company. My advice:

• Use KeepassXC
• If you need sync use Bitwarden
• If you’re ready to self host, use Bitwarden with Vaultwarden (preferably only accessible behind a wireguard VPN)

I have to agree with the reasoning. As a very interested user of KeePass, a CVE took my attention, and I do a lot of security research as part of my job.

I don’t think this should qualify as a CVE because it’s so close to assuming the conclusion that it’s effectively not a vulnerability. If you have a local attacker with arbitrary memory access, your password is in all likelyhood already owned.

It’s nearly the argument that a locally authenticated user could modify my bash.rc to alias sudo and steal my password. Of course, I know him; he’s me!

As far as I remember, this same issue was also brought up with Original KeePass. I agree with the developers on this one - KeePass databases are nothing more than encrypted files (which is why it’s awesome). The same “vulnerability” applies to my computer - the hard disk is encrypted with Bitlocker, however when I turn the computer on and decrypt it, it is open to attacks, just like any unencrypted hard drive.