How to Make Sure Your Copy of KeePass is Legit

Password security is key in ensuring that your client and personal data stay safe. In order for a password to be secure, you need a strong password – something difficult for a human to guess or a machine to crack. However, strong passwords are also lengthy and difficult to remember. Because of that, password managers, which allow you to create one strong password while the manager generates and remembers strong passwords for everything else, are very useful. However, password managers are only effective when they themselves are very secure.

KeePass is a free and open-source password manager primarily for Microsoft Windows. Recently, there was a report that KeePass was vulnerable to a man-in-the-middle (MITM) attack. A MITM attack occurs when someone gets between you and the entity you think you are communicating with. In this instance, it means that someone worked out how to insert themselves between a user and KeePass during the program's update check, so that a malicious file could be served in place of the genuine update.

KeePass has addressed the problem, but the solution is a bit complicated to understand. KeePass agreed that it is theoretically possible for a user to download an unofficial, malicious update because traffic between the user and the download site is unencrypted. However, if a user is cautious about making sure the update is “signed” by KeePass, they can stay safe.

In order to make sure that the downloaded file is official, users should check whether the file is digitally signed. […] The digital signature can be checked using Windows Explorer by right-clicking the file -> ‘Properties’ -> tab ‘Digital Signatures’. When running the installer, the UAC [User Access Control – the Windows dialog box that pops up when you try to make changes to your computer] dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately.

Translation: if you check to make sure that you have downloaded the official version of KeePass, you will be fine.
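The check described in the quoted guidance (Explorer -> Properties -> Digital Signatures, or reading the UAC prompt) can also be done from PowerShell, which makes the two things that matter explicit: the signature must be valid, and the signer must be the publisher you expect, because a malicious installer can carry a perfectly valid signature from some other certificate. The script below is an added example, not code from KeePass or from the original post. The installer path and the expected publisher string are assumptions: take the real publisher name (or, better, the certificate thumbprint) from the KeePass website and compare against that.

```powershell
# Added example (not from KeePass or the original post): verify the Authenticode
# signature of a downloaded installer before running it.
param(
    # Assumption: placeholder path to the downloaded installer.
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\KeePass-Setup.exe",

    # Assumption: placeholder. Replace with the publisher name shown on the
    # KeePass website; the site, not this script, is the source of truth.
    [string]$ExpectedPublisher = 'EXPECTED-PUBLISHER-NAME-FROM-KEEPASS-SITE'
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "File not found: $InstallerPath"
    exit 2
}

# Get-AuthenticodeSignature returns the same information Explorer shows on the
# 'Digital Signatures' tab: status, signer certificate and timestamp.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath

# Status is 'Valid' only if the file is signed, untampered (hash matches) and
# the certificate chains to a trusted root. 'NotSigned' and 'HashMismatch' are
# exactly what a swapped-out update would look like.
if ($sig.Status -ne 'Valid') {
    Write-Warning ("Signature status is '{0}' ({1}). Do not run this file." -f $sig.Status, $sig.StatusMessage)
    exit 1
}

$cert = $sig.SignerCertificate
Write-Output "Signed by : $($cert.Subject)"
Write-Output "Thumbprint: $($cert.Thumbprint)"
Write-Output "Expires   : $($cert.NotAfter)"

# A valid signature alone is not enough: anyone can buy a code-signing
# certificate and sign malware with it. The signer must be the expected one.
if ($cert.Subject -notlike "*$ExpectedPublisher*") {
    Write-Warning "Signature is valid, but the signer is not the expected publisher. Do not run this file."
    exit 1
}

Write-Output "OK: installer carries a valid signature from the expected publisher."
exit 0
```

Run it as `.\Verify-Installer.ps1 -InstallerPath C:\path\to\installer.exe -ExpectedPublisher '<name from the KeePass site>'`. Matching on the certificate thumbprint instead of the subject string is stricter, since a subject name can be imitated by a different certificate while a thumbprint cannot; the subject match is used here only because it is what the Explorer dialog and the UAC prompt display.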

You are not alone, however, if you think this seems like a suboptimal solution.

[The developer states] that he’d like to move to encryption as soon as he believes it’s possible. You can also verify that you’re getting a signed download, if you’re worried. However, it’s still contradictory to develop a security-centric app and decide that security should take a back seat.

Part of the benefit of a password manager is supposed to be that you do not need to think about things like this. That said, KeePass is free, unlike its main competitors, Dashlane and LastPass, so it might be worthwhile for some users to deal with a bit of fuss in order to avoid the hefty costs associated with some other password managers. No matter what you choose, there is no question you have to remain ever-vigilant about the security of your data.
