KeePass is an open source application, and that was patched as soon as it was found. Nothing will be 100% resistant to attacks, and you don’t have to make your kdbx available online at all which mitigates that attack entirely. What matters is how the maintainers react.
Calling a local FOSS app worse than a privately owned and centralized SaaS is hilarious.
Explain to me how someone ‘allows’ leaking a password that is used locally on the user’s machine in an app that only connects to the web to download website icons.
You don’t host anything with KeePass, it’s an application that you install. People use this type of software literally every single day. I’m not sure where you get your information from. There was no “leak”, it was an attack that someone could execute if they had access to your physical machine and only used a master password without a keyfile. If someone didn’t have that, they don’t have your master password, because it doesn’t go to the cloud at all. It’s all entirely local. Stop handing out misinformation like candy.
Vulnerabilities happen, end of story. Like I said, what matters is the maintainers’ reaction and how open they are about the details. If you rely on other people/developers to handle your OpSec for you, then you shouldn’t be using computers at all and are putting yourself at risk no matter what software you use.
And if this is your litmus test, then holy shit do I have some bad news for you about iOS/Android/Linux/Windows/macOS/literally any web browser… and I guarantee that whatever you use now for your password manager has it’s own share of issues regarding security, which again points back to taking care of your own OpSec instead of relying on others.
Expect shit to hit the fan, and you’ll always be prepared when it does.
Hm, neat. Thanks for the cve ref. Seems KeePassXC was unaffected.
Issue was residue of typed characters left in memory (managed by .NET). This means the attacker needs to be able to dump memory and search it. If they can do that on your machine, you have other problems. They could probably just keylog you to the same effect with that level of access (on x11 anyways).
KeePass is an open source application, and that was patched as soon as it was found. Nothing will be 100% resistant to attacks, and you don’t have to make your kdbx available online at all which mitigates that attack entirely. What matters is how the maintainers react.
Calling a local FOSS app worse than a privately owned and centralized SaaS is hilarious.
As a regular user they allowed my master pass to be leaked. So i started using another password manager that didn’t do that.
Regular users don’t host their own password manager apps usually.
Explain to me how someone ‘allows’ leaking a password that is used locally on the user’s machine in an app that only connects to the web to download website icons.
The way password managers work is you sign up and use their app to store passwords.
Explain to me how a regular user signing up for this service is jumping through the hoops of self hosting.
KeePass is a local app, dummy. It doesn’t use any ‘service’.
I have bad news for you https://www.malwarebytes.com/blog/news/2025/08/clickjack-attack-steals-password-managers-secrets
Yeah password managers are just insecure
You don’t host anything with KeePass, it’s an application that you install. People use this type of software literally every single day. I’m not sure where you get your information from. There was no “leak”, it was an attack that someone could execute if they had access to your physical machine and only used a master password without a keyfile. If someone didn’t have that, they don’t have your master password, because it doesn’t go to the cloud at all. It’s all entirely local. Stop handing out misinformation like candy.
edit: the actual CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-32784
Vulnerabilities happen, end of story. Like I said, what matters is the maintainers’ reaction and how open they are about the details. If you rely on other people/developers to handle your OpSec for you, then you shouldn’t be using computers at all and are putting yourself at risk no matter what software you use.
And if this is your litmus test, then holy shit do I have some bad news for you about iOS/Android/Linux/Windows/macOS/literally any web browser… and I guarantee that whatever you use now for your password manager has it’s own share of issues regarding security, which again points back to taking care of your own OpSec instead of relying on others.
Expect shit to hit the fan, and you’ll always be prepared when it does.
Hm, neat. Thanks for the cve ref. Seems KeePassXC was unaffected.
Issue was residue of typed characters left in memory (managed by .NET). This means the attacker needs to be able to dump memory and search it. If they can do that on your machine, you have other problems. They could probably just keylog you to the same effect with that level of access (on x11 anyways).