(Full disclosure: I contribute to KeePassXC) In fact, KeePassXC has been shown to have better memory protection than KeePass: https://keepassxc.org/blog/2019-02-21-memory-security/ (note the article is from February, some things have changed since then, see below).

The only thing we do not have at the moment is in-memory encryption. We do, however, implement the following security measures on all platforms:

- prevent swapping of master key hashes (using gcry_malloc_secure)
- prevent non-root / admin access to our process memory (KeePass does NOT have this)
- overwrite all dynamically allocated memory with zeros on free
- disable any kind of coredump or crash reporting

A patch for in-memory encryption is being worked on, but needs further testing before it can be merged: https://github.com/keepassxreboot/keepassxc/pull/3055

Please note that this still cannot fully prevent swapping out of secrets. As soon as things are to be displayed somewhere in the GUI, they are basically out of our hands. We also cannot fully protect everything while the database is being loaded or written. However, the same applies to KeePass. There is just too much going on with memory management on modern operating systems.
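The four measures listed in the comment, shown as an added Linux C example that is not KeePassXC's own code: it substitutes plain mlock() for gcry_malloc_secure, uses prctl(PR_SET_DUMPABLE, 0) (which also blocks ptrace and /proc/PID/mem reads by non-root users) plus RLIMIT_CORE=0 for the coredump and process-access measures, and wipes through a volatile pointer so the compiler cannot drop the zeroing. The key bytes are a constructed sample.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

typedef struct { void *ptr; size_t len; int locked; } secbuf;

/* Page-aligned allocation, then mlock() so the pages cannot be written to swap.
   mlock may fail under a low RLIMIT_MEMLOCK; the flag lets the caller decide. */
static int secbuf_alloc(secbuf *b, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign(&b->ptr, page, len) != 0) return -1;
    b->len = len;
    b->locked = (mlock(b->ptr, len) == 0);
    return 0;
}

/* Zero via a volatile pointer: a plain memset() before free() is a dead store
   that optimizers are allowed to remove. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

static void secbuf_free(secbuf *b) {
    if (!b->ptr) return;
    secure_zero(b->ptr, b->len);          /* wipe before returning memory to the allocator */
    if (b->locked) munlock(b->ptr, b->len);
    free(b->ptr);
    b->ptr = NULL; b->len = 0; b->locked = 0;
}

/* No core dumps, and mark the process non-dumpable (blocks non-root ptrace on Linux). */
static int harden_process(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Constructed scenario: hold key material, use it, verify the wipe. Returns 1 on success. */
static int demo_wipe(void) {
    secbuf b; unsigned char sum = 0; size_t i;
    if (secbuf_alloc(&b, 32) != 0) return 0;
    memcpy(b.ptr, "constructed-master-key-material!", 32);  /* constructed sample key */
    secure_zero(b.ptr, b.len);
    for (i = 0; i < b.len; i++) sum |= ((unsigned char *)b.ptr)[i];
    secbuf_free(&b);
    return sum == 0;
}
```

harden_process() must run before any secret is read; a process that was dumpable while the master key was in memory could already have been inspected.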