by mikece 2127 days ago
I have read that the KDBX4 password database is "very secure" but am curious if any hacking challenges have been conducted to see if anyone can break it? The challenge I have in mind put some kind of contact info in an entry and then post the KDBX file on a public site for anyone to download and try to hack. If you get it open, use the info to contact the contest organizers and once you explain how you overcame the security and it's replicated you get however much has been donated as a hack bounty.

I'll put $100 in right now if the maintainers of KeePassXC are down with this.

2 comments

I'm no cryptographic expert, but I always liked the simple design of the kdbx files. So simple that I can understand it and see that there are no (obvious, assuming the underlying algorithms are called correctly) problems:

The whole database is a single big XML document which is then encrypted with a normal symmetric encryption method (most of the time AES). And that is already the core of it. There are a few additional things (a user-chosen key derivation function is used to increase the brute-force time, and there is a header in the binary format with such things as the KeePass version, which algorithms are used for encryption, and a checksum...).

But in comparison to other cloud-based password managers it's a nice feeling to intuitively "know" what's happening under the hood.
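The design sketched in the comment above (a header carrying the version and KDF parameters, the password run through a KDF, the XML body under AES), as an added example in Go that is not from this thread or from KeePass/KeePassXC. The byte layout, the "TOY1" signature and the round count are assumptions made for illustration, and it uses AES-GCM with the header as associated data so that an edited header is rejected rather than merely checksummed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Toy layout assumed for this example (NOT the real KDBX file layout):
// header(42) = magic(4)|version(2)|kdfRounds(4)|seed(32), then nonce(12), then AES-256-GCM(xml, aad=header)
const magic = "TOY1" // placeholder signature, not KeePass's

// deriveKey models an AES-KDF-style transform: SHA-256(password) is AES-ECB encrypted under the header seed `rounds` times, then hashed again.
func deriveKey(password string, seed []byte, rounds uint32) []byte {
	block, _ := aes.NewCipher(seed) // 32-byte seed -> AES-256
	k := sha256.Sum256([]byte(password))
	for i := uint32(0); i < rounds; i++ {
		block.Encrypt(k[:16], k[:16])
		block.Encrypt(k[16:], k[16:])
	}
	out := sha256.Sum256(k[:])
	return out[:]
}

// Seal encrypts the XML body; the header is authenticated as AAD, so a tampered KDF parameter is rejected instead of yielding a weaker key.
func Seal(password string, xml, seed, nonce []byte, rounds uint32) []byte {
	hdr := make([]byte, 42)
	copy(hdr, magic)
	binary.LittleEndian.PutUint16(hdr[4:], 4) // format version
	binary.LittleEndian.PutUint32(hdr[6:], rounds)
	copy(hdr[10:], seed)
	block, _ := aes.NewCipher(deriveKey(password, seed, rounds))
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(hdr, nonce...), nonce, xml, hdr)
}

// Open verifies and decrypts; a wrong password or an edited header fails here.
func Open(password string, db []byte) ([]byte, error) {
	if len(db) < 54 || string(db[:4]) != magic {
		return nil, errors.New("not a database file")
	}
	hdr, nonce, ct := db[:42], db[42:54], db[54:]
	rounds := binary.LittleEndian.Uint32(hdr[6:10])
	block, _ := aes.NewCipher(deriveKey(password, hdr[10:42], rounds))
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, nonce, ct, hdr)
}
```

In real use the seed and nonce come from a CSPRNG and the round count is far higher (or Argon2 is used); the fixed values here exist only so the example is reproducible.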

There have been audits of the official KeePass.info software which some argue still has open vulnerabilities.

Not sure if there have been audits of this popular fork or the format itself.

IIRC the format is relatively simple: an encrypted XML stream. So it may be OK.