by gbalduzzi 49 days ago
I don't understand how this solves the issue in this case.

Bitwarden vaults were not compromised, there was a problem in a tool you used to access the secrets.

What makes it impossible for KeePass access tools to have these issues?

3 comments

> What makes it impossible for KeePass access tools to have these issues?

the superiority of keepass users scares away the bad actors

> I don't understand how this solves the issue in this case.

I'd say since it is a local-only tool, you don't really need to update it constantly, provided you are a sane person who doesn't use a browser extension. It makes it easier to audit and puts you less at risk of having your tool compromised.

It doesn't have to be KeePass though; it can be any local password management tool like pass[1] or its GUIs, or simply a local encrypted file.

[1] https://www.passwordstore.org/

Why are browser extensions not sane in your opinion?

Browser password manager extensions are like putting a dog door on your reinforced vault door. Giant increase in attack surface.

Quite the contrary, actually: not using a browser extension makes you much more susceptible to phishing attacks, since your password manager won't be able to protect you from copy-pasting credentials into an imposter website.

You don't need any of that to protect against phishing. Simply bookmark the website once and only use the bookmark to go to the site.

Browser password extensions are just perceived convenience over security.

Well, we're in a thread about the CLI being compromised. I've never heard of a sandboxed browser extension being compromised.

You don't need to compromise the extension, but that sure is another drawback of installing more software than is actually needed. You could exploit the password manager extension from inside the browser and that way get access to the password manager, since you created a direct path to it, weakening the otherwise strong browser security.

The browser should stay isolated and separate from anything on the device instead of integrating "dog doors" in the software with the No. 1 biggest attack surface of any modern device.

KeePassXC can also be configured to allow / deny when a browser extension requests a password.

It's not impossible, but most KeePass tools are written in sane languages and built with sane tooling, and don't use trash like JavaScript and npm. Of course I'm not considering browser extensions or exclusive web clients, but the main KeePass client has a good autotype system, so you don't really need to use the browser extension.

In any case, the fact that the official Bitwarden client (which uses Electron, btw) and even the CLI are written in JavaScript/TypeScript should tell you everything you need to know about their coding expertise and security posture.

Fully agree, I can't wait for the day when developers finally stop using JavaScript for shit it was never designed for. .NET is decades ahead at this point.