Comment by aw1621107
1 month ago
> trying to pressure KeepassXC to remove exporting passkeys in an open format
I'm not sure that's an entirely accurate representation of the request? At least from a quick skim, the claimed issue is being able to export keys in plaintext. For example, from the issue author:
> I strongly recommend you temporarily disable this feature or at a minimum require file protection/encryption.
And later:
> > Besides, determined advanced users could just write code to decrypt the kdbx file and extract the passkeys anyway.
> That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.
> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.
To me that doesn't sound like they're requiring a proprietary format. Something like AES encrypted JSON sounds like it'd work as well, and that sounds pretty "open" to me?
> > That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.
Has there even, ever, been an instance of that happening?
There have been literally thousands of documented incidents of this.
There's an entire subsection of the security industry dedicated to this happening. The DefCon international security conference holds an on-stage competition where security researchers demonstrate this happening to real targets in real time in front of a live audience.
> There have been literally thousands of documented incidents of this.
Of making people export all their credentials from a password manager and send them to a scammer?