Recommend KeePass instead of KeePassXC

[ghost]

KeePassXC is recommended however it doesn't have a security audit. As such I think it's better if you recommend KeePass instead, which has been audited.

[samuel-lucas6]

Fair point, but I disagree.

1. KeePassXC has a better UI and website, is properly cross-platform, the code is available on GitHub, and it's developed by more people. From an end user perspective, KeePassXC clearly wins. The more accessible source code and a team of developers also means better peer review.

2. As the team say in the FAQ, an audit is ridiculously expensive. For a few thousand lines of code, which is not a large project, you're looking at $5,000+ for a company like Cure53. An audit of KeePassXC would cost significantly more than that because it's not a small program. I haven't calculated the line count, but KeePass v1.31 was 84,622 lines according to the audit report. Assuming you get regular donations (most FOSS projects don't), it would still take many years of saving to afford an audit. Therefore, the audit requirement is unfair for FOSS software unless it's produced by a company or has been lucky enough to have received funding.

3. An audit gradually loses value over time because changes can introduce or reintroduce vulnerabilities. You'd either need to not update the program or only update non-security components (e.g. the UI) for the audit findings to remain up-to-date. KeePass v1.31 was audited in 2016. It's now nearly 2022, and the program is at v2.49.

4. Audits miss things, so they don't prove that software is secure. There have also been cases of reviewers listing misleading findings. For instance, I remember a Cure53 report where the vulnerability was classed as Medium despite the fact that the code wasn't even vulnerable to what they were discussing. It feels as though that's done to pad out reports. It's sometimes hard to classify issues correctly though.

In the real world, audits rarely happen for non-business products and are somewhat overhyped. Regular peer review by enough people is arguably better because then there are even more eyes on the latest version of the code and less time constraints. Ideally, both would happen. It's not the fault of the maintainers that this is so rare. It's a problem in the industry in general, as demonstrated by things like Log4j.

[ghost]

KeePassXC has a better UI and it's non-Windows versions are better sure, but this doesn't necessarily make it better than KeePass.

and it's developed by more people.

More people != More secure

Maybe a better solution is to make the recommendation KeePass/KeePassXC and mention that if you don't care about UI and only use Windows KeePass is better. Otherwise, KeePassXC might be a better option although it's not audited

[samuel-lucas6]

KeePassXC has a better UI and it's non-Windows versions are better sure, but this doesn't necessarily make it better than KeePass.

It implies that it's better from a usability standpoint, which is extremely important. The average user likes a nice GUI.

More people != More secure

More eyes means more secure if they know what they're doing.

Maybe a better solution is to make the recommendation KeePass/KeePassXC and mention that if you don't care about UI and only use Windows KeePass is better. Otherwise, KeePassXC might be a better option although it's not audited

Why is KeePass better besides the audit from several years ago? That would also rather complicate the recommendation. The site is moving away from Worth Mentioning sections, so that can't be done either. Therefore, it seems likely that KeePassXC will be left as is.