Ross, this is very interesting, nice work.

Because this is an intentional feature of the program, I'm choosing to
not ask for a CVE number, and I'm also just opening the bug report for
public view. This is likely a feature designed to ease inter-operation
with the Windows program of similar name, and "fixing" this issue would
likely break the easy movement of encrypted password stores.

At least once the trade-off is publicly visible, users can choose to
continue using keepassx or not as they wish, or modify how they use it,
with knowledge of its limitations.

I'm curious if you can speak to the key derivation function used? Their
website is remarkably information-free on the important parts of
password storage and the corresponding keepass.info Windows-program has
the rather terrifying "SHA-256 is used as password hash. SHA-256 is a
256-bit cryptographically secure one-way hash function. Your master
password is hashed using this algorithm and its output is used as key
for the encryption algorithms."

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1214844

Title:
  Non-CP1252 characters in passwords are insecure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/keepassx/+bug/1214844/+subscriptions
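The two concerns raised in the message above, lossy handling of non-CP1252 characters and a single SHA-256 of the master password serving as the key, can both be made concrete in a few lines. The following is an added illustration, not code from the bug report or from KeePassX: it assumes a model in which the password text is encoded to a legacy codec before hashing (the exact behaviour of KeePassX is not stated on the page, so the `errors="replace"` policy is an assumption), and it sets a defensive alternative beside it: refuse passwords the codec cannot represent, and use a slow, salted KDF over the lossless UTF-8 encoding. Sample passwords are constructed.

```python
import hashlib
from typing import Iterable, Optional

# Constructed sample master passwords: identical ASCII prefix, differing
# only in one character that has no code point in CP1252.
SAMPLE_PASSWORDS = [
    "correct horse \u03b1",   # Greek small alpha
    "correct horse \u0436",   # Cyrillic zhe
    "correct horse \u4e2d",   # CJK ideograph
]


def single_hash_key(password: str, encoding: str, errors: str) -> bytes:
    """Model of the 'SHA-256 of the master password' scheme quoted in the
    message. Assumption (illustrative model, not KeePassX code): the text is
    encoded with `encoding`, and characters the codec cannot represent are
    handled by the `errors` policy ("replace" substitutes '?', "strict"
    raises UnicodeEncodeError)."""
    return hashlib.sha256(password.encode(encoding, errors)).digest()


def distinct_keys(passwords: Iterable[str], encoding: str,
                  errors: str = "replace") -> int:
    """Count how many different keys a set of passwords really yields.
    If several passwords map to one key, the extra characters contributed
    no entropy to the encryption key at all."""
    return len({single_hash_key(p, encoding, errors) for p in passwords})


def derive_key_strict(password: str, encoding: str = "cp1252") -> Optional[bytes]:
    """Defensive variant: instead of silently degrading, return None when the
    password cannot be represented in the target codec, so a caller can
    warn the user or fall back to a lossless encoding."""
    try:
        data = password.encode(encoding, "strict")
    except UnicodeEncodeError:
        return None
    return hashlib.sha256(data).digest()


def slow_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Contrast to the single-hash scheme: a deliberately slow, salted KDF
    (PBKDF2-HMAC-SHA256 from the standard library) over the lossless UTF-8
    encoding of the password. The iteration count is a chosen parameter,
    not something the page specifies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    print("distinct keys via cp1252/replace:", distinct_keys(SAMPLE_PASSWORDS, "cp1252"))
    print("distinct keys via utf-8:         ", distinct_keys(SAMPLE_PASSWORDS, "utf-8"))
    print("strict cp1252 on non-CP1252 input:", derive_key_strict(SAMPLE_PASSWORDS[0]))
    print("pbkdf2 key (hex):", slow_key(SAMPLE_PASSWORDS[0], b"constructed-salt", 1000).hex())
```

Under the lossy model all three sample passwords encode to the same byte string (`b"correct horse ?"`) and therefore to one key, while the UTF-8 encoding keeps them distinct; the strict variant surfaces the problem at entry time rather than hiding it in a weaker key.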
