KeePassXC on Android caches its database
This one is worth at least three dagnabbits, a golly gee and two daggums.
I use KeePass, or some of it's forks, flavors and versions, for password management. I store the database locally on each device and keep them synced between devices with Syncthing.
I got a notice that a password on one of my accounts had been compromised. So I went to that website on my desktop, logged in, changed my password, and updated the entry in KeePass, saved and quit the application. I checked my phone to see if the change had propagated there...it hadn't.
I started poking around, making sure Syncthing was running, I went so far as to copy the database on my PC somewhere, delete it from both systems, and then put it back on my PC to see if I could get it to resync the whole file at once. The change didn't propagate.
Somehow I ended up in Keepass' settings menu on the phone, and noticed an option called "Database Caching." Turns out, it had copied the database to the app's cache directory, and it was pulling from there rather than the actual file. I guess assuming that the database would be stored in the cloud or something, rather than in the device's onboard storage.
That's 25 minutes I'm not going to get back, and now neither will you!
19 replies
I looked for and can't find "Database caching" anywhere in KeepassDX's settings. Maybe it's the fork I'm using that doesn't have it.
I'm running KeePass2 Android on my phone. It didn't allow me to take a screenshot. Good for it.
You are talking about KeepassDX, not XC, right? I have the same setup, but I have not noticed this problem yet.
I don't fucking know man. Choose your own damnation: Go with a commercial package like LastPass and have your data
soldexfiltrated by elite dark-web h4xx0rz, or go with an open source package like KeePass that has been forked by 40 different communists who cannot be made to agree to what extent Stalin and/or Maos shit didn't stink. I'm running KeePassGY because random fucking letters I guess.The more alcohol I drink, the less mildly I'm infuriated.
I had this same problem… it's a problem inherit to all password managers actually. Even proprietary cloud based ones like Bitwarden to some extent.
Fundamentally, it's a bad user experience if you have to redownload, parse, load, verify, the entire database each time you need to use a password. Most phones block this kind of activity in the background as well to save power. So it caches it and only updates this cache occasionally. Ideally there would be some sort of pub/sub situation that updates the cache automagically but this doesn't seem to be the case.
I have a bigger yet more basic problem:
I haven't seen software documentation aimed at users since Windows 3.1.
Early 90's Microsoft software came with a softcover tome about how it worked. Those white books with the blue banners? If you're over 35 you know what I mean, the ones nobody read so the entire fucking
industryculture stopped trying to write that kind of thing at all.Linux Mint's documentation is almost entirely a teen's livejournal entry about how it's totally not a phase and how daddy Ubuntu just doesn't understand our vibe, man. Seriously, go to linuxmint.com and look at their Documentation session, it's 80% grievance airing.
Do you know what I did today? I physically gave up on Meshcore. I put every LoRa node I owned in a box, complete with the batteries and antennas and shit I owned in a cardboard box, and hauled them to a Ford dealership to give to a fellow Ham, because Meshcore's website documents the message packet protocol, but not what a room server is.
So KeePass is one of those things that exists as a system of forks, I use two different forks on x86 Linux and ARM-Android. They assume I'm going to access one cloud-based file from everywhere, when I sync files locally, which...
Okay, interrupting one drunken inappropriately misogynistic rant for another drunken inappropriately misogynistic rant: It is for all intents and purposes fucking impossible to use Android. I've got a Pixel 10, the dirtfucking may-god-force-him-to-watch-the-murder-rape-of-his-family-especially-his-kids salesman sold me a vendor locked phone, and, modern Android is a total woman of an operating system. It doesn't do things you want it to do and won't explain why. Like browse it's own fucking file system. If you've got a database file and it's associated keyfile stored in ~/Documents/Passwords that you want to open with KeePass...Go back to your bedroom at your mom's house and pull your dick there, perv! I'm not doing that because my mama didn't raise no hussy!
In conclusion, may everyone who knows a programming language including me have their genitals repeatedly burned out eternally in hell for our crimes against our fellow human. Amen.
Actually, it didn't take me 25 minutes to read this.
Also password management is easy. Just use "Password124567890" for everything. It's genuis because the 3 is missing. Therefore, if someone did guess your password correctly, no they didn't. They'd move on to less simple passwords, simply because you left off the 3.
It's TOO stupid to be real, and the brilliant twist makes it even better.
So by the logic of about half the English teachers I know, you didn't read it hard enough. I'll let you try again to improve your grade.
I read it. You used a password manager instead of just using your memory to remember your password. They cached the database, and it didn't update the database fast enough for you.
Seems to me you could have avoided the whole thing by just typing it in yourself.
How would you keep list of 200 different 30+ character passwords?
By not doing that.
Doing what? You have the same password for all accounts?
At least they are not using the published password on their account here (I tried).
Not the same one. You just have tiers.
Low level security? Things like netflix, or whatever, this is the bulk of your passwords, but none of them are in danger if your account gets hacked. Oh no! They're going to mess with my time markers where I left off in my shows!!!
Then a tier 2, maybe something has a bit more risk. This only has 2 or 3 services you'd use.
And then tier 3. I only have 1 tier 3 password. It's for my bank.
So now I just remember 3 passwords. One of which is the bulk of my passwords. And one I almost never use.
Yeah, Netflix has my phone number, so any non-netflix breach which did not have my phone number would now also include my phone number. That's pretty bad security. I just remember a single, very strong password and can access all accounts securely. I started using a password manager and maximum security passwords everywhere after my ancient skype account got hijacked via a leaked password and started messaging all my contacts with spam links.
This is much less secure than you are thinking
Yeah but you didn't waste the allotted time on it which is the main purpose of college.