discussion/request: test of password managers (like KeePassXC) by German consumer protection magazine, bad overall grade due to password policy for master password and accounts by KeePassXC — maybe enforcement policy or at least advice #10012
Comments
That is silly, but see here: #9782
Yes, it is kind of silly. But maybe, for inexperienced users, it is of some actual relevance… To make it clear: I personally don't need this feature and don't ask for it for myself. I check password quality myself, have a master password of fair quality (and still memorisable), and choose passwords for accounts/entries according to the respective policies of the sites/servers. But I thought it would be better advertisement for KeePassXC if the stated magazine and article awarded a better (i.e. a good) grade (instead of a bad one). Of course, it's up to the user to use KeePassXC and policies the right way — but maybe it's easier for inexperienced users with a little help.
In general, these magazines and websites do these reviews because they are actually affiliated sponsorship ads in disguise. There is nothing we can do to score a good grade, or at least a grade above the paying customer. The game is rigged, and it's not worth anyone's time to worry about it. We do have password quality scoring when a user generates a password for an entry. So half of their reason is not true.
TL;DR: I generally do agree (except for details), so the ticket can be closed (as it already is). In more detail: I myself am pretty fine with KeePassXC as it is; personally, I have no need for this issue. But I want to state some things more clearly: the German institution Stiftung Warentest is independent! When they test paid products, they buy them themselves. That is why they sell their printed magazines and online articles. They don't get items provided by manufacturers. And I had to talk to their customer support in this particular case because I was only reading the yearbook. In their yearbook, there are just the summaries of the tests. The full article is available in the printed magazine and in the full online article. When I was talking to them, they provided me with the full online article, for free. So I don't want to put this particular organization in a bad light. But you're right, you can argue about the exact test criteria.
Yeah, I'll give this magazine some credit for being independent. The security test criteria make you scratch your head, though. We've had other placements in decidedly not independent magazines and we are always last or near it (often included as the "open source option, but you don't want that").
One thing to note - some sites and programs still limit how 'secure' a password can actually be. I have sites that won't let me use a password longer than 8 characters, many sites that restrict the types of characters I can use in a password, and more. Having KeePassXC enforce a threshold for all generated passwords is moot in every one of these situations - as the entity requiring the password defines the password rules, and there is simply no way for KeePassXC (or any other password manager, for that matter) to know what each and every restriction is on every site and every app out there. Therefore, while their testing might be independent, they are projecting a false narrative in terms of password security that not every site follows, and they make no mention of this caveat at all.
That is clear. But that is actually not the point. It's clear that specific restrictions are related to the needs/restrictions of the source site and limited by it. They criticise that there are no restrictions at all, so you can even input a one (1) character password if you really want. That's what they pointed out. And because this is also possible for the master password, the overall grade was bad. (There are detailed grades for specific test categories — also besides security, like user experience and others. Only the master password behaviour led to a really bad overall grade.) And to make it clear: I personally do not need that option. I am pretty fine with KeePassXC and I know what I do when using it. I just think it's a pity that KeePassXC got a bad overall grade, being an open-source program that I actually appreciate. I just think it's a pity that it's bad advertisement. That's all I wanted to refer to. I would like to see open-source software (and especially this one) promoted…
And I think it is a pity that they are applying an artificial constraint that is not needed, so seemingly giving KPXC's rep a hit. Does it affect my personal opinion of KP and KPXC? Nope. Never will.
Dear all,
I just got the 2023 yearbook (the articles are from 2022; it's released at the end of the year, so the 2024 yearbook will cover this year, 2023) by the German consumer protection magazine Stiftung Warentest.
There is a test of password managers, "Passwort-Manager im Test" ("Password managers under test"). Many proprietary products… and KeePassXC.
KeePassXC did receive good grades for some categories, but a bad mark for the category "security", leading to a bad overall grade.
I discussed this issue with their customer service. The bad grade for the category "security" (subsequently leading to a bad overall grade) is due to the policies for creating passwords, for the master password and for specific accounts/entries. There is no enforcement of a security policy such as a minimum password alphabet or a minimum string length (length is pretty essential for them). If the user were forced to create a "rather secure" password, or at least given advice that it's too weak (and why it's too weak), they would give a good grade for the category and overall.
Because I read that magazine now and then (and more or less rely on it) AND I do like open-source software in general and KeePassXC specifically, I would like to leave this point for discussion and, maybe, some action.
Thank you,
Gunner
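The two checks this thread argues about, as an added example that is not part of the issue and not KeePassXC's own code: a master-password policy that blocks and says why (minimum length, a blocklist, a minimum brute-force entropy), and an entry-password check that treats the site's own rules (maximum length, allowed characters) as the ceiling and reports "as strong as this site permits" rather than "weak". The thresholds, the tiny blocklist and the example site rules are assumptions constructed for the example; KeePassXC's real scoring is not reproduced here.

```python
import math
import string

# Policy thresholds: assumptions of this example, not KeePassXC settings.
MIN_MASTER_LENGTH = 12
MIN_BITS = 60.0

# Constructed stand-in for a real common-password list (a real check would
# consult a large list, e.g. a breach corpus).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin"}

# Constructed example site: at most 8 characters, letters and digits only.
EXAMPLE_SITE = {"max_length": 8, "allowed": string.ascii_letters + string.digits}

CHAR_CLASSES = (
    ("lowercase letters", frozenset(string.ascii_lowercase)),
    ("uppercase letters", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("symbols", frozenset(string.punctuation)),
)


def alphabet_size(chars):
    """Size of the smallest 'natural' alphabet covering every character.

    Each ASCII class counts in full once any member is present; characters
    outside the four classes (space, non-ASCII) each add one.
    """
    present = set(chars)
    size = sum(len(cls) for _, cls in CHAR_CLASSES if present & cls)
    size += len(present - set().union(*(cls for _, cls in CHAR_CLASSES)))
    return size


def entropy_bits(pw):
    """Naive brute-force entropy: length * log2(alphabet).

    This is an upper bound: it treats 'correct horse battery staple' as 28
    random characters; a pattern-aware estimator would score it lower.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def _normalize(pw):
    # Fold 'Password123!' down to 'password' so trivial decoration does not
    # evade the blocklist (leetspeak substitutions are not handled here).
    return "".join(c for c in pw.lower() if c.isalpha())


def check_master_password(pw):
    """Return (ok, reasons). The master password is ours to police, so block."""
    reasons = []
    if len(pw) < MIN_MASTER_LENGTH:
        reasons.append(f"too short: {len(pw)} characters, at least {MIN_MASTER_LENGTH} required")
    if _normalize(pw) in COMMON_PASSWORDS:
        reasons.append("is a common password with trivial decoration")
    bits = entropy_bits(pw)
    if bits < MIN_BITS:
        reasons.append(f"estimated {bits:.0f} bits of brute-force entropy, {MIN_BITS:.0f} required")
    return (not reasons, reasons)


def check_entry_password(pw, max_length=None, allowed=None):
    """Return (verdict, notes) for an entry password.

    The site, not the manager, owns the rules here, so the result is advice:
    'ok', 'weak', 'capped-by-site' (already as strong as the site permits) or
    'rejected-by-site' (the site itself would refuse it).
    """
    notes = []
    if max_length is not None and len(pw) > max_length:
        notes.append(f"{len(pw)} characters, but the site allows at most {max_length}")
    if allowed is not None:
        rejected = sorted(set(pw) - set(allowed))
        if rejected:
            notes.append("uses characters the site rejects: " + "".join(rejected))
    if notes:
        return "rejected-by-site", notes
    bits = entropy_bits(pw)
    if bits >= MIN_BITS:
        return "ok", []
    if max_length is not None and allowed is not None:
        site_alphabet = alphabet_size(allowed)
        ceiling = max_length * math.log2(site_alphabet)
        if ceiling < MIN_BITS and bits >= ceiling - 1e-9:
            return "capped-by-site", [
                f"{bits:.0f} bits is the most this site permits "
                f"({max_length} characters over a {site_alphabet}-character alphabet)"
            ]
    return "weak", [f"estimated {bits:.0f} bits, below {MIN_BITS:.0f}; lengthen it or add character classes"]


if __name__ == "__main__":
    for pw in ("a", "Password123!", "correct horse battery staple"):
        print(repr(pw), check_master_password(pw))
    for pw in ("aB3dE9fG", "aB3dE9f", "aB3dE9fG!"):
        print(repr(pw), check_entry_password(pw, **EXAMPLE_SITE))
```

The split between the two functions is the point the comments make: a one-character master password is rejected with three concrete reasons, while an 8-character alphanumeric entry password on a site that caps length at 8 is reported as capped by the site rather than as a failing of the user or the manager.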