Is KeePassXC still trustworthy if they are allowing AI generated contributions?

As written in the blog post, there are no AI features in KeePassXC, hence there is no LLM running with access to your data. The code produced by LLMs is just an output and not any kind of AI itself. It’s static, verifiable and open, even if the LLM itself is a blackbox. Imagine an LLM writes a book. Of course, the LLM is capable of a lot more than that and I wouldn’t trust it with any private data. But if you were to buy the book, it wouldn’t do anything harmful sitting on your shelf, even if you write your password on the first page.

The contents of this book are instructions on how your passwords should be managed. Following these instructions is safe, because a team of expert editors checked them line by line, character by character. By the way, Chapter 5 was not written by an LLM, but by a random (human) stranger from the internet. But that doesn’t make their written instructions any safer or less safe, and so they undergo the same review process as anything else before being printed in the book.

4 Likes

AI-written code is allowed into the Linux kernel, just as it was in KeePassXC. So should I refuse to use Linux?

4 Likes

Genuine question here: do the people saying “no” to this question honestly believe that using an LLM for writing code somehow makes the code not do what it would normally do if written by a human?

LLMs are one kind of AI. Not every AI is an LLM. But that is beside the point.

You are a human being (I suppose), and you speak English (I suppose). Humans can perform very complex tasks and they can be very dangerous and untrustworthy. That doesn’t mean that a text you write is also a human being or also dangerous in the way that you are.

1 Like

If you think that was an insult, then read again. I will not continue this conversation.

3 Likes

That was an analogy to help you understand a simple concept.

For now, I second this.

I will not say that it is bad before a CVE that happened exactly because of AI, but I will keep extremely sensitive data away from it.

For now I think it is time to completely move to Proton Pass or Bitwarden. For local storage, an encrypted volume via VeraCrypt or Cryptomator.

Anyways, autofill is less secure than copy/paste (it is even recommended here by Proton):

Consider disabling manual autofill and using copy and paste only. Proton Pass allows you to autofill your passwords using two clicks in order to give you time to assess whether a website is secure for yourself, but you can also opt not to use autofill if you’d prefer to reduce risk.

So I will live without it.

P.S.: Even more concerning is that they use proprietary AI, which I don’t trust even more.

I think this is a very sterile topic as of now.
People won’t be convinced here, whatever the arguments are.

I think it’s time to move on folks. :hugs:

Dangerous advice! Autofill is definitely more secure than copy-paste, because without it you lose one of the strongest security features: the protection against phishing. This whole click-jacking thing is wildly overblown. KeePassXC also has click-jacking protections, but we would never recommend disabling autofill.

3 Likes

I personally disable it too and use passkeys to log in to most of my websites as explained here: Password, 2fa, and their backups management, need critique! - #19 by kissu

But the rest of my opsec probably needs to be taken into account too.
Not sure if it is the most secure, but I also don’t mind not having the feature; not a big hindrance haha. :hugs:

This is indeed better, but unfortunately it has several drawbacks:

  • It is not widely supported. Most services still require a password (even Tuta!)
  • It requires a hardware key. Yeah, there are some workarounds, but try to use a passkey on Linux and Android simultaneously (most non-custom Android uses a Google binary to make it work)

So… Only if we all ping support teams to add passkeys will this really make a difference. And we still need something that will allow us to use passkeys on Android and Linux simultaneously without workarounds.

For example, Fennec for Android does not support passkeys at all (Google proprietary binary).

  • I usually choose my services with care and how I can login into them is quite high on my list :hugs:
  • Yubikeys work quite well on both Linux and Android from my own personal experience. Still better than iOS at least. :joy:

1 Like

If you are genuinely interested in a technical answer, here it is: Auto-fill is ALWAYS more secure than copy-paste.

Why is that? Auto-fill checks the URL of a page and provides credentials only if it matches the entry in your password database (and even then only after an explicit action by the user, not automatically on page load—by default, KeePassXC also asks the user for permission, so the browser has access to nothing without explicit approval). The only way an attacker can get their hands on the credentials is if that site is compromised (either via the backend or via cross-site scripting). Generally, if the site is compromised, an attacker can do anything, regardless of how you entered your credentials. They can steal all your inputs (regardless of source) and they can also steal your entire session. The only thing that click-jacking does is being more sneaky about it so that you don’t notice what’s going on. But in general, a cross-site-scripting attack could also replace the full page and you would never know.

There is nothing that protects you against this attack. In fact, you are MORE vulnerable to click jacking with copy-paste, because you have to actively interact with the page. There are no automatic checks for anything when you use copy-paste. You also lose any sort of phishing protection, because without auto-fill, there are no URL checks. So you might as well be entering your credentials on a typo squatting website or after a malicious redirect.

Auto-fill via the browser extension is the best way to keep your credentials safe. Copy-paste is the worst possible alternative. With copy-paste you also make your credentials available to all applications on your system via the global clipboard, which is another risk factor (and you might also paste them somewhere else accidentally). The only safer alternative to auto-fill are passkeys.

14 Likes
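As an added illustration of the URL check the reply above describes (example code written for this thread, not KeePassXC's or its browser extension's own code), here is a minimal autofill matching policy in JavaScript. The vault entries and page URLs are constructed, and the rule set (https only, exact host match, optional opt-in for subdomains via an assumed `allowSubdomains` option) is modelled on common autofill behaviour rather than KeePassXC's exact matching rules.

```javascript
// Added example, not code from KeePassXC or its browser extension.
// Constructed vault: a few entries with the URL they were saved for.
const vault = [
  { title: "Example Bank", url: "https://bank.example.com/login", username: "alice" },
  { title: "Example Shop", url: "https://shop.example.org", username: "alice" },
];

// Decide whether one entry may be offered on the page at `pageUrl`.
// Rules (assumed policy, modelled on typical autofill behaviour):
//  1. the page must be served over https (or be localhost);
//  2. the page host must equal the entry's host exactly;
//  3. a subdomain of the entry's host is accepted only when the caller
//     opts in with `allowSubdomains` (a hypothetical option).
// Unparseable URLs never match. The WHATWG URL parser lower-cases the host
// and converts Unicode labels to punycode, so look-alike (homograph) hosts
// do not compare equal to the stored ASCII host.
function entryMatches(entry, pageUrl, { allowSubdomains = false } = {}) {
  let page, stored;
  try {
    page = new URL(pageUrl);
    stored = new URL(entry.url);
  } catch {
    return false; // malformed URL: offer nothing
  }
  if (page.protocol !== "https:" && page.hostname !== "localhost") {
    return false; // never hand credentials to a plain-http page
  }
  const pageHost = page.hostname;
  const storedHost = stored.hostname;
  if (pageHost === storedHost) return true;
  // "login.bank.example.com" ends with ".bank.example.com";
  // "bank.example.com.evil.net" does not, so the suffix trick fails.
  if (allowSubdomains && pageHost.endsWith("." + storedHost)) return true;
  return false;
}

// Titles of all entries the extension would offer for a page.
function candidatesFor(pageUrl, opts) {
  return vault.filter((e) => entryMatches(e, pageUrl, opts)).map((e) => e.title);
}

// Stand-alone run: a legitimate page, a typosquat and a homograph.
console.log(candidatesFor("https://bank.example.com/session/new")); // [ 'Example Bank' ]
console.log(candidatesFor("https://bank.examp1e.com/login"));       // []
console.log(candidatesFor("https://b\u0430nk.example.com/login"));  // [] (Cyrillic "а")
```

The last two calls are the cases the reply is talking about: a typosquatted host and a homograph host both produce no candidate, so the user is not prompted to fill anything and has a visible signal that the page is not the one the entry was saved for. With copy-paste there is no equivalent check at all; whatever is on the clipboard goes into whatever page is in front of the user.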

Related amazing news: KeePassXC Awarded ANSSI Security Visa

So yes, looks quite trustworthy to me. :hugs:

4 Likes

Everything is kinda listed in the link. :wink:

2 Likes

Thanks for sharing the news here. That helps reaffirm the trust we have in KeePassXC. Congratulations to their whole team as well. :tada:

3 Likes

You are welcome to use whichever product you like. You are welcome to reject whichever service you don’t welcome. You have that choice, you can do that. But what you cannot do is use unsubstantiated information for the purpose of fear mongering. You haven’t presented a single instance or evidence of an AI generated contribution that has led to KeePassXC being less secure or untrustworthy. So, unless you can do so, I kindly suggest you stop with your agenda, because it simply isn’t going to work. Have a good day!

7 Likes

Copilot is good at helping developers plan complex changes by reviewing the code base and writing suggestions in markdown, as well as boilerplate tasks such as test development.

Using Copilot in general isn’t recommended. Copilot, which belongs to Microsoft, as you may imagine, stores everything you provide to it linked to your identity. Rather than using ChatGPT or Copilot, I’d recommend using duck.ai, which belongs to DuckDuckGo, as chats are

  • anonymized
  • not used to train models

and as DuckDuckGo does not collect logs or usage stats unless you agreed. Most models are freely accessible, although some may require a paid DuckDuckGo Premium subscription.

Duck.ai cannot be integrated into GitHub as of now. However, people need to decide on their own if they prefer privacy or integration.

Copilot Enterprise and Copilot Consumer editions are totally different.

This is not a socially acceptable way to engage in public discourse. Logical fallacies are best reserved for meta-analysis of a discussion rather than in a discussion itself. Please consider addressing your opponent without verbally assailing them.

1 Like