keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Increase minimum master password length #8190

Closed markusd112 closed 10 months ago

markusd112 commented 2 years ago

Overview

It is possible to create password databases with a master password length of only 1 character, which is absolutely insecure. The German magazine „Stiftung Warentest“ has given KeepassXC a bad score because of this issue. Please set a minimum password length that is secure or give a warning to the user if the master password is too short.

See actual Test magazine:

https://www.test.de/Passwort-Manager-im-Test-5231532-0/

droidmonkey commented 2 years ago

We got into a debate about this on Matrix. Personally, I find this to be an asinine finding from the magazine and to rate us poorly because of a user choice / option. The underlying encryption is still just as secure if you use a 1 character password over a 100 character password. What becomes insecure is the possibility of an attacker, who has access to your database file, to more easily guess your password through brute force.

The user can choose to do what they want to afford them the security they want. Whether we restrict the password length to some minimum or supply a warning is irrelevant. They can use any other keepass app to set a single character password and can also just set it to 123456. At the end of the day, why the heck do I care what they decide to set it to?

I can see this argument much more if we were a cloud service and third parties could remotely brute force the authentication. But we are not, you need the database file to even start to do anything.

markusd112 commented 2 years ago

Yes, I understand that. The magazine is explaining in the text that KeepassXC is absolutely secure when using a cryptic password with a good length. So maybe some user information that is displayed when choosing a short password would solve the „problem“.

michaelk83 commented 2 years ago

Done in #7885

h1z1 commented 2 years ago

Conveying anything about the password in effect weakens it because you're also leaking that the policy exists at all, and limits the attack required. The one character may be trivial but knowing it means you don't have to even try them.

phoerious commented 2 years ago

The one character may be trivial but knowing it means you don't have to even try them.

Doesn't really matter, the search space of such trivial passwords is way too small for it to bear any significance.

The next dot release will feature a warning for small passwords and we will think of something else for the next feature release.

michaelk83 commented 2 years ago

The next dot release will feature a warning for small passwords and we will think of something else for the next feature release.

Personally, I think the strength indicator is enough.