password manager PSA (keepassxc)
if you use keepassxc, do not update past the current latest update (2.7.10) as future updates will include LLM generated code, which is an utterly horrible idea for an application that manages people's passwords
the maintainers approve of this and don't see the horrible security implications in allowing it
re: password manager PSA (keepassxc)
How is it different from allowing pull requests from randos on the internet?
Using LLMs for coding has some ecological, legal, and ethical repercussions, but as long as you review the generated code properly the same way you're supposed to review code from 3rd parties, *security* should not be an issue, in my view.
Am I missing something?
re: password manager PSA (keepassxc)
@wouter that's a big assumption (the whole 'point' of LLMs is to reduce effort, why would some LLM liker then spend effort fully checking that the output is correct, additionally i suspect that LLM likers trust it more than they trust randos on the internet, though i doubt they'd admit that)
but aside from that, LLMs introduce bugs in ways that people don't. the statistically likely next token may look right but it is not necessarily correct
(my definition of 'security' here may also be different from what you expect, exposing your passwords is indeed unlikely, but it introducing subtle bugs that corrupt, delete, or incorrectly import your passwords is far more likely)
re: password manager PSA (keepassxc)
OK. I see what you mean. It's a risk, though I don't see it as likely as you seem to think.
IME, reviewing code is faster than writing it from scratch. This applies whether the code is generated or submitted. Whether that happens is the more interesting question, rather than whether LLMs are used, IMO
Corruption bugs are always possible, LLMs may increase the risk but they don't introduce it. You need backups of your vault regardless.