Password Manager Vulnerability?

Discussion in 'Software' started by GoshenGeek, Apr 8, 2017.

  1. GoshenGeek

    GoshenGeek Corporal

    I had posted this on another forum and received no answers. Perhaps here?

    See the article at
    https://arstechnica.com/security/20...-encrypted-credentials-from-password-manager/

    Fascinating discussion about the malware KeeFarce that targets the KeePass password manager. KeeFarce uses DLL injection to "... call an existing KeePass export method to copy the contents of a currently open database to a CSV file. The resulting file contains user names, passwords, notes, and URLs all in clear text." The bottom line is that if one's computer is compromised, all bets are off as to whether the password manager one is using is secure. (True??) Note that malware similar to KeeFarce could probably be written for other password managers. So KeePass is not alone with this vulnerability?

    Big question: Should we be concerned with this vulnerability?

    Another question: I currently store my passwords on paper. My laptop never leaves my home so I consider this reasonably secure. Any reason I should use a password manager?
     
  2. Eldon

    Eldon Major Geek Extraordinaire

  3. Earthling

    Earthling Interplanetary Geek

    I guess you simply forgot your other thread, but if you are still considering LastPass you may find THIS reassuring.
     
  4. Anon-c1150d5334

    Anon-c1150d5334 Anonymized

    This is why they have KeePass Portable, so it is not on your machine waiting for the bad guys.
     
  5. mjnc

    mjnc MajorGeek

    The article that you linked to is from November 2015.

    KeePass Password Safe has been updated at least twice since then.
    If this was a true vulnerability, it would have been patched already.
    The program referenced in the article is a tool available at github.com.
    It is not regarded as a threat.
    You can read a discussion about it at the KeePass forum:
    https://sourceforge.net/p/keepass/discussion/329220/thread/8e511d96/#e919
    https://sourceforge.net/p/keepass/discussion/329220/thread/8e511d96/#df4e/8125

    As I understand it, in order for that program, KeeFarce, to work, it has to be downloaded and run.
    KeePass has to be running and the database already unlocked and loaded.
     
