I understand that KeePass stores its notes field in memory unencrypted. Would it be possible to either add two user-definable fields that are encrypted or basic encryption on the notes field? Several of my password entries also contain recovery information like:
Secret question and answer
Specific information used at sign-up time for the account (i.e. zipcode, address, e-mail account, phone numbers, birth date, account number, user name, business)
This information needs to be protected as well. If a person gains this information they can just reset my password, so having all this encryption and protection does not help if basic information is compromised by the notes field being in memory. At the minimum, basic obfuscation or encryption of the notes field while in memory would be nice.
You are right. This is my problem too. It needs more time to encrypt/decrypt all entries, but I would spend this time.
RC4 or even 3DES would be nice if needed to balance speed with security for the notes field.
Or at least an option to encrypt all fields in memory under the Advanced tab; this way the user decides how slow it is.
In my professional opinion this is a major security hole for KeePass. My shock at this gaping issue is only furthered by the fact that no Trojan or virus has been found yet exploiting it. Now that this issue has been written about on several public bulletin board systems it is only a matter of time before users of KeePass will most likely be compromised. This issue needs to be fixed as soon as possible for this product to remain a viable solution. Any script kiddie or knowledgeable IT professional could in theory gain very vital information from KeePass while it is in memory.
I agree any field should become encrypted. Is this really a speed issue?
KeePass isn't going to be able to protect your passwords from a trojan / virus on your host. In order for you to access your data you need to be able to get to it in an unencrypted form. The trojan / virus that specifically targets KeePass could just as easily trap when you decrypt the data and read it out.
KeePass can't protect your data if the host on which it resides is seriously compromised. I suggest installing a good virus checker and such.
That's right. But not only malware snoops in memory. Some application error reports take memory snapshots and send them to the developer.
It's fine to keep the memory encrypted, but since the key must necessarily be in memory (unless you are prompted every time), it'll be sent too. The best bet would be to set a low timeout on the auto-lock functionality and have all the fields be encrypted in memory, realizing this is obfuscation at best.
Better to have obfuscation than some Microsoft employee in Bombay looking at all my note fields and possibly passwords.
so far this application is far more secure than other products ... just so you know...
> so far this application is far more
> secure than other products ... just
> so you know...
Oh, OK, an anonymous "Nobody" on the internet says that it's more secure, so I feel much better now. I think I'll switch.
Was this issue fixed in the KeePass 0.99c release?
Are the notes fields, username, etc kept encrypted in memory?
Or is KeePass still leaking information out via memory dumps, error report memory snapshots to vendors and hibernation files?
Rather than ask if it has been fixed, get a memory viewer and look yourself. Then you can let us know what, if anything, has changed and what information is still visible.
Unfortunately, it appears that KeePass v0.99c stores its NOTES field in memory UNENCRYPTED. Also, the USER NAME, URL and TITLE FIELDS are easily viewable as PLAIN TEXT for your hacking pleasure.
To review, KeePass currently shows the following fields unencrypted in memory, which can easily be viewed in plain text:
2. User Name
How to view KeePass database entries in memory:
This tutorial will show you how to view KeePass database entries in memory. However, it will not show you how to force a dump file and upload it to a web server for attacks against users' accounts. The intent of this tutorial is to illuminate how easy it is to view KeePass database entries while in memory so that this program will eventually be better than what is on the open market.
1. Get a copy of WinHex from http://www.x-ways.net/winhex/index-m.html and install it.
2. Open your KeePass v0.99c and database file (i.e. database.kdb) then enter your password. Now the KeePass dB is in memory and mostly unencrypted.
3. Load up WinHex and select TOOLS, OPEN RAM, FIND THE KeePass Process.
4. Double-click on the KeePass process to reveal PRIMARY MEMORY or ENTIRE MEMORY.
5. Once Primary or Entire Memory is open you will see a tab with KeePass: Primary Memory and below that a list of memory offsets and contents in the body section.
6. You can now search the KeePass memory contents to reveal the following; title, user name, url and notes fields.
7. To search from the WinHex menu select SEARCH, FIND TEXT and enter a title or notes field text to be taken to an entry. In my test the needed information a hacker would need to mount an attack was found at Offset 00BE0B00.
1. Using Windows XP OS, fully patched
2. Latest version of KeePass v0.99c release on 2005-05-14
3. Relevant Option settings: CHECKED Disable Unsafe Operations, CHECKED Use More Secure Edit Controls, CHECKED Enhanced Clipboard Behavior, CHECKED Hide Passwords Behind Asterisks, CHECKED Hide User Names Passwords Behind Asterisks.
Also recently tested was Steganos Security Suite 7 password manager. The Steganos password manager showed everything in memory, including the passwords, in plain, easy to decipher clear text. SO KEEPASS IS BETTER THAN STEGANOS in that the passwords are at least encrypted while in memory.
/// Coming soon: how to take memory snapshots and send them off, or how your favorite application crash can send a memory dump file of all your sensitive data (in memory) to offshore programmers. This and much more fun /// Have you had your ID stolen today? Where do you want your sensitive data today?
Whoa, that is too easy.... Guess I will keep my notes brief and non-descriptive. So much for putting account reset information in the notes field.
It would be nice to have a link to a record; then I could bury some of my account info in other records and find it via a link.
Notes field etc. being in RAM as plain text is just a surprise for the technically inexperienced. If this is a real problem, you're lost anyway (i.e. you have malware on the PC).
OTOH I see no problem having all fields encrypted. Maybe it's a speed issue. E.g., for global auto-type, KeePass would have to decrypt any field on the fly to perform its auto-type action.
Possible solution for the encrypted fields issue: two notes fields.
Have two notes fields, one standard and another encrypted. The encrypted one could be unmasked by the same function as the password unmask. Thus only when the user needs to see the encrypted information does the program decrypt it, just like the PW. This could address the speed issue, as the unmasking would be a user-triggered action, not a programmatic auto function on view of an entry. GUI ideas: perhaps a check box to enable an encrypted notes field for an entry and a button to mask/unmask it.
Question: would having this make the program and/or database that much bigger?
What I have done as a temporary solution for now is PGP'd all my sensitive notes fields. I like the organization, storage and retrieval of KeePass. However, I do need some info encrypted more of the time than the rest. I only need to look at this type of second encrypted notes field once in a blue moon, so that is my temporary solution. This is more work, but my goal of keeping additional account information safe that is inputted into the notes fields that could be used for account reset is addressed. I do not have to worry as much about a memory snapshot, memory dump or hibernation file of this information getting viewed in plain text at some point.
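The "second, encrypted notes field" proposal above, and the objection earlier in the thread that the key must live in memory too, can both be made concrete in a small sketch. This is an added illustration, not KeePass code or the poster's own: it holds a field as two XOR shares with a random per-field mask, reveals the plaintext only on demand, wipes it afterwards, and runs the same kind of "find text" search a RAM viewer would, to show where the window of exposure is. The class name, the constructed sample note and the `visible_in` helper are all assumptions of this example.

```python
import secrets

class ProtectedField:
    """Hypothetical in-memory protected field (design sketch, not KeePass code).

    Stores mask and (mask XOR plaintext). Neither share alone is the
    plaintext, so a plain string search over a memory dump finds nothing;
    but both shares sit in memory, so this is obfuscation, not encryption
    against an attacker who can read the whole process.
    """

    def __init__(self, plaintext: bytes) -> None:
        # Caveat: the caller's immutable bytes object still exists until
        # it is garbage collected; real code needs a wipeable input buffer.
        self._mask = bytearray(secrets.token_bytes(len(plaintext)))
        self._masked = bytearray(a ^ b for a, b in zip(plaintext, self._mask))

    def shares(self) -> bytes:
        # What a memory viewer would see of this object's stored state.
        return bytes(self._mask) + bytes(self._masked)

    def unmask(self) -> bytearray:
        # On-demand reveal (the proposed "unmask" button); caller wipes it.
        return bytearray(a ^ b for a, b in zip(self._masked, self._mask))

def wipe(buf: bytearray) -> None:
    # Overwrite in place; a str cannot be wiped, hence bytearray throughout.
    for i in range(len(buf)):
        buf[i] = 0

def visible_in(snapshot: bytes, needle: bytes) -> bool:
    # Equivalent of SEARCH / FIND TEXT over a RAM dump.
    return needle in snapshot

def demo(note: bytes = b"Secret question: first pet = CONSTRUCTED SAMPLE") -> tuple:
    """Returns (before, during, after): is the note findable at each stage?"""
    field = ProtectedField(note)
    before = visible_in(field.shares(), note)           # only shares stored
    plain = field.unmask()
    during = visible_in(bytes(plain) + field.shares(), note)  # exposure window
    wipe(plain)
    after = visible_in(bytes(plain) + field.shares(), note)   # wiped again
    return (before, during, after)

if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

A snapshot taken while the field is unmasked (or while auto-type is running, per the speed objection above) still captures the plaintext, which is exactly why the thread calls this obfuscation rather than protection.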
Last night someone tried to amputate my legs. He said: "Give me passwords pleaze". Can you add an Anti-Amputate option?
Personally I think there should be NO excuse to not encrypt
2. User Name
The notes field in my opinion should be encrypted also....with today's computing power.
I differ on that opinion - there should be more excuses.
As we have seen with the EU "AN APPRAISAL OF THE TECHNOLOGIES OF POLITICAL CONTROL" we now have the upper hand ( http://www.europarl.eu.int/stoa/publi/166499/execsum_en.htm )
The time is now, while we have momentum, to keep technology and laws moving so fast that the common man will not be able to keep up. It is best to buy off developers' code of programs like these and PGP so we can gain better intel to control the world before it is too late to bring out this new world order.
How else would the NSA, Echelon, CIA, FBI, COMINT, Patriot Act II (FBI searched without warrants), SIGINT, MOSSAD and the like find any good morsels of data.
For more on Patriot Act II the coming Gestapo in Amerika see:
We do not need no stinking judges: 'Plan would bypass judges in FBI probes'
KeePass must be weakened else we have too many secrets... All your bases belong to us.
Enough from the peaNUT gallery...
KeePass is just fine the way it is. The developer should focus more on fixing the open issues, not this nonsense. However, it does make one wonder why Rreichlhe is not using CVS anymore. Perhaps he is no longer in control of this project. He did say he was unable to login to CVS....
If YOU know how to make WinCVS 220.127.116.11 work correctly together with PuTTY's SSH client (PLink), let me know!
Why don't you use TortoiseCVS instead?
All kidding aside, this program is cryptography and could be considered a weapon, so in good faith some things should be left in the clear in memory. Who knows, this could help fight the war on terrorism.
It has been stated that Al Qaeda uses programs like these to communicate with. So they should be weakened enough to allow our government's intervention and supervision to prevent crime and terrorism. Seriously, this stuff is getting to be no joke.
To the guy that wrote about Echelon:
Dude, writing about Echelon is no joke. You have just beamed the spotlight on this SF project. Thanks. The realm these guys play in is real. You should educate yourself before playing in this league. The EU is very concerned and has many real-life issues of industrial espionage or worse from this faction of info freaks.
European parliament report on the existence of Echelon
Temporary Committee on the ECHELON interception system
Temporary committee on the ECHELON interception system (July 2000-)
EU Member composition of the temporary Committee on the ECHELON interception system: