Hello,
KeePass 2.40 on Windows does not remove or sanitize saved passwords from application memory after the user views or otherwise interacts with them. This applies to passwords stored in the user's database, not their master password. I have attached several items to assist in reproducing the issue.
Attachment 1 shows an excerpt of memory after unlocking a KeePass database. The password is still encrypted.
Attachment 2 shows the user viewing the password in KeePass.
Attachment 3 shows the user hiding the password in KeePass.
Attachment 4 shows a memory dump displaying the user's password in both ASCII and Unicode formats.
Attachment 5 shows the region of memory where secrets are not sanitized after use.
The unsanitized secret (the password) remains in memory even after closing the dialog, interacting with other entries and even locking the database completely.
This is a well-known and documented limitation of the process memory protection:
https://keepass.info/help/base/security.html#secmemprot
Best regards,
Dominik
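For readers following the linked limitation, here is an added illustration (not KeePass code, and not from either poster) of the mitigation pattern behind it: keep the secret encrypted in process memory and decrypt it only into a char[] that is cleared as soon as the UI is done with it, instead of into a managed string that cannot be wiped. The class name ProtectedSecret and the sample secret are assumptions constructed for the example; it targets .NET Framework, where System.Security.Cryptography.ProtectedMemory is available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not KeePass code: the plaintext is never held in a System.String.
// Caveat (the limitation Dominik links): the GC may relocate arrays, so stale
// copies can still exist; clearing only bounds the lifetime of the copies we own.
sealed class ProtectedSecret : IDisposable
{
    private readonly byte[] _blob;   // DPAPI-encrypted, padded to a 16-byte multiple
    private readonly int _length;    // real UTF-8 length of the secret

    public ProtectedSecret(char[] plain)
    {
        byte[] utf8 = Encoding.UTF8.GetBytes(plain);
        _length = utf8.Length;
        _blob = new byte[(_length + 15) / 16 * 16];  // ProtectedMemory needs 16-byte blocks
        Buffer.BlockCopy(utf8, 0, _blob, 0, _length);
        Array.Clear(utf8, 0, utf8.Length);           // wipe the transient plaintext copy
        ProtectedMemory.Protect(_blob, MemoryProtectionScope.SameProcess);
    }

    // Decrypts into a fresh char[]; the caller owns it and must clear it after use.
    public char[] Reveal()
    {
        byte[] tmp = (byte[])_blob.Clone();          // never unprotect the stored blob in place
        ProtectedMemory.Unprotect(tmp, MemoryProtectionScope.SameProcess);
        char[] chars = Encoding.UTF8.GetChars(tmp, 0, _length);
        Array.Clear(tmp, 0, tmp.Length);
        return chars;
    }

    public void Dispose() { Array.Clear(_blob, 0, _blob.Length); }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample; real input would come from the UI as char[], not a literal string.
        char[] input = new[] { 'h', 'u', 'n', 't', 'e', 'r', '2' };
        using (var secret = new ProtectedSecret(input))
        {
            Array.Clear(input, 0, input.Length);
            char[] shown = secret.Reveal();          // the "view password" action
            try
            {
                Console.WriteLine("Revealed {0} characters to the UI", shown.Length);
            }
            finally
            {
                Array.Clear(shown, 0, shown.Length); // the "hide password" action must wipe too
            }
        }
    }
}
```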