I have read that the database file is vulnerable while open on the desktop, with rogue software being able to export all its data to an unencrypted csv file.
Can you clarify if this is true?
That's a very general question that lacks a lot of details.
In general, if someone can run software with equal permissions to KeePass or access to KeePass files,
he can add a malicious trigger to export the data (KeeThief does just that),
but if an attacker can write to the KeePass files he can do whatever he wants; this is not a normal situation.
I appreciate it is rather a vague question. I'm asking from a general user point of view, in that we're encouraged to keep our important passwords secure. On a superficial level, a password protection application like KeePass fits the bill. However, with virus protection enabled on the computer, does this mean all is now safe, or are there vulnerabilities still present that may compromise our passwords? Obviously for things like forum passwords and the like it may not be that important, but for financial details it's a whole different ball game, perhaps requiring off-line storage only.
So basically you're asking if using anti-virus gives you 100% protection?
Again, this is too general and non-technical.
If we speak in a general sense, every system can get breached; nothing is completely safe.
The golden rule is: if it was made by humans, it's inherently imperfect.
Even mathematically "uncrackable" cryptography like the one-time pad is limited by our knowledge of math and, who knows, maybe can be broken.
So, how general this got. Basically not practical at any level.
I have read that the database file is vulnerable while open on the desktop, with rogue software being able to export all its data to an unencrypted csv file.
Can you clarify if this is true?
Rule #1: if a bad guy can persuade you to run software on your computer, it's not your computer anymore.
There is no defense against this.
See the FAQ.
https://keepass.info/help/base/security.html#secmemprot
https://keepass.info/help/base/security.html#secspecattacks
cheers, Paul
I appreciate it is rather a vague question. I'm asking from a general user point of view, in that we're encouraged to keep our important passwords secure. On a superficial level, a password protection application like KeePass fits the bill. However, with virus protection enabled on the computer, does this mean all is now safe, or are there vulnerabilities still present that may compromise our passwords? Obviously for things like forum passwords and the like it may not be that important, but for financial details it's a whole different ball game, perhaps requiring off-line storage only.
When you then use the details online your data is lost.
You are effectively proposing not using computers.
cheers, Paul