I had a look with WinHex at KeePass memory. All of the passwords and the passphrase are visible. This seems to be a serious problem.
An interesting article about this security problem can be found at:
http://www.infosecwriters.com/text_resources/pdf/Discovering_Passwords_In_Memory.pdf
After further researching, it seems that only some of the passwords from the database are visible in memory. BUT, the passphrase is always visible.
I got WinHex, started it, started KeePass, entered the master password, and in WinHex I looked at the complete RAM of KeePass: I found my master password there in RAM. Arrg.
Yes, I know this security problem, and KeePass has been designed to clean up all plainly visible passwords in memory as soon as possible. Unfortunately I was able to reproduce the bug you mentioned. When opening a database, a copy of the master password remained in memory, in plain text. All other passwords are encrypted correctly; just the master password was unencrypted when opening a database.
I've fixed this bug, if you want to try:
http://www.dominik-reichl.de/filepool/KeePass-040627.zip
That's the latest development version, unstable and NOT for daily use! Use it just to verify if the memory cleanup works now.
Thanks for reporting this problem and best regards,
Dominik
It doesn't help so much because a big part of the master password still remains in memory. I think it would help to reduce master password brute-forcing enormously.
You say that the database is stored encrypted in memory, which is not true, because much information like URLs and some passwords, at least in the stable version, is stored in plain text.
After locking the KeePass database and keeping KeePass running, many things from the database are still readable.
The big problem is that memory is often swapped, so a person only needs to check the swap file for the master password or parts of it.
First: you said "a big part of the master password still remains in memory"... This can't be true. Either it's there (which shouldn't be) or it isn't (as it is now in the release above). Of course, the hash (SHA-256) of the password remains in the memory of the program, but it's impossible (read: computationally infeasible) for an attacker to reverse this hash.
Second: no, I didn't say that the _database_ is stored encrypted in memory. The _passwords_ are stored encrypted all the time, fields like URLs, usernames, titles and notes aren't encrypted.
Third: this cannot be true. KeePass closes the whole file when locking the database (therefore you must save the file before you can lock the database) and deletes all memory, so there cannot even be a single password in KeePass' memory.
Fourth: I've checked the whole memory for the master password. It isn't there any more, nor is any part of it visible.
If you are able to locate only one password (master password or any password in your database) in the memory of KeePass, please describe exactly what you are doing. I wasn't able to locate any password (all encrypted properly), and if you are able to locate one, this is a bug and I would be glad to know how you did it, so I can fix the bug.
Best regards,
Dominik
1. Dominik, I have a 14 char master pw and with your bugfix release, I am able to find the first 4 chars of it in KeePass RAM, multiple times even!
3. In the latest stable release, even if I lock KeePass and then have a look with WinHex, I was able to find the complete master password.
1. Create a new database with a different password (totally different from your 14 characters password) and search again for those 4 characters (the 4 characters you mentioned!, which are part of this 14 character password). I think those 4 characters are just normal binary code and not the first characters of your password. It's highly unlikely that the first characters of the password shouldn't be cleared... The memory-erase routine overwrites the whole string...
3. As I said above that is true. There was a bug and I've fixed it. Please try the development version!
Best regards,
Dominik
I'd rather do this in German.
I meant the user password, not the 256-bit hash.
OK, so I have installed KeePass, the unstable version from 27.06.2004.
Loaded the database as usual. The user password is 32 characters long. At least 15 of those characters can be read out as plain text from RAM with WinHex (simply via Winhex\Extras\RAM öffnen\Keepass\Keepass.exe). But I can check this again with different databases.
As soon as KeePass itself closes the database, i.e. logs it off, but the program is not terminated, data such as the titles or URLs, and correspondingly also the encrypted passwords, can still be read from RAM.
Thanks Dominik for responding so quickly, but there still appear to be problems in the developmental version. Below is how I tested it.
1. I downloaded your new developmental version and created a new database with a new passphrase password of "qwertyqwerty".
2. I added one entry to the database with a unique username, title and password.
3. I closed Keepass and saved the database. I re-opened the new database with the developmental version of Keepass.
4. With Winhex, I searched the memory of Keepass. I found the first half of the passphrase "qwerty" in memory. I also found the complete password of my only entry in the database.
Dominik, I did the same as the guy before. I chose "pappnase75". I was able to find "papp", "pappna" and "pappnas". In WinHex I chose "primärer Speicher" in the RAM editor.
Also, after I locked the database after the above test, I still found the first half of the passphrase "qwertyqw" in the Keepass memory.
Hmm, ok... I'll have a look at that...
Best regards,
Dominik
Hi,
as far as I've read the source code, KeePass always overwrites variables asap. But what I asked myself and I don't know the answer (maybe OS dependent): If you do something like:
i:='1234567890'
i:='----------'
Does this necessarily mean the RAM is overwritten exactly in this place? What's a safe solution?
No, normally KeePass clears the strings using the EraseCString routine (see StrUtil.cpp). This routine doesn't simply set the string to a new value (so it doesn't do the thing you have written), it overwrites each character using the SetAt member function which works in place, not creating a new copy of the string...
Best regards,
Dominik
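The difference between the two approaches in the exchange above, as an added example that is not KeePass's own code (EraseCString and SetAt are only mentioned by name in the thread; naiveReassign, eraseBuffer, eraseInPlace and the other identifiers below are this example's own). It models the questioner's `i := '----------'` as an assignment that hands the string a fresh allocation, so the old buffer keeps the secret byte for byte, and contrasts it with an in-place overwrite of the existing buffer, which is what the SetAt-based routine is described as doing.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Both buffers are returned (instead of freeing the old one) purely so the caller
// can inspect them; in a real program the old buffer would be freed with the secret
// still inside it.
struct Reassigned {
    char* oldBuffer;   // the original allocation, never touched by the "assignment"
    char* newBuffer;   // the allocation that now holds the replacement value
};

// Models i := '----------' when the string implementation answers an assignment
// by allocating a new buffer and repointing: nothing writes over the old bytes.
Reassigned naiveReassign(const char* secret, const char* replacement) {
    std::size_t n = std::strlen(secret);
    char* oldBuffer = new char[n + 1];
    std::memcpy(oldBuffer, secret, n + 1);

    std::size_t m = std::strlen(replacement);
    char* newBuffer = new char[m + 1];
    std::memcpy(newBuffer, replacement, m + 1);
    return Reassigned{oldBuffer, newBuffer};
}

// In-place overwrite of a raw buffer. Writing through a volatile pointer keeps the
// compiler from discarding the stores as dead writes to memory that is about to be freed.
void eraseBuffer(char* buf, std::size_t len) {
    volatile char* p = buf;
    for (std::size_t i = 0; i < len; ++i) p[i] = 0;
}

// In-place overwrite of a std::string, character by character: the string keeps its
// buffer and its size, only the contents change (the SetAt idea from the thread).
void eraseInPlace(std::string& s) {
    if (s.empty()) return;
    eraseBuffer(&s[0], s.size());
}

bool isAllZero(const char* buf, std::size_t len) {
    for (std::size_t i = 0; i < len; ++i)
        if (buf[i] != 0) return false;
    return true;
}

bool isAllZero(const std::string& s) {
    return isAllZero(s.data(), s.size());
}

// True if the naive reassignment left the secret intact in the old buffer, and an
// explicit in-place erase of that same buffer then zeroed it.
bool naiveReassignLeavesSecret() {
    Reassigned r = naiveReassign("1234567890", "----------");
    bool secretStillThere = std::strcmp(r.oldBuffer, "1234567890") == 0;
    eraseBuffer(r.oldBuffer, 10);
    bool zeroedAfterwards = isAllZero(r.oldBuffer, 10);
    delete[] r.oldBuffer;
    delete[] r.newBuffer;
    return secretStillThere && zeroedAfterwards;
}

// True if erasing in place neither moved the string's buffer nor changed its length.
bool inPlaceEraseKeepsBuffer() {
    std::string s = "1234567890";
    const char* before = s.data();
    eraseInPlace(s);
    return s.data() == before && s.size() == 10 && isAllZero(s);
}

int main() {
    std::cout << "naive reassignment leaves the secret in the old buffer: "
              << naiveReassignLeavesSecret() << '\n';
    std::cout << "in-place erase zeroes the existing buffer without moving it: "
              << inPlaceEraseKeepsBuffer() << '\n';
    return 0;
}
```

The example only covers the buffer the program itself still owns. It says nothing about copies made outside that buffer, such as temporaries a string class creates while reallocating, or pages the OS writes to the swap file as raised earlier in the thread; those are the places where the posters' WinHex findings would come from even when the erase routine itself works.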
On 20th Feb 2019 DDay.it published an article about this problem, which appears not to have been fixed: using KeePass, the master password can be found in the PC's RAM. Other software has this problem too: LastPass, 1Password, Dashlane.
Do we have to choose other security procedures?
I assume you are referring to this report:
https://www.securityevaluators.com/casestudies/password-manager-hacking/
What ISE found is a well-known and documented limitation of the process memory protection.
The relevant documentation is here:
https://keepass.info/help/base/security.html#secmemprot
Best regards,
Dominik
PS: Why are you resurrecting a thread from about 15 years ago? We've discussed the ISE report in detail already; just search the recent threads.
This article is really interesting. As you can see, it was published really recently (February 19, 2019). Certainly DDay.it referred to it. I'm not an expert and I read something that seemed worrying. It was surprising for me that this was a very old and not solved problem.
However, now I can make a more informed use of the software. Thanks to your suggestion I activated secure desktop and I'll try to use TCAT obfuscation.
Best regards.
Alberto
This is only an issue if you let malware onto your PC, and it is the same for anything you do on your PC, like logging into your bank. Using extra security options is less effective than keeping your PC clean, regularly AV/malware scanned and backed up.
cheers, Paul