If an attacker modifies the xml config file (adding an export trigger on 'Opened database file') he will be able to export all the passwords, without us knowing it. Shouldn't the user be asked to confirm before exporting ?
In a word, yes.
You can turn off "Do not require entering current master key before exporting" under Tools > Options > Policy.
However, an attacker with enough access to add a trigger and then collect the export can turn this off.
Basically, if an attacker has full access to your machine, it's no longer your machine.
Use full disk encryption, make sure your anti virus is up to date and run a regular malware scan with something like MalwareBytes AM.
cheers, Paul
See also:
https://keepass.info/help/kb/sec_issues.html#cfgw
https://keepass.info/help/base/security.html#secspecattacks
Best regards,
Dominik
Thank you Dominik,
But I'm not talking about a virus : a notepad is enough with access to the configuration file (for example by gaining remote access to the file).
As a keepass user I was not fooled since silent export is a standard feature of keepass.
If a password manager is as secure as a plain text configuration file, why should I use it instead of a spreadsheet to store my passwords on my computer ?
Forcing the use of 'require entering current master key before exporting' could be great
Best regards
If your computer is available to others you do not trust, perhaps using the portable version on a memory stick that is kept in your pocket is a better choice than installing the app on that computer?
This is a timebomb. There are times on most computers when someone else has access. Perhaps a version of Keepass without this feature at all!
+1 for password confirming this activity. I've always used a portable version in a [veracrypt] encrypted file mounted only when I'm logged in, to protect against the possibility of the main executable being tampered with when others are using the PC.
But for other people I've simply recommended KeePass to, I hadn't appreciated this relatively trivial way to exfiltrate information.
"Forcing the use of 'require entering current master key before exporting' could be great"
It seems you missed Paul's post above. "You can turn off "Do not require entering current master key before exporting" under Tools > Options > Policy."
There is also a policy to disable export entirely.
Hello wellread1 ,
When I said 'force' I meant 'not be able to disable'.
As Paul also said : 'However, an attacker with enough access to add a trigger and then collect the export can turn this off.'
And the policy to disable export also seems to be stored in the configuration file.
With the Windows program, the encrypted database is by default as secure as a plain text file (i.e. the KeePass configuration file).
To enforce policies and other settings, use an enforced configuration file (KeePass.config.enforced.xml file) and write protect the KeePass application directory (typical for a version of KeePass installed in a Windows Program Files directory). See https://keepass.info/help/kb/config_enf.html and https://keepass.info/help/base/configuration.html.
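The mitigation described in this post (an enforced configuration file plus a write-protected application directory) and the risk raised earlier in the thread (a trigger silently added to the configuration) can both be checked mechanically. The following Python script is an added example for this discussion, not code from the thread and not part of KeePass itself. It assumes that KeePass.config.xml carries its triggers under an element named TriggerSystem (with an Enabled flag and Trigger children that have a Name) and its export policy as boolean elements named Export and ExportNoKey under an element named Policy; a missing policy flag is treated as "allowed", which matches the "you can turn off" wording above. The enforced file name comes from this post; the XML samples and the trigger name are constructed for the example.

```python
"""Audit a KeePass.config.xml for silent-export risk (added example, not KeePass code).

Assumed element names (not confirmed by the thread): TriggerSystem, Enabled,
Trigger, Name, Policy, Export, ExportNoKey. Missing policy flags default to
"allowed". SAMPLE_WEAK and SAMPLE_HARDENED are constructed inputs.
"""
from __future__ import annotations

import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

ENFORCED_NAME = "KeePass.config.enforced.xml"  # file name named in the thread


@dataclass
class ConfigAudit:
    trigger_system_enabled: bool = True
    triggers: list[str] = field(default_factory=list)   # names of every configured trigger
    export_allowed: bool = True
    export_without_key_allowed: bool = True

    def findings(self) -> list[str]:
        """Conditions a defender would want to review, in plain words."""
        out: list[str] = []
        if self.trigger_system_enabled and self.triggers:
            out.append("triggers configured: " + ", ".join(self.triggers))
        if self.export_allowed:
            out.append("export policy: allowed")
            if self.export_without_key_allowed:
                out.append("export policy: master key not required before export")
        return out


def _flag(parent: ET.Element | None, tag: str, default: bool) -> bool:
    """Read a true/false child element; an absent element yields the default."""
    if parent is None:
        return default
    text = parent.findtext(tag)
    if text is None:
        return default
    return text.strip().lower() == "true"


def audit_config(xml_text: str) -> ConfigAudit:
    """Parse the configuration and collect trigger and export-policy state."""
    root = ET.fromstring(xml_text)
    audit = ConfigAudit()

    # Every trigger is listed, not only export ones: a reviewer should see them all.
    trigger_system = next(root.iter("TriggerSystem"), None)
    if trigger_system is not None:
        audit.trigger_system_enabled = _flag(trigger_system, "Enabled", True)
        for trig in trigger_system.iter("Trigger"):
            audit.triggers.append((trig.findtext("Name") or "(unnamed)").strip())

    policy = next(root.iter("Policy"), None)
    audit.export_allowed = _flag(policy, "Export", True)
    audit.export_without_key_allowed = _flag(policy, "ExportNoKey", True)
    return audit


def check_app_dir(app_dir: Path) -> dict[str, bool]:
    """Is an enforced config present, and can the current user write to the directory?"""
    return {
        "enforced_config_present": (app_dir / ENFORCED_NAME).is_file(),
        "app_dir_writable": os.access(app_dir, os.W_OK),
    }


# Constructed sample: one trigger present, export allowed without the master key.
SAMPLE_WEAK = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger><Name>Example trigger (constructed)</Name></Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
  <Security>
    <Policy><Export>true</Export><ExportNoKey>true</ExportNoKey></Policy>
  </Security>
</Configuration>"""

# Constructed sample: trigger system off, export blocked entirely.
SAMPLE_HARDENED = """<Configuration>
  <Application><TriggerSystem><Enabled>false</Enabled></TriggerSystem></Application>
  <Security><Policy><Export>false</Export><ExportNoKey>false</ExportNoKey></Policy></Security>
</Configuration>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python audit.py <path to KeePass.config.xml>
        xml_path = Path(sys.argv[1])
        audit = audit_config(xml_path.read_text(encoding="utf-8-sig"))
        print(check_app_dir(xml_path.parent))
    else:
        audit = audit_config(SAMPLE_WEAK)
    for line in audit.findings() or ["no findings"]:
        print(line)
```

Run against a real configuration, the script reports both what the config allows and whether the directory-level protection this post recommends is actually in place; an application directory that is writable by the current user leaves the enforced file as editable as the ordinary one.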
The database is as secure as the physical PC. Computing security 101.
cheers, Paul
The database is at least as secure as the physical PC. A password manager should not rely on the user setting proper permissions for the config files, and security related settings should be as protected as the passwords themselves.
If the executable or the libraries are modifiable there is nothing anyone can do, but besides that, the database should be more secure than the PC it's running on.
wellread1, I have read the documentation about the enforced configuration file, but by default the configuration file is a plain text file: by default the KeePass exe is insecure.
Paul, you should say "The database is as secure as Notepad".
Why do you use keepass?
I chose to encrypt my passwords with keepass so that they are easier to manage, and not readable by everyone.
I don't use it so that an attacker can easily access all my passwords, at once, using notepad
There is a mistake on the keepass homepage (for windows application) because it says : "which helps you to manage your passwords in a secure way", "Database files are encrypted using the best and most secure encryption algorithms currently known"
This point is missing: "someone can ask to export all your passwords in clear text without you knowing it"
"by default configuration file is a plain text file : by default keepass exe is insecure."
The KeePass configuration file is a set of workspace settings that must be loaded at startup before any database is loaded. These settings are not secrets. While it is possible to choose inappropriate workspace settings, obfuscating or encrypting a user's poor settings choices would not make KeePass more secure.
Though many workspace settings don't require protection, it may be appropriate to write protect others, even though they aren't secrets. The operating system provides the means to write protect workspace settings through the appropriate application of folder permissions. KeePass can make use of an enforced configuration file that is suitable in this situation.
You propose a workaround.
Why do people trust KeePass and use it instead of a spreadsheet? Perhaps because it is supposed to provide additional security, simply by clicking on the 'install' button.
And how many know that by default a simple text editor will configure keepass to export, the next time they open it, all passwords in clear text without notification or confirmation?
I propose a supported configuration.
Not all configurations are desired, feasible or appropriate in all circumstances for every user. KeePass ships with its I/O features enabled. It is intended for a user that wants flexibility and is willing to configure KeePass features appropriate to the working environment. It certainly makes sense to disable I/O features that you don't use. If you are concerned that your working environment is vulnerable, you can also sacrifice some convenience and disable additional I/O features, or increase the security of your working environment.
For most users a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Windows environment. No password manager is safe to use when the operating environment is compromised by a malicious actor.
So why do most users need to use a tool like KeePass (encrypted password database) if using a timely patched, properly managed, and responsibly used Windows environment is enough?
Having multiple layers of security is better.
The KeePass application security layer seems too light and the risk is very important: KeePass allows an attacker to silently discover ALL the user's passwords.
To bypass the KeePass security layer: no need for a virus or any special skills; the Windows Notepad application and the KeePass documentation are enough.
Using a password manager is one layer in an inter-dependent multi-layer security scheme. A password manager provides the following:
Provided that the database master key remains secret, account credentials are completely safe when the database is closed.
Account credentials can be conveniently stored, managed and used with features designed for the task.
Open databases get some protection against generic attacks.
The amount of protection can be customized through proper configuration, and by correctly using OS provided security features such as administrator & standard user accounts, and folder permissions.
Last edit: wellread1 2022-12-10
In a sensitive application, the password is requested before an impacting modification action.
For example in windows : when changing the password, or when entering the admin account before a system modification.
"Open databases get some protection against generic attacks." I gave a counter-example for keepass, open it and perhaps someone has exported its content.
A chain is as strong as its weakest link
Why do you ignore my request to add a confirmation before exporting all passwords in clear text as done with export trigger ? (saying there is an optional disable option is not very secure)
Nobody ignored your request.
You have already been told how to enable an export confirmation, or block exporting entirely. See
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#1914
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#42af
You have also been told how to enforce these settings. See
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#9a36
First of all, as you can see, I am looking for ways to improve the security of keepass and I thank you for answering my questions.
'Ignore' is not the right word; you avoid it. I suggest that the consequences of changing the configuration file are significant and can be improved.
these suggested solutions are based on the same weak configuration file :
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#1914
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#42af
and if I apply these settings, why would I need keepass if I can protect a file :
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?limit=25#9a36
why can't you add a confirmation before exporting all passwords in clear text as done with export trigger ?
Addendum:
in your post : https://sourceforge.net/p/keepass/discussion/329220/thread/ba82af7955/#628f
you forget to mention that a hacked configuration file can reveal all the content of the password database without the user knowing it
Right, it is time for you to find another password manager or use Notepad.
Unfortunately that will not help him
if he lets others execute arbitrary tools on his PC.
Last edit: Horst 2022-12-10
https://keepassxc.org/
As far as I can tell, KeePassXC doesn't have this vulnerability.