11

Everyone says "the code is open source, go check it out". The truth is, I neither know how to validate the complex code nor can I understand the binaries in code or predict their behaviours. Has anyone actually read it, understood it and validated it for

  1. proper implementation of AES standards
  2. backdoors
  3. risk of the program itself sending data to places it shouldn't (malicious code).

I did my part by researching online and found no shred of evidence of anyone serious (who is actually in the position of judging implementation of cryptography) validating this and confirming it's safe to use. It'd be very helpful if anyone can point me to relevant literature or verify if they've actually done the work.

schroeder
LearnByReading
    I should add that I've seen ad-style pages, such as the ones in PC Magazine or such, that encourage the use of KeePass by saying how great the interface is, but that's far from actually judging its implementation. – LearnByReading Nov 26 '15 at 13:42

2 Answers

12

There is a paper by Paolo Gasti and Kasper Bonne Rasmussen from the University of California which looks at the storage formats used by various password managers - they do highlight some issues with the KeePass 2.x format, but these have been fixed since the paper was published.

There was also a tool released, KeeFarce, which claimed to be able to extract passwords from the memory of running KeePass instances.

However, I can't find any evidence of an independent security analysis being carried out against the code. I can't find any evidence of one against PasswordSafe, which is probably the most direct competitor, either.

In this case, though, I suspect that even a password safe with local flaws (e.g. in-memory data being recoverable) is better than repeating passwords across multiple sites, given the most common attack vectors. It is rare for non-nation-state/espionage attackers to go after specific passwords. They tend to go for database dumps with lots of different passwords in, looking for potentially useful data they can use to gain value, in the form of more useful sites, or in goods. Even an unencrypted text file with site-specific passwords in, stored on your local system (please don't do this!) offers good protection against this attack method, compared with memorising one really strong password and using it everywhere. Clearly, this wouldn't apply if the safe was sending password data out to a third party, but this is also easier to check - run the application on a machine connected through a monitoring switch, and see if it sends anything you aren't expecting during use.

I would be all for an independent security analysis of various open-source password safe systems, but this does require specialist knowledge, and to be repeated if there are major changes to any part of the codebase. This is probably out of the budget for any lone open-source developer. Until then, I would rather people use a unique password for each site they log into, and even a flawed local implementation is probably overall more secure.

Matthew
  • Wow, thank you so much for your insightful answer - I definitely had not seen that scientific publication. I will review that shortly – LearnByReading Nov 26 '15 at 14:25
  • 7
    An attacker in the position to use KeeFarce (i.e. can execute code as a local admin) can do many other things, like targeting the victim with a keylogger. I wouldn't really count this as a flaw of KeePass. KeeFarce just shows: don't allow malware on your system. – Volker Nov 26 '15 at 15:10
  • 1
    @Volker Exactly - there are means of protecting against such accesses, which could be applied, but it seems to make more sense to address any issues that could result from, say, an attacker obtaining a password database, first, since it's a more viable attack method. – Matthew Nov 26 '15 at 15:17
  • 3
    @Matthew: But this isn't what KeeFarce is about. It can read the passwords from memory if the user has currently opened the KeePass database. With every password manager the passwords are going to be in memory eventually. KeePass still properly encrypts the database, so it's still safe against offline attacks. – Volker Nov 26 '15 at 15:21
  • 1
    @Volker Yes, and it would be possible to protect against that kind of memory reading. For example, it could refuse to run if any unknown software is currently running - it would be unusable, but even so! In a less dramatic method, it could require the master password to be entered for each individual stored password accessed, only decrypting each one as required, with a slow process. Still fairly unusable, and only defending against a very specific attack. It isn't worth doing so - it's not a very viable attack method, and would make the system less user-friendly at all times. – Matthew Nov 26 '15 at 15:50
  • I had thought that KeePass has an option that turns off any potential key loggers. Is this not true? is that feature not reliable? – LearnByReading Nov 26 '15 at 16:45
  • 2
    @LearnByReading It has an anti-keylogging feature. This works by splitting up the password into a series of steps, such as pasting half the password into the field, sending keypress events to go back x positions, pasting in other bits, sending keypress events for some keys, and generally making it difficult for a keylogger to find the whole password. It doesn't protect against memory reading, which is the method KeeFarce uses. Against keyloggers, this is fine - Ctrl-V doesn't tell you the password, and arrow keys are unhelpful, but it's a protection for a specific threat. – Matthew Nov 26 '15 at 17:01
  • You're truly in trouble if someone is reading your memory... but at least, KeePass times out the memory hold, you can set it to whatever. I believe default is 12sec and my understanding is it then overwrites it, but I am not 100% on this. Which is better than KeePassDroid... it stops the pasting after an allocated time, BUT you can retrieve all that you copied (user, pw) from the clipboard. – rhymsy Nov 27 '15 at 16:36
  • 2
    If your attacker has local admin rights, it doesn't matter how much obfuscation, avoidance, or key pressing the password manager do. For all we know, the attacker could have replaced the kernel to lie to the password manager and the user about anything. – Lie Ryan Nov 30 '15 at 15:05
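The split-entry scheme Matthew describes in the comments above (paste some pieces through the clipboard, type others, move the cursor back with arrow keys), as an added example. This is a small model written for this page, not KeePass's own Two-Channel Auto-Type Obfuscation code; the chunk size, the paste/type alternation and the last-chunk-first ordering are this model's own choices, picked only to show the property that matters: a logger that records keystrokes alone never sees the whole password, while the target field still ends up with the right text.

```python
"""Model of split auto-type entry: typed chunks and clipboard chunks are
interleaved and written last-first, using Left presses to back the cursor
up so that each earlier chunk lands in front of the later ones.
Constructed example; not KeePass's implementation."""

from typing import List, Tuple

# ("type", one character) | ("paste", chunk via clipboard) | ("left", count as str)
Action = Tuple[str, str]


def split_chunks(password: str, size: int = 3) -> List[str]:
    """Cut the password into fixed-size pieces (the size is arbitrary here)."""
    return [password[i:i + size] for i in range(0, len(password), size)]


def plan_entry(password: str, size: int = 3) -> List[Action]:
    """Build the action sequence. Chunks are entered last-first: a chunk is
    inserted at the cursor, then the cursor is moved left over it so the next
    (earlier) chunk is inserted in front of it. Even-numbered chunks go through
    the clipboard, odd-numbered chunks are typed key by key."""
    chunks = split_chunks(password, size)
    actions: List[Action] = []
    for idx in range(len(chunks) - 1, -1, -1):
        chunk = chunks[idx]
        if idx % 2 == 0:
            actions.append(("paste", chunk))
        else:
            actions.extend(("type", ch) for ch in chunk)
        if idx > 0:
            actions.append(("left", str(len(chunk))))
    return actions


def replay(actions: List[Action]) -> str:
    """Simulate the receiving text field: insert at the cursor, honour Left."""
    buf, cur = "", 0
    for kind, arg in actions:
        if kind == "left":
            cur = max(0, cur - int(arg))
        else:  # "type" and "paste" both insert text at the cursor
            buf = buf[:cur] + arg + buf[cur:]
            cur += len(arg)
    return buf


def keylogger_view(actions: List[Action]) -> str:
    """What a keystroke-only logger records: typed characters, a Ctrl+V for
    each paste, and the arrow-key presses. The pasted text itself is absent."""
    out = []
    for kind, arg in actions:
        if kind == "type":
            out.append(arg)
        elif kind == "paste":
            out.append("<Ctrl+V>")
        else:
            out.append(f"<Left x{arg}>")
    return "".join(out)


def clipboard_view(actions: List[Action]) -> List[str]:
    """What a clipboard sniffer records: only the pasted chunks, in the order
    they were pasted (which is not the order they appear in the password)."""
    return [arg for kind, arg in actions if kind == "paste"]


if __name__ == "__main__":
    plan = plan_entry("correct horse")
    print("field gets :", replay(plan))
    print("keylogger  :", keylogger_view(plan))
    print("clipboard  :", clipboard_view(plan))
```

Running it shows the field receiving `correct horse` while the keystroke log reads `<Ctrl+V><Left x1>ors<Left x3><Ctrl+V><Left x3>rec<Left x3><Ctrl+V>`. The two views together do reconstruct the password, which is the point Volker and Lie Ryan make: this defeats a keystroke-only logger, not an attacker who already runs code on the host and can read the clipboard or process memory as well.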
5

I am personally not qualified to be reviewing the code and commenting upon it either; however, I can tell you that submitting code ("packets") over the network from a computer is not an easy task: you need to provide a network address and overcome both the OS firewall and the antivirus firewall. I also found a paper that seems to suggest that the authors have looked at the implementation of this program. Aside from these ASSUMPTIONS, here is the test I conducted:

I installed KeePass on a test computer that has no programs except the OS and drivers installed on it. All drivers are blocked from obtaining updates from the internet. I reviewed the network traffic using the logs from my firewall (Sophos Enterprise firewall) and found no communication from KeePass to any external network parties. Further, I found no communication from my computer to the internet except from a few host/Windows processes.