
I often need to get several passwords from my Keepass during the same day and I find myself having to open it and input the master password every single time, which is awfully laborious. The obvious solution to this problem would be to leave it opened permanently, but is it secure?

(I know I can "lock" it but I'd still have to input master password each time so not really satisfactory option)

drake035
    This really depends on where you're going, if you're sitting in your apartment all alone then it's probably safe. Basically the biggest issue here would be someone using the device while you're away, but you should **never leave your device unattended**. – sethmlarson Feb 18 '16 at 23:50
  • Yep living alone, I'm just worried about some trojan/malware being able to access all my passwords since Keepass is left open on my computer (and hence the master password barrier is gone) – drake035 Feb 19 '16 at 12:01
  • Also see [Super User](https://superuser.com/questions/575715/) and [Reddit](https://www.reddit.com/r/KeePass/comments/i3x016/) – Marco Eckstein Dec 14 '21 at 16:26

3 Answers


It is safe if your computer is safe from unauthorized access. This includes malware.

If your computer is not physically safe, then no, anyone can access your Keepass. If your computer has malware on it, it can also access your Keepass if it is left unencrypted.

d1str0

When you have it open, it is as safe as the computer, especially if you don't have auto lock enabled.

It is vulnerable against: physical access, malware, basically anything that can access your computer. If you can prevent those (plus some less prevalent ones), it's safe, but if you cannot, I would not risk it.

Ladislav Louka
    Malware can just as easily access the data in the short period of time while the password store is unlocked, as at some other point in time. That particular threat wouldn't depend on the password store remaining unlocked for any significant amount of time. – user Feb 20 '16 at 12:23
  • Well of course, it was meant as an example of direct dangers to the system. – Ladislav Louka Feb 20 '16 at 13:30
  • Are you absolutely sure about that? I mean if Keepass is opened on my computer with all passwords listed on my screen, then surely some malware could access these more easily than if Keepass was closed, isn't it? – drake035 Feb 22 '16 at 18:03
  • Yeah but the point is that leaving it open on an infected computer is no different from just logging in. The time period is irrelevant for this kind of attack. Only one thing comes to mind, which is a RAT (remote access trojan), which would benefit from you not being at the computer. Other kinds of infection would more likely try to extract data from inputs, memory or other sources than direct control. – Ladislav Louka Feb 23 '16 at 13:44

Assuming there is malware on your device which tries to scan main memory for your sensitive data, the answer unfortunately is no.

Keepass provides some protection against this threat. It admittedly tries its best to protect your passwords (but not your user names etc.) in memory:

> While KeePass is running, sensitive data is stored encryptedly in the process memory. This means that even if you would dump the KeePass process memory to disk, you could not find any sensitive data. For performance reasons, the process memory protection only applies to sensitive data; sensitive data here includes for instance the master key and entry passwords, but not user names, notes and file attachments. Note that this has nothing to do with the encryption of database files; in database files, all data (including user names, etc.) is encrypted.
>
> Furthermore, KeePass erases all security-critical memory (if possible) when it is not needed anymore, i.e. it overwrites these memory areas before releasing them.
>
> For some operations, KeePass must make sensitive data available unencryptedly in the process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must supply the cell content (the password) as unencrypted string (unless hiding using asterisks is enabled). Operations that result in unencrypted data in the process memory include, but are not limited to: displaying data (not asterisks) in standard controls, searching data, replacing placeholders (during auto-type, drag&drop, copying to clipboard, ...), importing/exporting files (except KDBX) and loading/saving unencrypted files. Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass.

A 2019 study linked on Reddit (using KeePass 2.40) has demonstrated how passwords can be left in memory unencrypted. This applies only to passwords you have interacted with in the open session, and does not apply to the master password. Apparently, there is no difference in security regarding this issue with locked or unlocked state. (Obviously, locked state still prevents people from using your Keepass file if you leave your device unlocked and unattended.) They conclude:

> End users should, as always, employ security best practices to limit exposure to adversarial activity, such as:
>
> (...)
>
>   • Shutting a password manager down completely when not in use even in a locked state (If using one that doesn't properly sanitize secrets upon being placed into a locked running state)

However, there is only a threat if there is malware on your device. So, it could also be that the malware

  • steals your sensitive data in the few seconds you have Keepass opened.
  • is a keylogger. Though Keepass offers some protection against keyloggers, I am not sure whether it applies to the master password. If not, you could still use an additional master key file to mitigate this issue.

So the question remains open how much additional security the habit of always closing (not only locking!) Keepass as soon as possible really offers in practice.

As an idea for a tradeoff between security and convenience, you could use two Keepass files: one you close as soon as possible that you use for super-sensitive data like email logins, banking logins, crypto asset keys etc.; and another one you leave open for a long period of time that you use for less sensitive data like message board logins etc.

Disclaimer: I am not a security expert, only a professional software developer.
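To make the memory-protection behaviour quoted in the last answer concrete, here is an added example (written for this page, not KeePass's own code, and far simpler than its real implementation): a toy arena stands in for process memory, an entry's password is stored masked, and a dump scan is run at each stage the KeePass documentation describes: at rest, while displayed, after wiping, and after a copy the application cannot erase. The `Arena`, `ProtectedEntry` and `demo` names are assumptions of this example, and the masking key is idealised as living outside the dumpable arena.

```python
import secrets
# Constructed model of a process heap: a flat bytearray a memory dump would capture whole.
class Arena:
    def __init__(self, size: int = 4096):
        self.mem = bytearray(size)
        self._next = 0

    def alloc(self, data: bytes) -> int:
        # As with a real allocator, release never zeroes; only wipe() does.
        off = self._next
        self.mem[off:off + len(data)] = data
        self._next += len(data)
        return off

    def wipe(self, off: int, n: int) -> None:
        self.mem[off:off + n] = bytes(n)

    def dump_contains(self, needle: bytes) -> bool:
        return needle in self.mem  # what a memory-scanning trojan does with a dump

# Entry password kept XOR-masked with a random per-entry key, so plaintext is
# in the arena only while revealed. Idealised: the key itself lives outside it.
class ProtectedEntry:
    def __init__(self, arena: Arena, secret: bytes):
        self.arena, self.n = arena, len(secret)
        self._key = secrets.token_bytes(self.n)
        masked = bytes(a ^ b for a, b in zip(secret, self._key))
        self._off, self._shown = arena.alloc(masked), None

    def reveal(self) -> int:
        # Unmask into a fresh buffer (e.g. for a list view); conceal() wipes it.
        masked = self.arena.mem[self._off:self._off + self.n]
        self._shown = self.arena.alloc(bytes(a ^ b for a, b in zip(masked, self._key)))
        return self._shown

    def conceal(self) -> None:
        self.arena.wipe(self._shown, self.n)

def demo(secret: bytes = b"correct horse battery staple") -> dict:
    arena = Arena()
    entry = ProtectedEntry(arena, secret)
    seen = {"at_rest": arena.dump_contains(secret)}
    entry.reveal()
    seen["while_shown"] = arena.dump_contains(secret)
    entry.conceal()
    seen["after_wipe"] = arena.dump_contains(secret)
    arena.alloc(secret)  # a framework copy the app itself cannot wipe
    seen["unwipeable_copy"] = arena.dump_contains(secret)
    return seen
```

The last stage is the one the KeePass text warns about: once something outside the application's control holds a plaintext copy, closing or locking the database no longer removes it from a dump, which is why the 2019 study's advice is to shut the manager down rather than rely on the locked state.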