16

Can malware that has infected your local computer compromise a KeePass database stored locally in any way?

If yes, what's the point of KeePass having such strong security mechanisms if it cannot resist this scenario? If you keep your DB locally, isn't this scenario the main threat that exists?

user2428118

KB303

5 Answers

28

Yes - if the malware included a keylogger, for example, it could simply read the master password when you typed it in. The only real way to prevent that would be to have KeePass be the only software running, on a verified secure computer (e.g. no hardware keyloggers, no VMs, etc.) which would somewhat defeat the purpose of having passwords to hand.

However, the same malware would also be able to read the master password for a cloud based database, when you opened it. It's not specific to local database files. In fact, it could take a less invasive piece of malware to do that - if you've installed a dodgy browser extension and view your passwords through a web site, it would be able to see what you typed in the browser, but (probably) not what you typed into any other program.

If you're using a system which has malware on, assume it can do anything you can do - if you can read a file, so can the malware. If you can contact a specific server, so can the malware. If you can disable your AV software, so can the malware. It might need to get details off you in order to do it (e.g. passwords), but the key is to avoid getting it on the system, rather than trying to ensure that every single piece of software detects the presence of it.

Matthew
  • KeePass actually does have systems in place to stop keyloggers (such as only allowing the master password to be entered in a secure UAC prompt on Windows). That said, no system is foolproof. – Ajedi32 Jun 19 '17 at 15:36
  • @Ajedi32 That doesn't appear to be the default setting, at least, not for the portable version. It also wouldn't be impossible to produce a fake UAC prompt, even if it might not stand up to close inspection. Most users just enter their credentials in anything that looks vaguely right. – Matthew Jun 19 '17 at 15:58
17

When your computer is compromised, pretty much any defense on it should be considered broken. Security threat models consider this an out-of-scope scenario - barring very few exceptions (e.g., the very purpose of your software is to be the last line of defense).

That said, password managers (like KeePass) that store the password database locally do resist a compromise to some extent - by encrypting the database using strong measures. If you configure it as intended (e.g., use a strong master password + a key file that you don't store locally) it will resist brute-force and dictionary attacks. It will even resist capture of passwords from the clipboard if you only use the auto-type feature. The clipboard exposure can also be limited to a single use and to just a few seconds.

However, it cannot resist keyloggers because that is an environmental problem outside KeePass. The environment is given to KeePass - not something it can control. It is possible for a keylogger to capture the master password as you type it and call home to report it - along with the KDB / KDBX file and any associated key file.

I wouldn't expect every piece of software to resist every possible attack (that is somewhat like looking for a panacea). I would consider password managers - especially KeePass / KeePassX - very good for what they do.

Sas3
  • Thank you for your answer. Good to know for the dictionary and brute-force attacks. Concerning the auto-type feature, unfortunately KeePassX does not offer it; it's only offered for KeePass I think. I would have liked it. – KB303 Jun 19 '17 at 12:10
  • I use KeePassX v2.0.3. I use AutoType wherever "2-step login" is not required. It can be customized to a small extent too (delay and the order of field-data, mostly). It causes some unexpected results sometimes (e.g., if capslock is on; or if the cursor is not in the userid field), but the feature is definitely there. Unless of course, we both mean different things by auto-type. :) – Sas3 Jun 19 '17 at 12:28
  • You must be running a Linux distribution. I'm afraid this feature does not exist on OS X. – KB303 Jun 19 '17 at 19:54
  • @KB303 Windows KeePass has AutoType as well. – JAB Jun 20 '17 at 00:20
  • People who use KeePass also lock their doors, even though its known that a lock won't deter a serious adversary =) – Cort Ammon Jun 20 '17 at 19:01
  • @CortAmmon Ok, that burst my bubble! xD OTOH, all defense is good ONLY as long as you aren't targeted. When targeted, the best skills to have (practiced earlier) are detection and rapid recovery. – Sas3 Jun 21 '17 at 01:44
10

It's worth mentioning that there are settings inside KeePass to help restrict what malware (and you) can do. This lets you, for instance, prevent malware from simply exporting your entire database by injecting a few keystrokes.

It's not a failsafe, but it gives you more of a buffer between when you get infected and when you actually realize you've been infected.

[Image: Policy Dialog in KeePass 2.x (screenshot from KeePass 2.36)]

Spacedog
6

Attacks on KeePass

Can malware that has infected your local computer compromise a KeePass database stored locally in any way?

If you don't open it, they can only snatch the database file and try to brute-force the password (not easy) – unless, of course, they manage to obtain the master password in some other way.

If you do open the file, they can try to obtain the master password when you are typing it in to unlock the database. There's been at least one piece of malware that did just that.

Furthermore, it is possible for malware to inject itself into the KeePass process and extract the passwords stored in the database. A proof-of-concept piece of malware that does this was released in 2015.

Why use a password manager?

If yes, what's the point of KeePass having such strong security mechanisms if it cannot resist this scenario?

Well, defending against all the other possible scenarios in which your passwords can become compromised, of course! Because, what's the alternative to a password manager? Writing down passwords in a notebook? Re-using the same password for multiple accounts because you can't remember hundreds of passwords? Coming up with some 'clever' password creation scheme that results in different, but entirely predictable, passwords for every account?

Yes, it's theoretically possible to gain access to your password database in these ways, but because of the protections KeePass offers, it's only possible to compromise your passwords in these ways. (Okay, there's another way.)

But there are plenty of ways your passwords won't be compromised, such as:

  • A nosy colleague looking in the notebook with your passwords;
  • The file your passwords are in being included in a backup and stored somewhere insecure;
  • Somebody looking over your shoulder when you enter the password;
  • Somebody accessing your computer you forgot to lock when you went away;
  • A generic piece of spyware dumping your browser password database, or stealing the file with your passwords;
  • Malware intercepting web browsing traffic before it gets encrypted (assuming you're using HTTPS) and stealing your login details from there;
  • Hardware keyloggers (although they can steal the master password, an attacker would still need to obtain the password database using other means);
  • The editor you're using to save your passwords crashing and the crash dump with your passwords getting sent to the developer;
  • Somebody booting up your PC from USB or CD and taking your password file;
  • Somebody stealing your computer and taking your password file;
  • You reusing your password on multiple websites because you can't remember 1,219 different passwords, and one of these websites getting hacked;
  • … et cetera.

If you keep your DB locally, isn't this scenario the main threat that exists?

No. I'm positive that, of the scenarios above, there are multiple that are far more likely to occur than malware going specifically after KeePass. Risk #1 is probably re-using a password across websites and that site getting compromised. (For example, there are currently 3,805,757,030 breached accounts listed in Have I been pwned?.)

Defense

Although, as KeePass' developer agrees, there's ultimately no way to stop attacks specifically targeting KeePass, it is certainly possible to raise the bar for an attacker. For example, there's a feature to defend against keyloggers obtaining the master password when unlocking the database, a feature for locking your password database when you're not using it, et cetera.

It's worth investigating if you want to enable some of these features, but I'd not recommend just turning on some or all of these without thinking; there's a non-negligible impact on usability, and the potential benefits might be small, depending on what you're up against. Mind that an attacker won't necessarily have to get your password from KeePass, but can also choose to attack the program that you're entering the password in.

Conclusion

A password manager won't defend you against everything… because it can't. To quote Law #1 from the Ten Immutable Laws Of Security,

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

The things a password manager does defend against, however, still mean that using one is a very good idea.

user2428118
  • +1 for quoting the Ten Immutable Laws Of Security. I'm surprised no one mentioned it until now. – Ploni Jun 20 '17 at 17:06
3

To complement @Matthew's answer: the point of having an encrypted password database is to protect it against offline attacks. For example, it can protect the database if you put it on a USB key and lose it, or if your powered-off computer is stolen. Also, you can safely use a backup service or cloud-based synchronization service with your password database. (This applies only if you use a strong passphrase and do not synchronize your key file.)

A. Hersean
  • Thank you for your answer. Ok, so if I have a desktop computer that is not at risk of being stolen and if I don't use a USB/cloud solution to expose my database (so if I keep my DB exclusively locally), there is no need to use KeePass, no? I was intending to use it considering the threat of a malware compromise, but apparently it wouldn't protect my passwords. – KB303 Jun 19 '17 at 11:55
  • There is a benefit to using a password manager, at least to generate strong random passwords, different for each website. However I do not make any recommendation on the password manager to use: it strongly depends on your needs. You can use the one provided by your browser, use a plugin, use dedicated software or a pen-&-paper notebook. Some are better than others, some have public audits or reports on their security (or lack thereof). I do not know of a perfect password manager, but I still use one. – A. Hersean Jun 19 '17 at 12:04
  • Right, the complexity of the password is interesting indeed. Thank you. For the password manager, I would quite recommend KeePass, which is maybe the only free and open source one (or at least the most well known). It has been recommended by official certifying bodies. – KB303 Jun 19 '17 at 12:05
  • The longest-standing open source implementations are probably KeePass (and derivatives such as KeePassX and the various third party mobile clients) and Password Safe (which also has compatible implementations). Both of these have had some analysis performed against the DB formats: https://www.cs.ox.ac.uk/files/6487/pwvault.pdf – Matthew Jun 19 '17 at 12:28
  • @Matthew: Very instructive article, thanks! However, I cannot find the release date; the Chrome password manager (Smart Lock) does not store the password locally in the clear today. – KB303 Jun 19 '17 at 13:41
  • @KB303 January 2012, for that paper, so it's fairly old. There are other assessments of specific software around too, but they don't always cover these specific packages. – Matthew Jun 19 '17 at 14:09
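As an added illustration of the offline-attack point made in Sas3's and A. Hersean's answers (a stolen database file can only be attacked by guessing the master key, and a key file kept off the machine removes even that), here is a constructed Python model; it is not KeePass's code. The composite-key step follows KeePass's documented SHA-256 combination of the password hash and key-file hash, PBKDF2 stands in for KeePass's AES-KDF/Argon2 transformation, and every seed, word and key-file value below is a constructed sample.

```python
import hashlib
import time
from typing import Iterable, Optional

# Composite key modelled on KeePass's documented construction: SHA-256 over the
# concatenated SHA-256 hashes of each key source (password, then key file).
# This is an illustration, not KeePass's own implementation.
def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()

# Work-factor step. PBKDF2-HMAC-SHA256 is a stand-in for KeePass's AES-KDF or
# Argon2 transformation; the model only cares that each guess costs `rounds` work.
def transform_key(composite: bytes, seed: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", composite, seed, rounds)

def make_verifier(password: str, keyfile: Optional[bytes],
                  seed: bytes, rounds: int) -> bytes:
    """What a stolen database effectively lets an attacker test guesses against."""
    return transform_key(composite_key(password, keyfile), seed, rounds)

def resists_wordlist(verifier: bytes, seed: bytes, rounds: int,
                     wordlist: Iterable[str],
                     attacker_keyfile: Optional[bytes] = None) -> bool:
    """True if no word in `wordlist`, combined with whatever key file the
    attacker holds (None = key file not on the stolen machine), reproduces
    the stored verifier. Use it to check your own configuration."""
    for word in wordlist:
        if make_verifier(word, attacker_keyfile, seed, rounds) == verifier:
            return False
    return True

def seconds_per_guess(seed: bytes, rounds: int, samples: int = 20) -> float:
    """Measure the cost of one guess at this round count on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        transform_key(composite_key(str(i)), seed, rounds)
    return (time.perf_counter() - start) / samples

def estimated_attack_seconds(wordlist_size: int, seed: bytes, rounds: int) -> float:
    """Rough single-core time to exhaust a wordlist; raising `rounds` scales it."""
    return wordlist_size * seconds_per_guess(seed, rounds)

if __name__ == "__main__":
    SEED = b"constructed-transform-seed"          # constructed sample value
    KEYFILE = b"constructed key file contents"    # constructed sample value
    WORDS = ["letmein", "password123", "qwerty"]  # constructed toy wordlist
    weak = make_verifier("password123", None, SEED, 20000)
    print("weak password, no key file, resists:", resists_wordlist(weak, SEED, 20000, WORDS))
    with_kf = make_verifier("password123", KEYFILE, SEED, 20000)
    print("same password + off-machine key file, resists:", resists_wordlist(with_kf, SEED, 20000, WORDS))
    print("seconds to exhaust wordlist at 20000 rounds:", estimated_attack_seconds(len(WORDS), SEED, 20000))
```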