Plenty of "passwords in memory" and "KeePass" related (old) topics in here, but most of them are about how to harden key protection; plus it seems the protection mechanisms in KeePass have evolved over the last couple of years.

In 2021, while KeePass is running and unlocked, I understand the master key is stored in RAM (obfuscated, though). So the only moment you are vulnerable is when your KeePass is kept unlocked for the day and someone could have some kind of control over your device, preferably on a remote session (RDP, C2, TeamViewer, etc.) or physically (unprotected Windows 10 session, as I understand you can't easily dump the RAM from USB/FW ports anymore while the session is locked).

Question 1: is the above still right on this day?

Question 2: while KeePass is opened and the RAM just dumped, has it become really difficult* to find the master key since KeePass states it's been obfuscated? *By difficult I mean 2 types of scenarios:

  1. for a national agency
  2. for a very good lonely hacker with limited financial means.
Ozwel
  • If a national agency has access to your laptop, they probably also have access to you and thus can use "enhanced interrogation" to extract the key not from the laptop, but from you. – Feb 15 '21 at 09:52
  • Interestingly, the concept of *plausible deniability* never worked against a proper "enhanced interrogation" – usr-local-ΕΨΗΕΛΩΝ Feb 15 '21 at 10:25
  • @MechMK1 "Enhanced Interrogation" is not always a feasible approach, and sometimes it is not even possible (as in the case of remote access only). – nobody Feb 15 '21 at 10:32
  • @nobody That is true. But then again, password managers aren't designed to mitigate against this kind of threat. They're designed to mitigate against using `Spring2021` as a password, and against companies who think storing passwords as an MD5 hash or in plain text is a great idea. Good luck cracking a 64-char random password. – Feb 15 '21 at 10:43
  • @MechMK1 You're absolutely right. They don't protect against passwords stored in plaintext though. – nobody Feb 15 '21 at 10:47
  • @nobody It really shows I've been awake for 30 hours, huh? And yeah, that is true, but if done well, it'll limit the damage done, since you won't re-use passwords. – Feb 15 '21 at 11:21
  • Is it really obfuscated? That sounds silly. – forest Feb 16 '21 at 03:21

1 Answer

Question 1: is the above still right on this day?

That is the only time the key can be extracted from memory. But if someone has the level of access to access memory, they can compromise your system in other ways, and then grab your keys the next time you log in.

has it become really difficult to find the master key since KeePass states it's been obfuscated?

The problem with obfuscation, or security by obscurity in general, is that only one person has to figure out how your system works and then the system is easy game for everyone.

In the particular case of KeePass, this is demonstrated by the existence of KeeThief. One person (or a group) reverse-engineered the obfuscation, and now state-sponsored and lone hackers alike can extract KeePass keys from memory. However, since KeePass protects the keys with DPAPI, the keys cannot be extracted from an isolated memory dump alone. Instead, you would have to be able to execute code on the same device (under the same user account) to decrypt the keys.

nobody
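To make the DPAPI point in the answer concrete, here is an added example that is not part of the original question or answer. It assumes Windows PowerShell 5.1 and uses .NET's ProtectedMemory class (the CryptProtectMemory side of DPAPI) as a stand-in, since the page does not say which DPAPI call KeePass makes; the key bytes are constructed.

```powershell
# Added example (not from the original post). Shows why a DPAPI-protected
# key does not show up in a raw memory dump as plaintext, and the caveat
# that plaintext copies must be wiped for the protection to mean anything.
# Assumes Windows PowerShell 5.1; ProtectedMemory is a stand-in for
# whatever DPAPI call KeePass itself makes.
Add-Type -AssemblyName System.Security

# Constructed 32-byte stand-in for a master key (ProtectedMemory needs a
# multiple of 16 bytes). Not a real key.
$key = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-KEY-0123456789abcdef')
$keyHex = [BitConverter]::ToString($key)   # kept only for the comparison below

# The buffer the application keeps around; protect it in place so that
# only code running inside this process can turn it back into the key.
$buf = [byte[]]::new($key.Length)
[Array]::Copy($key, $buf, $key.Length)
[System.Security.Cryptography.ProtectedMemory]::Protect(
    $buf, [System.Security.Cryptography.MemoryProtectionScope]::SameProcess)

# Mitigation detail: the protection only helps if no plaintext copy
# lingers, so zero the original array instead of leaving it for the GC.
[Array]::Clear($key, 0, $key.Length)

# What an isolated memory dump sees: the protected buffer holds ciphertext,
# so a byte search for the key bytes comes up empty.
$bufHex = [BitConverter]::ToString($buf)
"Key bytes visible in protected buffer: $($bufHex.Contains($keyHex))"

# Only code executing inside the owning process can reverse the
# protection, which is the "execute code on the same device" condition.
[System.Security.Cryptography.ProtectedMemory]::Unprotect(
    $buf, [System.Security.Cryptography.MemoryProtectionScope]::SameProcess)
"Key recovered from inside the process: $([BitConverter]::ToString($buf) -eq $keyHex)"

# Zero the working copy as soon as it is no longer needed.
[Array]::Clear($buf, 0, $buf.Length)
```

The hex comparison stands in for a string search over a dump: while the buffer is protected it contains none of the original key bytes, and only the Unprotect call made from within the same process restores them.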