KeePass is a program in which you can store your passwords and copy and paste them into websites. Does anyone know if it is safe against key logging software? Does key logging software pick up what you copy/paste?
KeeForm (an addition to KeePass) can help make you more resistant to many types of keyloggers; it securely sends your password directly to the form fields in your browser. Unfortunately, this doesn't completely protect against keyloggers that actually scan the forms in web browsers. – Adi May 20 '13 at 19:19

The [clipboard](http://en.wikipedia.org/wiki/Clipboard_\(computing\)) is shared memory that can be accessed from most or all programs. You can imagine the rest for yourself. – Gumbo May 20 '13 at 19:51

@Gumbo: Unless you use KeePass auto-type feature, as mentioned by user32089 below. – WhiteWinterWolf May 07 '15 at 10:08
5 Answers
The point of KeePass is not to prevent keyloggers. (Granted, incidentally it will almost prevent hardware keyloggers; someone inserting a keylogging device between your keyboard and computer will not be able to observe a password you used once via cutting and pasting. It doesn't really succeed in this task though, as an attacker could trivially record your login details as well as the passphrase used to unlock your KeePass file and then access all of your passwords.)
Its main benefits are:
- Never reuse a password (every site has a unique password), so if a password at example.com is leaked your other passwords are not compromised. Never accidentally enter the wrong password at the wrong site if you can't remember which one you used.
- Easy to generate strong random passwords at each site; e.g., 20 random upper/lower/numbers/symbols for each site, without difficulty of copying, or difficult to remember to clear your history.
- Easy to protect with one global strong passphrase and keep in a strong encrypted file that you can back up and sync among your computers. (And it doesn't lock you into one web browser or OS).
The major downside is that you shouldn't have any applications that record your clipboard history while using KeePass.
From the official website:
The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.
TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.
Clipboard spies don't work either, because only parts of the sensitive information is transferred on this way.
Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type.
It is sad that most other answers and comments seem to miss the KeePass auto-type feature, which is the actual KeePass answer against keyloggers and clipboard spies. – WhiteWinterWolf May 07 '15 at 10:07
But this protection does not apply to typing in the master password, or does it? – Marco Eckstein Dec 14 '21 at 17:07
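The two-channel split quoted in the answer above, as an added example that is not part of the original posts and is not KeePass's implementation: a simplified Python model showing what a keystroke-only observer and a clipboard-only observer each see, and what the target field receives. The function names, the half-and-half split and the use of caret keys to place typed characters are assumptions of this model.

```python
import random

def tcato_split(secret, rng):
    """Model of a two-channel send. Half of the characters travel via the
    clipboard (one paste), the rest as simulated keypresses.
    Returns (clipboard_text, key_events)."""
    n = len(secret)
    clip_pos = set(rng.sample(range(n), n // 2))
    clipboard = "".join(secret[i] for i in range(n) if i in clip_pos)
    events = ["<Ctrl+V>"]        # the key channel shows the paste, not its content
    cursor = len(clipboard)      # caret sits after the pasted text
    for p in (i for i in range(n) if i not in clip_pos):
        # Modelling assumption: caret keys place each typed character.
        events += ["<Left>" if p < cursor else "<Right>"] * abs(p - cursor)
        events.append(secret[p])
        cursor = p + 1
    return clipboard, events

def target_field(clipboard, events):
    """What the receiving text box ends up holding."""
    field, cursor = [], 0
    for ev in events:
        if ev == "<Ctrl+V>":
            field[cursor:cursor] = clipboard
            cursor += len(clipboard)
        elif ev == "<Left>":
            cursor -= 1
        elif ev == "<Right>":
            cursor += 1
        else:
            field.insert(cursor, ev)
            cursor += 1
    return "".join(field)

def keylogger_view(events):
    """A logger that keeps printable keys and ignores caret movement."""
    return "".join(ev for ev in events if len(ev) == 1)

if __name__ == "__main__":
    secret = "c0nstructed-Sample!9"   # constructed sample, not a real credential
    clip, keys = tcato_split(secret, random.Random(2013))
    print("clipboard observer :", clip)
    print("keystroke observer :", keylogger_view(keys))
    print("target application :", target_field(clip, keys))
```

Each single-channel observer holds only a subsequence of the secret, while anything that sees both channels and the caret movement holds all of it, which is the limit the quoted text concedes.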
No, it is not a defense against key loggers. While it may protect against the most basic of key loggers, a smart key logger will hook in to the actual mechanism that enters characters (whether coming from the keyboard, an on-screen keyboard, or the paste buffer).
The only strong defense against key-loggers is some type of one-time method, such as a one time password. This also has to be coupled with a trusted connection to the server so that an attacker can't intercept the one time password or hijack the user's session. Good user education is also needed to ensure that users report if they attempt to connect and fail when their credentials were correct. (An attacker could present a valid challenge, get the response and then prevent it from going to the server if they have local control. They can then use the code to connect from their own system, but they would have to make it appear to the user that the connection failed.)
I can think of another strong defense against keyloggers. You know... don't get a keylogger in the first place! :) – May 21 '13 at 01:00
@TerryChia not sure not getting them is a defense, but agreed it's probably the best practice. :) – AJ Henderson May 21 '13 at 03:26
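The one-time-password point in the answer above, as an added example that is not part of the original posts: an RFC 4226 HOTP verifier that consumes each code, showing that a logged code is dead once the server has accepted it but still live if the user's login never arrived. `HotpVerifier` and `logged_code_reusable` are hypothetical names, and the key is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Server side: accepts a code once, then moves the counter past it."""
    def __init__(self, key, counter=0, window=2):
        self.key, self.counter, self.window = key, counter, window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1   # everything up to c is now spent
                return True
        return False

def logged_code_reusable(delivered):
    """Can a code captured on the client be used again?
    delivered=True: the user's login reached the server first.
    delivered=False: the login was blocked locally and never arrived."""
    key = b"12345678901234567890"      # RFC 4226 test key, not a real secret
    server = HotpVerifier(key)
    captured = hotp(key, 0)            # what a logger on the client would see
    if delivered:
        assert server.verify(captured) # the legitimate login consumes the code
    return server.verify(captured)     # second party presents the same code

if __name__ == "__main__":
    print("reusable after delivery:", logged_code_reusable(True))
    print("reusable if undelivered:", logged_code_reusable(False))
```

The undelivered case is why the answer pairs one-time codes with a trusted connection and with users reporting logins that fail despite correct credentials.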
A smart malware which got on your computer can even benefit from a password manager like KeePass to steal all your passwords at once. On a PC it is simply not possible to completely protect processes against each other. A malware could intercept your KeePass master password and keyfile when you log into your password manager and use it to decode your password database in the same way your password manager does.
But this should still not prevent you from using one. The benefit of having unique, very long and completely random passwords for everything greatly outweighs the risks.
The clipboard on Windows is shared by all applications. A keylogger cannot log what's being copied and pasted; however, the keylogger can detect if you're copying and pasting something. Since the clipboard is shared among all programs, you could write a program to view and dump the data in the clipboard. So while it is not actually possible to log copied and pasted data, it is still possible to view and dump it.