back to article KeePass looter: Password plunderer rinses pwned sysadmins

Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeePass. The jeu de mots KeyFarce works when a user has logged into their vault, and will dump the contents to a file that attackers can steal. It is no death knell for KeePass or other password managers …

  1. raving angry loony

    When spelling is important.

    KeePass or KeyPass? Two different products, but you seem to use the terms interchangeably in the article. Which one are you actually talking about? It's not Friday yet.

    1. chivo243 Silver badge

      Re: When spelling is important.

      I think it's a typo, they start talking about Keefarce then forget to change kee back to key?

      1. Chronos

        Re: When spelling is important.

        Whichever it is, the lesson is clear: Never leave your password manager's database unlocked if you're not using it. As I read the article, the password manager isn't the issue; it's a case of PEBKAC and insecure memory. It's also Windows only as it's talking about dll entry points but don't let that stop you from closing your KeePassX database, just in case. If it can be done there, it can probably be done elsewhere as well.

        This may also be a good time to set a nice, strong password on your browser's password store, too.

        1. Thunderbird 2

          Re: When spelling is important.

          Haven't used PEBKAC in a long while

          been using the friendlier acronym PICNIC

          Problem In Chair Not In Computer

        2. I_am_Chris

          Re: When spelling is important.

          I set a timer on my database. It is never open for more than 30sec.

        3. tony2heads

          Re: When spelling is important.

          DLL problem

          Does that mean the portable version is OK?

        4. inmypjs Silver badge

          Re: When spelling is important.

          "Never leave your password manager's database unlocked if you're not using it."

          If your machine is compromised with a trojan running and waiting for an instance of keypass to attach to you are going to loose all your password the first time the database is unlocked.

          Your 'clear lesson' typically isn't going to protect passwords for more than a couple of hours.

    2. SolidSquid

      Re: When spelling is important.

      Since this is a proof of concept I suspect it would work with either one, but considering the name Keepass is probably the one they used for demonstration purposes

  2. Anonymous Coward
    Anonymous Coward

    Of course I read this

    just after I dumped LastPass for KeePass ...

  3. Inventor of the Marmite Laser Silver badge

    KeeFarce works by leveraging DLL injection

    KeeFarce works by using DLL injection


    1. Martin-73 Silver badge

      Re: KeeFarce works by leveraging DLL injection

      THANK you. Leveraging is one of those neologisms I can't stand

      1. Anonymous Coward
        Anonymous Coward

        "Leveraging is one of those neologisms"


        Managerspeak for "getting more out of less", e.g. more work out of less "resources" (another one, meaning "employees" or "people")...

        1. Anonymous Coward
          Anonymous Coward

          Re: "Leveraging is one of those neologisms"

          > "resources" (another one, meaning "employees" or "people")

          Or carbon paper.

  4. I_am_Chris


    This only affects KeePass2 on windows. KeepassX on Mac and Linux shouldn't be affected. Although, it will be vulnerable to a similar exploits on those systems.

    1. Jim 59

      Re: Windows-only

      Ditto on Android - keepassdroid

  5. Khaptain

    Extremely Dangerous

    This is far more dangerous than just gaining access to a server. Any Admins on here will undoubetdly have passwords stored for much or all of their other equipement .

    Domain Admins passwords



    RDP Sessions to other sites.

    (S)FTP servers.

    SSH login with possibly the keys.

    Building access codes.


    Web Serveurs

    and the list goes on.

    What advice does anyone have to offer ?

    1. Somone Unimportant

      Re: Extremely Dangerous

      Three options spring to mind.

      1 - run up keypass on an iPhone or Android device and use the file exclusively there. I have a keypass compatible app on my BlackBerry Classic and do just that, then just use my PC as a backup location for the keypass encrypted data file.

      2 - run keypass for windows inside a VM on your desktop, and don't give the VM any network connectivity - almost like an air-gap system. It's harder to backup the keypass file but it can still be done - or you can backup the VM that runs it.

      3 - or for the completely paranoid of us, just run an air-gap system for some really sensitive stuff.

      I'd be more worried about keyboard grabbers intercepting copy/paste traffic as I paste usernames and passwords into fields myself.

    2. Stuart 22 Silver badge

      Re: Extremely Dangerous

      "What advice does anyone have to offer?"

      Don't keep anything that really needs to be secure on a Windows PC. That's nothing to do with how secure Windows is - but that any flaw is going to be exploited to a far higher degree than on any other OS. Its just not worth it for most blackhats to go after Linux or MacOS when there are so many rich pickings elsewhere. Security by obscurity is a layer not to dismiss lightly.

      Hence those of us who use KeePass on Linux/MacOS are shifting uneasily in our seats but far from panicking. But what news of a rewrite? I'm guessing this needs much more than a patch to sort.

    3. Anonymous Coward
      Anonymous Coward

      Re: Extremely Dangerous

      Qu'est-ce que c'est "Routeur" - Is it a router?

      1. Khaptain

        Re: Extremely Dangerous

        Mes excuses pour cette petite faux pas, yes I meant to write Router...

        French is my daily language et c'est vraiment facile to confndre the words qui sont very similar... Malgre the fact que je suis an English speaker, beaucoup de ce que j'ai learned en IT was appris en French..

        And oui, je trouve that it is parfois easier to parler Franglais.

    4. Schultz

      What advice does anyone have to offer ?

      It comes down to decreasing the attack surface - so best use a device with small online presence to store your passwords. I wonder if a sandboxed 'secure' phone (i.e. Samsung Knox) or an offline virtual machine might help? Unfortunately I know little about how / how well that should work. Maybe somebody here can explain.

  6. Anonymous Coward
  7. Anonymous Coward
    Anonymous Coward

    This is good to know but not enough to make me move away from KeePass just yet (especially after I've not long ditched LastPass). The way I see it every site requires a password and there's a limited amount of space in my head for strong passwords so I'm going to have to write down passwords somewhere. KeePass seems like a decent option for storage of those passwords: it's with me most of the time and it's easy enough to use. I actually suspect a piece of paper would be more secure but it would certainly be less convenient.

    I see security as being a bit like running away from a hungry bear. You don't need to be the fastest runner you just need to be faster than the slowest guy.

  8. Ben Liddicott

    Arrows go in quivers, bows have extra strings

    Also, this requires the attacker to be already running code at the user's current level of privilege - in which case they can install a key-logger and swipe the file.

    Nothing to see here.

    1. Aedile

      Re: Arrows go in quivers, bows have extra strings

      Actually a key logger may be ineffective in swiping passwords from KeePass. In the program you can select auto-type. No actual typing occurs so if a key logger is watching for key presses it will get nothing. Another option is copying the password to the clip board and then pasting it onto the site. The program wipes the clip board after something like 10 seconds so it can't be copied later. This also should defeat key loggers.

      I keep my KeePass files on a usb stick which is only attached to my computer when logging in. Would this exploit be able to still get the info?

      1. Khaptain

        Re: Arrows go in quivers, bows have extra strings

        Yes, becuse it is a DLL exploit and the fact that you run keepass.exe is all that is required on your behalf ( it also requires that the program/hack be in memory)... The physical support has not bearing in the hack.

        In fact that very hack/virus/proof of concept could actually be hiding on your USBKey....just waiting for delivery......

  9. Graham Cobb Silver badge

    Still better than a password-protected MS Office document!

    This is a good wake-up call to those of us who use password managers. The password manager is only as secure as the system it runs on.

    So, when deciding whether to use a web-based or local password manager you have to assess whether your machine or the web company is more likely to be compromised. It is a hard call: the web company have a lot more resources available to protect things, but is a MUCH more valuable target so is under lots of threats; I am careful on my machines but some of them are likely to have significant zero-day vulnerabilities (such as phones).

    It is certainly a reminder to make sure you separate information into separate databases as much as possible, possibly on different systems/services. Certainly keep really critical passwords (personal bank account, maybe domain administrator account) either in your head or, at least, in small databases, so it is less likely you have opened them before you discover the machine/service has been compromised.

    1. Jim 59

      Re: Still better than a password-protected MS Office document!

      So, when deciding whether to use a web-based or local password manager you have to assess whether your machine or the web company is more likely to be compromised...

      Unless you are *paying* the cloud provider to hold your data securely, under a contract with appropriate penalties should there be a security breach, there isn't really any security at all. What I am saying is, the free cloud providers have no interest in your security, and owe you nothing, because you are not paying for the service. Anyone in doubt of that can see the T&Cs.

  10. silent_count

    So this is like the JPG 'virus'.

    It is another permutation of, "if someone has admin on your system, they can do $BAD_THING".

  11. batfastad
    Big Brother

    LastPass? I'll pass.

    It's fine as I use LastPass because it's much easier to just let someone else have all my passwords, all in one convenient place, which is somewhere else, someone else's cloud presumably. They take great care of them for me.

    All your passwords are belong to ------------------------------------>

  12. allthecoolshortnamesweretaken


    I followed the link in the article - I need to give my bike a makeover!

  13. Daniel Voyce

    But for clarification....

    This would only be a problem if you were using NTLM logins with Keepass, surely Password vaults that are protected with only master key wouldnt be vulnerable to this?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022