![]() ![]() The cool customization options in KeePass that people love can also make it vulnerable if not used carefully. The researcher just pointed out an existing vulnerability that has been around for years. So nothing really happened in January with KeePass. To sum it up, KeePass does offer local storage, but if you want easy syncing, you're exposing yourself to more security risks. ![]() Unfortunately, MyKi shut down after being acquired by JumpCloud. For example, the now-defunct MyKi used to store passwords on mobile devices and sync them through relay servers without storing them on the servers. Keep in mind, local storage doesn't mean you can't sync securely. Although basic cloud storage services have security features, they're not as robust as dedicated password storage in the cloud. This puts your passwords at risk, just like with cloud-based password managers. ![]() However, KeePass does have plug-ins that make syncing easier, but using them means trusting a third party to handle your data securely. While it's great that KeePass stores your passwords solely on your PC, manual syncing with another installation can be tedious. Local-only storage has been a popular feature of KeePass, but it comes with some trade-offs. Trusting KeePass means trusting third-party plug-ins This approach, known as Zero Trust, is central to many modern security practices, including cloud-based password managers that authenticate users without actually knowing their passwords. However, in today's security landscape, the idea is to assume that the system is already compromised and find ways to maintain security. He stated that KeePass cannot guarantee security in an insecure environment. He argued that anyone with enough privilege to edit the configuration file can cause even more damage and dismissed the need for a change in KeePass. Security devs should assume that a system is compromisedÄespite the report from Hernandez about a potential attack on KeePass, the creator and founder of KeePass, Dominik Reichl, brushed off the supposed vulnerability. All that is required to carry out this attack is the ability to edit the KeePass configuration file, which can be done either by accessing an unlocked computer and using a text editor or by using a remote access Trojan to do it remotely. Another trigger then uploads this exported file to a server waiting to receive it. This causes KeePass to export the password database to a plain text file without requiring the master password. In short, the attack involves editing the KeePass configuration file to create an action that triggers when the database is saved. Hernandez shared the code for this attack on Github, which can be reviewed by those with technical knowledge. However, KeePass disputes these findings. The National Institute of Standards and Technology took the report seriously and added it to their vulnerability database under the identifier CVE-2023-24055. In January 2023, security expert Alex Hernandez revealed a potential attack on KeePass, where the trigger system could be abused to extract a plain text version of all passwords stored in the database. The KeePass website provides examples of useful triggers, such as backing up the database, exporting it to a secondary format, and syncing it with cloud storage. But triggers can also execute command lines or launch URLs, which is highly desirable for hackers. The majority of actions in KeePass relate to internal operations like importing/exporting the password database or syncing it with a backup file. Triggers can also be set to activate only when specific conditions are met, such as the presence of a particular file or the availability of a remote host. Triggers can be simple events like launching the program, opening a database, or shutting down the program, or more advanced events like time-based triggers or custom button triggers. The customization is done through a system of triggers, conditions, and actions. KeePass is highly customizable, surpassing all other password managers. GHacks Deals -> NordPass: Securely Store, Manage & Autofill Passwords ![]() Although the creator of KeePass hasn't commented directly on this issue, it's still a concern for those who place a high value on the security of their password information. However, there's a potential flaw in KeePass that's recently been uncovered, which could allow an attacker to get their hands on all your locally stored passwords using a basic tool like Notepad. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |