Password managers help users remember countless complicated, unique passwords, but they set up a single point of failure that can be targeted by malicious software. A new tool posted online does exactly that, stealing the treasure trove of usernames, passwords and other sensitive data from the open-source KeePass password manager tool without needing to know the single "master password" that controls a KeePass account.
The tool, called KeeFarce and posted on the code-sharing site GitHub, must first be surreptitiously installed on a targeted system. Once there, it waits until the user launches KeePass and, very importantly, logs into KeePass using his or her master password. The master password decrypts the password database stored on the computer's hard drive and puts it in the computer's running memory in plaintext so that KeePass can use the passwords to log into websites and other accounts.
This is where KeeFarce steps in. It uses a classic hacking technique called dynamic-link library (DLL) injection to confuse KeePass into exporting the entire plaintext password database as a comma-separated values (.CSV) file, which can easily be opened as a spreadsheet. KeeFarce doesn't have to know the KeePass master password, and doesn't have to decrypt the stored password database.
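Because the technique depends on foreign code being loaded into the running KeePass process, one thing a defender can check is whether every module loaded by that process comes from a directory where KeePass or Windows legitimately keeps code. The following is an added illustration of such an allowlist check; it is not code from the article, from KeePass or from KeeFarce. The allowed directories and the sample module list are constructed assumptions for the example; on a live Windows host the module list would come from a process-inspection tool rather than being hard-coded.

```python
"""Added example: flag modules loaded into a KeePass process that do not
come from an expected directory. Paths and sample data are constructed
for illustration and are not taken from KeePass documentation."""
import ntpath

# Directories from which the KeePass process is expected to load code.
# This list is an assumption for the example; adjust to the real install.
ALLOWED_DIRS = [
    r"C:\Program Files\KeePass Password Safe 2",
    r"C:\Windows\System32",
    r"C:\Windows\WinSxS",
    r"C:\Windows\assembly",
    r"C:\Windows\Microsoft.NET",
]


def _norm(path):
    # Collapse ".." segments and fold case so that a path such as
    # C:\Windows\System32\..\Temp\x.dll is not mistaken for a System32 file
    # and so that comparisons are case-insensitive, as on Windows.
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(module_path, allowed_dirs=ALLOWED_DIRS):
    """True if module_path lies inside one of the allowed directories."""
    module = _norm(module_path)
    for directory in allowed_dirs:
        prefix = _norm(directory)
        # Require a directory separator after the prefix so that
        # C:\Windows\System32Evil does not match C:\Windows\System32.
        if module == prefix or module.startswith(prefix + ntpath.sep):
            return True
    return False


def unexpected_modules(module_paths, allowed_dirs=ALLOWED_DIRS):
    """Return the modules that should be investigated."""
    return [p for p in module_paths if not is_allowed(p, allowed_dirs)]


# Constructed sample of what a module listing for KeePass.exe might contain.
SAMPLE_MODULES = [
    r"C:\Program Files\KeePass Password Safe 2\KeePass.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
    r"C:\Windows\System32\..\Temp\unknown.dll",
]

if __name__ == "__main__":
    for path in unexpected_modules(SAMPLE_MODULES):
        print("unexpected module in KeePass process:", path)
```

The check is deliberately conservative: it reports anything outside the allowlist rather than trying to recognise malicious modules by name, since a freshly built injector can be called anything. A module listed here is a starting point for investigation, not proof of compromise.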
KeeFarce was developed by a New Zealand-based researcher and is intended for penetration testers: security consultants who are hired by companies to see how hard it is to break into the companies' computer systems. But putting it on GitHub means that anyone can use it.
The developers of KeePass have previously said that KeePass cannot protect itself from targeted spyware if a computer system is compromised, citing the adage that "if a bad guy can get his software on your computer, it's not your computer anymore." It's possible that other password managers could be compromised in similar ways, provided that the targeted password manager keeps the user logged in.
If users continue to keep their systems updated, secured by antivirus software and out of the physical hands of attackers, they should be able to avoid most infections by KeeFarce, or indeed any malware. And if they're using password managers, they should set time-outs that limit how long a user can be actively logged into the managers.