Well, that's unfortunately a predictable twist.
Put all your valuables in a safe, write down the combination somewhere in the same room and advertise it online... your office will become a hangout for safe crackers.
But good on them for being reactive and implementing improvements.
Put all your valuables in a safe, write down the combination somewhere in the same room and advertise it online
To be clear, this vulnerability has nothing to do with that...
A researcher simply discovered that the master password lingers in memory in cleartext longer than it should, due to how the "password textbox" is implemented. To be vulnerable the attacker needs to already have access to your system physically to dump memory (or have remote access which is a big assumption in itself, and if it was the case you have other things to worry about too!).
Which is to say, it is business as usual, an implementation bug was discovered, it will be fixed, no big deal 🤷♂️
(KeePass and KeePassXC both already had security audits done before)
I get it and it was lucky it was a researcher who found the vulnerability and not a hacker.
My point was only that those password managers are a big target for hackers. They are as secure as can be but they also are vulnerable for the same reason they exist. People with bad intentions are going to want in.
But again, it's a good thing that it happened the way it did and that they were very fast in fixing the issue.
yearly penetration parties where safe crackers go and get drunk while cracking safes together
it was on an episode of QI
I did not make the name up https://boingboing.net/2009/04/02/a-personal-account-o.html
OMG the title scared me... I guess we (and our passwords) are safe though...
So what is the difference between KeePass and KeePass XC?
Keeping all my passwords in one basket doesn't sound safe to me. Thus I never used this kind of software.
having the same password for all your accounts, never written down only remembered in your head /s 😂
on a more serious note, there are pros and cons to every technique:
https://security.stackexchange.com/questions/3458/password-manager-vs-remembering-passwords
I create my passwords with a combination of characters and only change one specific part of it depending on the service I sign up for.
https://www.darkreading.com/application-security/keepass-vulnerability-imperils-master-passwords
National Institute of Standards and Technology entry: https://nvd.nist.gov/vuln/detail/CVE-2023-32784
Statement on problem on GitHub: https://github.com/vdohney/keepass-password-dumper