Yes, I use (and recommend) the freeware KeePass Password Safe & MiniKeePass (iOS) as a password management vault.
There are lots of other very good applications that take a similar approach. This one works for me as I can keep my database file in use both on Windows and iOS.
Though all that said, I remain intrigued by Master Password.
- Time to replace traditional password managers like KeePass, 1Password, LastPass, et.al.? – TinyApps.org
Anyway, there were some security news blips a while back that painted a picture that KeePass might be exploitable.
- Open source KeeFarce tool loots encrypted passwords stored in KeePass – HelpNet Security News
- KeeFarce extracts KeePass information straight from memory - gHacks Tech News
- Hacking tool swipes encrypted credentials from password manager - Ars Technica
Well sure, if someone is already running malicious code on your system, it seems obvious they can scrape any data you may access while the database is unlocked.
As Zeljka Zorz said in the close of her HelpNet Security article:
Lest you believe this is the death-knell for KeePass or other password managers, it’s important to know that as helpful as they are, all password managers are unlikely to withstand a targeted attack made with specialized software like KeeFarce (KeePass developers admitted as much).
But, in order to run this software, attackers must either already have access to the target machine, or trick users into giving them access by running malicious software such as remote access Trojans (RATs) or specialized spyware on their machines.
And if they gain access, your machine is not your machine anymore, and they can do pretty much what they want with it – security protections will not last long. So you can continue (or start) using a password manager, but protect your system with security software and be careful about the software you run on it, especially when it comes from untrusted parties.
Enough said.
Claus Valca