From a security point of view, KeePass only has two duties:
- Preventing people from accessing your passwords without compromising your computer (NOT sending your passwords over the internet without your consent, NOT autofilling your passwords in malicious hidden forms, no security flaw allowing to easily decrypt).
- Preventing a thief or someone seizing your computer from accessing your passwords when the database is locked/closed.

Unfortunately, KeePass fails to prevent Windows from making a copy of your passwords in memory. It is kind of dangerous, because Windows can cache these passwords somewhere else, allowing an attacker to access your passwords a long time after closing it. Even if Windows doesn't cache these passwords, it's still annoying because an attacker can AT THE VERY LEAST access them a few hours after closing your database. Now, I know that technically it isn't really KeePass's fault but Windows's; that's why I'm not blaming Dominik for it, but in my opinion this is still an issue that is definitely worth mentioning on his "Security issues" web page. I still use KeePass and love Dominik, he is very transparent and all, he replied several times to people on SourceForge pointing out this issue, but I'd like this issue to be more known and not hidden by the community.

Would this also occur on Linux, and with KeePassXC?

If I understood the post correctly, once you open a KeePass database, the password field is encrypted in RAM. However, notes and passwords made visible stay in plaintext in process memory even after the database is closed. Soon copies of passwords and notes appear everywhere and some programs will capture secrets. We have just seen how the Reddit and LinkedIn iOS apps capture the clipboard with every stroke.

Data should remain encrypted in RAM until needed. KeePass should negotiate a special OS privilege and prevent even the OS from interfering with its memory space (like an isolated VM). This would allow KeePass not to hand over secrets to the OS for copy, etc. Also, if I want a password, there is no reason to decrypt all notes in the database in RAM; I just want a particular entry.

In most cases, attacking KeePass is not a trivial pursuit, and any attackers would go for something they could exploit far easier, like a browser or an OS vulnerability.

Do you happen to believe you are under some kind of targeted attack?

At this point, the decision to continue using KeePass is based on your threat model. Like passwords, notes could be hidden by default. I believe this 'vulnerability' is real, and for 99.9% of people using KeePass, is not even in the realm of an afterthought.

Unfortunately, bringing this to any major attention is probably going to freak out people that are not technically adept at discerning programming issues from framework issues that won't affect them. In short, the program (and libraries and associated frameworks) are working as intended, to the best of Dominik's ability to use them. In so so many cases, this is much ado about nothing. If it bothers you, I don't know what to tell you, nor what you want to hear.

I'm still trying to understand your point. But then, supposedly, the user working at a coffee shop table would be logged into his Windows user account, otherwise how could he work on his stuff? Are you talking about the Windows lock screen, where you need to enter your Windows user password?

Also, what is the difference between "lock screen" and "FDE password"? If we're talking about a situation where people get their laptops snatched from them while working in public places (and this does happen), the password would have been entered, the disk mounted, and there would not be any lock screen, would there?

For the laptop to be protected, you would need to have unmounted your disk before the thief struck, correct? I have never used full disk encryption, so I might be missing something obvious. It seems to me full disk encryption does protect you in case of laptop theft, but only while you're carrying it from one place to another, and it's shut down. Or, at least, you're logged out of your Windows account. Then I would argue this is not a real problem.
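The suggestion in the thread above, to keep the database encrypted in RAM and decrypt only the one entry that is needed, can be shown in a few lines of Go. This is an added example written for this page, not code from KeePass or from anyone in the thread; the Vault type, its Add/Open/Wipe functions, the per-process AES-256-GCM key and the sample entries are all assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault keeps every entry sealed with AES-256-GCM under a key generated when
// the process starts. Only the entry that is asked for is decrypted, and only
// into a buffer the caller is expected to wipe. This is a hypothetical design
// sketched for this page; it is not KeePass's own code.
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // title -> nonce || ciphertext
	Opened  map[string]int    // how many times each entry has been decrypted
}

// Wipe overwrites a buffer in place so a plaintext does not outlive its use.
// Go strings are immutable and cannot be wiped, so secrets stay in []byte.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// NewVault generates the process-local key. The key itself must stay resident
// (the cipher object holds its expanded form), so a full memory dump still
// recovers everything; the gain is that entry plaintexts exist only briefly.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	Wipe(key) // the raw key is no longer needed once the cipher is built
	return &Vault{aead: aead, entries: map[string][]byte{}, Opened: map[string]int{}}, nil
}

// Add seals a secret under a fresh nonce, binding it to its title, then wipes
// the caller's copy so the only plaintext left is one obtained through Open.
func (v *Vault) Add(title string, secret []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[title] = append(nonce, v.aead.Seal(nil, nonce, secret, []byte(title))...)
	Wipe(secret)
	return nil
}

// Open decrypts exactly one entry into a new buffer; all other entries remain
// ciphertext. A tampered blob or a wrong title fails authentication.
func (v *Vault) Open(title string) ([]byte, error) {
	blob, ok := v.entries[title]
	if !ok {
		return nil, errors.New("no such entry")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(title))
	if err != nil {
		return nil, err
	}
	v.Opened[title]++
	return pt, nil
}

// Leaked reports whether buf still contains secret, the check to run after Wipe.
func Leaked(buf, secret []byte) bool { return bytes.Contains(buf, secret) }

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample entries; the literals below are not real credentials.
	_ = v.Add("mail", []byte("hunter2"))
	_ = v.Add("bank", []byte("correct horse"))

	pt, err := v.Open("mail")
	if err != nil {
		panic(err)
	}
	fmt.Printf("mail=%q decrypted: mail=%d bank=%d\n", pt, v.Opened["mail"], v.Opened["bank"])
	Wipe(pt)
	fmt.Println("plaintext still in buffer after wipe:", Leaked(pt, []byte("hunter2")))
}
```

Two caveats that the thread itself raises. The vault key has to stay resident, so a debugger or a full memory dump of the process still recovers every entry; what the pattern buys is that an entry's plaintext exists only between Open and Wipe, and only for the entry asked for. Wiping also covers only buffers the program owns: copies made by the OS (paging, clipboard, crash dumps) or by the runtime are outside its control, which is exactly why the poster wants OS-level help.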