Keepass - a further leap ahead with OptionLock

Discussion in 'privacy technology' started by discs, Aug 7, 2012.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Thought folks might be interested to see this documented in detail:

    http://securitywatch.pcmag.com/none/301736-password-resets-on-email-key-to-online-compromise
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    After using KeePass for a couple months, i think i'll never have a PC without it . . . :rolleyes: :D
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    100% agree! :thumb:
     
  4. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    If needed, why isn't an 'OptionLock' in Keepass?

    Hi again,

    For some reason I did not receive updates about this OptionLock thread - and now it has moved onto another subject entirely! So, here I am answering some questions raised, while PMing those whose questions I have answered.

    The developer of OptionLock and I have, on the Keepass forums, asked for the configuration/options of Keepass to be protected while the database is locked - and not left open for manipulation as they are now. After much back and forth,

    My understanding is this: Dominik and Paul (the person who deals with most questions on the Keepass forums) see it as their task to provide a secure password system. As far as they see it it is then up to the user to ensure that no unauthorised access to the system occurs. They for example apply the following principle, as expressed to me by Paul:

    If your machine is compromised by malware [or unauthorised persons] it is no longer your machine and neither are your passwords. KeePass can only try to protect its own data.

    Their philosophy is more fully covered in references 4 and 5 given at the bottom of the Keepass Security page which point to:

    [4] Scott Culp, Microsoft TechNet Essay, 2000: 10 Immutable Laws of Security. http://technet.microsoft.com/en-us/library/cc722487.aspx
    [5] Jesper M. Johansson, Microsoft TechNet Magazine, 2008: Revisiting the 10 Immutable Laws of Security, Part 1 http://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx.

    It is important to note that Dominik and Paul are meeting their objective. As Keepass currently stands the user's Keepass password data is not under threat. It is secure.

    It is the access and use of the data which is under threat - and Dominik and Paul do not see this as within their remit!

    Needless to say I, and the developer of OptionLock, see things somewhat differently. If Keepass provides the user with secure passwords it should in addition help the user to ensure that the passwords cannot be accessed and used by unauthorised persons or software by enabling a locking of Keepass options.


    Other questions raised about the use of OptionLock

    a. Trusting a plugin such as OptionLock for Keepass:

    Snowden said: I'm hesitant to use any type of plugin that is the master db for all of my passwords although this plugin sounds great....

    The Keepass repository answers this: http://keepass.info/help/v2/plugins.html

    What about the security of plugins? Can't malicious spyware plugins 'inject' themselves into KeePass?

    If plugins can register themselves (i.e. have write access to the KeePass directory), they could also just replace the whole KeePass.exe. It's rather a problem of file access rights, not the plugin system.

    If you worry about this, you can do the following:

    Install KeePass as administrator.
    Write-protect the KeePass directory. Nobody must have write access.
    Log on as normal user (with no administrator privileges).

    This will solve the problem above. Since the KeePass directory is write-protected, no other program can copy files into it. KeePass requires the plugins to be in the application directory. Therefore, plugins cannot inject themselves anymore.

    b. Is OptionLock a leap ahead?

    Monmorency said:

    You must be joking.
    Maybe you can consider KeeFox a leap... but this?

    Get a grip.

    No, OptionLock is not a leap ahead. Keepass is leaps ahead of the competition, and OptionLock provides 'a further leap ahead' by providing needed additional functionality. As for KeeFox, it is a browser extension, and opens up a potential security hole.
     
    Last edited: Aug 22, 2012
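    The write-protection recipe quoted above from the KeePass FAQ, and the "lock the options" concern behind OptionLock, can both be covered without a plugin on KeePass 2.x, which reads an enforced configuration file (KeePass.config.enforced.xml) from its application directory: settings in that file override the user's own configuration and cannot be changed from the Options dialog, so once the directory itself is read-only for the everyday account, those options are fixed whether the database is locked or not. The PowerShell below is an added example, not code from this thread, from KeePass or from OptionLock. It assumes KeePass is installed under C:\Program Files\KeePass Password Safe 2, that it is run from an elevated prompt, and that the element names match what your KeePass 2.x writes into KeePass.config.xml (compare against that file if your version differs).

```powershell
# Added example, not from the thread, from KeePass or from OptionLock.
# Assumptions: KeePass 2.x installed at the path below, run from an
# elevated PowerShell, element names as written by KeePass 2.x into
# KeePass.config.xml (compare with the file your version produces).
$KeePassDir = 'C:\Program Files\KeePass Password Safe 2'   # assumed install path

# 1. Enforced configuration. KeePass reads KeePass.config.enforced.xml from
#    its application directory; settings in it override the user's own
#    KeePass.config.xml and cannot be changed from Tools > Options.
$enforced = @'
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <Start>
      <CheckForUpdate>false</CheckForUpdate>            <!-- no network use at start -->
    </Start>
  </Application>
  <Security>
    <MasterKeyOnSecureDesktop>true</MasterKeyOnSecureDesktop>
    <WorkspaceLocking>
      <LockAfterTime>300</LockAfterTime>                <!-- seconds idle -->
      <LockOnSessionSwitch>true</LockOnSessionSwitch>
    </WorkspaceLocking>
    <ClipboardClearAfterSeconds>12</ClipboardClearAfterSeconds>
  </Security>
</Configuration>
'@
Set-Content -Path (Join-Path $KeePassDir 'KeePass.config.enforced.xml') `
            -Value $enforced -Encoding UTF8

# 2. Write-protect the directory, as the FAQ advises: drop inherited ACEs,
#    SYSTEM and Administrators keep full control, ordinary users get
#    read/execute only. /T applies the same ACL below, including Plugins\.
#    With the directory read-only KeePass keeps the user's own config in
#    %APPDATA%\KeePass\ instead; the enforced file still wins.
icacls $KeePassDir /inheritance:r /T `
    /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# 3. Checks. Test-NoUserWriteAce inspects the ACL; Test-WriteDenied really
#    tries to create a file and should be run from a NON-elevated session
#    as the everyday user (expected result: True).
function Test-NoUserWriteAce {
    param([string]$Dir)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $bad = (Get-Acl -Path $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$write) -ne 0) -and
        $_.IdentityReference.Value -notmatch 'SYSTEM$|Administrators$'
    }
    return (@($bad).Count -eq 0)
}
function Test-WriteDenied {
    param([string]$Dir)
    $probe = Join-Path $Dir ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'x')
        Remove-Item -Path $probe -Force
        return $false        # write succeeded: the directory is NOT protected
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}
Test-NoUserWriteAce $KeePassDir
Test-WriteDenied    $KeePassDir
```

    Two caveats a deployment should be clear about. Only the options listed in the enforced file become unchangeable; everything else stays editable in the user's own configuration, so list every setting you care about. And, as Paul's principle above states, this holds only against software running as the limited user: anything running as Administrator can rewrite the file and the ACL alike.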
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Lets keep discussion in one place
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I got so many forums and game accounts that i can't remember them, especially the nicknames, KeePass has made my life so much easier while checking forums and online games. :D
     
  7. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    I also have added an "Email Address" field to keep track of which email address is associated with each account. It comes in handy if you want to terminate or abandon an email address and need to update your info at certain sites.
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Same here. :)
     
  9. guest

    guest Guest

    Re: If needed, why isn't an 'OptionLock' in Keepass?

    Could you please explain why KeeFox is a potential security hole and if there is any way to avoid it?
     
  10. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Re: If needed, why isn't an 'OptionLock' in Keepass?

    Because it's a browser add-on. And any add-on opens up a potential security hole. Also whereas KeePass is open source, KeeFox is made by private author.

    Well at least that's what discs was trying to say.
     
  11. guest

    guest Guest

    Re: If needed, why isn't an 'OptionLock' in Keepass?

    KeeFox is open source.
    http://keefox.org/open-source-advantage
    https://github.com/luckyrat/KeeFox

    I guess that a security hole (bug) would be needed in Keefox in order to put in danger the passwords, this or the concept of Keefox is a potential security hole by default.
     
  12. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Re: If needed, why isn't an 'OptionLock' in Keepass?

    Hmm....then I'll let discs clear up the potential security hole question.:D
     
  13. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    Re: If needed, why isn't an 'OptionLock' in Keepass?

    Hi,

    Keefox is a potential security hole mainly, yes, by default, because it is a browser add-on.

    There are various levels at which to touch your question, I think.

    Firstly, even Lastpass, with the most highly paid and expert developers managed to have their browser extension compromised so that user passwords could be stolen. To quote from a previous post of mine:

    Browser integration makes password managers, like Lastpass for example, vulnerable - as illustrated by the following:

    The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn't protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab. http://www.technologyreview.com/news...n-chrome-os/2/


    I believe this is the most important point. By default, a browser extension is vulnerable because it is part of your browser, and connected to the internet.

    In my setup for example Keepass does not have internet access, and Keepass is itself well protected (my KeePass directory is write-protected - see post #29 above). Actually, my Paypal passwords, Gmail, credit card numbers and bank passwords are the most sensitive part of my setup.

    At the next level, and of less relevance, is how much you trust the developer of Keefox. This operates at 2 levels: is he honest and true? If the answer is yes, you still have to ask how skilled he is as a programmer in ensuring that Keefox is not vulnerable in a browser - for protecting a browser extension must be quite a challenging programming task, as the Lastpass developers found out.

    Finally, to show that this discussion is all about trust and making a sound judgement: I do place my trust in Keepass :); that is a decision I have had to make. Similarly, my other most valuable tool for online protection during sensitive transactions is Trusteer Rapport - and I have made a decision to place my trust in it. I use it mainly because Trusteer have direct affiliation with all the banks I use, and are also partners to Paypal and Amazon. Most of our money is managed on these sites. Trusteer Rapport ensures there are no DNS hijacks, apart from providing other quite deep level security during an online transaction. As Wikipedia says on one aspect of the security Trusteer Rapport provides:

    Browser security software: MitB [Man-in-the browser] attacks may be blocked by in-browser security software such as Trusteer Rapport for Microsoft Windows and Mac OS X which blocks the APIs from browser extensions and controls communication. http://en.wikipedia.org/wiki/Man-in-the-browser


    I am not pushing or promoting Trusteer Rapport here - although I consider it one of the best solutions for secure online money stuff (I am not affiliated to them in anyway). I am trying to show why Keepass in itself is not enough for me when I go online. Also, illustrating that it's all about making quite sensitive judgements of trust.

    On a lighter note: I deploy Keepass on other user systems; some users have such a dislike of any '2 or more fingers' keyboard shortcut that Keepass would have been unsustainable for my users - except for the fact that on their systems the global shortcut key can be set to 'F2', for example. This they are quite content with - only 1 finger required you see! Makes them quite happy :).

    Win 7 Home Premium x64; Sandboxie; EMET, Trusteer Rapport; Outpost Firewall Pro.
     
    Last edited: Aug 28, 2012
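    The post above mentions a setup in which KeePass has no internet access but does not say how that is done. The following is an added example, not from the thread, of doing it with the built-in Windows Firewall and of checking that the rule is really in force. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets are not on Windows 7, where a third-party firewall such as the Outpost mentioned in the signature would be used instead), an elevated PowerShell, and the install path given in $KeePassExe. The rule name 'KeePass - block outbound' is arbitrary.

```powershell
# Added example, not from the thread. Blocks outbound traffic from
# KeePass.exe with Windows Firewall and verifies that the rule is active.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module),
# elevated PowerShell, install path below; the rule name is arbitrary.
$KeePassExe = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'
$RuleName   = 'KeePass - block outbound'

function Set-KeePassOffline {
    param([string]$Exe, [string]$Name)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Program $Exe `
                            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-KeePassOffline {
    # True when an enabled outbound Block rule is bound to exactly this binary.
    param([string]$Exe)
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
                                 -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $app = $r | Get-NetFirewallApplicationFilter
        if ($app.Program -and ($app.Program -ieq $Exe)) { return $true }
    }
    return $false
}

Set-KeePassOffline  $KeePassExe $RuleName
Test-KeePassOffline $KeePassExe     # expected: True
```

    The rule covers only code running inside KeePass.exe (including plugins, which are loaded into that process); a separate helper process or a browser extension talking to KeePass over a local port is a different executable and needs its own rule. It also relies on the profile's default outbound action being Allow with specific Block rules taking precedence, which is the Windows Firewall default.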
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Re: If needed, why isn't an 'OptionLock' in Keepass?

    All good points. Regarding the LastPass quote it seems that a simple way to protect against this attack is to open a different browser for banking transactions and not open any additional tabs.
     
  15. privacyrights4all

    privacyrights4all Registered Member

    Joined:
    Aug 29, 2012
    Posts:
    6
    Location:
    United States
    Have any of you tried Dashlane (https://www.dashlane.com)? I think it's the best of all the password manager and personal data vaults out there. The UI is really clean and intuitive, and it's the most secure one out there because you can work completely locally if you'd like (even though if you sync, only AES-256 encrypted data goes up to the cloud), and they don't store any version of your Master Password (not even a hash) anywhere.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I just had a quick look at their website and android product page. It offers similar functionality to LastPass. With regard to not storing your master password anywhere, that's a good thing if people fully appreciate the implication, ie if they lose/forget the password they lose access to their stored passwords END OF LINE. There is no way around it. Lastpass developed a workaround by offering the option to store a disabled "one time" recovery password locally. They have no record of it, but it gives the user some protection against themselves.

    A problem I have with the android version of LastPass is there's no option for the session to timeout automatically. It looks like when I login to LastPass on my phone it stays logged in indefinitely. I deal with this by only logging in when I specifically need to access a password and then immediately logging out, but that's not convenient. There's also no two factor authentication for LastPass on Android. I don't know if Dashlane is any different in this regard.

    These issues need to be addressed to make password managers safe to use on phones.
     
  17. privacyrights4all

    privacyrights4all Registered Member

    Joined:
    Aug 29, 2012
    Posts:
    6
    Location:
    United States
    Huge issue, for sure. Dashlane's mobile apps -- both on Android and iPhone -- time out automatically. The default is set to log you out every time you exit, or are idle for only a minute or so, but you can alter the settings to make it fit your needs.
     
  18. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    KeePass all the way, sorry, but when it comes to my passwords I only trust open source ;)

    p.s : you can use keepass on mobile too
     
  19. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    PLUS: to quote from a previous post of mine:

    Keepass as a choice for a password manager is streets ahead of the competition for the following reasons:

    Secure Desktop. None of the run-of-the-mill password managers - Roboform, Lastpass etc. - provide a secure desktop entry of the master password. The master password underpins the security of a password management system. As the article on Wikipedia in its section on vulnerabilities of password managers says, virtual desktop entry of master passwords still leaves the user vulnerable to screen capture of the master password (A secure desktop for entry of the master password protects against this). In my view, most password managers fall at the first hurdle in not properly protecting their users' master passwords.
    Auto-type Obfuscation. Most password managers rely on auto-typing (auto-filling) data into login fields. So does Keepass. But auto-typed data can be key-logged. Keepass provides a way around this vulnerability through enabling a use of Two-Channel Auto-Type Obfuscation for data entry at logins: http://keepass.info/help/v2/autotype_obfuscation.html. I do not know of any other mainstream password managers who provide their users with this type of protection.
    No Browser Integration. Keepass does not integrate itself into browsers - instead providing a global key facility for entering login data (which works for browser logins, and for non-browser applications, like Evernote or game sites where login may not be through the browser). Browser integration makes password managers, like Lastpass for example, vulnerable - as illustrated by the following:

    The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn't protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab. http://www.technologyreview.com/news...n-chrome-os/2/
    Open Source. It is commonplace for applications that claim to be cryptographically secure to publish the algorithms. Thus everybody has a chance to find vulnerabilities - instead of only the hacker committed enough to reverse engineer closed source applications.

    The only 'valid' reason I can think of for people to be drawn to Lastpass, Dashlane etc. is ease of syncing. This can particularly be an issue for a user where the password database changes frequently.

    I do know that there are syncing solutions for Keepass. I am unable to provide informed input on Keepass and syncing. Perhaps someone could kindly provide this information so that people need not necessarily be led into compromised solutions for their passwords - and are able to choose the much more secure solution that Keepass offers in protecting them.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Secure Desktop is ideal, but what about the Edit Entry function in KeePass?
    I don't think that Secure Desktop is in effect during user editing of existing entries, which to me seems like a hole in security. :doubt:
     
  21. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    Good point in itself :) - but protection of the master password is in my view the greatest priority.

    None of the other password managers provide the protection you mention either, as far as I know!?

    The obvious solution would be to rely on software like Keyscrambler to encrypt entries while using the 'Edit Entry' dialogue for passwords.

    Because I only use Keepass for a few sensitive entries (Paypal accounts, Amazon, bank accounts and Gmail) I circumvent keyloggers manually as follows:- what I am trying to do is prevent keylogging during 'Edit Entry' of passwords. I learnt something like this manual method from Gizmo's techsupportalert.com for times when I am forced to use a public terminal, particularly in a foreign country.

    • I enter, say, 3 false characters for the password
    • Then I highlight these 3 with a mouse (as one would to copy them)
    • Now I overtype them with the first 3 true characters of the password
    • Then I do the same ( the 3 steps above) for the next three characters of the password - and so on

    Tedious - or I could instal anti-keylogging software such as Keyscrambler - but it hasn't happened yet because it hasn't seemed worthwhile having yet another program on my system.

    But you have made me think about it - thank you :). I will look into Keyscrambler or similar - particularly because I deploy Keepass on other systems which are not necessarily as secure as mine!
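    Both the Two-Channel Auto-Type Obfuscation paragraph in the earlier post and the four-step decoy/highlight/overtype procedure just above rest on the same idea: a keystroke logger records keys, not clipboard contents or mouse selections, so if part of the secret travels by another channel the logger's transcript is incomplete. The script below is an added example, not from the thread and not KeePass's own TCATO code; it models a password field and a hook-based keystroke logger, replays the same sample secret (constructed here) through plain typing, a fixed two-channel split, and the overtype trick, and prints what lands in the field against what the logger saw. The fragment lengths and the decoy string are arbitrary choices for the illustration.

```powershell
# Added example, not from the thread or from KeePass. Models a keystroke
# logger (sees typed characters and key chords; sees neither the clipboard
# nor mouse selections) and a password field, then replays three ways of
# entering the same secret. The splitter is a fixed illustration of the
# two-channel idea, not KeePass's own TCATO algorithm.

function Get-TcatoPlan {
    # Split the secret into short fragments; each fragment is either typed
    # or put on the clipboard and pasted with Ctrl+V.
    param([string]$Secret, [int]$Seed = 7)
    $rng = New-Object System.Random($Seed)
    $plan = @(); $i = 0
    while ($i -lt $Secret.Length) {
        $len  = [Math]::Min($rng.Next(1, 4), $Secret.Length - $i)
        $part = $Secret.Substring($i, $len)
        if ($rng.Next(2) -eq 0) { $plan += "TYPE:$part" }
        else                    { $plan += "CLIP:$part"; $plan += 'PASTE' }
        $i += $len
    }
    return $plan
}

function Get-OvertypePlan {
    # The manual method from the post above: type decoy characters,
    # highlight them with the mouse, overtype with the real ones, repeat.
    param([string]$Secret, [int]$Chunk = 3, [string]$Decoy = 'xyz')
    $plan = @()
    for ($i = 0; $i -lt $Secret.Length; $i += $Chunk) {
        $part = $Secret.Substring($i, [Math]::Min($Chunk, $Secret.Length - $i))
        $plan += "TYPE:$($Decoy.Substring(0, $part.Length))"
        $plan += "SELECT:$($part.Length)"
        $plan += "TYPE:$part"
    }
    return $plan
}

function Invoke-EntrySimulation {
    # Replays a plan against the field model and the logger model.
    param([string[]]$Plan)
    $field = ''; $selected = 0; $clip = ''; $logged = ''
    foreach ($ev in $Plan) {
        $kind, $arg = $ev -split ':', 2
        switch ($kind) {
            'TYPE' {
                if ($selected -gt 0) {            # typing replaces the selection
                    $field = $field.Substring(0, $field.Length - $selected)
                    $selected = 0
                }
                $field += $arg; $logged += $arg
            }
            'CLIP'   { $clip = $arg }             # clipboard write: not a keystroke
            'PASTE'  { $field += $clip; $logged += '<Ctrl+V>' }
            'SELECT' { $selected = [int]$arg }    # mouse highlight: not a keystroke
        }
    }
    [pscustomobject]@{ Field = $field; Logged = $logged }
}

$secret = 'Tr0ub4dor&3'                           # constructed sample secret
foreach ($m in @(
    @{ Method = 'plain typing'; Plan = @("TYPE:$secret") },
    @{ Method = 'two-channel';  Plan = Get-TcatoPlan $secret },
    @{ Method = 'overtype';     Plan = Get-OvertypePlan $secret })) {
    $r = Invoke-EntrySimulation $m.Plan
    '{0,-13} field={1}  logger saw={2}' -f $m.Method, $r.Field, $r.Logged
}
# All three rows end with field=Tr0ub4dor&3. Plain typing logs the whole
# secret; two-channel logs only the typed fragments plus <Ctrl+V> markers;
# overtype logs xyzTr0xyzub4xyzdorxy&3, decoys interleaved with the truth.
```

    The limits are visible in the model: a logger that also watches the clipboard, or that reads the edit control's text rather than keystrokes, reconstructs the secret in every case, and a logger that knows the decoy pattern can strip it from the overtype transcript. That is why the KeePass page linked earlier presents TCATO as a hurdle for ordinary keyloggers rather than a complete defence.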
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    That's one of the primary reasons I augment KeePass with KeyScrambler on my XP box. But I have found that KeyScrambler has some issues on my W7 machine, so I don't use it there.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA


    What exactly do you mean by "Secure Desktop", and can you link to how KeePass implements this?

    Regarding LastPass and protection of the Master Password, it is possible to use two-factor authentication (TFA). This is implemented in a number of ways, my favorite being Google Authenticator on my phone. When using TFA even if the Master Password is stolen it is not enough to access the password "vault".

    I'm all for the LastPass folks providing even better protection of the Master Password - maybe Secure Desktop - but it's not accurate to say there's no protection already available. Unfortunately TFA is not enabled by default though and I think that's a weakness.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
  25. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    For a brief description see 'Enter Master Key on Secure Desktop' on the Keepass Security page http://keepass.info/help/base/security.html - although this will not give you much detail about implementation.

    The simplest explanation for the 'secure desktop' model that I came across (sorry I can't find a link) is that the desktop opens in a totally new process and is cut off from all other programs. It is in effect isolated. It is in this isolated process that you enter the master password in Keepass.

    Another way to approach an understanding of how the 'secure desktop' model operates is probably the secure desktop used in Windows 7 for UAC. See for example an explanation at http://cybernetnews.com/vista-uac-secure-desktop-explained/. There may be more extended explanations on the web.

    (With Keepass, also, the secure desktop has a minor delayed response, and appears with the entire screen temporarily dimmed).
     
    Last edited: Aug 31, 2012