KEEPASS - a further leap ahead

Discussion in 'privacy technology' started by discs, Aug 5, 2012.

Thread Status:
Not open for further replies.
  1. discs
    Offline

    discs Registered Member

    KEEPASS - a further leap ahead with OptionLock

    Recently, Keepass security has been further enhanced.

    Firstly, before I cover the new enhancement for Keepass security, Keepass as a choice for a password manager is streets ahead of the competition for the following reasons:
    • Secure Desktop. None of the run-of-the-mill password managers - Roboform, Lastpass etc. - provide a secure desktop entry of the master password. The master password underpins the security of a password management system. As the article on Wikipedia in its section on vulnerabilities of password managers says, virtual desktop entry of master passwords still leaves the user vulnerable to screen capture of the master password (A secure desktop for entry of the master password protects against this). In my view, most password managers fall at the first hurdle in not properly protecting their users' master passwords.
    • Auto-type Obfuscation Most password managers rely on auto-typing (auto-filling) data into login fields. So does Keepass. But auto-typed data can be key-logged. Keepass provides a way around this vulnerability through enabling a use of Two-Channel Auto-Type Obfuscation for data entry at logins: http://keepass.info/help/v2/autotype_obfuscation.html. I do not know of any other mainstream password managers who provide their users with this type of protection.
    • No Browser Integration. Keepass does not integrate itself into browsers - instead providing a global key facility for entering login data (which works for browser logins, and for non-browser applications, like Evernote or game sites where login may not be through the browser). Browser integration makes password managers, like Lastpass for example, vulnerable - as illustrated by the following:

      The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn't protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab. http://www.technologyreview.com/news/424909/cracking-open-chrome-os/2/
    • Open Source. It is commonplace for applications that claim to be cryptographically secure to publish the algorithms. Thus everybody has a chance to find vulnerabilities - instead of only the hacker committed enough to reverse engineer closed source applications.
    • Not a Likely Hacker Target. This is a bit of a 2-edged sword for Keepass - but perhaps not, since the developers' are not, I believe, primarily financially motivated.
      a) Keepass will never become hugely popular because the mega marketing budgets of Roboform, Lastpass etc. will always keep it out of mainstream view; this becomes obvious when reading the popular press or computing magazines, or looking at password manager comparison tables on the web.
      b) Keepass isn't immediately available to the user as integrated with their browser; the public want this option, even though it is insecure by nature - and so the public at large is unlikely to adopt Keepass. Also, for identity information it takes more effort (in my view, worthwhile for the extra security benefits provided by Keepass) to set up Keepass, and this is another barrier to its widespread use.
      c) Keepass stores password data locally - even Roboform is a lesser target than Lastpass because it at least gives the user the option to store locally.
      d) there will always be better and easier hacker targets in a gullible public which responds to marketing-hype, browser-integration and the pretty looking interactives from the larger companies producing and providing less secure password managers - which are not only easier to break into, but provide juicier pickings.

    Now to the enhancement. For me Keepass, as it stands, protects its data extremely well (also see: http://keepass.info/help/base/security.html). But, in one important respect, it fails to ensure that a user is enabled to protect the access and use of their password data by unauthorised persons or software.

    At present it is possible for an unauthorized user/software to access the Keepass configuration/options of the user, and to change the options, even when Keepass has been locked down by the user - and can only be opened for use with a master password. In other words, while locked, the UI still allows access to the Options, Triggers, and various other sensitive menu items.

    Certain options set by the user, if changed without their knowledge while Keepass is locked, could compromise KeePass for the user. For example a user-defined option that Keepass should auto-lock 90 seconds after inactivity could be changed so that Keepass never locks, and is always open, and doesn't need a re-entry of the master password after first use. Keepass will now, without user knowledge, remain accessible for potential use by unauthorised persons and software without the need of a master password.

    Other unwanted and perhaps worse scenarios are possible with other available sensitive options, trigger settings, etc being changed without user authorization.

    With reference to the above concerns about Keepass, a specific plugin, appropriately called OptionLock, has been developed. It ensures that if a user has locked their password database(s) the options cannot be changed without the use of a master password. According to the developer's description:

    OptionLock is a plugin for KeePass 2.x that keeps unnecessary UI elements of KeePass disabled while all documents are locked and also while there are no documents. OptionLock does not disable any UI elements while at least one database is opened and unlocked.

    Full details of OptionLock, and download page: http://www.codeproject.com/Articles/429948/OptionLock-a-KeePass-2-x-Plugin-keeps-UI-disabled. (An attempt to download OptionLock takes one to a sign-in/registration page for The Code Project, because registration is required prior to download, unless you use your Google or Facebook ID to login - in which case there is no need to register).

    Like Keepass, OptionLock is open source and free.

    P.S. I am not the developer of OptionLock! The developer has posted about the new plugin on the Keepass forums https://sourceforge.net/projects/keepass/forums/forum/329220/topic/5495354/index/page/1. I just happen to have an interest in making access and use of Keepass more secure for the user.
    Last edited: Aug 7, 2012
  2. aladdin
    Offline

    aladdin Registered Member

    How one goes to download OptionLock?

    Best regards,
  3. discs
    Offline

    discs Registered Member

    Hi,

    I believe your question may relate not to the download link given above (http://www.codeproject.com/Articles/429948/OptionLock-a-KeePass-2-x-Plugin-keeps-UI-disabled), but to the mechanics of the download - in that the download does not occur automatically after clicking on the download link for the OptionLock zip file, but instead directs you to a sign-in/registration page.

    I believe the download is hosted by a site for application developers called The Code Project. The developer of OptionLock is apparently a member of the project.

    On the OptionLock link given above, when you try to download OptionLock it will automatically take you to a sign-in/registration page https://www.codeproject.com/script/Membership/LogOn.aspx?rp=http%3a%2f%2fwww.codeproject.com%2fArticles%2f429948%2fOptionLock-a-KeePass-2-x-Plugin-keeps-UI-disabled&download=true.

    The easiest way to download is to login to the Code Project with a Google or Facebook ID, in which case no registration is needed.

    Otherwise you will need to register with The Code Project (as you would, for example, with a forum) by providing a user name, email address - which I believe will need confirmation - and a password.

    Once registered with the Code Project you will then be able to log-in as a member, and download OptionLock.

    Hope that clarifies things.
    Last edited: Aug 7, 2012
  4. aladdin
    Offline

    aladdin Registered Member

    Hi Discs,

    True and thanks for your answer. I don't believe many people will want to register or use their Google/Facebook ID to download and then become part of weekly .......

    Can you upload it somewhere, where the members on this site can download without going through this much trouble?

    Best regards,
  5. ronjor
    Online

    ronjor Global Moderator

Thread Status:
Not open for further replies.