Dutch NCSC warns of Vulnerability in Password Manager KeePass

Discussion in 'other security issues & news' started by Gandalf_The_Grey, Jan 28, 2023.

  1. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Dutch article translated by DeepL:
    https://www.security.nl/posting/783...or kwetsbaarheid in wachtwoordmanager KeePass
    https://nvd.nist.gov/vuln/detail/CVE-2023-24055
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Again, I think this is being blown way out of proportion. Do as suggested: disable export without a password. Disable export altogether, and use an enforced config. Done. Also, above all, don't allow untrusted access to your system. These attacks were done locally, as the article stated. Don't allow local untrusted users. Problem solved.

    However, if you're really worried about this, KeepassXC does not have this issue.
     
    Last edited: Jan 28, 2023
  3. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    I think it is great that probably because of the LastPass fiasco more password managers are under review.
    What worries me is that in the default configuration of KeePass an attacker with local access can get your passwords, and the creator of KeePass simply answers: just secure your system. In the light of all the breaches lately I find that a bit naive.
    You can solve this with an enforced config but IMO that should be the default configuration.
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    On that we agree. Still, Keepass is safer than a cloud-based manager. With it you can use a password + keyfile stored in different places.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Does this attacker need administrator privileges? I think it can cause a false sense of security to protect against such an attack.
     
  6. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    537
    Location:
    Australia
    This is good to know as it is my software of choice.
    There are not many cross platform - NON CLOUD - options available.
     
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Geez, it's getting a little disturbing--all these revelations about Password Managers of recent late. Well, I see Malwarebytes published a guide on the relative "crackability" of your passwords.

    https://twitter.com/Malwarebytes/status/1619094170886365190

    I used 1Password's generator to get a number of 21-character ones, with special char.s, upper and lower case letters and numbers of course. When my password changes are ironed out, these will be stored offline on my HDD. For now, I am satisfied.

    Thanks for this news, Gandalf_The_Grey. Turns me right off even considering a Manager.
     
  8. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    From Wladimir Palant:
    https://infosec.exchange/@WPalant/109739825281157041
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I can only repeat my advice to use a passphrase with the Diceware method. A good read is the Wikipedia article about password strength, particularly the paragraph about entropy with the table comparing the entropy of passwords and Diceware-based passphrases.

    Needless to say that this advice applies to your master password as it is much easier to remember than a complex password. A passphrase is not necessary if you let the password manager of your choice create complex and long enough passwords for specific websites/logins.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Any method to have a good password would do.
    There are many memory/mnemonics methods to remember things.
    And of course it is different for everybody. My personal root of password managers is KeePass/KeePassXC database. I only need to remember that one password.
    The password protecting BitWarden was generated and is stored in KeePassXC. It would be inconvenient to access BitWarden by entering the password every time on mobile, regardless of Diceware or any other method, so I allow PIN protection as an alternative. The remote vault is still protected by the password, and not the PIN.
     
  11. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    Password-stealing "vulnerability" reported in KeePass - bug or feature?

    01 Feb 2023
    by Paul Ducklin

    https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I didn't know you could password protect exporting of the password file. I guess this issue is seen as a security problem because you can of course export passwords in plain text. Another option is to protect access to the KeePass folder with a file/folder protection tool.
     
    Last edited: Feb 5, 2023
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    Proper setting to avoid silent export, see image.
    An attacker needs to take control of the device: direct access, trojan, whatever.
    That's why the author does not consider that CVE as urgent for KeePass. And in case of a taken-over device the hacker can place a keylogger and that's it, lost again. The device* is vulnerable and thus lost.
    (*"device" includes a running operating system)
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Another good article about this problem is this one which points to a KeePass hardening guide "via a little-known forced configuration file. This feature is primarily intended for network administrators who want to enforce certain settings for users of a KeePass installation, but can also be used by end users to harden their KeePass setup."
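    The enforced configuration mentioned in this thread (disable export, or at least require the master key for export, and disable triggers) can be expressed in a `KeePass.config.enforced.xml` placed in the KeePass application directory, where only administrators can write. This is an added example, not from the hardening guide or the KeePass project; the element names follow the KeePass 2.x configuration schema as I understand it, so check them against the `KeePass.config.xml` your installed version writes before relying on them.

    ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <!-- KeePass.config.enforced.xml (added example): settings here override the
         user-writable KeePass.config.xml, which is what the silent-export trick
         relies on. Keep this file in the (admin-only) KeePass install directory. -->
    <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <Application>
        <TriggerSystem>
          <!-- Triggers are the mechanism used to run an export on open/save. -->
          <Enabled>false</Enabled>
        </TriggerSystem>
      </Application>
      <Security>
        <Policy>
          <!-- Policy flags: false = the action is refused by the application. -->
          <!-- Option 1 (strictest): no exporting at all. -->
          <Export>false</Export>
          <!-- Option 2 (if export must stay available): require the current
               master key to be entered before any export (KeePass 2.53+). -->
          <ExportNoKey>false</ExportNoKey>
          <!-- Also prevent editing triggers from the UI. -->
          <EditTriggers>false</EditTriggers>
          <!-- Optional: block loading of plugins, another code-execution path. -->
          <Plugins>false</Plugins>
        </Policy>
      </Security>
    </Configuration>
    ```

    After placing the file, restart KeePass and confirm in Tools > Options > Policy that the flags show as enforced and cannot be toggled by a normal user.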
     