Recent security incidents around password managers such as Bitwarden and 1Password, and a posting last week by independent security researcher Alex Hernandez that the open-source KeePass password manager had a flaw, have sparked discussion in the industry around password managers.
It was reported last week that Bitwarden and 1Password were targeted in Google ads phishing campaigns that aimed to steal user password vault credentials.
And a security breach at LastPass that first came out late last year and a credential stuffing attack at Norton reported in mid-January have illustrated that master passwords used to secure vaults in cloud-based password managers are a potential security risk.
KeePass has been viewed in the industry as less user-friendly than the cloud-based options, but technical users depend on its security because it encrypts all passwords — and the entire database — and is stored locally on a personal computer versus a password vault that’s stored in the cloud.
According to Hernandez’s post, an attacker who has write access to a KeePass configuration file can modify it and inject malicious triggers to obtain the cleartext passwords by adding an export trigger. The victim can then open the KeePass normally, saving changes, for example, and the trigger will execute on background exfiltrating the credentials and ultimately the full database to the attacker’s web server.
Following Hernandez’s post, NIST issued CVE-2023-24055 and the matter is under review.
Dominik Reichl, who developed KeePass and issued its first release in November 2003, said in response that having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file. Reichl pointed out that these attacks in the end can also affect KeePass, independent of a configuration file protection.
“These attacks can only be prevented by keeping the environment secure by using an anti-virus software, a firewall, or not opening unknown email attachments,” said Reichl. “KeePass cannot magically run securely in an insecure environment.”
Jack Poller, a senior analyst at Tech Target’s Enterprise Strategy Group, said the fix proposed by a commenter in a SourceForge discussion — asking the user to authenticate before decrypting and exporting the password vault — helps increase the security of KeePass in an insecure environment. Poller said it balances security, usability, and difficulty of implementation.
“As best as I can tell, Dominick believes that if an attacker has access to the user’s PC, the attacker can get access to anything and everything, and thus Dominick should not take any extra steps to prevent the attacker from decrypting the password database,” said Poller. “Specifically, Dominick says ‘KeePass cannot magically run securely in an insecure environment’ – but that’s the opposite of the new paradigm being adopted for cybersecurity strategy: zero trust, where we trust no one, and require continuous authentication and authorization for every transaction. This enables applications to provide the best security possible in a potentially insecure environment. I am surprised and flummoxed by Dominick’s continuing reluctance to make this change.”
Poller added that for the LastPass breach in November, while attackers could access the user’s password database, the attackers didn’t access the user’s encryption keys and thus could not decrypt the database. However, Poller said LastPass only encrypted passwords: website URLs, IP addresses and other data was unencrypted, giving the attackers a tremendous amount of information to build user profiles and start credential stuffing and social engineering attacks, not to mention blackmail material.
“As we suffer more breaches, we’re coming to learn that almost all information is sensitive, and should be encrypted to prevent unauthorized access, especially when exfiltrated” said Poller. “Attackers flock to the most popular vaults, which will have the biggest payday for their efforts to break in. So I’m not surprised that attackers are using sophisticated attacks such as Google ad phishing and typosquatting campaigns to target users of password managers.”