Blog: Opinions

Concerned about KeeFarce? Don’t be. Why you should still use a password vault

Joe Bursell 09 Nov 2015

keefarce

How safe are password vaults/managers? The recent sharing of KeeFarce, a hacking tool for KeePass, saw widespread alarm over whether we should be entrusting these services with our passwords. But let’s not throw the baby out with the bath water. Password vaults are more safe than the alternative which is reusing passwords or using poor passwords.

KeeFarce and other ‘malware’ of its type are definitely a threat in a way that they make it easy to attack tools like KeePass which hold critical information. Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are. Anti-Virus, firewalls and security awareness are key to make us safer in this respect.

Simply put, KeeFarce is a case of password + extraction tool = scary. It’s not a weakness in the password database software as such. It’s more a case of given sufficient access, any information can be recovered in a computer. Memory space must be used to store sensitive material; certain users on the system including the operating system’s kernel itself are able to read any memory address which means that in case of compromise this fragment of information can be extracted.

KeePass/KeeFarce explained

KeePass has a mode in which the database is locked after a period of time, effectively wiping the keys from memory once they’re not required. This is a great idea (akin to timing out web application sessions) and minimises the feasibility of this attack in particular. But it’s also a hassle, it interferes with usability, so most people leave it disabled. Our advice? Use 2FA on the password database. This requires the attacker to ensure that both elements were compromised simultaneously (keys and password) to be able to re-open the database.

KeyFarce isn’t really malware; you have to be an admin to get anywhere near using this properly and if you are a privileged user you don’t need these tricks: just use a sniffer, install a certificate, install a key logger etc. and you’re in. There’s definitely been a knee jerk reaction to this tool. The kind of attack I would be seriously concerned about is the kind that exploits weaknesses in the encryption algorithms and makes the database susceptible to brute forcing within a practical time frame.

Vaults are not inviolable

In my opinion, password vaults and managers are still a viable option. But they are not invulnerable. The danger with a password manager is that you are effectively putting all your eggs in one basket so yes, do use them but be careful when selecting the service you use.

It’s important to think in risk terms here. Risk is about likelihood and impact. Whilst the impact of this tool being successfully used to obtain passwords from a vault would be high, the likelihood is low.

Then when you add compensatory controls in place such as Anti-Virus (which will shortly I’m sure have detections for this type of program) and security best practice improvements – most people using password safes are likely to already be thinking differently about security and so are more likely to spot an attack (e.g. phishing) – you end up in a situation where it is unlikely, outside of corporations, that this tool will actually result in peoples password files being dumped.

Conclusion

What is far more likely is that your reused password will be hacked from one site and used on another. I still recommend password vaults and will still continue to use them as the alternative is too much risk for me.

That said a large number of corporates are using KeePass for their server admin functions and should an attacker get leverage in a network and find password vaults in use then they could try to exploit someone to get all the admin passwords. Perhaps it’s time for those organisations to look at other services to manage these.