
What risks to pay attention to when using the KeePass password manager

2025-04-06 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

Today I will talk about the risks you should pay attention to when using the KeePass password manager, which many people may not understand well. To make them easier to understand, the editor has summarized the following points. I hope you get something out of this article.

Brief introduction

KeePass is a free, open source password manager that has been popular since its release in November 2003. As a typical representative of the second generation of password managers, KeePass surpasses the previous generation and brings real encryption protection to password management, which can effectively prevent secrets from being disclosed.

After more than ten years of development, KeePass has become more and more powerful and has accumulated millions of users. In addition to Windows, the earliest supported platform, KeePass has been widely ported to all major platforms such as Linux, Mac, Android and iOS. In the Play Store, KeePass2Android, KeePassDroid and other Android ports have been downloaded more than 1 million times.

Risk

Because KeePass is open source and free, it attracts a large number of users, but many of them do not understand the prerequisites for using KeePass safely. In "Password managers aren't all they're cracked up to be. Here's why", Kayla Matthews explains that password managers are not unbreakable and warns users not to indulge in a false sense of security. Being open source does not make KeePass invulnerable, and it too faces serious risks if it is not used properly.

The vast majority of KeePass products keep the database file in public storage (the iOS ports are the exception, because iOS has no public storage). The encrypted database file is easily accessed by other apps on the system, so in practice only the master password stands between it and a leak.

Usually, even if a hacker steals a KeePass database, he still needs to crack the master password in order to steal the passwords stored in it. If the master password is long, complex, and not reused, brute-force cracking is very difficult. But there is one type of app that can easily get the master password: the input method (the keyboard app).

Many people use a third-party input method, and it is no secret that input methods upload the characters the user types to the cloud; how else would they improve the input experience? As long as the malicious program that steals the KeePass database can also steal the master password from the input method's data, it is easy to recover all the saved passwords. Or, to imagine the worst case, what if a malicious input method itself steals the KeePass database?

On the iOS platform, because of the sandbox restrictions, even the input method cannot steal the KeePass database, but other platforms do not have this protection.

Isn't there a sandbox on the Android platform?

The Android system does have a sandbox protection mechanism, which restricts malicious programs from accessing an app's internal data. Unfortunately, several popular Android ports of KeePass all store database files in external storage. At the same time, almost all popular input method apps have sufficient permissions to steal passwords:

External storage: the app can read KeePass database files.

Network: the app can send master passwords and database files to the cloud.

Anyone who has read the KeePass database and knows the master password can quickly decrypt the saved passwords using KeePass's open source encryption algorithm. Of course, open source is not a necessary condition: simply opening the database in the KeePass program on the hacker's computer and entering the master password decrypts it immediately.

Can those popular input methods be trusted?

As for whether you believe it or not, I believe it or not!

Suggestion

On a platform protected by a sandbox, such as Android, it is very dangerous to keep password databases in external storage. KeePass developers obviously pay more attention to convenience than to the security of user data. If you still want to use the KeePass password manager, it is recommended that you:

Enable the secure keyboard on mobile phones such as Xiaomi and Huawei. When you enter a password, the secure keyboard replaces the default input method to prevent the password from being stolen by the input method.

Deny the input method access to external storage.

Disable the input method's network permission, or choose an input method that does not have network permission (if you can find one).

Of course, routine security practices are also essential, such as installing system security patches in a timely manner and not installing apps from unknown sources.
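To check the two permissions named above on your own device, the following sketch rates each enabled input method from the output of `adb shell ime list -s` and `adb shell dumpsys package <package>`. It is an added example, not part of the original article or of KeePass; the package names and sample output are constructed, and the `granted=true` line layout is assumed to match your Android version.

```python
import re

# Permission groups the article names: storage (read the database file)
# and network (send it, and typed text, to a server).
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE",
           "android.permission.MANAGE_EXTERNAL_STORAGE"}
NETWORK = {"android.permission.INTERNET"}
GRANTED = re.compile(r"^\s*([\w.]+): granted=true", re.M)

def ime_packages(ime_list_output):
    """Package names from `adb shell ime list -s` (one pkg/service ID per line)."""
    return [item.split("/", 1)[0] for item in ime_list_output.split() if "/" in item]

def granted_permissions(dumpsys_output):
    """Permissions marked granted=true in `adb shell dumpsys package <pkg>`."""
    return set(GRANTED.findall(dumpsys_output))

def assess(granted):
    """Rate an input method by the storage/network combination it holds."""
    storage, network = bool(granted & STORAGE), bool(granted & NETWORK)
    if storage and network:
        return "HIGH: can read the database file and upload it"
    if storage or network:
        return "MEDIUM: holds one of the two permissions"
    return "LOW: neither storage nor network access"

def audit(ime_list_output, dumps):
    """Map each enabled input method package to its rating."""
    return {pkg: assess(granted_permissions(dumps.get(pkg, "")))
            for pkg in ime_packages(ime_list_output)}

# Constructed sample output (hypothetical package names) so this runs offline.
SAMPLE_IME_LIST = ("com.example.cloudkeyboard/.ImeService\n"
                   "com.example.offlinekeyboard/.ImeService\n")
SAMPLE_DUMPS = {
    "com.example.cloudkeyboard": """
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
""",
    "com.example.offlinekeyboard": """
    install permissions:
      android.permission.VIBRATE: granted=true
""",
}

if __name__ == "__main__":
    for pkg, rating in audit(SAMPLE_IME_LIST, SAMPLE_DUMPS).items():
        print(f"{pkg}: {rating}")
```

A HIGH rating means the keyboard holds both permissions the article warns about; revoke storage access in the app's permission settings or switch to a keyboard without network permission.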
