Gonna take a pass on this one
January 25, 2023 7:20 AM

GoTo, maker of LastPass, has updated their blog with new information regarding a security incident that took place in November 2022, reports The Verge.

From TFA: "We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information."
posted by slogger (52 comments total) 9 users marked this as a favorite
 
The first four words of this post suggest TFA contains an update regarding the breach that affected LastPass data. It appears not to be. AFAICT there is neither new nor increased concern for LastPass users.
posted by armoir from antproof case at 7:26 AM on January 25, 2023 [14 favorites]


As a (former) user of LastPass, what's new to me in this is that the intruder also got an encryption key.
posted by dbscissors at 7:56 AM on January 25, 2023 [5 favorites]


This sort of thing is one of the reasons I haven't started using a universal password manager.
posted by slkinsey at 8:11 AM on January 25, 2023 [12 favorites]


Right, the fact that they have a key is the new news -- but someone in the Reddit thread says that it's not related to LastPass archives, "only" several other products:
https://www.reddit.com/r/sysadmin/comments/10kp4ye/lastpass_breach_gets_worse/j5stwhs/
posted by wenestvedt at 8:16 AM on January 25, 2023 [2 favorites]


I use and will continue to use LastPass. As armoir from antproof case indicates, the details are very important here. LastPass' design seems to have worked to protect user data, though that does depend on how strong your master key is. My takeaway is that it is advisable to change your key, an inconvenience, but not as major a one as redoing the 100+ passwords I have in my archive.
posted by bonehead at 8:36 AM on January 25, 2023 [1 favorite]


As armoir from antproof case indicates, the details are very important here. LastPass' design seems to have worked to protect user data,

But it didn't. Saved URLs weren't encrypted so now the hackers have info about every site you deem important enough to have accounts on. We haven't seen the effects yet but in many cases just having the URL would be enough to dox people or to force them out of the closet.

The big competitors (1password and bitwarden) encrypt everything so it's a vulnerability exclusive to LastPass. Something they were warned about for years and they did nothing.
posted by simmering octagon at 8:46 AM on January 25, 2023 [22 favorites]


Going to credit the LastPass leak with the combined $2,400 someone tried to charge to two of my credit cards this month in Middle Eastern countries. I might not have stuck them in a secure enough field. But it’s pretty amazing the company is still not offering refunds and has barely communicated with users over the holidays.
posted by johngoren at 8:47 AM on January 25, 2023 [8 favorites]


If I understand correctly: if you change your master key but not the passwords in your archive, then if the entity who stole the vault data manages to crack your vault they will be able to use those passwords. If you change the passwords but not the master key, then if your vault is cracked your new passwords could still be at risk (if they manage to obtain a new copy of the vault, they can just try the cracked master key again).

I'll continue to use LastPass because cycling everything is less of a hassle than switching, but I'm still cycling everything.

(On preview: I'm not concerned about attackers knowing which sites I have accounts on, but of course others' mileage may vary.)
posted by Covert Kaiju at 8:49 AM on January 25, 2023 [1 favorite]


I left LastPass several years ago after they had multiple security breaches. I see that their (or their parent company's) security practices have not improved. Switching to 1Password was very easy – I was able to export and import all of my logins and passwords in one go.
posted by zsazsa at 8:57 AM on January 25, 2023 [1 favorite]


But it didn't. Saved URLs weren't encrypted so now the hackers have info about every site you deem important enough to have accounts on

There’s a world of difference between someone having a list of the URLs where i have accounts, and having the actual authentication credentials for those accounts. Was there rank sloppiness on LastPass’ part? Sure. Is the article about which this post was created in any significant way related to LastPass or last year’s security breach of LastPass user data? Apparently not.

There’s at least one existing thread here on the blue about the LastPass security incident and aftermath.
posted by armoir from antproof case at 9:05 AM on January 25, 2023 [1 favorite]


There’s at least one existing thread here on the blue about the LastPass security incident and aftermath.

Quick search says otherwise?
posted by slogger at 9:23 AM on January 25, 2023


I left Lastpass for the cost reasons and mediocre mobile functionality if you use free versions. Enough free and secure password managers offer unlimited number of devices and excellent interoperability that it didn't make sense to continue using Last. Went to Bitwarden.
posted by shenkerism at 9:30 AM on January 25, 2023 [4 favorites]


There’s a world of difference between someone having a list of the URLs where i have accounts, and having the actual authentication credentials for those accounts.

They may not have the authentication credentials but saved URLs can reveal quite a lot about a user, not exclusive to their username or other information (location, email, etc) as a lot of sites send all sorts of data in the clear after the ? in the URL.

Heck, if they're a not particularly savvy user and have some old FTP URLs in there that they use/used IE for, some of those send username and password in the clear, which is really a bad idea and very dumb, but let's not pretend there's not some substantial risk in unencrypted URLs.
posted by tclark at 9:40 AM on January 25, 2023
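A defender-side check for the point tclark and others raise about cleartext URL fields: the block below is an added example, not code from the thread or from any password manager vendor. It scans a vault's stored URLs for the things that leak when the URL is not encrypted (FTP or HTTP transport, credentials embedded before the @, account or session identifiers after the ?, and, going slightly beyond the comment, tokens in the URL fragment) and produces a stripped-down URL to store instead. The sample URLs and the list of sensitive parameter names are constructed assumptions.

```python
"""Audit stored vault URLs for data that leaks when the URL field is not encrypted."""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query/fragment parameter names that commonly carry secrets or identifiers
# (constructed list; extend it with whatever your own sites use).
SENSITIVE_PARAMS = {
    "token", "access_token", "session", "sessionid", "sid", "password", "passwd",
    "pwd", "key", "apikey", "api_key", "auth", "account", "acct", "email", "user",
    "username",
}

# Constructed sample of the kind of URLs that accumulate in a vault over the years.
SAMPLE_VAULT_URLS = [
    "https://forum.example.org/login",                                   # nothing to flag
    "https://bank.example/account?acct=00123456&view=summary",           # account number in query
    "ftp://alice:hunter2@files.example.net/pub",                         # the old IE-style FTP entry
    "https://app.example.com/callback#access_token=eyJabc&type=bearer",  # token in fragment
    "http://intranet.example/index.php?sessionid=9f3a",                  # cleartext HTTP + session id
]


def audit_url(url: str) -> list[str]:
    """Return human-readable findings for one stored URL (empty list = clean)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme in ("http", "ftp"):
        findings.append(f"cleartext transport ({parts.scheme})")
    if parts.username is not None:
        what = "username and password" if parts.password else "username"
        findings.append(f"{what} embedded in URL")
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        if not raw:
            continue
        names = {name.lower() for name, _ in parse_qsl(raw, keep_blank_values=True)}
        hits = sorted(names & SENSITIVE_PARAMS)
        if hits:
            findings.append(f"sensitive-looking {where} parameter(s): {', '.join(hits)}")
        else:
            # Even an innocent-looking query string reveals what you did on the site.
            findings.append(f"{where} string stored with the entry")
    return findings


def sanitized_url(url: str) -> str:
    """Keep scheme, host[:port] and path only: enough for site matching, nothing extra."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def audit_vault(urls) -> dict:
    """Map each URL that has findings to (findings, replacement URL)."""
    report = {}
    for url in urls:
        findings = audit_url(url)
        if findings:
            report[url] = (findings, sanitized_url(url))
    return report


if __name__ == "__main__":
    for url, (findings, replacement) in audit_vault(SAMPLE_VAULT_URLS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
        print("  store instead:", replacement)
```

Run it against the URL column of your own vault export instead of SAMPLE_VAULT_URLS; every flagged entry is one whose URL alone told an attacker something, whether or not the password ever cracks.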


They also, I found out, didn't use the current recommended number of PBKDF2 iterations. The more iterations makes it more difficult for an attacker who somehow got your encrypted data to decrypt it; basically you have to redo the encryption algorithm that many times. Current recommendations are in the 200,000 to 600,000 range, where LastPass had a standard of 100,000. It could be changed, but the setting to do this is buried under Advanced Account Settings.

However, as a long-time user of LastPass, my account was helpfully grandfathered into the old exponentially weaker 5,000 iterations. I should say former user of LastPass.
posted by Superilla at 9:52 AM on January 25, 2023 [6 favorites]


Personally, I would not be following the advice of people who are minimizing the severity of the LastPass breach in this thread. To me, this incident and the way it's unfolding has revealed LastPass to be untrustworthy. You might not be prepared to accuse them of lying, but they are coming very close to the line, which a company that wants you to trust them with some of your most valuable secrets should not be doing. You may not be prepared to say their entire operation is smoke and mirrors, but they've lost encryption keys (!!!), the literal keys to the castle in this kind of business, to a hacker through an online channel.

You are taking risks with your accounts if you continue to use LastPass, till such time as they fix the issues with their systems, which they have been well aware of for years, start being more transparent about their operations, and stop playing fast and loose with the truth. And secure their damn keys properly!

Here's why I say all that. As I understand it, the threat actor that attacked LastPass made off with:
- Some source code
- Usernames and URLs of user-stored entries
- And now, we learn, at least one encryption key

The threat actor also spent approximately 4 days freely roaming one of their development environments, learning who knows what about how their entire company operates, and suggesting that their own internal security monitoring is not up to industry standards.

Access to source code is potentially a very big deal, and LastPass should be more transparent about what the stolen source code did. Armed with the right segments of source code, an attacker could plan a targeted attack much more serious than what has occurred thus far.

LastPass has been drip feeding information about this breach since first revealing it in August 2022. They stated in August that no customer data had been taken, but in November they reversed and said there was (it's almost certain they knew that in August and only publicly stated this fact when forced to). Now they are copping to having at least one *encryption key* stolen. The way they have been revealing this information and reversing previous statements is very concerning. What will we learn next?

The fact that an encryption key for some user data was stolen is an extremely big deal. That should be so close to impossible that you'd need a team of highly-trained Navy SEALS busting down the doors to get to them. Yet here we are.

Also, it is worth remembering that URLs can contain very sensitive information, including account numbers and even access tokens or passwords, depending on how the web site works and how the vault entry was made. See this article for more on that. Note the date: 2017. LastPass has known about this particular issue for around six years and has not fixed it. So, when LastPass was saying their customer data was safe, they were being misleading: they knew full well that URLs were in cleartext.
posted by abucci at 10:27 AM on January 25, 2023 [40 favorites]


At the highest level, since all these systems rely on the user having a strong master password, it's probably a good idea (no matter what system you use) to re-evaluate yours and change if necessary.

The diceware technique is a highly popular one among security experts, and easy to understand and do.
  1. Go find your Yahtzee game with its five dice + cup (although any five dice will do).
  2. Roll the dice and you'll get a five digit number eg: 26352
  3. Go to one of the wordlists made for this purpose: this one by EFF is pretty good. Look up the number you rolled in the list. So my example 26352 = the word faceplate.
  4. Repeat steps 2 & 3 at least three times. This will give you four random words which you now use as a single string and memorize the bejeezus out of.
Four random words is incredibly secure. A brute force attack using a single modern CPU would take about 200 years to crack. Five random words is even better, and even math whizzes have a hard time calculating exactly how long this would take to crack.

(Without getting too into the weeds, all this security is based on the assumption that the KDF iteration number that everyone keeps mentioning is set to at least 100,000.)
posted by jeremias at 10:27 AM on January 25, 2023 [8 favorites]
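To put numbers on both Superilla's point about PBKDF2 iteration counts and jeremias' four-word diceware recipe: the block below is an added example, not code from the thread or from LastPass. It rolls diceware lookup keys, computes the passphrase entropy, and measures how the iteration count scales a single-core guessing rate on the machine it runs on, so the 5,000 / 100,000 / 600,000 figures from the thread can be compared directly. It assumes PBKDF2-HMAC-SHA256 as the KDF and uses a constructed placeholder wordlist in place of the EFF list.

```python
"""Diceware passphrase entropy vs. vault KDF iteration count (added example)."""
import hashlib
import itertools
import math
import os
import secrets
import time

DICEWARE_LIST_SIZE = 6 ** 5            # 7776 entries in a standard diceware list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def roll_dice_key() -> str:
    """Roll five dice with the OS CSPRNG; returns the lookup key, e.g. '26352'."""
    return "".join(secrets.choice("123456") for _ in range(5))


def diceware_passphrase(wordlist: dict, n_words: int = 4) -> str:
    """Repeat the roll-and-look-up step n_words times and join the words."""
    return " ".join(wordlist[roll_dice_key()] for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Uniform choice from list_size words, n_words times: n * log2(list_size) bits."""
    return n_words * math.log2(list_size)


def derive_vault_key(master: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed KDF); every guess an attacker makes costs this much."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Guesses per second that one core of this machine manages at this iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to find the passphrase: half the space is searched on average."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(iteration_settings, n_words: int = 4) -> dict:
    """Map each iteration count to the expected single-core crack time for n random words."""
    bits = passphrase_entropy_bits(n_words)
    return {it: expected_crack_years(bits, measure_guess_rate(it)) for it in iteration_settings}


if __name__ == "__main__":
    # Constructed stand-in wordlist: the EFF list is not embedded here, so each
    # five-digit key maps to a placeholder word derived from the key itself.
    keys = ("".join(d) for d in itertools.product("123456", repeat=5))
    stand_in = {k: f"word{k}" for k in keys}
    print("passphrase:", diceware_passphrase(stand_in))
    for n in (4, 5):
        print(f"{n} words: {passphrase_entropy_bits(n):.1f} bits")
    # The three figures from the thread: the grandfathered 5,000, the LastPass
    # default 100,000, and the upper end of current recommendations, 600,000.
    # Absolute years are for ONE CPU core; real attackers bring GPUs and many
    # cores, so read the ratio between rows, not the row values themselves.
    for it, years in crack_time_table((5_000, 100_000, 600_000)).items():
        print(f"{it:>7} iterations: ~{years:.3g} years per core")
```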


It seems like I’m totally p0wned and I’m going to have to spend the rest of the day changing passwords and MFA setups. This is extremely annoying.
posted by interogative mood at 10:43 AM on January 25, 2023 [1 favorite]


This sort of thing is one of the reasons I haven't started using a universal password manager.

This sort of thing is the central reason why I have always preferred a password manager whose encrypted database is a small, single file that I am solely responsible for propagating and backing up, and whose master key I am solely responsible for storing securely.

I wanted such a manager that would work both on the Linux boxes I prefer for personal use, and on the Windows boxes my professional life used to depend on, so I picked KeePass on Windows and KeePassX on Linux. Both were solid open-source applications that used the same database format and I've been growing my credentials collection in that format for nearly twenty years. There are hundreds of them in there now, some of which will probably be for services that don't even exist any more.

Current weapons of choice are KeePassXC on desktop, KeePassDroid on Android, Dropbox for cross-device sync, and ignoring the entire Apple ecosystem to the greatest extent possible. There will almost certainly always be something free in the iOS app store that understands KeePass databases but Apple has a long history of arbitrarily deleting them and I can no longer be bothered keeping track of what the nicest one available is any more.

I very much enjoy the feeling of being faster than my friend that comes from all my login credentials being long, randomly generated and unique, the high degree of justifiable confidence that I will never lose track of any such credential regardless of corporate whim, and the fact that nobody but me has a complete list of the services on which I have registered accounts.

Privacy is not dead and anybody who tells you it is is trying to sell you something. And although good-enough security is necessarily a bit of a pain in the arse, poor security invites pain that's both far more severe and far more likely. The KeePass application family is good enough, and if you haven't already started using password management software I strongly recommend it.

As for generating a strong master password: if you already have two halfway decent (as in, randomly generated and meaningless) existing passwords that nobody else knows and you can reliably remember, just running them together to make a twice-as-long master password is almost certainly good enough.
posted by flabdablet at 10:44 AM on January 25, 2023 [10 favorites]


I thought of the LastPass incident in the context of the (apocryphal?) Van Halen story about demanding M&Ms in their dressing room, but with no brown ones. The request wasn't really arbitrary. Setting up a big concert stage involves lots of details that could result in serious harm if missed. If the promoter couldn't pay attention to the simple M&M detail in the rider, what else did they not pay attention to?

Any password protection service is really selling trust. If LastPass couldn't pay enough attention to prevent this hack - what else are they not paying attention to?
posted by dchase at 10:50 AM on January 25, 2023 [6 favorites]


Four random words is incredibly secure. A brute force attack using a single modern CPU would take about 200 years to crack. Five random words is even better, and even math whizzes have a hard time calculating exactly how long this would take to crack.

I setup my parents' 1Password passphrases by asking them to summarize a family story in just 4-5 words — e.g., "Uncle'sNickname-Airplane-CatName-Polish" for the time my mom's uncle jokingly used their cat to buff my grandfather's airplane. Basically as secure as completely random words but a hell of a lot easier for my parents to remember.

The cat was nonplussed but eventually started to purr. By all accounts he was a very chill cat. And no chemicals were involved so for the cat it was less of an airplane buffing, more of a cat polish.
posted by nathan_teske at 11:03 AM on January 25, 2023 [7 favorites]


kot?
posted by chavenet at 11:06 AM on January 25, 2023


I'm used to appalling secrecy from companies re: security breaches, but I have to admit I'm shocked that the password manager company is this bad about it.
posted by grandiloquiet at 11:08 AM on January 25, 2023 [5 favorites]


This is why open source software is great. I'm another very happy KeepassXC user. My passwords are encrypted and stored locally. I back them up with everything else on my machine. A centralized password service doesn't add much value and does add a much larger attack surface.
posted by being_quiet at 11:14 AM on January 25, 2023 [11 favorites]


Was just about to say the same thing. I'm really happy with Keepass.
posted by Foosnark at 11:18 AM on January 25, 2023 [1 favorite]


I switched from LastPass to NordPass, which I got free with NordVPN.

I didn't change all of my passwords, just the ones for anything financial or social, and I went through e-shopping things and changed my passwords and/or removed my credit card info.

I am still worried some jag has my credit card numbers, though.
posted by DirtyOldTown at 11:34 AM on January 25, 2023


Yep, KeePassXC on my Mac (backed up to Dropbox), and...honestly no important passwords saved on my iPhone. Nor in the desktop Chrome browser.

The built-in password manager in my AppleID is pretty good, but I don't trust everything to it.

I do wish there was an iOS KeePassXC client.
posted by wenestvedt at 11:39 AM on January 25, 2023 [1 favorite]


It's clearly time to switch away from LastPass and I'm teetering between switching to Bitwarden and 1Password. Can anybody discuss their experience with the quality of their autofill compared to LastPass (in desktop browsers and on Android)?
posted by The Tensor at 12:48 PM on January 25, 2023


I use Bitwarden and it's pretty excellent and great value for money. The autofill in the browser and iOS has never failed me. Highest recommendation.
posted by d_hill at 12:51 PM on January 25, 2023


What exactly is the difference between Keepass and KeepassXC? I've been using Keepass for years but if there's a reason I should switch I'd like to know. I have never been a fan of the idea of storing everyone's passwords in a centralized service, too tempting of a target, which is why I went with Keepass to begin with as opposed to something like LastPass.
posted by any portmanteau in a storm at 12:51 PM on January 25, 2023 [2 favorites]


This sort of thing is one of the reasons I haven't started using a universal password manager.

As an infosec instructor, this is a major reason I am absolutely livid about the LastPass breach. They've fscked up acceptance of what (for most people) is a huge improvement in their personal security.

I sure hope passkeys happen ASAP, and their implementation is not half-assed.

I too use Bitwarden.
posted by humbug at 12:57 PM on January 25, 2023 [3 favorites]


Can anybody discuss their experience with the quality of their autofill compared to LastPass (in desktop browsers and on Android)?

I switched to bitwarden from lastpass a year or two ago. I like the bitwarden autofill on my desktop much better than lastpass. I press "ctrl + shift + l" (ell) and it just does it automatically on all but a few sites (I think some banks might intentionally disable autofilling in which case I copy and paste). On Android it generally works pretty well. Quite a few apps needed to be re-remembered, so I had to manually copy and paste the first time and then update bitwarden to remember it for an app name like com.bank.com (or however android names apps)

The migration was easy from lastpass. Downloaded a database export from lastpass and imported to bitwarden. There were a few issues at the start where lastpass would autofill at www.domain.com and login.domain.com, as an example, but bitwarden would only do www.domain.com. There's an option in the dropdown that says "autofill and save" to quickly add the new domain. And you can also specify settings on a per domain basis to autofill all *.domain.com or explicitly just www.domain.com and login.domain.com. I have a couple of domains where I have different logins at different subdomains, and it's great to have it just automatically know which one is correct for each domain.

Oh, and if you have a couple logins at one domain, I just press "ctrl + shift + l" (ell) a couple times to cycle through them autofilling the login prompt. It's great!

I didn't think lastpass was bad when I used it, but I found bitwarden to be better immediately.
posted by msbrauer at 12:59 PM on January 25, 2023 [3 favorites]


I’m still using RoboForm. I like it and am too lazy to switch, but it worries me that recent “best password manager” articles seem to ignore it. It is easy to use across devices and has a useful web dashboard for finding and fixing duplicates, items known to be cracked, etc. Have any of you security pros seen anything to suggest it’s a bad choice? I think I bought it in like 2002!
posted by caviar2d2 at 3:10 PM on January 25, 2023


We haven't seen the effects yet but in many cases just having the URL would be enough to dox people or to force them out of the closet.

It also makes precision password stuffing trivial.
posted by mhoye at 5:27 PM on January 25, 2023


OK… I've been using the free version and I'm not a computer security expert. What's the best way to mitigate this beyond logging out and deleting the program? Change all my passwords?
posted by jabo at 5:36 PM on January 25, 2023


I use 1password and proselytize about it to everyone. If it was just me, I’d still be on KeePass, KeepassX, and KeepassTouch. However, my least secure point then became my family. The open source solutions are just not easy for non-geeks.

Never had an issue with 1password and even got my company to adopt it. Family uses it and it’s easy for them. Best piece of software of the last decade.
posted by herda05 at 5:40 PM on January 25, 2023 [2 favorites]


This was the last straw for me. Just transferred all my stuff to 1pass. Get what you pay for I guess.
posted by Misty_Knightmare at 5:58 PM on January 25, 2023


What exactly is the difference between Keepass and KeepassXC?

KeePassXC is a descendant of KeePassX, which itself started out as a Qt port of KeePass 1.x to non-Windows operating systems but is no longer maintained.

The original KeePass developer was not involved with either of these projects, and eventually built a completely new version of KeePass as a .Net application (KeePass 2.x) which lets it run on non-Windows platforms via the open source Mono implementation of the .Net runtime. Unusually for this kind of project, the 2.x versions do not supersede the 1.x versions and the developer has continued active maintenance of both.

I prefer KeePassXC to KeePass 2.x mainly because .Net is a massive runtime that makes applications built on it noticeably slower to start than Qt equivalents, and because Qt applications are less opinionated about making their UI look like it came from Windows.

KeePass and KeePassXC are both under active development and if you're happy with either I can think of no good reason to switch. It's just nice to know that you could if you had to, and that most of your existing workflows would survive intact.

If you're the kind of super rare software user who has the time and inclination to mess with something as fundamental to your online life as your password manager when not forced to, you might want to take the one you're not using for a spin and see if you prefer it. But there's really no pressing reason to.
posted by flabdablet at 11:15 PM on January 25, 2023 [4 favorites]


Get what you pay for I guess.

KeePass and all of the descendants of it that I have ever relied upon have been free software, both as in speech and as in beer, and I've never felt any need whatsoever to pony up for a proprietary alternative.

I've yet to see a commercial offering in password managers that offers better security or is in any other way better designed. In fact I would go further: if it's putatively security software but the source code is not available, it's highly likely not to be secure, and I remain fundamentally unsurprised every time I read an account of some commercial "security" vendor fucking something up yet again in some spectacularly boneheaded fashion.

When Debian did it it was astonishing. When LogMeIn does it, not so much.
posted by flabdablet at 12:30 AM on January 26, 2023 [3 favorites]


OK… I've been using the free version and I'm not a computer security expert. What's the best way to mitigate this beyond logging out and deleting the program? Change all my passwords?

No longer credentialed, but do have some InfoSec experience. You are only missing one step. Switch to a different password manager and change your passwords in the new password manager, then log out and delete.

Count me among the Bitwarden fans.
posted by a non mouse, a cow herd at 5:57 AM on January 26, 2023 [3 favorites]


Adding on to the advice from a non mouse, a cow herd:

There are two risks to hedge against here: LastPass screwing the security pooch again, and an attacker managing to crack your passwords out of the stolen LastPass customer vaults, then using them to break into your accounts.

The first risk is why to move from LastPass to a different password manager.

The second risk is considerably more annoying to deal with. It does -- I'm sorry! -- mean that it's best to change every single password in your vault after you've switched managers. Also helpful is turning on multi-factor authentication for any account that offers it but you haven't turned it on yet.
posted by humbug at 6:43 AM on January 26, 2023 [6 favorites]


I left Lastpass in December due to this breach. Bitwarden's import tool made it a 10 minute procedure. The switch was seamless, and as a longtime Lastpass user I can say the Bitwarden UI and tools are better.

I have since changed every important password, and am working my way through the rest. Lastpass support was indifferent at best to me contacting them about my breach concerns and flat out refused any refund.
posted by jordantwodelta at 11:51 AM on January 26, 2023 [4 favorites]


The one thing I'm not thrilled with about KeePass is that I have a YubiKey that I'd like to use as an additional authentication method and it can apparently do it via a plugin but it seems like more work than I want to put in. If KeePassXC can do it more or less out of the box then it may be worth switching just for that. Of course there's also the wrinkle that I also use KeePass on my phone and using the YubiKey with that would require me to have a USBA-C adapter on me as well but that would happen either way.
posted by any portmanteau in a storm at 12:41 PM on January 26, 2023 [2 favorites]


What are the pros and cons of 1pass, Bitwarden and KeePass XC?
posted by snuffleupagus at 6:57 AM on January 27, 2023


I have a question:

> Go to one of the wordlists made for this purpose

Isn't a known prepared wordlist that lots of people might use just another vector of attack? It's a long list, and I imagine that the math of trying to brute-force your way through would be big, but they're all English words.
posted by urbanwhaleshark at 10:06 AM on January 27, 2023


Doh, now I wish I'd read the rest of jeremias' comment before jumping in.
posted by urbanwhaleshark at 10:08 AM on January 27, 2023


I will NEVER put my passwords into a cloud-based password manager - there have been too many breaches over the years, this is just the latest/newest.

KeePass and managing my own encrypted file do the job. Sure - I don't get "auto-fill" - but... IMO that is just not worth the possibility of a breach.
posted by rozcakj at 11:08 AM on January 27, 2023 [1 favorite]


Sure - I don't get "auto-fill"

KeePassXC has a browser extension that I use to get that. It works quite well. There's a plugin for KeePass that I believe does a similar job but I have not used it myself.
posted by flabdablet at 12:51 PM on January 27, 2023 [2 favorites]


What are the pros and cons of 1pass, Bitwarden and KeePass XC?

Ease of use is the major selling point for both 1Password and BitWarden.

For me, the main advantage of KeePassXC compared to the other two is that it needs only a simple local file for its passwords database rather than something stored on some unknown computer somewhere else. This makes the attack surface for KeePassXC (and KeePass, which works the same way) much smaller.

Given the centrality of my password manager to my online security, for me this is its compelling advantage. I am not willing to rely on the ongoing goodwill of somebody who isn't me for access to something as vital to my online life as my passwords list, especially when that somebody is a corporation; when it comes right down to it I just can't trust "cloud" password managers to anywhere near the extent that I trust KeePass and its descendants.

I'm happy to use a cloud provider like Dropbox as an adjunct to my password manager, helping me replicate my passwords list conveniently and reliably across devices, because I know that if Dropbox fails me I still have all my passwords stored locally and only need to find some other service to sync them with. Plus, Dropbox is mainly used to store stuff that isn't password lists, so it's nowhere near as attractive a target for organized identity thieves as the specialist cloud password management outfits are. Plus, the encryption on a KeePass database is strong enough that I don't actually need to care who else has clandestine access to mine.

I'm all about separation of concerns. KeePassXC is really good at being a password manager; Dropbox is really good at being a cross-device file synchronizer. I remain unconvinced that any single outfit could be as good as either of these at doing both those jobs.

There are people for whom needing to pay attention to ensuring ready access to their own password database, and to keeping it backed up, and to which copy of it is to be treated as the authoritative one at any given time, makes using a file-based password manager feel too hard. People like that will generally prefer a one-and-done cloud-based thing that promises to remove those burdens.

Personally I distrust such promises, and think folks do themselves a disservice by not acquiring the skills and habits needed to make looking after their own passwords database and generally backing up their shit non-burdensome. But that's probably just because my own point of minimal discomfort in the security vs convenience tradeoff is further toward the security side than most. Which, in turn, comes from having spent my professional life in software development and therefore having grown keenly aware of just how brittle and fragile the commercial software stacks that so many people get persuaded to rely on actually are.

But even the cloud password managers that strike me as kind of half-assed are going to yield a risk of identity theft many orders of magnitude lower than that incurred by not using any password manager. If you're not currently using a password manager, do. Just pick one from an organization that doesn't have as poor a record for responding effectively to security breaches as LastPass, or as egregious a record for nonexistent user support as Google, or as fanatical a devotion to vendor lock-in as Apple.
posted by flabdablet at 1:58 PM on January 27, 2023 [4 favorites]


Is there any reason to change passwords on sites with no financial connection? Thinking of things like message boards, places I've bought things but don't have saved credit card info in, free newspaper "register to read" type things.
posted by sepviva at 9:28 AM on January 28, 2023


I'm not sure about Mac but the Windows version of KeepassXC has the additional layer of security that once you've entered the master password you then need to enter your Windows PIN.
posted by urbanwhaleshark at 7:12 AM on January 31, 2023 [1 favorite]


After all that, now I see a KeePass vulnerability.... Screw it... time to go back to a paper-based little-black-book... This is just too depressing.
posted by rozcakj at 10:32 AM on January 31, 2023


I'm inclined to agree with the developer's position that describing susceptibility to that kind of attack as a vulnerability specific to KeePass is unreasonable.

The attack involves making changes to a configuration file that needs to be stored in the same folder as the KeePass executable in order to have any effect. If KeePass is installed on Windows in the default fashion by its standard installer, then that folder will be a subfolder of C:\Program Files that Windows will protect against being tampered with unless administrative permission is given to do so. And if your computer has been successfully attacked in a way that gives the attacker the ability to work around those restrictions, it's Game Over anyway; your paper-based little-black-book won't protect you against a surreptitiously installed keystroke logger.

All that said: KeePassXC does not, as far as I'm aware, support the same configurable auto-export option, and should work fine with your existing KeePass databases.
posted by flabdablet at 11:26 AM on January 31, 2023 [2 favorites]

