It is not news that a fair amount of threats waits for the user in the vast global network. And it is clear that the best way out is to keep valuable information in encrypted form and protect it with a strong password. But the fact that it is possible to “pull” out in a form of a simple text file all the data from the password manager – the program which encrypts and generates passwords – became a surprise for many. A well-known cross-platform free password manager KeePass appeared to be under the threat.
Password Manager KeePass has demonstrated its vulnerability
This password manager came into service in 2003. At first, there was only a version for Windows, but later the password manager started support of other operating systems: starting from Linux and Max OS X for the desktops and laptops and to the mobile platforms Android and Pocket PC. Until recently KeePass has been considered almost invulnerable and its users could feel safe. If to take into account that it a free cross-platform solution, which had a good reputation for a long time, you can imagine the number of users who have entrusted the storage of their passwords to this program. This problem can touch almost everyone.
Fortunately, the person who discovered the vulnerability is not a hacker. It is a Security Assessment employee Denis Andzakovic. He posted on GitHub a free tool called KeeFarce able to decrypt all data (usernames, passwords, notes) stored in the KeePass Password database. The operating principle of this tool is based on the introduction of the DLL-injection to the victim’s computer.
During the KeePass runtime, an application-cracker exports currently open database decrypts it and creates a text file, which the hacker will be able to pick up later on his own (in the case of physical access to the victim’s computer) or get remotely.
Andzakovic notes that the vulnerability of the KeePass data protection is not a problem only of this program. DLL-injection may be introduced (by using a Trojan virus, for example) into any password manager.
How to protect your data if your password manager was hacked
So how the data protection should be carried out taking into account the identified risks? Which means should we use to secure our data against a password attack? The answer is quite simple and clear to everyone: it is two-factor authentication.
Such means of authentication as tokens, special smartphone applications or one-time passwords delivery via SMS, act as a second “defense line” for the user’s account. Their advantage is that every generated password is valid only for a short period of time. And even if the hacker intercepts OTP password, in a minute he needs to intercept a new one. There are even further ways to secure one-time password. For example, the CWYS function (transaction data signing).
Modern authentication methods can help to protect your account even if somebody stills the password. You need only to set up 2FA (two-factor authentication) on any account, where it is possible. The confidence that the attackers would not be able to take control of your account even if an encrypted password is stolen will offset some time expenditures and inconveniences related to the two-factor authentication.