Password Managers

ddrueding

Not happy, but not planning an exit yet either. If this deal had happened before I bought in I wouldn't have done so. I'm still optimistic that it takes at least a year for them to damage the product or brand enough that I jump ship.
 

Clocker

It seems to me that the weak link in a system like LP is the integration with the browser. Are there any best practices or settings that can be used to minimize browser-related vulnerabilities when using LastPass?
 

Handruin

I don't understand that article or the title is misleading. So if my PC is compromised AND my password database is unlocked I'm at risk?

"When it runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the hacker can easily access."
 

Will Rickards

My understanding is that yes, they still need the KeePass database open, which requires the master password.
So in order for this 'hack' to have any effect you would need to leave it open and have your machine hacked in the first place.
It uses simple DLL injection, which is a process in Windows where you get a running program to load your DLL. Then the DLL code essentially runs in the process space.
This is similar to hooking up a debugger to the process and then inspecting the memory or causing one of its methods to run.

So there is nothing to see here. They just made something you could do already on a compromised machine, easier.

I believe there are things you can do to make code resistant to DLL injection. But I'm not sure you can fully protect against it. It is built in to the Windows framework.
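
Added example, not part of the thread: because an injected DLL runs inside the KeePass process, one defensive check is to list the modules that process has loaded and flag any that come from outside the directories you expect. The process name `KeePass`, the function name `Get-UnexpectedModule` and the choice of trusted directories are assumptions made for this example.

```powershell
# Added example (not from the thread). Assumptions: the process is named
# 'KeePass', and DLLs are expected only from the KeePass install directory,
# the Windows directory, and any extra roots passed in -TrustedRoot.
function Get-UnexpectedModule {
    param(
        [string]$ProcessName = 'KeePass',
        [string[]]$TrustedRoot = @()
    )
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Both properties can throw (access denied, 32/64-bit mismatch).
            $exeDir  = Split-Path -Parent $proc.MainModule.FileName
            $modules = @($proc.Modules)
        } catch {
            Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }
        # Normalise every trusted root to end in a single backslash so that
        # 'C:\Windows' does not also match 'C:\WindowsFake\'.
        $roots = @($exeDir, $env:windir) + $TrustedRoot |
            Where-Object { $_ } |
            ForEach-Object { $_.TrimEnd('\') + '\' }

        foreach ($mod in $modules) {
            $path = $mod.FileName
            $inTrustedRoot = $false
            foreach ($root in $roots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                    break
                }
            }
            if (-not $inTrustedRoot) {
                # Report the module with its Authenticode status for triage.
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $path
                    Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
                }
            }
        }
    }
}

Get-UnexpectedModule | Format-Table -AutoSize
```

Legitimate plugins loaded from a user profile directory will show up here until their directory is passed in `-TrustedRoot`. The check only covers DLLs the Windows loader knows about, so an empty result is not proof that the process is untouched.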
 

Clocker

DD - So glad you turned me on to LastPass. I am so loving everything it offers. It has really made managing passwords so much easier!
 