As the LastPass data breach has shown, threat actors will put in the work necessary to steal these databases, even if it takes multiple attacks to do so and the stolen data is encrypted. While these databases may be encrypted, encryption is crackable given enough time and computing power. Large databases of encrypted passwords stored on remote servers can make for attractive targets. KeePass, which stores encrypted passwords locally on users’ machines, doesn’t have the same potential downfalls as cloud-based password managers. The recent set of attacks on LastPass that ultimately resulted in the theft of users’ encrypted password vaults has sparked increased scrutiny of password managers in general. However, the KeePass developers argue that the possibility for such an attack should not be considered a vulnerability because a threat actor with write access to a computer could steal the user’s passwords in other ways. Threat actors could potentially leverage this trigger to export and access users’ passwords. At the center of this debate is KeePass’ support of triggers, one of which exports users’ password databases. The password manager KeePass is currently the subject of a debate concerning whether or not a particular design decision should be considered a security vulnerability.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |