KeePass Master Password Dumper (for Windows only)

[pp4mnklinux]

KEEPASS, LASTPASS.... PASS WORD ¿?¿?¿?

They can break it.

https://github.com/vdohney/keepass-password-dumper

KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass's memory. Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system. It doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then.

[Jasper]

........this applies to Windows.

This is a Linux forum.

AFAIK the issue can be resolved with the next update.

[pp4mnklinux]

OOps, excuse my enormous error, I thought it could be useful for linux users, because I thought (wrong) keepass could be used in LINUX TOO.

https://www.youtube.com/watch?v=TIHf-X5rDU4

Excuse me again, and delete this post if you consider it incorrect.

Thanks a lot.

........this applies to Windows.

This is a Linux forum.

AFAIK the issue can be resolved with the next update.

[Jasper]

This refers to a vulnerability in .Net (Windows).

[MochiMoppel]

I thought (wrong) keepass could be used in LINUX TOO.

KeyPass appimage for Linux: https://keepassxc.org/download/#linux

[pp4mnklinux]

Translate please

https://blog.elhacker.net/2023/05/vulne ... o-ram.html

It doesn't look Windows only but if I am wrong excuse my error and ignorance.

Cheers.

[sfein1000]

According to makwarebytes
https://www.malwarebytes.com/blog/news/ ... ssword/amp

In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation

It us saying the mast password is stored in memory and the app mentioned will read this info. The memory may get stored on the hard drive (page file or dump) and so can be accessed even after reboot.

Some other reading stated keepass uses its own text entry control in .net and is the cause. Supposedly fixed in v2.54 which is not out yet.

Malwarebytes downplays the risk since someone getting a memory dump from your computer would be noticeable but does state if you are concerned of someone getting your computer and doing this, they offer some suggestions.

As for keepassxc, that is a totally different application which reads and writes keepass database files. But it uses a different set of source code and they state are not at risk.

Sounds like risk is if you've used keepass. Switching to keepassxc won't help unless you change your master password.

Since keepass is windows only, this sounds like a windows exploit unless this can be mimicked in wine.