Skip to main content

This huge password manager exploit may never get fixed

It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

KeePass is an open-source password manager that stores its contents on a user’s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.

Recommended Videos

The vulnerability, logged as CVE-2023-24055, is available to anyone with write access to a user’s system. Once that’s been obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — into an unencrypted plaintext file.

Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.

It won’t be fixed

A depiction of a hacker breaking into a system via the use of code.
Getty Images

However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.

In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won’t help.

The solution, the developers argue, is “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

What can you do?

password manager lifestyle image
Image used with permission by copyright holder

While KeePass’s developers appear unwilling to fix the issue, there are steps you can take yourself. The best thing to do is to create an enforced configuration file. This will take precedence over other config files, mitigating any malicious changes made by outside forces (such as that used in the database export vulnerability).

You’ll also need to make sure regular users do not have write access to any important files or folders contained within the KeePass directory, and that both the KeePass .exe file and the enforced configuration file are in the same folder.

And if you don’t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers to keep your logins and credit card details safer than ever.

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords that are encrypted on all your devices. That’s far safer than using “123456” for every account.

Alex Blake
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
This is the one password manager I recommend using over 1Password
Keeper and 1Password websites appear in a split-screen view on a PC monitor.

The best password managers simplify sign-ins while keeping your account information secure. Two of the best solutions come from Keeper and 1Password.

I recently reviewed both solutions, comparing login organization and sharing features, support responsiveness, and overall ease of use to find out which offers the best value for you.
Tiers and pricing
Prices for Keeper and 1Password are shown above in a split-screen view. Digital Trends

Read more
5 password managers you should use instead of LastPass
A person using the 1Password password manager on a laptop while sat on a couch.

When it comes to securing your passwords, LastPass has been one of the top contenders as the best password manager. However, a recent set of high-profile security incidents has made a lot of people a lot less willing to trust it.

If you’re looking for an alternative to LastPass, you’re in the right place. We’ve found five superb password managers that can keep you safe online without the hassle.
1Password

Read more
I reviewed two of the best password managers. Here’s the one I recommend people use
A side-by-side comparison of 1Password and Bitwarden pricing appears on a PC monitor.

If you need more convenience, protection, and cross-platform integration than you can get with your browser’s autofill, you need a premium password manager like 1Password or Bitwarden. I recently reviewed both and put together this comparison to help you pick which works best for you.
Tiers and pricing
A side-by-side comparison of 1Password and Bitwarden pricing. Digital Trends

1Password is only available as a subscription, but Bitwarden has a very good free version. If you don’t want to pay an annual fee to use a password manager, Bitwarden is a great choice.

Read more