Security: Protection from Key Loggers

[t4777sd]

A password database like keepass is extremely vulnerable to a keylogger. If someone logs the password to the program, then the attacker will gain access to all user passwords.

As a result, maybe keepass should improve protection against key loggers? Some ideas I have:

1. As alternative to typing a password, give the users an option to "type" it on a virtual keyboard. In other words, a keyboard image will be shown with keys in a different order. Users may then type or click on the keys to input their password. Since the keys are mapped in a different, random order, it will fool any keylogger. I think keepass has an option similar to this already

2. There may be some platform things that can be done to protect against key loggers? For example, keepass supports secure desktop in windows: http://keepass.info/help/kb/sec_desk.html

There may be options in linux too. I think I have heard about freezing other processes when a particular windows has focus. In this way, the other processes cannot log keys as they are frozen.

[phoerious]

Secure desktops are very platform-specific and on-screen keyboards are very vulnerable to shoulder surfing and extremely inconvenient to use.

Generally, I'm not so sure if it is really worth the effort. Once you manage to install a key logger, you may also install any other kind of malware which we can't protect against. Nothing prevents a malware from simply waiting for you to unlock the database (with whatever clever method you choose) and then copy all the passwords from the unlocked DB (e.g. by simulating key strokes for copying passwords in KeePassXC or simply copying the passwords from the clipboard or your login password fields once you paste them there).

[t4777sd]

I understand its hard due to different platform specific issues, so maybe it is better for people to take efforts on their own platform (such as using some types of jailing or sandboxing in linux when available).

However, regarding the virtual keyboard, that is cross-platform and it does defeat most attacks. It would not be any more subject to over the shoulder attacks than what keepass has now. The reason being that the password is still typed on the keyboard. The primary difference is that the key mapping changes.

As a result, the password cannot be effectively keylogged unless someone was both logging keys and taking video of the screen to get the key mapping (and that type of key logger would be much easier to identify so much less likely it would be out in the wild for long).

[droidmonkey]

Once your system is compromised to this level, you have lost. Full stop. There is nothing we can do to prevent every type of attack. The role of various Host-Based Security Systems is to protect you from a compromising infection and evaluate abnormal application behavior. This is the better choice.

[Throne3d]

I think most platforms provide an on-screen keyboard anyway, which you might be better off using except for the added obscurity that would come with it being implemented through KeePassXC. I'm not sure it's really worth investigating adding a virtual keyboard module.

[phoerious]

Closing this as out of scope. As @Throne3d said, most platforms already have some sort of on-screen keyboard which you can use.

But have a look at #381.

[NN---]

KeePass original has this functionality and it is really missing in KeePassXC.
https://keepass.info/help/kb/sec_desk.html

I understand it is platform specific, you can just put a title explaining that currently it works only in Windows.

[phoerious]

As the linked page explains, this only really protects if the program is running with higher privileges. Using a different desktop with the same user privileges is the same snake oil as Auto-Type obfuscation.

[NN---]

The only difference is that auto-type is not applicable to master password screen.
Do I miss something there?

[phoerious]

Well, if your database is open and unencrypted in memory, it doesn't really matter what part of it you try to protect, does it?

[NN---]

KeePass original tries to have as little as possible unencrypted data in the memory
https://keepass.info/help/base/security.html#secmemprot

[phoerious]

The master key mast be somewhere. It can be in an unswappable and somewhat OS-protected area, but we have the same problem as with DRM: you cannot make things accessible and inaccessible at the same time.

[NN---]

That’s right but you can make it harder accessible.
Many programs have such option for instance cross platform VeraCrypt

[tredondo]

In the light of some attacks publicized since 2018 (example), I'd like to revive this discussion.

The attacks I'm concerned about are general data exfiltration and keylogging attacks. These are more common than attacks specifically aimed at Keepass*, or comprehensive nation-state-level attacks. Generic data exfiltration can be performed by looking at the currently open files (lsof) and phoning them home. Later, the attacker can inspect the harvest, and match recurring keylogged sequences likely to be passwords, with the KeePassXC database file.

on-screen keyboards are very vulnerable to shoulder surfing and extremely inconvenient to use.

Agree that anything on-screen is vulnerable to shoulder surfing. However, that can easily be mitigated by the user combining a few on-screen characters with a typed portion of password. That also addresses the "extremely inconvenient to use" objection.

An on-screen keyboard also defends against hardware keyloggers, and most software ones.

Financial software does offer this option, for example Interactive Brokers Trader Workstation:

Once you manage to install a key logger, you may also install any other kind of malware which we can't protect against.

Obviously the user doesn't choose to install a keylogger.

In the wild, keyloggers are more frequent than other kinds of malware, so an on-screen keyboard would be valuable.

Once your system is compromised to this level, you have lost. Full stop. There is nothing we can do to prevent every type of attack.

No one is requesting preventing every type of attack. As always, there's a balance between security and convenience. The Pareto principle applies in security as well.