New tool decrypts passwords stored in managers

Password managers are one good answer to the conundrum users face: passwords must be hard to guess yet easy enough to remember. But a hacker's new tool is a reminder that once a machine has been breached, no password manager or other security measure will fully protect what is stored on it.

KeeFarce is the work of a New Zealand hacker who wanted to show the shortcomings of relying on password managers alone. Run on a user's machine while KeePass 2.x is open and its database is unlocked, the tool injects code into the running KeePass process and pulls out every stored password.

It writes those passwords to a plain-text CSV file that the attacker can then simply copy off the machine. As Ars Technica observes, similar tools could be developed to go after other password managers as well.
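Because the tool works by injecting into a running password-manager process, the most useful thing a defender can do is watch for exactly that. The following is an added example, not code from the original article or from KeeFarce's author: a small routine that scans Sysmon-style Event ID 8 (CreateRemoteThread) records for a thread created inside KeePass.exe by some other process, which is how classic LoadLibrary-based DLL injection shows up. The log lines are constructed for illustration; the field names follow the Sysmon schema, and the choice to watch only KeePass.exe is an assumption.

```python
"""Flag remote-thread injection into a password-manager process.

Added example: scans pipe-delimited, Sysmon-style records for Event ID 8
(CreateRemoteThread) where the target is a password manager and the source
is a different process. The sample log below is constructed, not captured.
"""
from pathlib import PureWindowsPath

# Executables treated as password managers. Assumption: KeePass 2.x only;
# add other managers' image names as needed.
WATCHED_IMAGES = {"keepass.exe"}

# Constructed Sysmon-style records (not real telemetry). Field names mirror
# the Sysmon schema: SourceImage, TargetImage, StartFunction, User.
SAMPLE_LOG = """\
EventID=1|Image=C:\\Program Files\\KeePass\\KeePass.exe|User=CORP\\alice
EventID=8|SourceImage=C:\\Users\\alice\\Downloads\\inject.exe|TargetImage=C:\\Program Files\\KeePass\\KeePass.exe|StartFunction=LoadLibraryW|User=CORP\\alice
EventID=8|SourceImage=C:\\Program Files\\KeePass\\KeePass.exe|TargetImage=C:\\Program Files\\KeePass\\KeePass.exe|StartFunction=|User=CORP\\alice
EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe|StartFunction=|User=NT AUTHORITY\\SYSTEM
EventID=8|SourceImage=C:\\Windows\\Temp\\svc.exe|TargetImage=C:\\Program Files\\KeePass\\KeePass.exe|StartFunction=|User=CORP\\alice
"""


def parse_event(line):
    """Turn 'key=value|key=value' into a dict; values may not contain '|'."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def image_name(path):
    """Lower-cased file name of a Windows path, e.g. 'keepass.exe'."""
    return PureWindowsPath(path).name.lower()


def is_suspicious_injection(event):
    """True for a CreateRemoteThread into a watched process from elsewhere."""
    if event.get("EventID") != "8":
        return False
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    if image_name(target) not in WATCHED_IMAGES:
        return False
    # A process starting a thread in itself is routine; another process
    # doing it to the password manager is what a DLL injector looks like.
    return source.lower() != target.lower()


def severity_for(event):
    """LoadLibrary* as the thread start is the textbook DLL-injection signal."""
    start = event.get("StartFunction", "")
    return "high" if start.lower().startswith("loadlibrary") else "medium"


def find_injections(log_text):
    """Return one finding per suspicious event, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if is_suspicious_injection(event):
            hits.append({
                "source": event["SourceImage"],
                "target": event["TargetImage"],
                "user": event.get("User", ""),
                "severity": severity_for(event),
            })
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['user']}: "
              f"{hit['source']} -> {hit['target']}")
```

On the constructed log this reports two findings: inject.exe starting a LoadLibraryW thread in KeePass.exe (high) and svc.exe starting a thread with an unresolved start address (medium). The self-thread and the csrss-to-explorer events are ignored. The same check generalises to any process whose memory holds secrets once it is unlocked; adding an image name to WATCHED_IMAGES is all it takes.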

Wait … that’s a lot of conditions

There’s a lot to unpack in that simple description, however:

  1. The hacker needs access to your system, and to a session in which the database is already unlocked. If you've reached the point where an attacker controls your computer, whatever protection you thought you were getting from a password manager has long since been eroded.
  2. KeePass and other password managers aren't actually being attacked. The tool doesn't break the database's encryption or exploit any weakness in the manager itself; it goes after KeePass only when KeePass sits on a system that's already breached. If the system is breached, changing the KeePass (or other manager) master password isn't enough: every credential stored in the database has to be treated as exposed and rotated.
  3. KeePass never claimed to protect against this. Quite the contrary: password managers aren't in the business of protecting accounts on a machine that has already been compromised. They're designed, in part, to help keep your accounts from being compromised in the first place.

Lessons learned

This tool does point to a bigger problem for IT, however. It's not that tools are being developed that can be used to attack users; that has always been the case.

What's changed is that these tools now find their way to would-be attackers far more easily. Anyone who wants to attack someone need only visit the so-called dark web and exchange some bitcoin for compromised account data, easy-to-use hacking tools or exploit kits.

Best bet: Stress to users that the surest way to stay safe is to prevent the initial compromise, which takes careful browsing and good common sense. In the meantime, have them lock the password database whenever it's not in use; a tool like this can only export what is already unlocked.
