Privacy Blog

“By continuing the process of inflation, governments can confiscate secretly and unobserved an important part of the wealth of their citizens.” – John Maynard Keynes, writing about the effects of a seemingly small amount of inflation every year.

Are You Using the KeePass Password Manager? If So, Read This!

A recently released hacking tool silently dumps all of the user names, passwords, and notes held in an unlocked KeePass database and writes them to an unencrypted file.

The tool, called KeeFarce, targets KeePass 2.x. It has to run on a computer where the logged-in user currently has the KeePass database unlocked; it then injects a DLL into the running KeePass process and, from inside that process, writes the entire decrypted database out to a plain-text CSV file that the attacker can pick up at leisure. Nothing about this is specific to KeePass: any password manager that holds decrypted credentials in the memory of a process running under the user's account can be emptied the same way by other code running under that account, and there is little stopping someone from building a KeeFarce for each of them.
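The injection described above leaves traces that endpoint telemetry can see. The script below is an added example for this post, not KeeFarce's code and not part of KeePass: it runs three simple rules over hand-constructed records shaped like Sysmon events 7 (ImageLoaded), 8 (CreateRemoteThread) and 11 (FileCreate). The Sysmon field names are real; the file paths, the injector and DLL names, and the assumption that the injection uses a remote thread (the classic DLL-injection mechanism) are all assumptions made for the example.

```python
"""Flag Sysmon-style signs of code injection into a running KeePass process.

Added example: not KeeFarce's code and not part of KeePass. The events in
SAMPLE_EVENTS are constructed by hand in the shape of Sysmon events 7, 8 and
11; the paths, process names and DLL names are assumed values.
"""
import ntpath

KEEPASS_EXE = "keepass.exe"
SYSTEM_ROOT = r"c:\windows"   # .NET runtime DLLs legitimately come from here


def _norm(path):
    """Lower-case and normalise a Windows path so comparisons are case-insensitive."""
    return ntpath.normcase(path or "")


def _is_keepass(path):
    return ntpath.basename(_norm(path)) == KEEPASS_EXE


def _under(path, directory):
    """True if `path` lies inside `directory` (both treated as Windows paths)."""
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def check_event(ev):
    """Return (severity, reason) for one event, or None if it looks benign."""
    eid = ev.get("EventID")

    # Rule 1: something other than KeePass started a thread inside KeePass.
    # This is the signature of classic DLL injection (assumed mechanism).
    if eid == 8 and _is_keepass(ev.get("TargetImage")):
        src = ev.get("SourceImage", "")
        if not _is_keepass(src):
            return ("high", "remote thread created in KeePass by " + src)

    # Rule 2: KeePass loaded a DLL from outside its own install tree and
    # outside %SystemRoot%. Plugins and the .NET runtime live in those places;
    # an injected bootstrap DLL usually does not.
    if eid == 7 and _is_keepass(ev.get("Image")):
        loaded = ev.get("ImageLoaded", "")
        install_dir = ntpath.dirname(ev["Image"])
        if not (_under(loaded, install_dir) or _under(loaded, SYSTEM_ROOT)):
            return ("high", "DLL loaded into KeePass from outside its install directory: " + loaded)

    # Rule 3: KeePass wrote a .csv file. A user-driven "Export" produces the
    # same event, so this is a review signal only (assumption), not proof.
    if eid == 11 and _is_keepass(ev.get("Image")):
        target = ev.get("TargetFilename", "")
        if _norm(target).endswith(".csv"):
            return ("review", "plain-text CSV written by KeePass: " + target)

    return None


def analyze(events):
    """Run check_event over a list of events; return (index, severity, reason) tuples."""
    findings = []
    for i, ev in enumerate(events):
        hit = check_event(ev)
        if hit:
            findings.append((i, hit[0], hit[1]))
    return findings


KP = r"C:\Program Files\KeePass Password Safe 2\KeePass.exe"   # assumed install path

# Constructed sample: three benign events, then the injection sequence.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": KP, "ImageLoaded": KP},
    {"EventID": 7, "Image": KP,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": KP,
     "ImageLoaded": r"C:\Program Files\KeePass Password Safe 2\Plugins\SomePlugin.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\injector.exe",
     "TargetImage": KP},
    {"EventID": 7, "Image": KP,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\bootstrap.dll"},
    {"EventID": 11, "Image": KP,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\keepass_export.csv"},
]

if __name__ == "__main__":
    for idx, severity, reason in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] event {idx}: {reason}")
```

Against the constructed sample the first three events pass and the last three are flagged (two high, one review). In a real deployment rule 1 needs an allowlist, since a few Windows components (csrss.exe, for example) create remote threads in other processes as a matter of course, and rule 3 will fire on every legitimate export. Note also what these alerts mean: by the time they trigger, the attacker is already executing code as the user, so this is detection of a compromise in progress, not prevention.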

Every password manager shares this weakness, and it is one of the reasons why I have never used one. Keeping all your passwords in one place strikes me as a very bad idea: the manager automatically becomes a single point of failure. Anyone with the know-how could build a tool like KeeFarce that takes advantage of a compromised computer and, as a result, extracts all of a password manager's data at once. Note what the attack requires, though: the attacker must already be running code as the logged-in user while the database is unlocked. KeeFarce does not break the encryption of the database file on disk; it reads what the user has already decrypted. There are safer ways to keep your passwords safe.

Categories: Offline Privacy & Security

2 replies

  1. What “safer ways to keep your passwords safe” do you suggest?


    • —> What “safer ways to keep your passwords safe” do you suggest?

      I suggest you not use any method that is also used by thousands of others. In other words, do not use a popular password manager because that will attract hackers. Anyone with some technical skills can create one hack to extract data from a password manager and then use that one hack to steal data from potentially thousands of people who use the same password manager. Instead, I invented my own, unique solution (which I will not describe in detail because I don’t want a potential hacker to figure it out and then steal my data).

      However, I will offer a few suggestions of what NOT to do:

      1. Never store all your passwords in one place. You don’t want a hacker to crack open one file and then see everything. Spread the passwords around in different places. Never use a password manager that stores all your passwords in one place.

      2. Never, ever store your passwords in plain text. Encrypt them. There are dozens of encryption programs available today and most of them are available free of charge. Obtain one. (Make sure you can decrypt the info on your cell phone or tablet when needed as well as on your primary computer, however. Several encryption programs work on multiple platforms.)

      3. Never, ever store any passwords in a file called PASSWORDS.TXT or any other obvious name. Make multiple files (I store them in different subdirectories) where you can easily remember where you put them. Use file names of ILTSTW.ENCRYPTED or something similar. (ILTSTW is an abbreviation I can remember: it stands for “I Like To Surf The Web.” However, don’t use my example. Use some other sentence that you can remember.) If I want to store my password for Facebook, I might store it in /Documents/Facebook/Temp/ILTSTW.ENCRYPTED. The password for Gmail might be stored in /Documents/Gmail/Temp/SP.ENCRYPTED (“SP.ENCRYPTED” might stand for “Secure Password.”) Use your own naming scheme, not my example.

      4. Don’t store the actual password. Instead, store a hint to something you can remember. Example: perhaps your grandfather was born in the town of Greenville so you decide to use a password of “Greenville.” (This is a weak password but works as an example.) Don’t store the password of “Greenville.” Instead, store the following sentence: “Granddad’s place of birth.” If a hacker ever does manage to decode your encrypted file that contains your password hint, he still won’t know the actual password without searching for old birth records.

      5. Don’t use short passwords. My example of “Greenville” above is too short and too easily hacked. Instead, you might store the following sentence: “Granddad’s place of birth” which is a memory jogger for a password of “Greenville-Greenville-County-SC-May-23” which reminds you of the true password showing that granddad was born in the city of Greenville which is in Greenville County, South Carolina and he was born on May 23. (I assume you can remember your grandfather’s birthday.)

      These are a few simple examples. I suspect you can invent more.

