keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Last used password pattern is leaked in configuration #6684

Open ret2src opened 3 years ago

ret2src commented 3 years ago

Very low severity and hard to exploit, but nevertheless something that could be improved from a security standpoint:


An attacker with access to the application could find out the password pattern that was last used and use this information to generate custom password lists. This is especially useful if a user always uses the same pattern for passwords. However, since the generated passwords are random anyway, this might not be an issue after all.

Suggested fix: Always fall back to a default password pattern unless a database has been unlocked.

Fixing this issue could decrease the convenience of the built-in password generator for some users.
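To put the "random anyway" remark above into numbers, here is an added example (not part of this issue or of KeePassXC's code): it models a generator pattern as a length plus a set of character classes, with constructed class sizes rather than KeePassXC's real character sets, and measures how much knowing the pattern shortens a brute-force search against an attacker who would otherwise try the plausible patterns smallest-keyspace first.

```python
import math

# Constructed class sizes for the illustration (approximate printable-ASCII
# class sizes; not KeePassXC's own character-set definitions).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "special": 32}


def keyspace(length, classes):
    """Number of distinct passwords a pattern can produce when every position
    is drawn uniformly from the union of the selected character classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def keyspace_bits(length, classes):
    """Entropy in bits of one uniformly random password for this pattern.
    This is what an attacker still faces after learning the pattern itself."""
    return math.log2(keyspace(length, classes))


def leak_advantage_bits(leaked, plausible):
    """Bits of brute-force work saved by learning the real pattern `leaked`
    (a (length, classes) pair) instead of guessing among `plausible` patterns.

    The attacker without the leak is assumed to search plausible patterns
    smallest-keyspace first, so they must exhaust every pattern strictly
    smaller than the real one before reaching it (ties are resolved in the
    attacker's favour). Since each of those is no larger than the real
    keyspace, the saving is bounded by log2(len(plausible)) bits.
    """
    real = keyspace(*leaked)
    earlier = sum(keyspace(l, c) for l, c in plausible if keyspace(l, c) < real)
    return math.log2(real + earlier) - math.log2(real)


if __name__ == "__main__":
    ALNUM = ("lower", "upper", "digits")
    ALL = ALNUM + ("special",)
    # Constructed set of patterns a user might plausibly have configured.
    plausible = [(16, ALNUM), (16, ALL), (20, ALNUM), (20, ALL)]
    for pat in plausible:
        print(f"length {pat[0]:2d}, classes {len(pat[1])}: "
              f"{keyspace_bits(*pat):6.1f} bits remain after the leak, "
              f"leak saves {leak_advantage_bits(pat, plausible):.4f} bits")
```

The output shows the leak shaving at most a couple of bits off searches that still need around 95 to 131 bits of work, which is the quantitative version of the "random anyway" caveat; the leak matters more as a fingerprint of the user's habits than as a brute-force shortcut.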

droidmonkey commented 3 years ago

I like your solution and I agree with the assessment. This is one of those settings that I've wanted to move internal to each database for a while now. That goes along with custom password profiles saved at the database level.

AlexisOsmont commented 1 year ago

Hello, I am doing a Master's degree in cybersecurity, and my group's final project is to contribute to security issues on open-source projects. I would like to contribute to this issue; is it still open/available? Thank you.

ret2src commented 1 year ago

Hi @AlexisOsmont,

last time I checked (a few weeks ago), this was still an issue with the release available in the Arch repositories. So, I think it's still open. It would be great if you could fix it. Without having looked at the code: I think fixing this issue won't be too complicated! Having re-read the proposed fix by @droidmonkey makes me revise this last statement. It might actually be complicated if you want to move the setting to the database file. Even if you store the setting in a cache file for each database, you'd have to make sure that it's encrypted and can only be accessed by the owner of the database file. Otherwise, you'll immediately leak the pattern to disk.

droidmonkey commented 1 year ago

I think there are better issues to work on from a security or usability aspect.

AlexisOsmont commented 1 year ago

Thank you for your answers, we are always open to proposals.