Word – Does Keepass protect passwords from malicious software like viruses


If a computer got infected with a virus or a trojan and the user interacted with Keepass, is there a chance that the malicious software would be able to get the password database?

In other words: Does the user have to change all passwords as soon as a virus got detected on the system?

Optional follow-up: How about if browser plug-ins are involved, like Keefox for Firefox?

Best Answer

If a virus is on your computer at the time any program handles sensitive data, you're hosed.

KeePass does as much as it can to protect your passwords from malware, but no solution can be bulletproof; once malware is running on your computer, the machine cannot be trusted. Let's look at some of the security features:

  • Database encryption. Without your keying material (master password and keyfile if you have one), it's not possible to recover the plaintext of the passwords. That means that if a copy of your hard drive is stolen or if you never unlocked the KeePass database, your passwords are safe.
  • Memory protection. KeePass, according to its security page, makes efforts to never leave plaintext in memory. However, when you use a password, the plaintext has to be in memory at least for a short while. Any program running under the same security context as KeePass has access to that memory, and if malware is quick (i.e. designed to do this), it can grab your passwords. Malware running as administrator/root can read (or write!) any process's memory.
  • Alternate desktop. When prompting for the master password, KeePass creates a new desktop and switches your view to it. Normal keyboard hooks installed on the main desktop won't apply to the secure desktop. Again, though, malware running as admin can do anything, including inspecting other desktops or hooking events at a lower level. (Your OS obviously knows what keys are typed.)
  • Plug-in authentication. KeePassRPC requires that plug-ins identify themselves to KeePass. There doesn't, however, appear to be any way to stop malicious programs from talking like a valid client (sending the same authentication responses) but doing bad things with the data it gets. Again, rootkits or malware running as admin could just grab the passwords while their plaintext is in memory.
  • Cryptographic self-tests. When KeePass starts up, it makes sure that encryption functions work correctly by putting some constant data in and verifying the output. That's nice, but sophisticated rootkits would just produce the right results while squirreling the plaintext away.

If you did unlock the database while malware was present, you should definitely change your passwords.

Related Question