A recently released hacking tool dubbed KeeFarce silently decrypts all usernames, passwords, and notes stored by the KeePass password manager and writes them to a file. While KeeFarce targets KeePass, there is little to stop other developers from creating similar tools that target almost every other password manager available today. Hackers and professional penetration testers can run it on computers they have already taken control of: they execute KeeFarce on a machine where a logged-in user has unlocked the KeePass database, and under this condition KeeFarce is able to decrypt the entire password archive and write the information to a file. To be fair to the KeePass developers, users have long been warned that no password manager can secure passwords on an infected computer. In spite of this, over the past week KeeFarce has been generating interest among hobbyists and security professionals, in large part because of how easy and convenient it is to use.

“Indeed, if the operating system is owned, then it’s game over,” Denis Andzakovic, a researcher at Security Assessment and the creator of KeeFarce, told Ars. “The point of KeeFarce is to actually obtain the contents of the password database. Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, etcetera. The tester can compromise a sysadmin’s machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open.”

When master password keys and other sensitive data are held in computer memory, KeePass provides process memory protection that encrypts them. This prevents malicious apps from scraping random access memory and recovering the credentials.
However, KeeFarce bypasses the process memory protection implemented by KeePass: rather than scraping memory, it extracts the passwords from the database by injecting a dynamic link library (DLL) into the running KeePass process. The injected DLL invokes an existing KeePass function that exports the contents of the currently open database to an external file in CSV format. The extracted data is in clear text and includes user names, passwords, notes, and URLs. KeeFarce works against KeePass 2.28, 2.29 and 2.30 running on Windows 8.1 (32- and 64-bit), and it should also work on older Windows machines.

DLL injection is a common technique that lets programs interoperate, but it can be abused to run malicious code in the context of a running application, and in the event of a compromise it streamlines the process of collecting sensitive data and sending it to the attacker. If KeeFarce were folded into Metasploit or other attack frameworks, it could end up being very scary. The current features in Metasploit can already be used to manually run KeeFarce on a compromised computer, said Andzakovic.

Tools like KeeFarce remind us that password managers can represent a single point of failure that hackers could exploit with severe repercussions. However, when used correctly they provide more benefit than risk, because a password manager lets ordinary people create and store a unique, virtually crack-proof password for every site. Further, because the account holder no longer reuses the same password across sites, a breach at one site cannot contribute to account hijacks on other sites. While password managers have their benefits, it is also important for people to understand that there are some risks that password managers can do nothing to mitigate, starting with password theft from a compromised computer. KeeFarce looks set to ensure that nobody forgets it.
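The injection pattern described above (a foreign image creating a thread in KeePass.exe, an unsigned DLL loaded into it, and KeePass.exe writing out a CSV export) leaves traces an endpoint sensor can see. The following is an added detection example, not code from the article or from the KeeFarce project: it runs simple rules over constructed Sysmon-style JSON events. The Sysmon event IDs (8 CreateRemoteThread, 7 ImageLoad, 11 FileCreate) and field names are real; the sample paths and events are made up for this example.

```python
"""Detection logic for the KeeFarce injection pattern described above, run
over constructed Sysmon-style events (JSON lines): a remote thread created in
KeePass.exe by another image (event ID 8), an unsigned DLL loaded into
KeePass.exe (event ID 7), or KeePass.exe writing a .csv file (event ID 11).
Field names follow Sysmon; the paths and events are made up for this example."""
import json

KEEPASS = "keepass.exe"

SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\KeePass\\KeePass.exe", "ImageLoaded": "C:\\Windows\\System32\\user32.dll", "Signed": "true"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe", "TargetImage": "C:\\Program Files\\KeePass\\KeePass.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\KeePass\\KeePass.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\inject.dll", "Signed": "false"}
{"EventID": 11, "Image": "C:\\Program Files\\KeePass\\KeePass.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\keepass_export.csv"}
{"EventID": 11, "Image": "C:\\Program Files\\KeePass\\KeePass.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\Passwords.kdbx"}
"""

def basename(path):
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a reason string if the event matches the pattern, else None."""
    eid = ev.get("EventID")
    if (eid == 8 and basename(ev.get("TargetImage", "")) == KEEPASS
            and basename(ev.get("SourceImage", "")) != KEEPASS):
        return "remote thread created in KeePass.exe by " + basename(ev["SourceImage"])
    if (eid == 7 and basename(ev.get("Image", "")) == KEEPASS
            and ev.get("Signed", "").lower() != "true"):   # missing field counts as unsigned
        return "unsigned module loaded into KeePass.exe: " + basename(ev["ImageLoaded"])
    if (eid == 11 and basename(ev.get("Image", "")) == KEEPASS
            and basename(ev.get("TargetFilename", "")).endswith(".csv")):
        return "KeePass.exe wrote a CSV export: " + basename(ev["TargetFilename"])
    return None

def detect(log_text):
    """Parse JSON lines and return (line_number, reason) for each suspicious event."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        reason = classify(json.loads(line))
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in detect(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A CSV write on its own is also what a legitimate manual export produces, so treat that rule as a triage signal and weight the remote-thread and unsigned-module hits higher.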