Unless we are a human supercomputer, remembering a different password for every different site is not an easy task.
But to solve this problem, there is a growing market of password managers and lockers, which remember your password for every single account and simultaneously provide an extra layer of protection by keeping them strong and encrypted.
However, that held true only until a hacker released a hacking tool that can silently decrypt and extract all usernames, passwords, and notes stored by the popular password manager KeePass.
The hacking tool, called KeeFarce, was developed by Kiwi hacker Denis Andzakovic and is available on GitHub for free download.
An attacker can execute KeeFarce on a computer while a user is logged into their KeePass vault, decrypt the entire password archive, and dump it to a file that can then be stolen remotely.
How Does KeeFarce Work?
KeeFarce obtains passwords by leveraging a technique called DLL (Dynamic Link Library) injection, which allows a third-party app to tamper with the process of another app by injecting external DLL code into it.
The injected code then calls an existing KeePass export method to export the contents of a currently open database, including user names, passwords, notes, and URLs to a clear-text CSV file.
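From the defender's side, both behaviours described above (a foreign DLL appearing inside the KeePass process, and KeePass writing a clear-text export) leave traces in endpoint telemetry. The following is an added example, not code from the original article or from KeeFarce: it triages events shaped like Sysmon ImageLoad (ID 7) and FileCreate (ID 11) records that have already been parsed into dictionaries. The trusted directories, the watched extensions and all sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: directories KeePass.exe is expected to load modules from.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files (x86)\\keepass password safe 2\\",
)
CLEARTEXT_EXTS = {".csv", ".txt", ".xml", ".html"}  # assumed export formats to watch

def triage(events):
    """Return (reason, path) findings for events raised by KeePass.exe."""
    findings = []
    for ev in events:
        if PureWindowsPath(ev.get("Image", "")).name.lower() != "keepass.exe":
            continue
        if ev["EventID"] == 7:  # Sysmon ImageLoad: a module mapped into the process
            dll = ev["ImageLoaded"]
            trusted = dll.lower().startswith(TRUSTED_DIRS)
            if not trusted or ev.get("Signed") != "true":
                findings.append(("unexpected-module", dll))
        elif ev["EventID"] == 11:  # Sysmon FileCreate: a file written by the process
            target = ev["TargetFilename"]
            if PureWindowsPath(target).suffix.lower() in CLEARTEXT_EXTS:
                findings.append(("cleartext-export", target))
    return findings

# Constructed sample events (not taken from a real host).
KP = r"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"
TMP_DLL = r"C:\Users\alice\AppData\Local\Temp\helper.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": KP, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": KP, "Signed": "false", "ImageLoaded": TMP_DLL},
    {"EventID": 11, "Image": KP, "TargetFilename": r"C:\Users\alice\Desktop\export.csv"},
    {"EventID": 11, "Image": KP, "TargetFilename": r"C:\Users\alice\Documents\vault.kdbx"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "Signed": "false",
     "ImageLoaded": TMP_DLL},
]

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_EVENTS):
        print(reason, path)
```

A user who deliberately exports their own database to CSV raises the same "cleartext-export" finding, so treat it as a triage signal to correlate with the module-load finding rather than as proof of compromise.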
The key takeaway here is:
KeeFarce is just a password extraction tool that could work perfectly as a password stealer for remote hacking when combined with malware.
If that happens, it is game over: you'll have much bigger things to worry about, since most of your data is generally already logged in.
While KeeFarce is specifically designed to target KeePass password manager, it is possible that developers can create a similar tool that takes advantage of a compromised machine to target virtually every other password manager available today.
Original Post: http://thehackernews.com/2015/11/password-manager-hacked.html