KeeFarce extracts KeePass information straight from memory

Password managers are the way to go when it comes to keeping accounts and information secure on virtually any system. They allow you to create secure passwords for any service, and many even improve the login process by auto-filling information or logging you in automatically.

As long as the underlying system or device is not compromised, they do offer a high level of protection.

A newly released hacking tool highlights that the protection that password managers offer becomes void when a system is compromised. While that is not a new finding, the new tool may raise awareness for the issue.

KeeFarce is a free program for Windows that enables you to extract KeePass 2.x information from memory. This includes the username, password and urls in cleartext among other things. The information is saved to a csv file in the Windows appdata folder automatically when it is run.

mod apk


The program uses DLL injection “to execute code within the context of a running KeePass process”. Additional information about the process are provided on the project’s GitHub page.

KeeFarce needs to be run on a computer system the attacker has access to. This can be a compromised system for example, and highlights why the issue is not limited to the password manager KeePass.

Considering that local access is required for the attack, virtually any password manager running on the system is vulnerable to similar attack forms.

The owner or user of the system needs to have KeePass open for the attack to be carried out successfully. It won’t work if the password database is locked as KeeFarce won’t be able to extract information from it in this case.

Since most password managers are kept open all the time, it highlights why it may not be a good idea after all.

So how can you protect your data against this attack form?

Since it works only on compromised systems, making sure that yours is not compromised is enough to protect your data from the attack.

Since it affects all password managers in theory running on the system, there is little that you can do about it if your system has been compromised.

I like to lock the KeePass database automatically after a certain period in which it has not been used. While this won’t prevent remote attacks from being carried out against the database if a system has been compromised, it may help prevent others from running the program locally.

You may enable the feature under Tools > Security > Lock workspace after KeePass inactivity.

lock workspace keepass

Closing Words

A compromised password manager can be a catastrophic event considering that it puts a user’s online presence up for grabs. An account could use the data to take over a user’s online life, and it would take serious effort on part of the user to regain control over stolen account accounts again.

A compromised system without password managers is in no way better off considering that keyloggers and other malicious software can grab passwords and information from the system as well. (via Ars Technica)


Article Name

KeeFarce extracts KeePass information straight from memory


Martin Brinkmann


The proof-of-concept program KeeFarce allows you to extract KeePass information straight from memory on Windows devices.

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+

You are here: Home > Security > KeeFarce extracts KeePass information straight from memory

This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at