KeePass security local malware

Yes - if the malware included a keylogger, for example, it could simply read the master password when you typed it in. The only real way to prevent that would be to have KeePass be the only software running, on a verified secure computer (e.g. no hardware keyloggers, no VMs, etc.) which would somewhat defeat the purpose of having passwords to hand.

However, the same malware would also be able to read the master password for a cloud based database, when you opened it. It's not specific to local database files. In fact, it could take a less invasive piece of malware to do that - if you've installed a dodgy browser extension and view your passwords through a web site, it would be able to see what you typed in the browser, but (probably) not what you typed into any other program.

If you're using a system which has malware on it, assume it can do anything you can do - if you can read a file, so can the malware. If you can contact a specific server, so can the malware. If you can disable your AV software, so can the malware. It might need to get details off you in order to do it (e.g. passwords), but the key is to avoid getting it on the system, rather than trying to ensure that every single piece of software detects the presence of it.


When your computer is compromised, pretty much any defense on it should be considered broken. Security threat models consider this an out-of-scope scenario - barring very few exceptions (e.g., the very purpose of your software is to be the last line of defense).

That said, password managers (like KeePass) that store the password database locally do resist a compromise to some extent - by encrypting the database using strong measures. If you configure it as intended (e.g., use a strong master password + a keyfile that you don't store locally) it will resist brute-force and dictionary attacks. It will even resist capture of passwords from the clipboard if you only use the auto-type feature. The clipboard exposure can also be limited to a single use and to just a few seconds.

However, it cannot resist keyloggers because that is an environmental problem outside KeePass. The environment is given to KeePass - not something it can control. It is possible for a keylogger to capture the master password as you type it and call home to report it - along with the KDB / KDBX file and any associated key file.

I wouldn't expect every piece of software to resist every possible attack (somewhat like looking for a panacea). I would consider password managers - especially KeePass / KeePassX - as very good for what they do.


It's worth mentioning that there are settings inside KeePass to help restrict what malware (and you) can do. This lets you, for instance, prevent malware from simply exporting your entire database by injecting a few keystrokes.

It's not a failsafe, but it gives you more of a buffer between when you get infected and when you actually realize you've been infected.

[Screenshot: Policy dialog in KeePass 2.x (screenshot is from KeePass 2.36)]