This is an interesting scenario and the answer really boils down to “it depends”.
I use LastPass, a KeePass equivalent. I keep it logged in all day… and again, I don’t.
Vault-specific malware
To directly address your question, the only malware that would be helped by keeping a password vault open, in my opinion at least, would be malware that is specifically targeted at reading the contents of that specific password vault.
By that I mean malware that is looking specifically for KeePass. If it finds KeePass installed and open, it might start sucking up the contents somehow.
I am not aware of any such malware at this time.
There are easier ways for malware
To be honest, I really don’t think malware writers need to bother with that. If you’ve gone so far as to allow malware on your machine in the first place, it’s much easier and much more productive for that malware to simply record what you’re doing.
I hear a lot of people saying that using a password vault doesn’t use keystrokes, making them safer.
True enough, but these tools still use something to get the password into the forms and whatnot it’s filling out; and what we tend to call “keylogging” software is actually capable of logging much more than just keystrokes. It’s very possible for malware to log any of the ways that a password vault might transfer the password information on your behalf.
So, in my opinion, keeping a password manager open doesn’t really make you any more vulnerable to malware.
It could, however, make you vulnerable to something else.
A “friend” walks into a room
The scenario I’m thinking of is when you walk away from your computer, or worse, if your computer is stolen when you’ve left it in this state.
Anyone can walk up to your computer and just start using your password vault. Say you’re working on your laptop at Starbucks, you close the lid and go to the bathroom, and when you come back it’s gone. It’s quite possible, common even, that when the thief opens the lid everything is still there, running and ready, including your opened password vault.
So, if that’s a concern, then yes, absolutely, leaving a password vault open does add to the risk.
My solution is actually very simple. At home, where the risk of someone I don’t trust using my machine is low, I’m signed into LastPass pretty much all day. On my laptop, I’m not. In fact, I have LastPass configured there to automatically log me out after some period of inactivity. I consider that security so important that I also have two-factor authentication turned on in LastPass. On that laptop, I need both my password and a security code from my mobile phone in order to be able to log in to LastPass at all.
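A minimal model of the laptop setup described above (a vault that locks itself after a period of inactivity and needs both the master password and a code from a phone app to open), written as an added example; it is not LastPass’s or KeePass’s code, and the VaultSession class, the 300-second idle timeout and the sample secret are assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct
from dataclasses import dataclass


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class VaultSession:
    """Hypothetical vault session: password + TOTP to open, auto-lock when idle."""
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    idle_timeout: float = 300.0   # assumed: seconds of inactivity before the vault locks
    unlocked: bool = False
    last_activity: float = 0.0

    @classmethod
    def create(cls, master_password: str, totp_secret: bytes, idle_timeout: float = 300.0):
        salt = secrets.token_bytes(16)
        return cls(salt, cls._hash(master_password, salt), totp_secret, idle_timeout)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a copied vault file cannot be brute-forced cheaply
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def unlock(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        code_ok = hmac.compare_digest(code, totp(self.totp_secret, now))
        self.unlocked = pw_ok and code_ok       # both factors required, never just one
        self.last_activity = now
        return self.unlocked

    def is_unlocked(self, now: float) -> bool:
        # Auto-lock: what a laptop left on the table should have done by itself
        if self.unlocked and now - self.last_activity > self.idle_timeout:
            self.unlocked = False
        return self.unlocked

    def touch(self, now: float) -> None:
        """Record user activity; a vault that already locked stays locked."""
        if self.is_unlocked(now):
            self.last_activity = now
```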
I have a basic paranoia about leaving my laptop on a table in a coffee shop when I go to the bathroom, and worrying about someone logging on to my accounts while I’m away is probably only number 2 on my worry list.
I will not leave my laptop alone. I’ll take it with me to the restroom if needed.
Hi Leo,
If a keylogger can capture LastPass (or similar) filling out your login form, why does LastPass offer an on-screen keyboard to fight that kind of malware? Are you saying that the on-screen keyboard is useless with the latest types of keylogger? Or maybe using the on-screen keyboard is different from LastPass filling out the form?
An on-screen keyboard can be captured by a keylogger. Please see “Is there a way to bypass keyloggers?”
Password safes are not intended to combat malware. If you have malware on your machine (keyloggers are only one kind) then all bets are off. Anything can be recorded.
Password safes are designed to let you securely keep track of lots of different complex passwords.
I see… that’s really annoying!
Thanks for your reply
PS. That’s a great site, keep going man!