
Is It Safe to Stay Logged in to My Password Vault?

I have and use KeePass with Windows 7. I open KeePass in the morning and I leave it open all day. Does this make it unnecessary for malware to determine my KeePass password in order to see my password file? Is keeping KeePass open a security risk? 

This is an interesting scenario and the answer really boils down to “it depends”.

I use LastPass, a KeePass equivalent. I keep it logged in all day … and again, I don’t.


Vault-specific malware

To directly address your question, the only malware that would be helped by keeping a password vault open, in my opinion at least, would be malware that is specifically targeted at reading the contents of that specific password vault.

By that I mean malware that is looking specifically for KeePass. If it finds KeePass installed and open, it might start sucking up the contents somehow.

I am not aware of any such malware at this time.

There are easier ways for malware

To be honest, I really don’t think malware writers need to bother with that. If you’ve gone so far as to allow malware on your machine in the first place, it’s much easier and much more productive for that malware to simply record what you’re doing.

I hear a lot of people saying that using a password vault doesn’t use keystrokes, making them safer.

True enough, but these tools still use something to get the password into the forms and whatnot they’re filling out, and what we tend to call “keylogging” software is actually capable of logging much more than just keystrokes. It’s very possible for malware to log any of the ways that a password vault might transfer the password information on your behalf.

So, in my opinion, keeping a password manager open doesn’t really make you any more vulnerable to malware.

It could, however, make you vulnerable to something else.

A “friend” walks into a room

The scenario I’m thinking of is when you walk away from your computer, or worse, if your computer is stolen when you’ve left it in this state.

Anyone can walk up to your computer and just start using your password vault. Say you’re working on your laptop at Starbucks, you close the lid and go to the bathroom, and when you come back it’s gone. It’s quite possible, common even, that when the thief opens the lid everything is still there, running and ready, including your opened password vault.

So, if that’s a concern, then yes, absolutely, leaving a password vault open does add to the risk.

My solution is actually very simple. At home, where the risk of someone I don’t trust using my machine is low, I’m signed into LastPass pretty much all day. On my laptop, I’m not. In fact, I have LastPass configured there to automatically log me out after some period of inactivity. I consider that security so important that I also have two-factor authentication turned on in LastPass. On that laptop, I need both my password and a security code from my mobile phone in order to be able to log in to LastPass at all.

5 comments on “Is It Safe to Stay Logged in to My Password Vault?”

  1. I have a basic paranoia about leaving my laptop on a table in a coffee shop when I go to the bathroom, and worrying about someone logging on to my accounts while I’m away is probably only number 2 on my worry list.

  2. Hi Leo,

    If a keylogger can capture LastPass (or similar) filling out your login form, why does LastPass offer an on-screen keyboard to fight that kind of malware? Are you saying that the on-screen keyboard is useless with the latest types of keylogger? Or maybe using the on-screen keyboard is different from LastPass filling out the form?
