Windows 10 bundles a briefly vulnerable password manager

Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10. On Friday, Ormandy publicly disclosed the bug, which lies not in the Microsoft operating system but in an included third-party Keeper password manager. He wrote: “I've heard of Keeper, I remember filing a bug a …

  1. Anonymous Coward
    Windows

    The very idea!

    "Posting the patch, the company noted that a victim would have to be lured to an attacker's site, while logged into the browser extension."

    And after all, what sort of Windows user would ever turn on a password manager approved by MS? And then compound that error by following dodgy links?

    Oh wait...

    1. Captain DaFt

      Re: The very idea!

      Really! It's not like anyone ever got an email that said something like, oh say,

      "Your KatZ VidZ account is in danger of expiring! [Click Here] to verify your password and details Immediately!"

      Nope, never happened!

    2. Anonymous Coward

      I'd rather know

      How to get rid of it from the Windows 10 machines in my Office.

      1. bombastic bob Silver badge
        Linux

        Re: I'd rather know

        "How to get rid of it from the Windows 10 machines in my Office."

        1. Go to linuxmint.com, get latest DVD image

        2. Save important files to external USB drive

        3. Insert LINUX MINT (Cinnamon or Mate *) install DVD

        4. Boot from DVD, install Mint, wiping out EVERYTHING Win-10-nic and replacing it with something worth having.

        5. Restore important files from backup. Install additional software (like Libre Office, firefox, thunderbird) as needed.

        * NOTE: KDE is an acceptable alternative to Cinnamon or Mate

        also worth noting: the win-10-nic replacement process (with Linux Mint) will likely take LESS TIME than trying to fix the average Win-10-nic computer...

        1. wallaby
          Trollface

          Re: I'd rather know

          Noooooooooo

          and step that far back in time - please !!!!

          rather an etch a sketch, looks better than a Linux desktop

          as purposefully crass and pointless as the post that spawned it Bob

        2. EJ

          Re: I'd rather know

          Do you have to specify anything special when you burn the DVD? I seem to remember potentially having to designate the disc as an .iso image in the past. Asking for a friend...

          1. Anonymous Coward

            Re: I'd rather know

            @EJ

            Possibly. Depending on what OS and/or burning software you're using, you sometimes have to select Burn From Image, or Burn ISO, etc. I would recommend "burning" the ISO to a USB flash drive, using something like Rufus (if using Windows):

            https://rufus.akeo.ie/

            It makes installation pretty snappy.

            Alternately, for DVD burning, something like ImgBurn:

            http://www.imgburn.com/

            or Active@ ISO Burner:

            http://lsoft.net/iso_burner.aspx

            Hope this helps...

      2. inmypjs Silver badge

        Re: I'd rather know

        "How to get rid of it from the Windows 10 machines in my Office."

        Open a window and throw.

      3. Anonymous Coward

        Re: I'd rather know

        Just because your computer has Windows on it does not mean you can throw it out of one ;)

  2. Jim Mitchell
    WTF?

    The marketing for "Keeper - Password Manager & Secure File Storage" on the Windows store is writing checks they will never be able to cash:

    "Keeper is the leading password manager and digital vault for businesses and individuals." Eh, then how come I've never heard of it? And...

    "Now it's your turn to experience Keeper's impenetrable security."

    Yeah, um, no.

  3. Ken Moorhouse Silver badge

    If Keeper lets it slip through...

    ...then look out for it at the back of the net.

  4. Anonymous Coward

    This could all be avoided if you just use the same password for everything and keep it on a post it note on your monitor.

    1. Timmy B

      "This could all be avoided if you just use the same password for everything and keep it on a post it note on your monitor."

      I am far more secure. My passwords are all Pa$$w0rd. So easy to remember I don't need to use a post it note.

      1. VinceH
        Pint

        And if you do forget it, you could just ask us commentards for a reminder. Genius!

        Genius, I tell you!

        1. Timmy B
          Pint

          "Genius, I tell you!"

          It took me all year but I finally came up with the good ideas....

  5. Khaptain Silver badge

    Which version of Windows 10

    I read that it is an MSDN version but which one exactly, is it a developers preview or an existing version?

    It's not in 1703 or 1709 or at least not in any of the versions that I currently run.

    Never heard of "Keeper" before this post... Seems strange that MS would include a 3rd party app like this.

    1. Timmy B

      Re: Which version of Windows 10

      I agree - I just installed an MSDN copy of 10 Pro and no sign of it there. I can only find references to the original story. Do we have any 3rd party sources to confirm this? There is a Keeper enterprise that seems to be able to install Keeper automatically. I wonder if this is actually what happened.

      1. Snorlax Silver badge

        Re: Which version of Windows 10

        I'm guessing this guy signed into his Microsoft account and pulled down his 'purchased' apps from the Microsoft Store, because I can't see this bundled in any of the publicly available ISOs I've tried.

    2. Nick L

      Re: Which version of Windows 10

      Likewise, I cannot find this bundled on any version of Windows 10...

    3. Adam 52 Silver badge

      Re: Which version of Windows 10

      "Seems strange that MS would include a 3rd party app like this."

      Not at all strange. The home editions of Windows 10 advertise or auto-install all manner of rubbish. I think mine's currently plugging Minecraft in an animated icon.

  6. Piro Silver badge

    Windows 10 is basically malware.

    The only passable version is LTSB, which basically gives you an ugly, slightly less responsive version of Windows 7.

  7. EnviableOne

    I hate the way MS bundle apps in w10, any major update and it takes a day to weed out all the new useless stuff they added and get rid of the associations it set up to get my system running again.

    Keeper was in the last two updates, but it's not been on my machine for more than a couple of days.

    You would have thought MS would have either gone with one of the big ones or bought Keeper and secured it before bundling it with W10

  8. Mark Manderson

    pfft who needs pwd managers

    just change all passwords to be "incorrect" then each website tells you what it is when you get it wrong......

    :D

    1. bombastic bob Silver badge
      Happy

      Re: pfft who needs pwd managers

      well, I'll put in a good word for KeePassXC <-- the C language version that doesn't need MONO nor ".Not"

  9. Aaiieeee
    Angel

    Ahh

    Keeper makes me think of the game Dungeon Keeper which was my favourite game for a number of years.

    1. Mandoscottie
      Thumb Up

      Re: Ahh

      @Aaiieeee

      Check out Dungeons II and 3

      http://store.steampowered.com/app/493900/Dungeons_3/

      even some of the old Dev Team.

  10. Snorlax Silver badge

    Where Is It?

    I’ve just installed W10 1709 16299.125 and there’s no sign of ‘Keeper’.

    Can the author verify what build the guy who reported this issue was using?

    It’s available as a download from the Windows Store, but it doesn’t exist for me as a stand-alone program or Edge extension on a fresh install.
