13

Am I safe using KeePass for generating passwords? For example, for my accounts, am I safe using a KeePass-generated password? Could my future KeePass master keys be safely generated in KeePass? What method is used? KeePass 2.30 for Windows and Linux.

Thanks, Irrationally Paranoid KeePass User.

keepass_fan
  • Safe against what kind of attack scenario? – Philipp Dec 13 '15 at 02:12
  • I would rule out malware since they would have my passwords anyway. I am wondering whether someone knowing a password was generated in KeePass would make it easier to crack than a brute force? – keepass_fan Dec 13 '15 at 02:18

1 Answer

19

tl;dr: Yes, it's reasonably safe.

When an attacker knows you use KeePass, then they might also assume that you use the standard settings for the password generator. That tells them the length and the character set [a-zA-Z0-9]. This makes it slightly easier to crack than if the length were not known and they expected that you also use special characters. But even with that knowledge, the generated passwords are still far, far too strong to brute-force.

But how exactly are the passwords generated? If it were a predictable pseudorandom number generator, that might be an attack point.

Looking at the source code of KeePass 2.30, the password generator seems to be implemented in KeePassLib\Cryptography\PasswordGenerator\PwGenerator.cs. It uses the class CryptoRandomStream from KeePassLib\Cryptography\CryptoRandomStream.cs with the stream cipher Salsa20 used as a random number generator.

The password generator works like this:

  1. A random number is generated (PwGenerator.cs line 65). It uses the standard RNGCryptoServiceProvider from the .NET framework (CryptoRandom.cs).
  2. The generated random number is combined with some additional entropy if available. I haven't bothered to find out where this entropy comes from (usually unpredictable user behavior like mouse movement or keypresses is used for this), but apparently it isn't assumed that entropy is always available.
  3. A SHA256 hash is generated from the random value with entropy (CryptoRandomStream.cs lines 114-118).
  4. That hash is used as the encryption key for a Salsa20 stream cipher (CryptoRandomStream.cs line 119).
  5. The stream cipher is used as a random number generator by repeatedly feeding its output as its input (Salsa20Cipher.cs lines 176-196).

To predict a password, one would need to crack Microsoft's cryptographic random number generator and predict the entropy (if used).

Alternatively, if someone cracked the Salsa20 cipher, one could predict a password from the previous password. According to Wikipedia: "As of 2015, there are no published attacks on Salsa20".

Best regards, Irrationally Diligent Software Developer.

Adam Matan
Philipp
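Added example, not part of the answer above and not KeePass's own code: a Python sketch of the pipeline the answer describes (OS CSPRNG seed, SHA-256, Salsa20 keystream, characters from [a-zA-Z0-9]), plus the search space an attacker faces when length and character set are known. Assumptions made here: standard Salsa20/20 keyed in counter mode, a zero nonce, extra entropy mixed in by concatenation, rejection sampling for character selection, a `seed` parameter for reproducible tests, and a sample length of 20.

```python
import hashlib, math, os, string, struct

CHARSET = string.ascii_letters + string.digits  # [a-zA-Z0-9], as in the answer
NONCE = bytes(8)  # assumption: zero nonce, not a value taken from KeePass
QUARTER_ROUNDS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),  # columns
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]  # rows

def _rotl(v, n):
    v &= 0xFFFFFFFF
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def salsa20_block(key, nonce, counter):
    """Return one 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    init = [0x61707865, *k[:4], 0x3320646E, *n, counter & 0xFFFFFFFF,
            counter >> 32, 0x79622D32, *k[4:], 0x6B206574]
    x = list(init)
    for _ in range(10):  # 10 double rounds (column round + row round)
        for a, b, c, d in QUARTER_ROUNDS:
            x[b] ^= _rotl(x[a] + x[d], 7)
            x[c] ^= _rotl(x[b] + x[a], 9)
            x[d] ^= _rotl(x[c] + x[b], 13)
            x[a] ^= _rotl(x[d] + x[c], 18)
    return struct.pack("<16I", *((s + t) & 0xFFFFFFFF for s, t in zip(x, init)))

def keystream(seed):
    """Steps 3-5: SHA-256 of the seed keys Salsa20; yield keystream bytes."""
    key = hashlib.sha256(seed).digest()
    counter = 0
    while True:
        yield from salsa20_block(key, NONCE, counter)
        counter += 1

def generate_password(length, extra_entropy=b"", seed=None):
    """Steps 1-2: OS CSPRNG seed plus optional extra entropy (concatenation is assumed)."""
    if seed is None:  # a caller-supplied seed is a test hook only
        seed = os.urandom(32) + extra_entropy
    limit = 256 - 256 % len(CHARSET)  # 248: reject larger bytes to avoid modulo bias
    stream, chars = keystream(seed), []
    while len(chars) < length:
        b = next(stream)
        if b < limit:
            chars.append(CHARSET[b % len(CHARSET)])
    return "".join(chars)

def entropy_bits(length):
    """Search space in bits when the attacker knows both length and character set."""
    return length * math.log2(len(CHARSET))

if __name__ == "__main__":
    print(generate_password(20), f"{entropy_bits(20):.1f} bits")  # 20 is a sample length
```

The output is only as unpredictable as the seed, so the `seed` argument must never be used outside tests.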