I've been using KeePass for years, and I have a lot of accounts. I need to access them anywhere I work, so I store one copy of my database on a portable hard drive.

The drive isn't encrypted. The database is encrypted using AES-256 with millions of encryption rounds, but I only use a single password to open it.

The password is a combination of uppercase and lowercase characters, numbers and special marks, and is based on a number of random, unrelated words.

I've lost the drive. Should I worry about the database being cracked?

LQ2'
  • Change all your passwords just to be on the safe side. – André Borie Apr 08 '16 at 09:31
  • @AndréBorie I'm changing them just to be sure. – LQ2' Apr 08 '16 at 09:39
  • Even if this could be cracked at some effort would the attacker have the motivation to do this? For example does the drive have a label on it saying passwords for nuclear launch codes? I'm guessing not so why would someone put in all the effort to potentially get not much? – Dane Apr 08 '16 at 09:40
  • @Dane to be honest I doubt the random person who finds the drive will ever know what a "kdbx" file is, but in security we can't rely on that and we need to make sure. Changing the passwords is the best solution. – André Borie Apr 08 '16 at 09:44
  • I agree, but the user asked should I worry about the database being cracked. – Dane Apr 08 '16 at 09:45
  • Isn't it a major "selling point" of these sort of password storages that I don't have to worry about this scenario? Assuming I have a good master password of course. – axl Apr 08 '16 at 11:05

1 Answer

TL;DR: You can relax - your database is absolutely secure.

Technical details:
The encryption used by KeePass is not broken as of today. Brute-forcing the AES-256 key is infeasible. Assuming your password has more than about 80 bits of entropy, the millions of key derivation rounds render brute-forcing the password infeasible, too.

The entropy of your password depends on how well you chose your words. Let's do another example:
You chose 5 distinct words. The attacker must assume a set of about 7000 English words to not miss one of your words. The words alone make up for 10^19 possible combinations. Let's further assume you changed two letters per word to a number or a special character. You chose numbers similar to the letter and random special characters from a set of 10. The letter exchange alone makes up for (13 * 13)^5 = 137 * 10^9 possible combinations. All in all, that is about 1,3 * 10^30 possible combinations; equivalent to about 100 bits of entropy.

Brute-forcing 100 bits is not completely impossible imo (128 is considered impossible pre-quantum; but 100 to 128 is a huge step). That effort is far beyond feasible for anyone other than large governments or enterprises. Unless you are Edward Snowden (which I am sure you are not since you asked this question), no one will go through that pain.
The large number of derivation rounds adds to that, even.

marstato
  • Assuming the attacker knows it's a KeePass database, what about dictionary-based attack against the password? I did split the words used in the password. – LQ2' Apr 08 '16 at 10:23
  • I updated my answer – marstato Apr 08 '16 at 10:41
  • Your explanation about the password entropy is quite useful. But do you think a custom word transformation rule (other than changing letters into symbols) adds a lot of entropy? – LQ2' Apr 08 '16 at 11:45
  • Transformation rules/procedures **do** add significant entropy (in the example above, 66 bits without transformation). But most transformations are very common and predictable (e.g. `s` to 5, `i` to 1, `S` to `$`...). Any serious password cracker will attack such common mutations specifically and thus almost completely screw the trick. I'd go with one or two more words (7 words => 82 bits) – marstato Apr 08 '16 at 11:53
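
The keyspace model from the answer and its last comment, carried through exactly as an added example (not part of the original thread): it computes passphrase entropy for the word-plus-substitution scheme and shows how much work the key derivation rounds add. The round count (6,000,000) and the attacker rate (10^12 cipher operations per second) are assumed values for illustration, and one derivation round is treated as one cipher operation.

```python
import math

def passphrase_bits(words, dictionary_size, subs_per_word=0, choices_per_sub=1):
    """Entropy in bits when each word is drawn uniformly from the dictionary
    and each word receives subs_per_word substitutions, each with
    choices_per_sub equally likely outcomes (the answer's model)."""
    per_word = math.log2(dictionary_size) + subs_per_word * math.log2(choices_per_sub)
    return words * per_word

def kdf_bits(rounds):
    """Extra work per guess, in bits, added by the key derivation rounds."""
    return math.log2(rounds)

def years_to_crack(bits, kdf_rounds, ops_per_second):
    """Expected years to find the password: on average half the keyspace is
    searched, and every guess costs kdf_rounds cipher operations."""
    guesses_per_second = ops_per_second / kdf_rounds
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

# Scenarios taken from the thread: 7000-word dictionary, 13 choices per swap.
SCENARIOS = {
    "5 words, no substitutions": dict(words=5, dictionary_size=7000),
    "5 words, 2 substitutions each": dict(words=5, dictionary_size=7000,
                                          subs_per_word=2, choices_per_sub=13),
    "7 words, no substitutions": dict(words=7, dictionary_size=7000),
}

def report(kdf_rounds=6_000_000, ops_per_second=1e12):
    """Return (scenario, password bits, effective bits, expected years).
    kdf_rounds and ops_per_second are assumed values, not from the page."""
    rows = []
    for name, params in SCENARIOS.items():
        bits = passphrase_bits(**params)
        rows.append((name, bits, bits + kdf_bits(kdf_rounds),
                     years_to_crack(bits, kdf_rounds, ops_per_second)))
    return rows

if __name__ == "__main__":
    for name, bits, effective, years in report():
        print(f"{name:32s} {bits:6.1f} bits  "
              f"{effective:6.1f} effective  {years:.2e} years")
```

The substitution term only holds if each swap really is chosen at random; for the predictable mutations named in the last comment, the "no substitutions" rows are the safer estimate.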