
I'm trying to store passwords more securely in my department. I was thinking about using KeePass, giving each of my colleagues a personal password database and requiring a simple password (they won't agree to use anything remotely complicated) and a key file to unlock it.

My first idea was to store each password database locally, on their respective computers, and the key file(s) on our company server.

Is this a wise idea? Which alternative would be best? Which alternative would be better, given my team's reluctance to use strong passwords for the databases?

2 Answers

You should consider what you are trying to accomplish by storing each particular part in some specific location, and then proceed accordingly.

The password database file itself is important but not sensitive, particularly because it is encrypted. In the ideal case, having access to that file does not gain you any particular abilities. It changes often, and thus needs to be backed up regularly; as such, it should be included in your regular backups.

The key file is sensitive as well as important. Without it, the password database file is meaningless, as the key file effectively forms a part of the master passphrase used to unlock the password database. However, it changes very rarely, and can for all intents and purposes be considered static, so doesn't need to be backed up on a particularly regular basis.

The passphrase as entered by the user is sensitive and important, for the same reasons that apply to the key file. It's also not stored on a computer, but rather (hopefully) exclusively in the user's brain. The user can change it if they want to, but they are responsible for making sure that they remember it.

Only all three parts together are actually meaningful. You can't do anything with any one of these without the other two, and you would be hard pressed to do much of anything with any two of these without the third.

It's a bad idea to keep the key file in the same location as the password database, unless of course the password database master password is sufficiently strong that it alone provides good protection against an attacker and the key file is really only icing on the cake. From what you say about using "a simple password", this does not appear to be the case in your situation.

Hence, we can conclude that in your scenario, most of the security is in the key file, which is slightly augmented by the master passphrase. Thus, the key file must be protected to high standards.

Given this, I would probably do pretty much the opposite of what you propose:

  • Store the password database on the local host, or possibly on a central server. Set up file system and (if applicable) network share ACLs to restrict access to each password database to its owner. Make sure it is included in regular backups.
  • Store the key file on a central server. Set up file system and (if applicable) network share ACLs to restrict access to each key file to its owner. Make sure it is not included in regular backups. Consider setting up audit logging for both successful and failed access attempts.
  • Set as high a passphrase key derivation iteration count as your users will tolerate. Aim for several seconds on the client machines, if that is acceptable. Keep in mind that a serious attacker will likely use passphrase hashing implementations that are far more optimized.
  • Keep backup copies of the key files somewhere. Individual, sealed envelopes in a bank safety deposit box, maybe? (In this case, the bank would keep a separate audit log which can likely be called upon in case of suspicion of unauthorized access. They won't be able to tell you what a person did, but they should be able to tell you who had access.)

This isn't perfect, mainly because the protection offered by what only the owner of the password database has access to (the master password) is so weak. But if your users can't be bothered to use secure master passphrases, it's probably about the best you can do.

Of course, you need some mechanism for handling scenarios where people get run over by a bus. That, however, is outside of the scope of an individual password manager, and is something you need regardless, so I won't discuss that further here.

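The answer above rests on two points that are easier to see in code: a database is only unlockable when passphrase and key file are combined into one key, and the key derivation iteration count is what makes each guess expensive. The script below is an added example written for this page; it is not KeePass's code and not the answerer's. It models the composite key the way KeePass does in simplified form (SHA-256 of the passphrase hash concatenated with the key-file key; a 32-byte key file is used as-is, anything else is hashed), stands in PBKDF2-HMAC-SHA256 for the database's own key transformation, calibrates an iteration count against a target unlock time on the local machine, and estimates how quickly an attacker who already holds the key file could exhaust an all-digit PIN. The attacker throughput figure and the sample PIN, key file and salt are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def key_file_key(key_file_bytes: bytes) -> bytes:
    """Reduce a key file to 32 bytes of key material.

    Assumption: a simplified form of the KeePass rule, where a 32-byte file is
    used as-is and any other content is hashed with SHA-256.
    """
    if len(key_file_bytes) == 32:
        return key_file_bytes
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(passphrase: str, key_file_bytes: Optional[bytes]) -> bytes:
    """Combine the passphrase hash and the key-file key into one 32-byte key.

    Leaving out either component yields a different composite key, which is
    why the database is meaningless without both.
    """
    material = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if key_file_bytes is not None:
        material += key_file_key(key_file_bytes)
    return hashlib.sha256(material).digest()


def derive_master_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch the composite key. Assumption: PBKDF2-HMAC-SHA256 stands in for
    the database's own key transformation."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float, start: int = 10_000) -> int:
    """Double the iteration count until one derivation takes at least
    target_seconds on this machine. Run this on the slowest client the users
    have, not on a server."""
    salt = os.urandom(16)
    composite = composite_key("calibration-only", None)
    iterations = start
    while True:
        t0 = time.perf_counter()
        derive_master_key(composite, salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def try_unlock(passphrase: str, key_file_bytes: Optional[bytes], salt: bytes,
               iterations: int, stored_master_key: bytes) -> bool:
    """Constant-time check of a candidate (passphrase, key file) pair."""
    candidate = derive_master_key(composite_key(passphrase, key_file_bytes),
                                  salt, iterations)
    return hmac.compare_digest(candidate, stored_master_key)


def pin_guess_seconds(pin_length: int, iterations: int,
                      attacker_iterations_per_second: float) -> float:
    """Worst-case seconds to exhaust an all-digit PIN when the attacker already
    holds the key file, given a (constructed) raw PBKDF2 throughput. This is the
    gap the key file's access controls have to cover."""
    return (10 ** pin_length) * iterations / attacker_iterations_per_second


if __name__ == "__main__":
    # Constructed sample: a weak PIN, a random 32-byte key file, a random salt.
    key_file = os.urandom(32)
    salt = os.urandom(16)
    iters = calibrate_iterations(0.25, start=10_000)
    master = derive_master_key(composite_key("1234", key_file), salt, iters)
    print("iterations chosen:", iters)
    print("PIN + key file:", try_unlock("1234", key_file, salt, iters, master))
    print("PIN alone:     ", try_unlock("1234", None, salt, iters, master))
    print("key file alone:", try_unlock("", key_file, salt, iters, master))
    print("hours to exhaust a 4-digit PIN at 1e9 iterations/s with the key file: %.4f"
          % (pin_guess_seconds(4, iters, 1e9) / 3600))
```

The calibration loop targets a wall-clock time rather than a fixed count because the count that feels like "several seconds" on an office laptop is the number to record; the estimate function then shows the same count measured against an attacker's throughput, which is what the answer means by "far more optimized" implementations.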

Even if you store the password databases locally, consider a daily backup of them. Keeping them on the server doesn't give you any privileges. Accessing a password still needs the master password, which only the owner knows. But if they lose the database, you are in for a real hassle.

The idea seems good, but don't force such a policy for every credential. Less important accounts, like many website logins, can be stored in the browser; limit KeePass to services like cPanel, email, SSH...

Michael
Xaqron