In my personal life, I use KeePassX to generate/store all my passwords. I have seen some people use a password protected OneNote section.

Does the password protected OneNote section provide a comparable level of security to KeePass? Or is the password protection a farce?

Anders
pat
  • Without knowing any specifics, I assume KeePass is better because it is software that is written for security, while for OneNote it is just an addon. But I would say that anything that helps the ordinary user pick random high entropy passwords and stops password reuse is a good thing, even if the security is only decent and not perfect. Do not let perfect be the enemy of the good. – Anders Nov 03 '16 at 15:25
  • OneNote (like all Microsoft products) includes some sort of telemetry. It's probably not an issue for normal usage but for passwords it can still be catastrophic. – André Borie Nov 04 '16 at 10:35

5 Answers

As far as storage is concerned, I think that any correctly encrypted file will have the same level of security. The problem is that passwords are meant to be used, and then dedicated password vaults have more features:

  • ability to simulate key presses to avoid storing the password in the clipboard - and additionally allows you to use them on poorly designed web sites that disallow pasting in the password field
  • even if the clipboard is used, it is cleaned after a short time to prevent the password from being inadvertently pasted in a wrong place
  • some password managers include a password generator (KeePass does) able to generate random passwords with high entropy - resistant to dictionary attacks

For all those reasons, I think that a good password manager is better than a simple encrypted file, even if the crypto engines are equivalent.

Serge Ballesta
  • "passwords are meant to be used" This. Until OneNote has Control+Alt+A that autotypes passwords based on program/website/etc? No competition... Dropbox + Keepass (or similar setups) is easily the win. – WernerCD Nov 03 '16 at 18:33
  • Some other features of Lastpass (not sure if KeePass has them also): *Online storage of (encrypted) passwords *Phishing protection by only filling out passwords for the correct domain *Automatic update of passwords when changing passwords *Two-factor authentication *Phone-app support – BlueRaja - Danny Pflughoeft Nov 03 '16 at 22:28
  • @BlueRaja-DannyPflughoeft keepass just stores it in an encrypted file, however it is relatively easy to put that encrypted file on a dropbox share for online storage. Most of the rest depends on how you configure it, the key can be generated from data unique to a specific windows domain user account, a random key file on a usb stick and your password you enter there and then if you wanted to go that far. Or you could just use a password. – ewanm89 Nov 04 '16 at 00:53
  • IMHO this does not answer the question. Is OneNote as secure as KeePass or not? I don't see that from your answer. – Thomas Weller Nov 04 '16 at 12:29
  • Leaving a password in the clipboard is a security problem. Having to retype passwords by hand in web applications that prevent pasting causes normal users to choose not too complex passwords. The storage has the same security level, but the usage has not. – Serge Ballesta Nov 04 '16 at 12:33
  • Paranoid me thinks that KeePass not having an online service is an advantage. I *know* my file can't be read by the online backup service I use (OneDrive) instead of just having to believe the claims of LastPass/1Password. – Robert Fraser Nov 04 '16 at 17:26
  • The KDF used to strengthen the master password can differ in strength. – CodesInChaos Nov 04 '16 at 20:40
  • Also, I highly doubt that OneNote will have any kind of memory protection, to prevent directly reading the contents of the password from RAM, while other password managers (like Keepass) may have some protections against such accesses. – Ismael Miguel Nov 05 '16 at 13:44
A brief look out there says that it uses AES, which is robust and the exploit tools I see look like they are doing dictionary and brute force attacks, rather than attacking something systematically broken.

However, KeePass/LastPass/similar tools are specifically designed to deal with the situation. They support multi-factor/2-factor authentication, which is a bonus. I'd still recommend these tools over OneNote password protection just because of nice integrations and ease of use, but I don't see a security issue there.

crovers
  • Good answer! I also found that at least the [2016 Mac version uses AES-128](https://support.office.com/en-us/article/Learn-more-about-password-protection-in-OneNote-2016-for-Mac-c899633e-0e6b-4a8b-b5ae-a517006ad1bb). But what key stretching does it use? That might be an important difference. – Anders Nov 03 '16 at 14:21
  • *"key stretching"* That's the big one. The key derivation function ideally should take 50-500ms (depending on user's hardware) to convert the password into a key, so as to be brute-force resistant. However, there's no guarantee that they took this particular detail seriously. – 700 Software Nov 03 '16 at 14:24
  • It is a good point. I'd hope they'd use something standard (PBKDF2, etc) but you never know. – crovers Nov 03 '16 at 14:26
  • AFAIK LastPass doesn't encrypt the whole file, just the passwords, so it leaks information about which site you registered an account and usernames. (At least it used to do this some time ago). – Bakuriu Nov 03 '16 at 16:25
  • "it uses AES" - what is it? KeePass or OneNote? – Thomas Weller Nov 04 '16 at 12:30
  • @Anders KeePass2 uses a custom iterated KDF based on AES with a relatively high iteration count (AFAIR the default is 1 second on the hardware you create the password database on). I'd judge it as stronger than PBKDF2-HMAC-SHA-2 with the same computation time (since it takes advantage of the AES-NI instructions) but weaker than scrypt with high memory use. – CodesInChaos Nov 04 '16 at 20:43
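The two points raised across these answers, a generator that produces high-entropy passwords (Serge Ballesta's list) and a key derivation function calibrated to take a noticeable fraction of a second (the key stretching discussed in the comments above), combined into one added example. This is illustration code written for this page, not KeePass's or OneNote's implementation: it uses PBKDF2-HMAC-SHA256 from the standard library (KeePass's own AES-based KDF is not reproduced), and the 1000x attacker speedup and the 94-symbol alphabet are assumed values.

```python
import hashlib
import math
import secrets
import string
import time

# Assumed alphabet: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 producing a 32-byte key (AES-256 key size)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)

def calibrate_iterations(target_seconds: float, probe: int = 20_000,
                         floor: int = 100_000) -> int:
    """Scale a timed probe run to the wanted delay; never go below `floor`."""
    start = time.perf_counter()
    derive_key("calibration-probe", secrets.token_bytes(16), probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(int(probe * target_seconds / elapsed), floor)

def expected_crack_seconds(bits: float, seconds_per_guess: float,
                           attacker_speedup: float = 1.0) -> float:
    """Expected time to hit the password: half the keyspace, one KDF run per
    guess. `attacker_speedup` models hardware faster than the defender's."""
    return (2 ** bits / 2) * seconds_per_guess / attacker_speedup

if __name__ == "__main__":
    pw = generate_password(12)
    bits = entropy_bits(12)            # about 78.7 bits over 94 symbols
    iters = calibrate_iterations(0.25)  # aim for ~250 ms per derivation
    for name, n in (("no stretching", 1), ("calibrated", iters)):
        salt = secrets.token_bytes(16)
        t0 = time.perf_counter()
        derive_key(pw, salt, n)
        per_guess = time.perf_counter() - t0
        years = expected_crack_seconds(bits, per_guess, 1000) / 3.15e7
        print(f"{name:>14}: {n:>9} iterations, {per_guess*1e3:8.3f} ms/guess,"
              f" ~{years:.3g} years at an assumed 1000x attacker speedup")
```

The same password costs an attacker `iters` times more per guess once stretching is applied, which is the gap between "it uses AES" and "its KDF is slow enough".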
Apart from the usability concerns mentioned by @Serge Ballesta in his answer, the following security problems arise:

  • KeePass has well documented security. They document the key derivation function they use and the encryption technology used
  • KeePass is Open Source software, which means that you can verify that there is no backdoor in the software
  • A KeePass database stays on your local drive, unless you put it actively onto some cloud storage. Automatic synchronisation might not be desirable for very sensitive data, like passwords.
mat
  • "*KeePass is Open Source software, which means that you can verify that there is no backdoor in the software*" - citation needed. Apart from the 'can't prove a negative' thing, by the rule that "you shouldn't trust yourself to implement your own crypto", surely "you shouldn't trust yourself to verify existing crypto"? The properties that make it hard to write correctly imply you need similar skills to verify that it is correct, doesn't it? – TessellatingHeckler Nov 04 '16 at 00:55
  • @TessellatingHeckler: Being a bit more generous, one could suppose that the "you" is the general you in that statement. In other words, someone can audit the software but that doesn't necessarily have to be you, specifically. – Dietrich Epp Nov 04 '16 at 03:25
  • @DietrichEpp Email two people about a task and see how often both will say "*I thought {other person} would do it*". I, too, like to assume that someone else is doing the complex, high skill, low reward, time consuming, thankless task, and it's fine. But the way that "*someone could hypothetically check for problems*" is used as if it carried the weight of "*someone specific _has_ checked for problems and it's fine*", is a bit weird to me. "*Critics liked this book*" is a convincing selling point. "*Someone, somewhere, could hypothetically read this book*" should not be. – TessellatingHeckler Nov 04 '16 at 03:52
  • @TessellatingHeckler: You may be interested in this: http://www.ghacks.net/2016/07/22/keepass-password-manager-icode-audit/ Obviously, the fact that it is open source doesn't mean that it *has* been audited, but it does make it much easier to audit. – Dietrich Epp Nov 04 '16 at 04:39
  • Open-source means the risk of including a backdoor is much higher - it's a lot easier to get caught. So it's reasonable to assume that reduces the chance of open-source software having backdoors, even if you don't have the skills to verify it. – Tgr Nov 04 '16 at 05:19
  • The big advantage of a KeePass database being stored locally is that you can use it without a connection. I sync mine over dropbox so it's on my phone. Some of the machines at work are in a basement with no phone signal. I can read relevant passwords off my phone and retype them. Visiting your lastpass account online from an untrusted machine would be a silly thing to do. – Chris H Nov 04 '16 at 09:56
  • @Tgr Unless the very fact that everyone relies on open source to provide this kind of security in fact makes it *less* likely for anyone to look for a backdoor, because obviously there's no backdoor - it's open source, anyone could find it. You know, the usual "shade under the lamp" thing. And from what you see all around the internet, this might very well be the case - why do the fruitless, hard work, when you're already assuming someone else did it? :D Mind you, there *are* people who do this kind of thing for fun (or a living, if you can get paid), but that's still a limited resource. – Luaan Nov 04 '16 at 13:12
  • It is not *that* hard to check a code base for backdoors. Example: I once wanted to use some ToDo-List app (android), but wanted to be sure that it did not "phone home". It also had some synchronization features (with a flag), and I wanted to be 100% sure it did not ever synchronize. I was easily able to get the source code, compile it, then basically do a "Ctrl-F" style search for any methods somehow relating to network traffic, and basically rip said functionality straight out (by naively commenting out any pertinent areas). The same would be quite straightforward for KeePass, which ... – AnoE Nov 05 '16 at 14:06
  • ... should have no reason whatsoever to use any networking code at all. Look for "#include " where xyz is the kind of functionality you are interested in, and you get a pretty good idea where to start. Granted, this is not foolproof, and a malicious open source developer surely has ways to get beyond obvious and somehow still get through; and you would probably have to invest more effort in finding whether they have crypto backdoors (i.e., encrypting stuff for backdoor keys). But if they did, and somebody noticed, you can be sure it would be known quickly and widely. – AnoE Nov 05 '16 at 14:07
  • @AnoE KeePass includes built-in support for WebDAV, so it actually does have a reason for networking code. Perhaps an argument could be made that such functionality should have been implemented in an addon, but that's not the current situation. – Bob Nov 06 '16 at 22:52
  • @Bob, that's what I mean - if I do not agree with it having WebDAV support, I'm free and able to rip that functionality out pretty easily by a more or less mechanical process. – AnoE Nov 06 '16 at 23:17
A password manager and a simple encrypted database/textfile/whatever are roughly equivalent for the threats which are most relevant to the average user (assuming the encryption was done decently, e.g. using a sufficiently slow method): attacks based on password reuse (i.e. someone sets up a honeypot website or breaks a weakly guarded site and tests the collected usernames+passwords against gmail) and low password entropy (i.e. the password can be guessed by generating a huge list of password-like strings and trying every one of them).

The big difference is against threats where your computer is partially compromised: for example, someone installs a keylogger (good password managers can auto-type using a mix of copy-paste actions and simulated keypresses which makes it hard to log), or they spray liquid nitrogen on your computer and rip out the memory chips while you are on the toilet (good password managers avoid keeping unencrypted copies of the passwords in memory).

All in all, if there is no strong reason against it, you should use a proper password manager such as KeePass (or OnePass or LastPass). If you find some other random password generation + encrypted storage method fits your workflow better / is easier to explain to your grandma, use that and don't worry about it too much. Stealing your password from one site and reusing it at another has a fairly high chance of happening, while getting infected with a keylogger is much less likely if you use an antivirus and common sense (and if you do get infected, passwords won't be your biggest problem - it will be credit cards or identity theft).

Tgr
I would suggest creating your own password generator, i.e. if you know how to create a simple Access database. I have done it, and I can choose the number of each type of characters or numbers or extended chars that it would take, then jumble {rearrange} them up, maybe more than once if you like, and then save it in your database for each site you want to create. However, you have to secure this database so that no one can find it on your HD, or maybe store it on a flash drive. Regards.