18

Currently I'm using KeePass as my sensitive data manager. I use just a main password to encrypt the database, but it is not very secure: 9 characters, a mix of lowercase letters and numbers with no meaning. Something like bwkvu5m8i

I want to increase the security of the database, without sacrificing usability much.

The only additional option in KeePass is to use a key file, which I can store on an external USB flash drive and plug it into the PC whenever I want to unlock the database. Knowing myself I will probably keep it plugged in 24/7, thus not being much different than storing the key file on the internal hard drive.

So are there any other options that don't make using KeePass very cumbersome?

My main concerns are keyloggers or trojan horses - I am an advanced user and would definitely not open any unknown files, regardless of their origin, but I still have the fear of being compromised. Is that even possible?

Bob Ortiz
user2247336
  • Maybe you should be looking for apps that use smartcards. – ott-- Sep 22 '13 at 23:21
  • 3
    Do not fixate yourself upon complex passwords. A simple password can be equally secure. See here: http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength – schmijos Apr 17 '14 at 09:25

6 Answers

16

There's no way to sugar-coat this one. Malware or a keylogger installed on your computer means that your passwords are exposed. That's it, there's no way around it.

Malware or a keylogger will log your master password, intercept the clipboard, somehow access the decrypted database in memory, etc.

Adi
13

There are ways to increase the difficulty of retrieving the KeePass master password, such as setting it to allow entry on the secure desktop only.

To prevent someone from getting your KeePass database file and performing brute force on it, you can also increase the AES iteration count that KeePass does during the master password derivation process, so as to increase the effort required to brute force the master key should your database be exfiltrated.

There is also an option to set two-channel obfuscation during auto-type, when KeePass does the typing of the username and password for you. It should prevent crude keyloggers from retrieving the specific password you use for that site.

To prevent malicious access to the KeePass database (and your decryption passphrase, since you need to type it in plaintext somehow...and that can be intercepted if your computer is compromised) in the first place, keep your computer secure. You know the drill: install and update your AV software, keep your computer OS and software updated, have a firewall, review logs regularly etc.

Finally, increase the entropy and length of the master password used. Instead of 9 characters, how about 13+? Instead of just lower letters only, what about including uppercase and even a special character or two too? The more unpredictable and longer your password is, the longer it will take for your attacker to brute force the database master key.

Nasrus
  • 1
    I am very proactive at keeping my machine secure, but you never know. I've always wondered if a Windows machine that is fully updated and secured by AV + anti-malware can get infected without human error? I remember a long time ago, back in the Windows 98 days, there were viruses like Blaster and Sasser that were able to infect a machine automatically, without the user actually doing anything. So if I don't open any unknown files, can I get infected? – user2247336 Sep 23 '13 at 11:43
  • It's hard to say really. Even if you go only to legit sites, they could be infected with malware surreptitiously inserted by crackers. Even your friends could send you files that are legit with a legit context, but have been infected with malware because their computer is infected by it. And then there are zero-days etc. So keeping your machine secure can reduce, but not completely eliminate, your chances of infection. – Nasrus Oct 08 '13 at 13:59
  • 2
    The number one thing to protect against offline attacks (a stolen database, but not a stolen passphrase) is to increase the AES iteration count. File->Database Settings->Encryption, hit the timer that will set it to "one second" worth of computation on your current hardware, and then INCREASE it by a factor of 5 to 10; it's no big deal to wait 5 or 10 seconds ONLY after entering your password (or saving a change), but it decreases the rate at which an attacker can attempt to guess your passphrase. This is ESPECIALLY important when your passphrase is weak, as it may buy you time after a leak. – Anti-weakpasswords Feb 08 '16 at 01:38
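The iteration-count advice in this answer and the "one second, then x5 to x10" calibration in the comment above, as an added worked example (not code from the page or from KeePass). PBKDF2-HMAC-SHA256 stands in for KeePass's AES-KDF, and the password, salt and year constant are constructed sample values; the keyspace is the question's 9 characters of lowercase letters and digits.

```python
import hashlib
import time

# Constructed sample values (not from the page): a password in the question's
# style and a fixed salt so that derive() is deterministic.
PASSWORD = b"bwkvu5m8i"
SALT = bytes(32)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated key derivation. PBKDF2-HMAC-SHA256 stands in for KeePass's
    AES-KDF (an assumption); what matters is that cost is linear in iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def calibrate(target_seconds: float, probe_iterations: int = 100_000) -> int:
    """Mimic KeePass's "one second" button: time a probe run on this machine
    and scale the iteration count to the requested unlock delay."""
    start = time.perf_counter()
    derive(PASSWORD, SALT, probe_iterations)
    elapsed = time.perf_counter() - start
    return max(1, int(probe_iterations * target_seconds / elapsed))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of the given length over the alphabet."""
    return alphabet_size ** length


def attack_seconds(iterations: int, seconds_per_iteration: float, space: int) -> float:
    """Expected guessing time for an attacker who must run the full KDF once per
    candidate and on average searches half the keyspace."""
    return iterations * seconds_per_iteration * space / 2


def main() -> None:
    one_second = calibrate(1.0)
    per_iter = 1.0 / one_second          # this machine's cost of one iteration
    space = keyspace(9, 36)              # 9 chars, lowercase + digits, as in the question
    # A GPU attacker is far faster per iteration than this single core, but the
    # x5 / x10 scaling of their total effort is the same.
    for factor in (1, 5, 10):
        iters = one_second * factor
        years = attack_seconds(iters, per_iter, space) / SECONDS_PER_YEAR
        print(f"x{factor:<2} {iters:>12,} iterations -> ~{years:,.0f} attacker-years at this machine's speed")


if __name__ == "__main__":
    main()
```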
7

You could try to set up some kind of OTP solution in addition to the password you store in KeePass, or as a substitute.

A rather affordable one could be yubikey (http://www.yubico.com/products/yubikey-hardware/yubikey/).

You can do stuff like swapping a Linux PAM module for a Yubico one and using a YubiKey to log on to a Linux box, and so forth...

This is not advertising, rather an affordable OTP example. Maybe not a solution for every KeePass use case, but if you store system credentials in KeePass you could add a layer of security to them....

Edit: Also, as mentioned, use a lot more than 9 digits. Use something long and complex which is still easy to type, like a long sentence with some extra special characters in it. Don't do simple stuff like swapping an e with a 3. There are brute-force plugins for that kind of stuff. Just add random signs at the end/beginning and/or middle...

Edit2: just found this: http://keepass.info/help/kb/yubikey.html see the OTP part at the end. I cannot promise you that this is a proper and secure OTP implementation and that the plugin is without flaws. However, the theory sounds good and it's a good starting point to do some research on it or look for some alternatives like this.

Edit3: a free alternative to YubiKey would be the Google Authenticator app for iOS or Android, which should work fine with the KeePass OtpKeyProv plugin according to http://mx.thirdvisit.co.uk/2014/01/02/getting-the-otpkeyprov-hotp-plug-in-to-work-with-google-authenitcator/

(again, I cannot promise that the OtpKeyProv implementation is flawless....)

Sebastian B.
  • Very good suggestions. Thank you. I have some questions though: when using a YubiKey, does the KeePass database know about it? Or simply put, if somebody steals my database and knows my master password, will they be able to open it without the YubiKey? If not, then I assume some additional encryption information is added to the database? – user2247336 Sep 24 '13 at 00:19
  • 2nd Question: Do you know if I can protect myself from losing my YubiKey? For example, when using Google Authenticator I have an authentication key or a QR code backed up, so if I lose my phone I can set up the authenticator again and regain access to my accounts. Can I print something on a piece of paper, so if I lose my YubiKey I can regain access? Do I need to buy another YubiKey, or can I use something else to gain access until my new YubiKey arrives? Thank you for your time :) – user2247336 Sep 24 '13 at 00:19
  • I think there is still a recovery mode where you can access the database with a recovery/master password. However, you could set a ridiculously long one (as you use an OTP to access KeePass) which you store somewhere in printed form in a safe or another safe place. Depending on how paranoid you are, this might or might not be an option ;) – Sebastian B. Sep 24 '13 at 17:56
  • Regarding backup: YubiKey seems to be just a cheap OpenAuth hardware implementation. The Yubico website says it's possible to order identical keys for backup purposes so you can keep one safe. Also, it might be possible to set up an identical Google Authenticator token as a backup/alternate token. You can probably direct those questions to the OtpKeyProv developer or the SourceForge forum. – Sebastian B. Sep 24 '13 at 17:59
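The HOTP mechanism behind the Google Authenticator / OtpKeyProv suggestion above, as an added illustration that is not code from the page or from the OtpKeyProv plugin: a token produces counter-based codes (RFC 4226), and a hypothetical `OtpKeyProvider` accepts a run of consecutive codes, burns them so they cannot be reused, tolerates a look-ahead window for codes generated but never typed, and derives key material. The secret is the RFC 4226 test vector used as sample input; the key derivation is illustrative only and is not the plugin's real scheme.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

# RFC 4226 test secret, used here only as constructed sample input.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpKeyProvider:
    """Hypothetical key provider (not the OtpKeyProv plugin's real scheme).
    The user types `n` consecutive HOTP codes from a token; if they match the
    expected sequence, key material is derived and the counter advances so the
    same codes never unlock again. The look-ahead window tolerates codes that
    were generated on the token but never typed in."""

    def __init__(self, secret: bytes, counter: int = 0, n: int = 3, lookahead: int = 10):
        self.secret = secret
        self.counter = counter
        self.n = n
        self.lookahead = lookahead

    def unlock(self, typed: List[str]) -> Optional[bytes]:
        if len(typed) != self.n:
            return None
        given = "".join(typed).encode()
        for start in range(self.counter, self.counter + self.lookahead + 1):
            expected = "".join(hotp(self.secret, c) for c in range(start, start + self.n)).encode()
            if hmac.compare_digest(expected, given):   # constant-time comparison
                self.counter = start + self.n          # burn the used codes
                return hashlib.sha256(given).digest()  # illustrative key material only
        return None


if __name__ == "__main__":
    provider = OtpKeyProvider(SAMPLE_SECRET)
    codes = [hotp(SAMPLE_SECRET, c) for c in range(3)]   # what the token would display
    print("codes:", codes, "key:", provider.unlock(codes).hex())
```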
7

One of the attacks is registering a debugger for KeePass.exe which would completely replace KeePass.exe with something else, potentially a very good copy that I don't recognize. Others are keyboard loggers.

I did the following to prevent access to the main KeePass database:

  • download the KeePass source
  • remove the mobile version (because that one didn't compile on my PC)
  • make some changes, e.g. change the background color and add an icon, so that I can distinguish my own version from others
  • rename the executable so that it is not affected by a generic debugger attack
  • add some characters of the password in code, so that a keylogger never gets the complete password
  • Change the file extension from .kdbx so that someone watching file accesses cannot find out that this is a KeePass variant and someone scanning the disk will also not find it.
  • Replace all "KeePass" strings in code
  • Compile the new version
  • Do not install it, use a portable USB version only
  • Turn on secure password prompt

Although I cannot update KeePass easily any more, I still think I have a more secure version which is less attackable. Someone would need to create an attack just for my own version, which is unlikely.

You could also:

  • change the file format a bit, e.g. write additional bytes at the beginning, so that the file is harder to detect by signature scanners.

So now the main KeePass database password is quite secure, but it's still possible to access passwords that are copied from KeePass into other applications. An attacker can quickly pop up an invisible window and then activate KeePass again. KeePass will then use the invisible window to paste the password to. Even dual-channel auto-type can hardly prevent this attack, especially if the invisible window passes the data on to the correct window, so you won't notice it.

While I've not implemented a counter-measure for that, I guess I'd do the following:

  • output the window title of the window that KeePass will use to paste passwords to
  • detect short periods of time that KeePass goes into background. Even if you press Alt-Tab twice very fast, there should be ~100 ms between a deactivation and an activation of KeePass

An idea which probably needs administrator rights and needs more Windows Internals knowledge than I currently have:

  • Suspend all programs (or almost all, perhaps keep some Windows executables running) except your modified KeePass and the target program. After pasting the password, un-suspend them. Attackers that e.g. poll the clipboard should be bypassed. Not sure for other notification types like keyboard hooks.

Thomas Weller
4

Which is your main threat?

  1. For most it might be trojan / keylogger software looking for easy money. Some keyloggers detect when you open KeePass and then steal the password and database.

    • Secure your computer. An offline device/phone could be an option.
    • Avoid writing information you will remember. You can write email1 or companyemail2 instead of your actual email.
    • Always write the password with the help of the mouse and in the wrong order. This will block a simple keylogger.
    • A keyfile might block simple keyloggers.
    • KeePass and the database inside an offline virtual machine would block the average keylogger from stealing the database.
  2. Someone wants to go through the effort to brute force your database, or the database is in public.

    • Choose a long random password and use a keyfile.

Cmazay
0

Nasrus has given pretty good suggestions.

Additionally, I don't know if you are already doing it that way, but you can use KeePass on a Linux machine, which would be safer.

Ubuntu or Debian would be fine, but if you are very concerned, you can try Tails, which aims at preserving your privacy and anonymity by focusing on security.