119

How easily could someone crack my keepass .kdbx file if that person steals the file but never obtains the Master Password?

Is this a serious threat, or would a brute force attack require massive computing time?

Assume a password more than 10 characters long with randomly distributed characters of the set including all letters, numbers and most non-alphanumeric keyboard symbols.

steampowered
  • 9
    If you're *really* paranoid, you could drop the .kdbx file in a Truecrypt volume for extra safety. – Iszi Jul 06 '12 at 20:28
  • Since the KeePass source code is open, it should be possible to use it to implement a recovery tool that's a bit smarter than just trying passwords one by one. I remember that there was one tool around, but I've forgotten the name. Maybe Mr. Google can help... –  Jun 23 '13 at 18:06
  • Talking about million years, I guess the data will be useless after 5 years... or maybe less.. – Ahmed Sep 28 '13 at 23:45
  • 1
    @Iszi If you're really paranoid, you never want to put all your eggs in one basket! – F. Hauri - Give Up GitHub Sep 29 '13 at 08:54
  • 3
    @F.Hauri In a sense, putting the KDBX file into a TrueCrypt volume *is* putting your eggs into more than one basket - in this case though, the baskets are inside each other. – Iszi Sep 30 '13 at 13:43
  • 1
    If Moore's law is correct, then every 18 months, in general terms, a computer gets twice as fast. In 50 or 60 years you end up with a number with 14 or 15 numerals, i.e. 1, 2, 4, 8, 16; do that 50 times or 50 years. A password you make now can't be cracked for 50 million years, but a computer in 50 years will crack it in a second – scott Dec 09 '12 at 00:33
  • If you log keyboard strokes or are able to intercept (and proxy) the USB keyfob you use ... it can be almost instantaneously. Just a reminder: Don't discount other attack vectors. – Dan Esparza Mar 30 '16 at 13:47
  • 3
    See this recent article; someone was able to make use of Hashcat, along with their GPU, to crack a kee-pass DB in just 12 minutes. Full guide included for your own tests: https://www.rubydevices.com.au/blog/how-to-hack-keepass ; To answer your question I'd say it is a serious threat. Hashes can always be broken, more or less, given enough time and computing power. – schizoid04 Aug 06 '17 at 06:00
  • 4
    @schizoid04 they used a dictionary attack. I wonder what the original password was? (didn't see the original pw in the article) Obviously a weak password will invalidate the strength of the keepass security scheme. My original question specified "randomly distributed characters" for the pw. – steampowered Aug 06 '17 at 14:15
  • @steampowered the password was `password123` – the reader had to do the attack as an exercise. – Socowi Aug 21 '17 at 19:54

2 Answers

152

KeePass uses a custom password derivation process which includes multiple iterations of symmetric encryption with a random key (which then serves as salt), as explained there. The default number of iterations is 6000, so that's 12000 AES invocations for processing one password (encryption is done on a 256-bit value, AES uses 128-bit blocks, so there must be two AES invocations at least for each round). With a quad-core recent PC (those with the spiffy AES instructions), you should be able to test about 32000 potential passwords per second.

With ten random characters chosen uniformly among the hundred-or-so characters which can be typed on a keyboard, there are 10^20 potential passwords, and brute force will, on average, try half of them. You're in for 10^20*0.5/32000 seconds, also known as 50 million years. But with two PC that's only 25 million years.

This assumes that the password derivation process is not flawed in some way. In "custom password derivation process", the "custom" is a scary word. Also, the number of iterations is configurable (6000 is only the default value).

Tom Leek
  • 71
    +1 for the "with two PC that's only 25 mi..." – woliveirajr Oct 29 '11 at 05:24
  • 2
    You just killed my hopes in recovering the password of my own Keepass store in at least a few days... I especially loved the 25 million year thing, but that would just work if both are trying different offsets, otherwise they'd just do the same work twice... just sayin'. :D –  Mar 15 '12 at 18:46
  • 20
    @DoNuT If it's your own password, you don't have to brute force it. You will have a LOT of information about what kind of passwords you keep, do you put numbers in, do you remember any specific characters (or password length)? All of them can be used to bring down the time immensely. It only takes 25 million years if you want to break someone else's password (and they can't even be "social-engineered"). – recluze Mar 22 '12 at 02:59
  • 5
    Keepass has an excellent feature where you can set the number of iterations based on how many your CPU can perform in 1 second. So this means that *you* wait 1 second for it to decrypt your data, but it limits brute-force attacks to 1 per second, which would discourage most attempts. – Simon East Sep 03 '13 at 10:25
  • 8
    This answer does not demonstrate knowledge of how fast KeePass passwords can be cracked in practice. The answer also ignores GPUs. – Aleksandr Dubinsky Oct 30 '15 at 19:47
  • 1
    @AleksandrDubinsky Ok, so let's assume GPUs and some slick optimizations can increase performance by an order of magnitude. That's *still* 2.5 million years. And even then, only if you're using 2 PCs. – Iszi Nov 18 '15 at 20:13
  • @Iszi I simply observed that the answer is low on information. – Aleksandr Dubinsky Nov 22 '15 at 10:24
  • 1
    @Tom Leek , Can you update this 25 million year thing with current technology ? Say using clusters ? – Dexter May 14 '16 at 06:56
  • 1
    @Dexter The use of a "cluster" is just throwing more hardware at the problem. 50 million years with one computer would be approx one year with 50 million computers (some assumptions, e.g. that you can evenly distribute the work... and that you have access to that many powerful computers). If you want more modern AES-NI figures, [2x-5x](https://calomel.org/aesni_ssl_performance.html). Overall, maybe 10 million computer-years. – Bob Nov 06 '16 at 23:04
  • For some extra security, Keepass allows you to automatically calculate the amount of iterations in such a way that it takes exactly one second on the current computer to open or save the database. That's well within acceptable time limits and makes brute forcing completely infeasible. – Hugo Jun 12 '19 at 22:18
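
The estimate in the answer above, generalized into a small cost model so a database owner can check what iteration count and password length buy against a given attacker. This is an added example, not part of the original answer or of KeePass; the function names are hypothetical, the AES throughput is derived from the answer's own figures (32000 guesses/s at 6000 rounds), and the attacker is assumed to scale linearly with machine count.

```python
"""Brute-force cost model for the KeePass key transform described above."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Derived from the answer's figures (assumption): 32000 guesses/s at
# 6000 rounds, two AES block encryptions per round, per quad-core PC.
ANSWER_AES_BLOCKS_PER_SEC = 32000 * 6000 * 2


def guesses_per_second(iterations, aes_blocks_per_sec=ANSWER_AES_BLOCKS_PER_SEC,
                       machines=1):
    """Each round encrypts a 256-bit value, i.e. two 128-bit AES blocks."""
    return machines * aes_blocks_per_sec / (2 * iterations)


def mean_years_random(alphabet, length, iterations, **attacker):
    """Mean time to find a uniformly random password: half the keyspace."""
    keyspace = alphabet ** length
    rate = guesses_per_second(iterations, **attacker)
    return keyspace / 2 / rate / SECONDS_PER_YEAR


def wordlist_seconds(entries, iterations, **attacker):
    """Worst-case time to exhaust a dictionary of candidate passwords."""
    return entries / guesses_per_second(iterations, **attacker)


def min_random_length(target_years, alphabet, iterations, **attacker):
    """Shortest uniformly random password whose mean crack time meets the target."""
    length = 1
    while mean_years_random(alphabet, length, iterations, **attacker) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # The answer's case: 10 random chars from ~100 symbols, 6000 rounds, one PC.
    print(f"1 PC:     {mean_years_random(100, 10, 6000):,.0f} years")
    # The 5000-machine cluster raised in the second answer.
    print(f"5000 PCs: {mean_years_random(100, 10, 6000, machines=5000):,.0f} years")
    # Rounds tuned so this PC manages one guess per second (the setting in the comments).
    one_sec_rounds = ANSWER_AES_BLOCKS_PER_SEC // 2
    print(f"1 s KDF:  {mean_years_random(100, 10, one_sec_rounds):.2e} years")
    # A dictionary password falls quickly whatever the KDF default
    # (14,000,000-entry wordlist size is a constructed sample value).
    print(f"wordlist: {wordlist_seconds(14_000_000, 6000):.1f} s")
    print("length for 100,000 years vs 5000 PCs:",
          min_random_length(100_000, 100, 6000, machines=5000))
```
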
-8

You are right, it takes a long time. But don't forget that you don't need to try every password combination. If you hit the correct one you are done. So you don't really need 50 million years. And you have a lot more options than using 2 quad-core PCs. You can use an Amazon Cloud based Cluster and can start 5000 High CPU instances. Of course this is expensive, but you don't need to buy 5000 high-end computers, so it decreases the price dramatically.

But I don't know how long it will take you to brute-force that by using a Cluster. And of course you are right that it takes a long time for a normal PC today.

  • 18
    a) 50 million years is the *average* time to crack, so we've already factored in the fact that you might get it on the first day. (You might just as likely also get it on the last day of the 100 millionth year.) b) With 5,000 PCs you get the average down to 10,000 years, which is scant consolation. – Graham Hill Nov 06 '12 at 11:51
  • 26
    Back of an envelope, using ec2 GPU instances it would cost about $2 Billion dollars for 50 Million years of CPU time (per GPU core). You would really have to be worth hacking for that much money. – Jeremy French Nov 26 '12 at 14:40
  • 2
    @JeremyFrench Cheaper to hire a honey trap spy. [Or to buy a wrench](https://xkcd.com/538/). – gerrit Jul 11 '19 at 08:50