Is it a safe practice to sync with a KeePass database that is stored on an off-site server?

The database is accessed primarily through my Android running 4.4.2. I access/sync my KeePass database by accessing my Dropbox through the Dropbox app via the KeePassDroid app. I haven't been doing this over a VPN, as Bitmask has stopped working for me ever since the latest update.

schroeder
user117619
  • I'm at a loss as to why someone would downvote this question. Any help understanding this would be very much appreciated. – user117619 Jul 22 '15 at 22:47
  • 1
    I think some more information about your environment might help. Who owns the hardware at the off-site location? Is it some cloud solution (Dropbox/Google Drive)? Is the database only syncing through a VPN? Is the database publicly accessible? Providing this type of information will help people understand your current situation and what you're specifically trying to accomplish. Have a look at [this question](http://security.stackexchange.com/questions/45272/storing-keepass-database-in-cloud-how-safe), it might provide some answers for you. – JekwA Jul 22 '15 at 23:23

1 Answer

Are you worried that someone may break your AES/Rijndael 256-encrypted database? If your key sucks, then yeah, you should be worried.

It's always good to elaborate on what your fears are.

If you're afraid that a government agency may have the resources to compromise your KeePass database - I wouldn't be worried about that, they have other ways to get what they need.

If you think a hacking group is looking to break your precious database of cloudy accounts, then it's more likely that you become a victim of a drive-by (e.g. malware on your droid).

In all cases, the baddies will go after the lowest hanging fruit, and in this case it's not the KeePass database - it's as solid as you need it to be. However, your Android may not be as solid as you think. The endpoint is usually the weakest link, especially if it's a phone.

Milen
  • 1
    Milen, ever since I was hacked and saw video of myself in the privacy and sanctity of my own home, video that was taken without my knowledge or consent, I have tried to be ultra vigilant about security. For instance, I no longer use any Google products if I can help it, root all my phones so I can run afwall+ and snoopsnitch, remove or tape over any webcams, remove microphones and GPS units etc., etc. I even have difficulty communicating with loved ones, as I'm sure my attackers worked on the three hops principle and compromised their phones and computers, so they could watch me. – user117619 Jul 26 '15 at 02:41
  • So saying, my ultimate purpose in asking the things I do here is due to me running into an idea and wondering if it could be used to reinfect me, thus keeping the creepy as hell surveillance going. Ultimately, I would like to meet some people in real life who would help me learn how to mitigate threats to my privacy. Of course, I could just move to a cabin somewhere completely off the grid, but I shouldn't have to do that, since I've done nothing wrong. I also think a move like that would basically be akin to admitting defeat; something I'm not willing to do. – user117619 Jul 26 '15 at 02:49
  • I should add that it sucks to feel like people are always potentially watching you, and is precisely the reason I now use TAILS for the majority of online activity. Yes, my passwords for everything now are 20+ random characters, numbers and symbols. I use Linux now instead of Windows. And I'm still, always afraid that some jerks with a voyeuristic bent are watching everything I do. I mean, I know that's probably not the case but I try to operate as though it is the case. – user117619 Jul 26 '15 at 02:57
  • I've admitted myself to various psych wards four times due to suicidal ideation over having been shamed to the extent I was, and am currently in counseling trying to deal with the most private and intimate parts of my life being thrown out in public. So, I've outlined my fears and activities that are a direct result of having been doxed. What do you think I should do to keep myself safe and my privacy intact? – user117619 Jul 26 '15 at 03:05
  • For someone to watch you over a webcam, they must have compromised your device/endpoint. That rarely has anything to do with KeePass, unless you have remote access details to your home computer/network/storage/etc. This goes beyond the scope of the original question, but I would say that it's unlikely that KeePass is your problem. An attacker would compromise the weakest link in your security, and it seems that one or more of your hosts have been compromised. Google and other cloudy services aren't inherently insecure; the way we use them makes them insecure. – Milen Jul 26 '15 at 05:14
  • To add - I'm sorry to hear that your security has been compromised. Personally, I don't do anything "special" when it comes to my own info security. I could have very easily been in your situation. Nobody's perfectly safe, even the most security conscious people; you have to make just one tiny mistake, and you'll be out of luck. Certainly, it doesn't mean that you should stop being security conscious and take all reasonable measures. But you must assume that by using electronic devices your privacy is at risk. There are far worse things in life than being watched. Good luck and God bless. – Milen Jul 26 '15 at 05:26
  • I realize that KeePass wasn't my problem. My attackers installed a RAT, à la Remote Control Systems, which had a keylogger, which is how my Google account was compromised etc. At the time of the attack, I was blissfully unaware of all this malware/spyware etc., and was far more concerned with reading about philosophy than I was about the fact that I used the same password for everything. It has been a real eye opening experience to try to learn about what I should do for security and why, in such a short time. Any "I wonder"s now automatically get at least a Startpage query at the least. – user117619 Jul 26 '15 at 05:26
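
The answer's point that the database is only as strong as its key can be checked on the file itself before it is synced off-site. The following is an added example, not part of the original thread: it goes beyond the answer by reading the cipher and key-transformation round count from a KDBX 3.x (KeePass 2.x) header. It assumes the database is in that format; `MIN_ROUNDS` is a hypothetical local policy value and the sample header is constructed here.

```python
import struct

# KDBX 3.x outer header (KeePass 2.x): two magic words, a version, then
# TLV fields: 1-byte id, 2-byte little-endian length, value.
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
AES256_CIPHER_ID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
FIELD_END, FIELD_CIPHER, FIELD_ROUNDS = 0, 2, 6
MIN_ROUNDS = 1_000_000  # assumed local policy threshold, not a KeePass value


def read_kdbx3_header(blob: bytes) -> dict:
    """Return cipher and AES-KDF round count from a KDBX 3.x header."""
    if len(blob) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KeePass 2.x (KDBX) file")
    if major != 3:
        raise ValueError(f"KDBX major version {major} is not handled here")
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(blob):
            raise ValueError("header truncated before end-of-header field")
        fid, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        if pos + length > len(blob):
            raise ValueError("field length runs past end of data")
        fields[fid] = blob[pos:pos + length]
        pos += length
        if fid == FIELD_END:
            break
    if FIELD_CIPHER not in fields or len(fields.get(FIELD_ROUNDS, b"")) != 8:
        raise ValueError("missing cipher or transform-rounds field")
    rounds = struct.unpack("<Q", fields[FIELD_ROUNDS])[0]
    return {"aes256": fields[FIELD_CIPHER] == AES256_CIPHER_ID,
            "rounds": rounds, "rounds_ok": rounds >= MIN_ROUNDS}


def build_sample_header(rounds: int) -> bytes:
    """Constructed test input: a minimal KDBX 3.1 header, no real data."""
    def tlv(fid, value):
        return struct.pack("<BH", fid, len(value)) + value
    return (struct.pack("<IIHH", SIG1, SIG2, 1, 3)
            + tlv(FIELD_CIPHER, AES256_CIPHER_ID)
            + tlv(FIELD_ROUNDS, struct.pack("<Q", rounds))
            + tlv(FIELD_END, b"\r\n\r\n"))

if __name__ == "__main__":
    print(read_kdbx3_header(build_sample_header(6000)))
```

A low round count makes each offline guess against a copied file cheaper, so it matters most when the master password itself is weak.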