29

I keep my KeePass .kdb database in a remote location, and I never overwrite the old versions; I just append the date to the new version I'm uploading. So it looks like this:

db.kdb_2015-01-01
db.kdb_2015-02-01
db.kdb_2015-02-04
db.kdb_2015-04-01
db.kdb_2015-05-02
....

There are a couple of dozen of these. All have the same passphrase, and there's a slight difference between two successive ones. I keep them in case one day I notice I deleted/edited something I shouldn't have.

So is a group of very similar .kdb files with the same passphrase easier to "crack" than just one?

  • 3
    Pretty clever risk analysis: cryptography weakens with volume, as secret weakens with use. – dan Aug 01 '15 at 19:21
  • 1
    If that was unsafe, I would consider it to be a design flaw in KeePass. There are numerous ways older versions of the encrypted password storage could leak. (Sectors which are freed but not overwritten, wear-leveling, remapped sectors, backups, file stored on a network share, etc.) The only safe assumption to make when designing a password manager is that the adversary receives a copy of every revision of the encrypted storage as soon as a change has been written. – kasperd Aug 01 '15 at 22:15
  • You do realize KeePass keeps a history of your old passwords inside the database as well? For that purpose there is no need to keep multiple versions of the database. – Jeff Aug 02 '15 at 08:22
  • @Jeff, yes I do, it does not keep the edits though. – Dominykas Mostauskis Aug 02 '15 at 09:12
  • 3
    @DominykasMostauskis what version are you using? My version 2.29 keeps a history of every single edit I make. You are probably using the Classic version? When you switch to the professional version (just as free) you get the full history. – Jeff Aug 02 '15 at 13:25
  • @Jeff, you are right, I neglected to mention I'm using 1.x. I've switched to the first version, because I found it more portable. Can't remember the details exactly, but when I was switching to Linux often, I had problems using the 2.x version .kdb files. – Dominykas Mostauskis Aug 03 '15 at 10:21

3 Answers

29

Short answer:
it's probably fine, but make sure to regularly delete really old files.

Long answer:
There are a few reasons why it could be a problem. To illustrate some cases, let us assume an attacker gets hold of all these files, rather than just one (i.e., the most recent one). What could cause your approach to be less secure? Here are some hypothetical possibilities (that could become real in the future):

  • There was a vulnerability in an earlier version of KeePass, which has since been patched, but that stored data in an insecure way. This could lead to the passwords up to that version being compromised, while deleting the older ones would have no effect.

  • KeePass encrypts the passwords, but has some cryptographically weak way of storing the passwords. For example, let's say it does not use randomized encryption. This means that an information leak exists: the attacker could see when accounts were added or removed, by looking at the difference between files (assuming the order of the passwords remains the same).

The KeePass Wikipedia page only says that AES or Twofish can be used as ciphers. These can be considered secure, but the bigger question for the above is how they are used. There are many more potential cryptographic vulnerabilities that could exist (just look at the problems we saw in recent years with SSL/TLS). However, those are likely to be theoretical in nature, and likely to affect both the case where you only have one file, and the case where you have multiple. Thus, unless you're storing extremely sensitive passwords, keeping a few backup files probably doesn't hurt.

  • Do you have a reference for the bug? I could only find a reference to a trojan injection bug. – l0b0 Aug 01 '15 at 22:44
  • 1
    @l0b0, I believe that he is referring to a hypothetical bug or flaw. (or a potential undisclosed zero-hour), rather than an actual known bug. – Stack Tracer Aug 02 '15 at 02:16
  • Yeah, that was a hypothetical example, which is fitting here because we're talking about old files being preserved, which might be vulnerable against bugs that are found in the future. I'll clarify the answer. – Rens van der Heijden Aug 02 '15 at 14:09
  • I don't think Keepass encrypts the password at all - if it did store it in any form, that would be a substantial security concern. It uses the password and/or key file to generate a hash, which is then used as encryption key for the database. – Kevin Keane Aug 03 '15 at 02:57
  • 1
    @KevinKeane I assume the answer was talking about encrypting the stored passwords (note the plural). These *must* be available in plain text -- that's the point of a password manager. – Chris H Aug 03 '15 at 09:24
18

Let us assume that the attacker knows that the passphrase for all the database files is the same. What you have in mind is a two-time pad attack, where we have multiple ciphertexts encrypted with the same key.

Fortunately, modern ciphers such as AES, which is used by KeePass, are designed to be resistant against such attacks. AES is even used to encrypt HTTP packets through SSL/TLS. Each time you browse a website securely, thousands of these packets are encrypted using the same session key, then transmitted. Attackers can easily sniff these packets and they know that all of these packets are encrypted using the same key, however they are still unable to crack it. This shows that such ciphers are resistant against such attacks.

One example of a cipher that is weak against such an attack is the famous one-time pad. Hence the name: you are not supposed to reuse the pad. However, there is no such restriction when dealing with modern ciphers.

limbenjamin
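To make the randomized-encryption point from the first answer and the two-time pad from this one concrete, here is an added example (not code from the question, the answers, or KeePass itself) using a constructed SHA-256-based toy stream cipher: with the same key and a fixed nonce, two backups' ciphertexts differ exactly where the plaintexts differ and XOR to the plaintext XOR, whereas a fresh random nonce per save gives ciphertexts that differ almost everywhere. The keystream construction, the key and the sample "databases" are all constructed for illustration.

```python
import hashlib
import os
from typing import List, Optional, Tuple

NONCE_LEN = 16

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream SHA-256(key || nonce || counter); constructed for
    # illustration only, not KeePass's real AES/Twofish construction.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    # Randomized mode draws a fresh nonce per save; a fixed nonce simulates a
    # deterministic design. The nonce is stored in front of the body.
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))

def changed_positions(c1: bytes, c2: bytes) -> List[int]:
    # Byte offsets where two ciphertext bodies (nonce stripped) differ.
    return [i for i, (x, y) in enumerate(zip(c1[NONCE_LEN:], c2[NONCE_LEN:])) if x != y]

# Constructed sample "databases": successive backups that differ in one password.
DB_V1 = b"site=example.org;user=alice;pw=hunter2;site=mail;user=alice;pw=s3cret"
DB_V2 = b"site=example.org;user=alice;pw=hunter2;site=mail;user=alice;pw=NEWpw1"
KEY = hashlib.sha256(b"same passphrase for every backup").digest()

def deterministic_leak() -> Tuple[List[int], bytes]:
    # Same key and same nonce for both saves: the two-time pad. The diff pins the
    # edited bytes, and XOR of the ciphertexts equals XOR of the plaintexts.
    fixed = b"\x00" * NONCE_LEN
    c1, c2 = encrypt(KEY, DB_V1, fixed), encrypt(KEY, DB_V2, fixed)
    return changed_positions(c1, c2), xor(c1[NONCE_LEN:], c2[NONCE_LEN:])

def randomized_fraction_changed() -> float:
    # Fresh nonce per save: nearly every byte differs, so the diff reveals nothing.
    c1, c2 = encrypt(KEY, DB_V1), encrypt(KEY, DB_V2)
    return len(changed_positions(c1, c2)) / len(DB_V1)
```

The check a defender cares about is the second function: when each save gets a fresh nonce (as a sound database format should), comparing two backups tells an observer nothing about which entries changed.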
0

Let's assume that Keepass is not 100% secure (a safe assumption since nothing is 100% secure). If an attacker has one copy of your Keepass database, that's all he has to work with.

If an attacker has two different copies of your Keepass database, the attacker may be able to attack:

  • The latest copy.
  • The earlier copy. Presumably, this will not be easier, but you do not know that.
  • The difference between the two.

Now if the attacker also knows when you signed up for Ashley Madison (or Gawker or any other site that has been hacked), the hacker may be able to find the Keepass file created just before and the one just after you signed up, identify the difference, and will have a good idea of the plain text of the difference. That is likely to make breaking the encryption substantially less hard (hopefully still hard enough, but it can still help the attacker a lot).

Kevin Keane
  • "identify the difference, and will have a good idea of the plain text of the difference." I really hope you are wrong. Wouldn't it be trivial to randomize the order on each save? I'm just speculating, I've no knowledge of KeePass inner workings. – Dominykas Mostauskis Aug 03 '15 at 10:23
  • A chosen/known plain text attack is one of the basic things a cipher designer considers and is certainly not a weakness of AES or Twofish. In fact, like @limbenjamin said above, AES is even used to encrypt HTTP, which has completely predictable headers. More generally, a good block cipher will protect both the plain text and the key from any possible "reverse engineering". – billc.cn Aug 05 '15 at 14:52
  • 1
    This reads as speculation, seemingly based on the assumption, "The more information an attacker has to work with the easier the attack is, regardless of other factors." This assumption is not true; the cryptographic method used *is* a factor which affects the ease of an attack, regardless of the quantity of information available. – Wildcard Jan 08 '17 at 13:05
  • @Wildcard Of course other factors play a role, but it is equally true that having more information also makes an attack easier. A cryptographic method may be able to minimize the benefit. It also matters if the additional information is related or not. Example: assume you have two identical Keepass databases encrypted with two different passphrases. Having double the information means that the attacker has twice the chance of guessing the right passphrase (which of course may still be minuscule if he has to brute-force the passphrase, or make a big difference if he can use a dictionary). – Kevin Keane Jan 09 '17 at 21:00