Solved

how secure is keep pass manager

Posted on 2014-12-19
8
257 Views
Last Modified: 2014-12-26
Hi,
Just curious...  How secure is the encrypting file when using a password manager such as keep pass?   The file itself has protection but what would prevent someone from using a script for guessing the master file through the manager program?
0
Comment
Question by:snoopaloop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 24

Accepted Solution

by:
Eirman earned 167 total points
ID: 40510294
I presume that you are referring to KeePass

I had a good look at it, and it looks very secure to me.  The key security features are ....
AES encryption to encrypt its password databases,
SHA-256 password hash, protection against dictionary and guessing attacks & in-memory protection & More

If you are worried about a keylogger capturing your master password, then you should follow normal security practices that are described in many articles here on EE .... make sure you have anti-virus & anti-malware actively running, use a router, even if you only have one PC and don't use an account with admin privileges unless you need to.

You could always use truecrypt as an extra layer of security ...
https://www.grc.com/misc/truecrypt/truecrypt.htm
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510305
Just to be on the safe side, I'd recommend using the sourceforge link for downloading the program.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 40510413
TC is abandoned, but resurrected with CipherShed: https://ciphershed.org/ https://twitter.com/TrueCryptNext
KeePass had a DLL issue in 2.1 something and prior. All password managers are subject to possible brute force attacks: http://www.openwall.com/lists/john-users/2013/04/12/2 
Secure is a relative term, but as with most things security related, it depends on the weakest link. If your AV doesn't catch that particular keylogger that day, it's not keepass' issue, it was the weakest link. If you used version 2.11 and something took advantage of the dll hijacking exploit, then keepass was the weakest link. Or you get the Citidel virus: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/ 

I use a PWD Manager, i happen to like PasswordSafe, but it's no better or worse than most others. I have to make sure my other activities do not lessen the security of the manger. I would suggest you not use an online one however, rather I will never use a cloud based one, I've seen how bad people make cloud software.
https://agilebits.com/onepassword not for me -> http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/
-rich
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 
LVL 1

Author Comment

by:snoopaloop
ID: 40510495
Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510528
I totally agree with richrumble regarding the cloud ..... I only use it for backup.
I create an encrypted container (with bestcrypt) and split it into suitably sized chunks *.001 *.002 etc and upload.

Removing the file extension (or making up your own) then right-clicking and using "open with"
would certainly hide the file from malicious programs.
http://www.thewindowsclub.com/remove-click-context-menu-items-editors
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40510705
"How secure is my keepass password database against brute force attacks?" - is this what you are asking? http://keepass.info/help/base/security.html#secdictprotect fully answers it: very secure on windows at least. But it holds also a hint on improving it, in case you  are using that database on a pc and not on a weak portable device such as an old tablet. Read it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40510739
>Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
A virus like Citadel goes after the running process, and lays in wait until it's launched. I suppose you could rename the exe first, but it's a strawman/security through obscurity method.
Having a manager is fine, knowing the weakest links in your security will help keep the passwords secure.
Close the manager when your done using it, or have it close automatically if it supports that.
Have a look at a few of my articles here:
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
The passwords and the manager aren't your weakest link often, it's the security of the party your using more times that not.
-rich
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 40519299
thanks!
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question