Solved

how secure is keep pass manager

Posted on 2014-12-19
8
252 Views
Last Modified: 2014-12-26
Hi,
Just curious...  How secure is the encrypting file when using a password manager such as keep pass?   The file itself has protection but what would prevent someone from using a script for guessing the master file through the manager program?
0
Comment
Question by:snoopaloop
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Accepted Solution

by:
Eirman earned 167 total points
ID: 40510294
I presume that you are referring to KeePass

I had a good look at it, and it looks very secure to me.  The key security features are ....
AES encryption to encrypt its password databases,
SHA-256 password hash, protection against dictionary and guessing attacks & in-memory protection & More

If you are worried about a keylogger capturing your master password, then you should follow normal security practices that are described in many articles here on EE .... make sure you have anti-virus & anti-malware actively running, use a router, even if you only have one PC and don't use an account with admin privileges unless you need to.

You could always use truecrypt as an extra layer of security ...
https://www.grc.com/misc/truecrypt/truecrypt.htm
0
 
LVL 23

Expert Comment

by:Eirman
ID: 40510305
Just to be on the safe side, I'd recommend using the sourceforge link for downloading the program.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 40510413
TC is abandoned, but resurrected with CipherShed: https://ciphershed.org/ https://twitter.com/TrueCryptNext
KeePass had a DLL issue in 2.1 something and prior. All password managers are subject to possible brute force attacks: http://www.openwall.com/lists/john-users/2013/04/12/2 
Secure is a relative term, but as with most things security related, it depends on the weakest link. If your AV doesn't catch that particular keylogger that day, it's not keepass' issue, it was the weakest link. If you used version 2.11 and something took advantage of the dll hijacking exploit, then keepass was the weakest link. Or you get the Citidel virus: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/ 

I use a PWD Manager, i happen to like PasswordSafe, but it's no better or worse than most others. I have to make sure my other activities do not lessen the security of the manger. I would suggest you not use an online one however, rather I will never use a cloud based one, I've seen how bad people make cloud software.
https://agilebits.com/onepassword not for me -> http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/
-rich
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 1

Author Comment

by:snoopaloop
ID: 40510495
Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
0
 
LVL 23

Expert Comment

by:Eirman
ID: 40510528
I totally agree with richrumble regarding the cloud ..... I only use it for backup.
I create an encrypted container (with bestcrypt) and split it into suitably sized chunks *.001 *.002 etc and upload.

Removing the file extension (or making up your own) then right-clicking and using "open with"
would certainly hide the file from malicious programs.
http://www.thewindowsclub.com/remove-click-context-menu-items-editors
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40510705
"How secure is my keepass password database against brute force attacks?" - is this what you are asking? http://keepass.info/help/base/security.html#secdictprotect fully answers it: very secure on windows at least. But it holds also a hint on improving it, in case you  are using that database on a pc and not on a weak portable device such as an old tablet. Read it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40510739
>Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
A virus like Citadel goes after the running process, and lays in wait until it's launched. I suppose you could rename the exe first, but it's a strawman/security through obscurity method.
Having a manager is fine, knowing the weakest links in your security will help keep the passwords secure.
Close the manager when your done using it, or have it close automatically if it supports that.
Have a look at a few of my articles here:
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
The passwords and the manager aren't your weakest link often, it's the security of the party your using more times that not.
-rich
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 40519299
thanks!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
OnPage: Incident management and secure messaging on your smartphone
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question