Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

how secure is keep pass manager

Posted on 2014-12-19
8
Medium Priority
?
266 Views
Last Modified: 2014-12-26
Hi,
Just curious...  How secure is the encrypting file when using a password manager such as keep pass?   The file itself has protection but what would prevent someone from using a script for guessing the master file through the manager program?
0
Comment
Question by:snoopaloop
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 24

Accepted Solution

by:
Eirman earned 668 total points
ID: 40510294
I presume that you are referring to KeePass

I had a good look at it, and it looks very secure to me.  The key security features are ....
AES encryption to encrypt its password databases,
SHA-256 password hash, protection against dictionary and guessing attacks & in-memory protection & More

If you are worried about a keylogger capturing your master password, then you should follow normal security practices that are described in many articles here on EE .... make sure you have anti-virus & anti-malware actively running, use a router, even if you only have one PC and don't use an account with admin privileges unless you need to.

You could always use truecrypt as an extra layer of security ...
https://www.grc.com/misc/truecrypt/truecrypt.htm
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510305
Just to be on the safe side, I'd recommend using the sourceforge link for downloading the program.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 668 total points
ID: 40510413
TC is abandoned, but resurrected with CipherShed: https://ciphershed.org/ https://twitter.com/TrueCryptNext
KeePass had a DLL issue in 2.1 something and prior. All password managers are subject to possible brute force attacks: http://www.openwall.com/lists/john-users/2013/04/12/2 
Secure is a relative term, but as with most things security related, it depends on the weakest link. If your AV doesn't catch that particular keylogger that day, it's not keepass' issue, it was the weakest link. If you used version 2.11 and something took advantage of the dll hijacking exploit, then keepass was the weakest link. Or you get the Citidel virus: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/ 

I use a PWD Manager, i happen to like PasswordSafe, but it's no better or worse than most others. I have to make sure my other activities do not lessen the security of the manger. I would suggest you not use an online one however, rather I will never use a cloud based one, I've seen how bad people make cloud software.
https://agilebits.com/onepassword not for me -> http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/
-rich
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
LVL 1

Author Comment

by:snoopaloop
ID: 40510495
Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510528
I totally agree with richrumble regarding the cloud ..... I only use it for backup.
I create an encrypted container (with bestcrypt) and split it into suitably sized chunks *.001 *.002 etc and upload.

Removing the file extension (or making up your own) then right-clicking and using "open with"
would certainly hide the file from malicious programs.
http://www.thewindowsclub.com/remove-click-context-menu-items-editors
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 664 total points
ID: 40510705
"How secure is my keepass password database against brute force attacks?" - is this what you are asking? http://keepass.info/help/base/security.html#secdictprotect fully answers it: very secure on windows at least. But it holds also a hint on improving it, in case you  are using that database on a pc and not on a weak portable device such as an old tablet. Read it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40510739
>Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
A virus like Citadel goes after the running process, and lays in wait until it's launched. I suppose you could rename the exe first, but it's a strawman/security through obscurity method.
Having a manager is fine, knowing the weakest links in your security will help keep the passwords secure.
Close the manager when your done using it, or have it close automatically if it supports that.
Have a look at a few of my articles here:
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
The passwords and the manager aren't your weakest link often, it's the security of the party your using more times that not.
-rich
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 40519299
thanks!
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question