[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

how secure is keep pass manager

Posted on 2014-12-19
8
Medium Priority
?
271 Views
Last Modified: 2014-12-26
Hi,
Just curious...  How secure is the encrypting file when using a password manager such as keep pass?   The file itself has protection but what would prevent someone from using a script for guessing the master file through the manager program?
0
Comment
Question by:snoopaloop
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 24

Accepted Solution

by:
Eirman earned 668 total points
ID: 40510294
I presume that you are referring to KeePass

I had a good look at it, and it looks very secure to me.  The key security features are ....
AES encryption to encrypt its password databases,
SHA-256 password hash, protection against dictionary and guessing attacks & in-memory protection & More

If you are worried about a keylogger capturing your master password, then you should follow normal security practices that are described in many articles here on EE .... make sure you have anti-virus & anti-malware actively running, use a router, even if you only have one PC and don't use an account with admin privileges unless you need to.

You could always use truecrypt as an extra layer of security ...
https://www.grc.com/misc/truecrypt/truecrypt.htm
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510305
Just to be on the safe side, I'd recommend using the sourceforge link for downloading the program.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 668 total points
ID: 40510413
TC is abandoned, but resurrected with CipherShed: https://ciphershed.org/ https://twitter.com/TrueCryptNext
KeePass had a DLL issue in 2.1 something and prior. All password managers are subject to possible brute force attacks: http://www.openwall.com/lists/john-users/2013/04/12/2 
Secure is a relative term, but as with most things security related, it depends on the weakest link. If your AV doesn't catch that particular keylogger that day, it's not keepass' issue, it was the weakest link. If you used version 2.11 and something took advantage of the dll hijacking exploit, then keepass was the weakest link. Or you get the Citidel virus: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/ 

I use a PWD Manager, i happen to like PasswordSafe, but it's no better or worse than most others. I have to make sure my other activities do not lessen the security of the manger. I would suggest you not use an online one however, rather I will never use a cloud based one, I've seen how bad people make cloud software.
https://agilebits.com/onepassword not for me -> http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/
-rich
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 1

Author Comment

by:snoopaloop
ID: 40510495
Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
0
 
LVL 24

Expert Comment

by:Eirman
ID: 40510528
I totally agree with richrumble regarding the cloud ..... I only use it for backup.
I create an encrypted container (with bestcrypt) and split it into suitably sized chunks *.001 *.002 etc and upload.

Removing the file extension (or making up your own) then right-clicking and using "open with"
would certainly hide the file from malicious programs.
http://www.thewindowsclub.com/remove-click-context-menu-items-editors
0
 
LVL 58

Assisted Solution

by:McKnife
McKnife earned 664 total points
ID: 40510705
"How secure is my keepass password database against brute force attacks?" - is this what you are asking? http://keepass.info/help/base/security.html#secdictprotect fully answers it: very secure on windows at least. But it holds also a hint on improving it, in case you  are using that database on a pc and not on a weak portable device such as an old tablet. Read it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40510739
>Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
A virus like Citadel goes after the running process, and lays in wait until it's launched. I suppose you could rename the exe first, but it's a strawman/security through obscurity method.
Having a manager is fine, knowing the weakest links in your security will help keep the passwords secure.
Close the manager when your done using it, or have it close automatically if it supports that.
Have a look at a few of my articles here:
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
The passwords and the manager aren't your weakest link often, it's the security of the party your using more times that not.
-rich
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 40519299
thanks!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This blog will spread awareness about Dropbox. We have given the statements based upon our experience. Along with this, there is a section of some new plans that should be added in Dropbox this year. This will make the storage service enhanced from …
There's never been a better time to become a computer scientist. Employment growth in the field is expected to reach 22% overall by 2020, and if you want to get in on the action, it’s a good idea to think about at least minoring in computer science …
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…
Suggested Courses

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question