Solved

how secure is keep pass manager

Posted on 2014-12-19
8
253 Views
Last Modified: 2014-12-26
Hi,
Just curious...  How secure is the encrypting file when using a password manager such as keep pass?   The file itself has protection but what would prevent someone from using a script for guessing the master file through the manager program?
0
Comment
Question by:snoopaloop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Accepted Solution

by:
Eirman earned 167 total points
ID: 40510294
I presume that you are referring to KeePass

I had a good look at it, and it looks very secure to me.  The key security features are ....
AES encryption to encrypt its password databases,
SHA-256 password hash, protection against dictionary and guessing attacks & in-memory protection & More

If you are worried about a keylogger capturing your master password, then you should follow normal security practices that are described in many articles here on EE .... make sure you have anti-virus & anti-malware actively running, use a router, even if you only have one PC and don't use an account with admin privileges unless you need to.

You could always use truecrypt as an extra layer of security ...
https://www.grc.com/misc/truecrypt/truecrypt.htm
0
 
LVL 23

Expert Comment

by:Eirman
ID: 40510305
Just to be on the safe side, I'd recommend using the sourceforge link for downloading the program.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 40510413
TC is abandoned, but resurrected with CipherShed: https://ciphershed.org/ https://twitter.com/TrueCryptNext
KeePass had a DLL issue in 2.1 something and prior. All password managers are subject to possible brute force attacks: http://www.openwall.com/lists/john-users/2013/04/12/2 
Secure is a relative term, but as with most things security related, it depends on the weakest link. If your AV doesn't catch that particular keylogger that day, it's not keepass' issue, it was the weakest link. If you used version 2.11 and something took advantage of the dll hijacking exploit, then keepass was the weakest link. Or you get the Citidel virus: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/ 

I use a PWD Manager, i happen to like PasswordSafe, but it's no better or worse than most others. I have to make sure my other activities do not lessen the security of the manger. I would suggest you not use an online one however, rather I will never use a cloud based one, I've seen how bad people make cloud software.
https://agilebits.com/onepassword not for me -> http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/
-rich
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 1

Author Comment

by:snoopaloop
ID: 40510495
Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
0
 
LVL 23

Expert Comment

by:Eirman
ID: 40510528
I totally agree with richrumble regarding the cloud ..... I only use it for backup.
I create an encrypted container (with bestcrypt) and split it into suitably sized chunks *.001 *.002 etc and upload.

Removing the file extension (or making up your own) then right-clicking and using "open with"
would certainly hide the file from malicious programs.
http://www.thewindowsclub.com/remove-click-context-menu-items-editors
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40510705
"How secure is my keepass password database against brute force attacks?" - is this what you are asking? http://keepass.info/help/base/security.html#secdictprotect fully answers it: very secure on windows at least. But it holds also a hint on improving it, in case you  are using that database on a pc and not on a weak portable device such as an old tablet. Read it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40510739
>Maybe I should toss the file extension to make it a more ambiguous file for whatever manager I use.
A virus like Citadel goes after the running process, and lays in wait until it's launched. I suppose you could rename the exe first, but it's a strawman/security through obscurity method.
Having a manager is fine, knowing the weakest links in your security will help keep the passwords secure.
Close the manager when your done using it, or have it close automatically if it supports that.
Have a look at a few of my articles here:
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
The passwords and the manager aren't your weakest link often, it's the security of the party your using more times that not.
-rich
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 40519299
thanks!
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question