Improve KeePass security with this simple configuration change - harlan4096 - 05 February 23
Quote:KeePass, like many other password managers, relies on a primary password that protects the entire database of passwords and information. If an attacker manages to obtain that single password, all other passwords and information is unlocked.
The password manager stores its database locally, which means that users do not have to worry about server breaches that steal password vaults, like the recent LastPass incident. Some KeePass users host their password files in the cloud, which opens up the possibility of the password database being copied again through server-side attacks.
Brute force attacks are still very common when it comes to cracking encrypted password databases. Most attackers use dictionaries for that, which contain hundreds of thousands or even millions of common passwords. Real brute force attacks are expensive, as every combination of characters needs to be tested.
Considering that passwords may consist of uppercase and lowercase letters, digits and symbols, this soon gets way to expensive in most cases.
Increasing KeePass security
The primary key that unlocks the KeePass database is of utmost importance. If it is weak, chance is high that a potential attacker may be able to brute force or even guess it.
KeePass users have two main options at their disposal to increase the security of the account. The first is the master password itself. Increasing the length of the password improves the security exponentially.
While that means having to memorize a new password, it is the best option to improve the security of the password database.
To do so in KeePass Password Safe, unlock the password database with the master password and select File > Change Master Key using the menu at the top.
Type the new primary password in the master password and repeat password field and select OK to complete the process.
Note that it needs to be longer than the old to improve security. Also, using a combination of letters, digits and symbols is recommended.
The Key Derivation settings
The second option that KeePass users have is to change the key derivation function and make changes to its number of iterations.
KeePass supports several, including Argon2d, Argon 2id and the classic AES-KDF.
If AES-KDF is selected, KeePass users may either want to increase the number of iterations from the default 60,000 to a higher value, or switch the function to Argon2d instead.
Higher iterations extend the time it takes to enter the password linear. While that may add a small delay to the user's own opening of the password database, it makes brute forcing attacks more expensive as it takes longer to test each password.
Select File > Database Setting and then Security to display the current configuration of the database that is open in KeePass.
The key derivation function lists the function that is used. AES-KDF displays just the number of iterations below, which users may want to increase to 600,000.
KeePass users may also switch to using Argon2d instead, which promises even better protection against brute force attacks.
...
Continue Reading
|