Your KeePass file might not be as safe as you think, but it is easy to protect yourself with this simple settings change that does not require creating a new kdbx file. This helps make your KeePass file more secure by deterring dictionary and brute force attacks.
The setting is called ‘Key Transformation’, accessible in KeePass under File > Database Settings… > Security. This screenshot is of version 2.x, but 1.x also has this feature (minus the helpful one second delay button).
What it does is run the master key through N rounds of encryption before applying it. The higher the N, the more time it takes your CPU to process through all the rounds of encryption. The default is 6000 which takes less than a millisecond for a modern CPU to churn through. My setting is in the high 7 figures, and takes about one second. That is a delay I can live with each time I attempt to open my KeePass file. In fact it kind of feels good to be reminded the program is doing extra work to protect me.
The reason for introducing a delay is to slow down a brute force attack to the point it is unfeasible in this lifetime. A brute force attack starts by trying every character (A-Z, a-z, 0-9, symbols), then every two character combination (aa, ab, ac…), then every three character combination (aaa, aab, aac), and so on. A related approach, called a dictionary attack, loops through a dictionary and tries all words and various combinations of words with different delimiters. Eventually these approaches will find the master password. However, when N is a high enough number, it will cost the attacker one second per attack (per CPU), which is a serious roadblock.
If your password is sufficiently strong, say 30 random characters including A-Z, a-z, 0-9, and 10 different possible symbols, that is 72 characters to draw from. That results in 72^30 = 5.24e+55 possible combinations! Only an attacker with a huge number of CPUs or a huge amount of time would be able to check all combinations. I doubt this little technique would deter high level national security organizations with billions of dollars in funding. However, I have a strong sense that a high N would deter script kiddies and cracking programs.
As CPUs get faster, N needs to increase to offset the time it takes to attempt a single crack at the master password. I plan to increase the value every time I get a new machine.
What the ‘average’ user sets their password to:
You know it really isn’t very hard to achieve ‘better than average’ password security. Most people use the password ‘password’ or ‘123456’, and tend to use the same password for all their accounts.
Going beyond just a strong password:
A full proof password may not be enough. Wired did a thorough write up on how a weak password and social engineering combined with a basic flaw in processes at Amazon and Apple lead to journalist losing his entire online identity. That is why I always setup the extra identity verification questions under my account. I never use the same Q&A twice. I also use three different emails: personal, work, and private / banking. That way even in the worst case scenario where a hacker is able to trigger password resets and get into accounts the scope of the damage is limited.
What is KeePass?
For those who don’t know, KeePass is a FOSS program for managing passwords. One ‘master’ password gets you into all your other passwords. It can easily generate strong passwords. In fact, I don’t even know some of my passwords since they were generated inside KeePass with the ***’s showing. From there I pasted the value it made into whatever website’s sign-in form I was at. I then immediately make a secure backup of the KeePass file so I don’t lose that new password. The coolest thing is the Ctl+V feature that will tab back to the previous window, paste your username, tab, paste your password, and then hit enter to submit the form.
I’ve been using KeePass to manage my passwords for almost a decade. What I really like about it is how portable it is between Linux, Mac, and Windows. It also has ports to all manners of tablets and smart phones – but I would never put such a sensitive file on something that doesn’t have an encrypted drive.
Is KeePass secure?
I have not read the source and can’t vouch for it. I just know a lot of other software professionals who also use it. The fact that it is open source makes me feel better about it. It does encourage temporarily putting passwords into the system clipboard, which is arguably an insecure spot. Typing a complex password has its downsides too a) it takes time, and b) keystroke listeners would be able to pick them up.
Here is an interesting article about someone who was tasked with cracking a KeePass file. The article doesn’t say how they cracked it, but the YouTube video comments say they “found it written on a piece of paper.”
So the moral is, KeePass is as insecure as its operator is careless.