Cracking KeePass

by JL Beeken on 5-22-2008

For the past couple of months, at least 30 people have been showing up at JLog every week asking how to crack KeePass. I don’t know whether you’re wondering if it’s possible or hoping I can tell you how to do it.

So, for the 30 who will be showing up every week forevermore if this present rhythm continues, I will tell you everything I know.

The whole point of KeePass is that the database cannot be cracked.  It can’t be stronger than your master password, though.  Anyone who gets your master password has your database.

Other than that, according to their documentation, and I quote, “the sun will go nova before you have decrypted the database”.  The database contents are encrypted with AES (Rijndael) or Twofish, 256-bit ciphers of the kind banks use, and the encryption key is derived from your master password.  While KeePass is running, the master key is kept encrypted in memory rather than in the clear.  Clipboard contents are set by default to clear after 10 seconds.  It leaves no stray files around your computer that anyone could use to break in.  It’s Fort Knox, Stonehenge and the Great Wall of China rolled into one. There is no back door in.  Either you have the password, or you don’t.

Pick a good master password: at least 12 mixed characters, with upper-case, lower-case and numbers.  If you want more margin, throw in a few symbols from the top row of your keyboard.  Be as unpredictable as possible.  In other words, make up a phrase; don’t walk across the keyboard in order or use a single word that can be found in a dictionary, because those are the first things a guessing tool tries.

The only place I wrote down my master password is amongst my legal papers, in case of my accelerated decline or sudden demise.  No-one in my house is interested in finding it.  I don’t carry it around out of the house anywhere except in my mind.

The only other place I keep the master password is in a portable clipboard extender on a thumb-drive, so I can paste it from there into KeePass on my C-drive and not have to type it in every time.  This is for use only at home.  Copy and paste is safer than typing in case of keyloggers.  (I’m not an expert in this field, but I think so.)

How To Change Your Master Password

You can change your master password at any time: log in with your present password, then click ‘Change Master Key’ in the File menu. It will ask you for the new password. Write it down somewhere!

If you’re still not satisfied you can also create a key file, to be used instead of or in combination with your master password.  A key file is a block of random data that KeePass generates from entropy you supply by hitting random keys and moving your mouse around.  It is far too long to memorize, nor would you want to, so wherever you put it you’d better not lose it.  Keep it somewhere other than next to the database (a thumb-drive, say): if someone gets both the database and the key file, the key file adds nothing, and only the master password stands between them and your entries.

But, please be my guest, go read their documentation and put your mind at rest.  Honestly, I know nothing.
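The brute-force argument above, the 12-character advice, and the key file, as a worked example added here (this is illustrative Python, not KeePass’s own code). The composite key is modelled on KeePass, where each key source is reduced to a 32-byte SHA-256 digest and the digests are hashed together; the slow transformation uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for KeePass’s own AES-based key transform, which differs in detail; the round count, the transform seed and the key-file contents are all constructed for the demo.

```python
"""Key strengthening and composite keys, as a worked example (illustrative
code, not KeePass's implementation).

Assumptions: the composite key is modelled on KeePass as SHA-256 over the
32-byte digests of each key source (password, key file); the slow
transformation uses PBKDF2-HMAC-SHA256 from the standard library as a
stand-in for KeePass's own AES-based key transform, which differs in detail.
"""
import hashlib
import hmac
import itertools
import time
from typing import Optional, Tuple

ROUNDS = 60_000  # assumed round count; KeePass lets the user tune this per database


def key_file_key(key_file_bytes: bytes) -> bytes:
    """Reduce a key file to 32 bytes: used as-is if it already is 32 bytes, else hashed."""
    if len(key_file_bytes) == 32:
        return key_file_bytes
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(password: str, key_file_bytes: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated 32-byte digests of every key source present."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        material += key_file_key(key_file_bytes)
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, transform_seed: bytes, rounds: int = ROUNDS) -> bytes:
    """Key strengthening: `rounds` iterations of a slow KDF, salted with a per-database seed."""
    return hashlib.pbkdf2_hmac("sha256", composite, transform_seed, rounds, dklen=32)


def brute_force(target: bytes, transform_seed: bytes, alphabet: str, length: int,
                key_file_bytes: Optional[bytes] = None,
                rounds: int = ROUNDS) -> Tuple[Optional[str], int]:
    """Try every password of `length` over `alphabet`; return (password or None, guesses made).

    Every guess has to pay for the full transformation, which is the whole point.
    """
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        derived = transform_key(composite_key(candidate, key_file_bytes), transform_seed, rounds)
        if hmac.compare_digest(derived, target):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(rounds: int, samples: int = 10) -> float:
    """Measure the cost of one guess (composite key + transformation) on this machine."""
    seed = b"\x00" * 32
    start = time.perf_counter()
    for i in range(samples):
        transform_key(composite_key("guess%d" % i), seed, rounds)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(alphabet_size: int, length: int, per_guess: float, parallel: int = 1) -> float:
    """Worst-case time to try every password of `length` over `alphabet_size` symbols."""
    return (alphabet_size ** length) * per_guess / parallel / (365 * 24 * 3600)


if __name__ == "__main__":
    seed = b"\x11" * 32                     # constructed per-database transform seed
    key_file = b"\x42" * 32                 # constructed 32-byte key file
    # A toy 2-character password over "abc" so the demo finishes quickly.
    target = transform_key(composite_key("cb", key_file), seed, rounds=1000)
    print(brute_force(target, seed, "abc", 2, key_file, rounds=1000))   # ('cb', 8)
    print(brute_force(target, seed, "abc", 2, None, rounds=1000))       # (None, 9): no key file, no luck
    # Cost of one guess with a cheap versus a slow transformation, extrapolated
    # to the 12-character upper/lower/digit password recommended above.
    for rounds in (1, ROUNDS):
        cost = seconds_per_guess(rounds)
        print(f"rounds={rounds:>6}: {cost * 1e6:10.1f} us/guess, "
              f"{years_to_exhaust(62, 12, cost, parallel=1000):.3g} years for 62^12 on 1000 cores")
```

Two things the run shows that the prose only asserts: without the key file the attacker exhausts the whole keyspace and finds nothing, because the key file’s bytes are part of the input to the transformation; and the per-guess cost grows linearly with the round count, so whatever the round count is set to, the same 62^12 keyspace takes that many times longer to exhaust. This is the key strengthening Volkan describes in the comments below: the rounds do not make a 3-character password safe, they multiply the cost of each guess against a password that was already hard to guess.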


Volkan 1-09-2011 at 4:57 AM

yes it can be better than your password :)

KeePass uses key strengthening (cannot remember which algorithm now, but something like PBKDF2 or similar).

While KeePass calculates the key from your password, it iterates this process thousands of times. This iteration is a computationally expensive operation and takes time. This is key strengthening; you can Google it.

In simple terms it means:

If the iteration takes 2 seconds (I don’t know exactly), then every password trial in a brute-force attempt takes 2 seconds, which makes brute force impossible and strengthens your password very much.

(of course using a 3 letter password is still a boob)


Aldo 9-21-2012 at 3:48 AM

“It’s Fort Knox, Stonehenge and the Great Wall of China rolled into one.”

Errrrr…. right.

I suggest you look up Stonehenge on Wikipedia, or even just take a cursory glance at a photo of it, before you use it in any further comparisons.


JL Beeken 9-21-2012 at 9:29 AM

Wow. I thought my use of the English language was pretty good; at least I’ve been told.

I’m quite aware of what Stonehenge looks like. When I think ‘Stonehenge’ I think along the lines of ‘unyielding’. There you go. Check your dictionary/search your brain. And good heavens, get a life.


NSA guy 12-11-2013 at 9:38 AM

Hey I work for NSA and I find this article hilarious!


JL Beeken 12-11-2013 at 11:09 AM

Since you probably know more about password security than the average person it might be interesting and useful to hear something besides a statement of your emotional condition.


NSA Guy 1-29-2014 at 7:34 PM

All your passwords belong to us!


JL Beeken 1-29-2014 at 7:43 PM

Oh good. If someone hacks my bank account I’ll know it’s you.

