KeePass Security: Keep Your Passwords Safe

by JL Beeken on 3-14-2008

You may recall I recently explained how to use KeePass. It’s pretty simple, I think you would have found.

For security, I also suggested putting a copy on a flash-drive that you can travel with so you have a spare away from your home. This is good for a couple of reasons. If something happens to your home, you’ve got all your important numbers with you. If you were to be traveling and lose your wallet you’d have all your card numbers with you so you can cancel them quickly. Might as well toss all your emergency banking phone numbers in KeePass too so they’re handy: where to call when you lose things.

Since KeePass is only about 1 MB you might be tempted to put other things on the flash-drive.  Personal photos might be OK; bank statements, mother’s maiden name, maybe not so good. Think about it. Not having a devious mind I have to concentrate really hard to think what bits and pieces devious people can put together to come up with what.

People have been asking how secure KeePass actually is.  Read Cracking KeePass and you’ll know everything I know.  You can also read the pages on KeePass Features and root around on the web for articles on passwords.  Even if you start out knowing nothing, in a short time you’ll know something.

I had a chance to be tested under pressure, although it wasn’t on the day’s agenda.  I was just going out to do some errands.  I dropped my flash-drive into a deep pocket as I was leaving my house.  I ran my errands and then I came home.  As I usually do I emptied out all my pockets into a big pile. No flash-drive. I searched all the pockets again, my hat, my car, down to the toes of my boots and I phoned all the places I’d just been to.  No flash-drive.

I did not panic.  Too much.  This is not a James Bond movie where everyone in our small village has password-cracking software built into their wrist-watch.  The first thing I did though, using KeePass on my hard-drive, was change all my financially-related passwords.  After a little more thought I called my banks and canceled my credit cards.  Panic can make a person brain-fogged.  There are scientific studies about that.  An hour later I called the banks again and canceled my debit cards.  I changed all the passwords that could lead to any kind of trouble, started into the list of less critical ones and by that time it was about midnight.

Then something else crossed my mind:  How long would it take to crack the Master Password and get into the main vault anyway?  I found some tables showing how long it would take to violate various password types of varying lengths by brute force.  My 13-character Master Password tested out at somewhere between 300 and 1,500 years on a single computer.  Only 30 years on a room full of them.  RainbowCrack cannot crack the algorithm used by KeePass so that wasn’t an issue.  So it looked like even my minor panic wasn’t worth it.  I just got a complete set of new debit and credit cards for my trouble.  But I hardly ever believe anyone about anything unless I check it out myself.  So I installed some password-cracking software.

It’s beyond me.  I opened the help menu and immediately went googly-eyed.  Cracking passwords looks like hard work. People who do it regularly say that cracking simple passwords is easy and cracking strong passwords is impossible. KeePass rates each password’s quality on a scale from red to green; the rating is an estimate of the password’s entropy in bits, that is, roughly how many guesses it would take to find it, and it is a separate thing from the hash and encryption algorithms that protect the database itself.  The developers know what that means.  I don’t have to.

(Screenshot: the KeePass password quality meter)

Because I had a good scare I changed my Master Password (pass-phrase) to 18 mixed characters.  It’s probably overkill.  Depending on who you read, anything over 10, 12, 14 or 15 characters is said to be beyond cracking.  On the other hand it’s the only password I have to remember and it’s protecting all the others, so is there really such a thing as too much?

As long as you have a strong Master Password, your vault cannot be brute-forced open, and that’s what matters.  You could lose flash-drives all over town and it wouldn’t matter.  Not that I’m suggesting it.  It comes down to time.  The number of candidate passwords an attacker would have to hash and try grows so fast with every extra character that the total time becomes astronomical, and exhausting them will not happen in your lifetime or even future generations. (I knew there was a genealogical connection in here somewhere.)

They say 20-40% of people use insecure passwords and people who hack large “protected” databases usually come out with that percentage of usable records.  When it’s 100,000 records, that’s quite a few.

KeePass will generate good strong passwords for you, keep them safe and free your mind for other things.
I believe.

Other notes:  Version 2 requires the .NET Framework, which may not be installed on some computers, so if that’s an issue for you, or might be when traveling, use Version 1.

I also came across this in the KeePass documentation:

If you are using KeePass on PC only, it is highly recommended to increase the number of key transformation rounds. You can change the number in the database options dialog. Right of the field for the rounds, you’ll find a button. When clicking this button, KeePass computes the rounds number that leads to a 1-second delay. Waiting 1 second at database opening isn’t a problem, but for an attacker of course it is. But, the number can be freely set to a number of your choice. The button only should give you a rough idea how many rounds can be computed in 1 second on your computer.

I have no idea what that means, but if you look under File/Database Settings you’ll find this screen.  Click the clock.

(Screenshot: File/Database Settings, the key transformation rounds field and the clock button)
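For readers who, like me, wondered what those rounds actually do, here is a worked example that ties the documentation quoted above to the brute-force time estimates earlier in the post. It is an added example written for this page, my own reimplementation of the key transformation KeePass documents (AES-256 in ECB mode applied to the key over and over, then SHA-256), not code from KeePass itself. The seeds are constructed rather than read from a real database header, the composite key uses the password-only form of KeePass 2.x, 6000 rounds is used only as an example setting (it was KeePass 1.x’s default), and the attacker’s speed of one billion rounds per second is an assumption for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"math"
	"time"
)

const secondsPerYear = 365.25 * 24 * 3600

// transformKey is the KeePass AES key transformation: the 32-byte key is
// encrypted in place, `rounds` times, with AES-256 in ECB mode under the
// database's transform seed (two independent 16-byte blocks), then hashed
// with SHA-256. Every round is serial work that anyone opening the
// database, owner or attacker, has to repeat for each password guess.
func transformKey(key, transformSeed [32]byte, rounds uint64) [32]byte {
	block, err := aes.NewCipher(transformSeed[:])
	if err != nil {
		panic(err) // a 32-byte seed is always a valid AES-256 key
	}
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(key[0:16], key[0:16])
		block.Encrypt(key[16:32], key[16:32])
	}
	return sha256.Sum256(key[:])
}

// deriveMasterKey turns a master password into the key that unlocks the
// database: hash the password into a composite key (password-only form, as
// KeePass 2.x does it), transform it, then mix in the database's master seed.
func deriveMasterKey(password string, masterSeed, transformSeed [32]byte, rounds uint64) [32]byte {
	pwHash := sha256.Sum256([]byte(password))
	composite := sha256.Sum256(pwHash[:])
	transformed := transformKey(composite, transformSeed, rounds)
	return sha256.Sum256(append(masterSeed[:], transformed[:]...))
}

// calibrateRounds does what the clock button in Database Settings does:
// time a short burst of rounds on this machine and extrapolate to the
// number of rounds that would take `target` (for example one second).
func calibrateRounds(target time.Duration) uint64 {
	var key, seed [32]byte
	const probe = 20000
	start := time.Now()
	transformKey(key, seed, probe)
	elapsed := time.Since(start)
	if elapsed <= 0 {
		return probe
	}
	return uint64(float64(probe) * float64(target) / float64(elapsed))
}

// bruteForceYears estimates how long exhausting every password of `length`
// characters drawn from an alphabet of `charsetSize` takes, when each guess
// costs `rounds` transformation rounds and the attacker's hardware can do
// `roundsPerSec` rounds per second in total. The cost grows linearly with
// rounds and exponentially with password length.
func bruteForceYears(charsetSize, length int, rounds uint64, roundsPerSec float64) float64 {
	guesses := math.Pow(float64(charsetSize), float64(length))
	secondsPerGuess := float64(rounds) / roundsPerSec
	return guesses * secondsPerGuess / secondsPerYear
}

func main() {
	// Constructed seeds; a real database stores random ones in its header.
	var masterSeed, transformSeed [32]byte
	for i := range masterSeed {
		masterSeed[i] = byte(i)
		transformSeed[i] = byte(255 - i)
	}

	oneSecond := calibrateRounds(time.Second)
	fmt.Printf("rounds this machine computes in about 1 s: %d\n", oneSecond)

	key := deriveMasterKey("correct horse battery staple", masterSeed, transformSeed, 6000)
	fmt.Printf("derived key (6000 rounds), first 8 bytes: %x\n", key[:8])

	// Hypothetical attacker: 1e9 rounds per second across all their hardware.
	const attackerRoundsPerSec = 1e9
	for _, rounds := range []uint64{6000, oneSecond} {
		fmt.Printf("%9d rounds: 13 printable chars -> %.3g years, 8 lowercase -> %.3g years\n",
			rounds,
			bruteForceYears(95, 13, rounds, attackerRoundsPerSec),
			bruteForceYears(26, 8, rounds, attackerRoundsPerSec))
	}
}
```

Run it with `go run` and compare the two lines it prints: raising the rounds from 6000 to whatever your machine does in one second multiplies the attacker’s work by the same factor, which is exactly the trade the documentation describes (one second of waiting for you, the same multiplier for every guess they make). Note that rounds only stretch time linearly; length is what makes the estimate astronomical, which is why the 8-character lowercase line stays short no matter how many rounds you set.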

Perhaps loose flash-drives are not a good idea either.  I got a replacement one that has a key ring on the cap that’s permanently attached to my car keys.  When I go out, the empty cap reminds me to fetch the other half from my computer.

3 comments

Miguel Febres 5-07-2010 at 9:22 AM

You can use the following script to test the security of your keepass database:

http://www.q-protex.com/software/password-recovery/keepass-self-bruteforce


drifter 9-23-2011 at 5:23 AM

That works for KeePass 1.x. For KeePass 2.x, there’s KeeCracker:

http://keepass.zxq.net/


drifter 1-01-2014 at 3:48 PM

Hi! I am the developer of KeeCracker. Thank you for using it. I am now officially hosting it at the following address:

https://code.google.com/p/keecracker/

