KeePass best practice

Discussion in 'other software & services' started by lodore, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. lodore (Registered Member; joined Jun 22, 2006; 9,006 posts)
    Hello,
    I've just started using KeePass.

    I have chosen the option to require a file as well as a password, and put the file in a separate location from the database.

    I'm trying to work out the best way to secure the database so I can use KeePass with my laptop.

    The best way I've thought of so far is to put the database on one USB stick and then put the other file on another USB stick. I could also put the two files in encrypted RAR files and just extract them when needed, but that does seem a bit paranoid.

    I'm wondering how other KeePass users handle this situation.
     
  2. Scoobs72 (Registered Member; joined Jul 16, 2007; 1,108 posts; location: Sofa (left side))
    A couple of comments:

    1. The password + file approach is definitely the way to go. Given the rate at which some GPUs can brute-force passwords now, this approach is needed.

    2. You could store the file in a TrueCrypt container, with the container set to auto-mount at logon and auto-dismount at log-off. Coupled with that, ensure that your PC requires a password to log in to all accounts. That way, if your computer is stolen and the thief attempts to hack into your account, they'll take the usual approach of rebooting to hack through your user account password. But when they do, the TrueCrypt container will have automatically dismounted.

    With this approach you can also store all private/confidential data in the TrueCrypt container to protect it if your PC is stolen.
     
  3. lodore (Registered Member; joined Jun 22, 2006; 9,006 posts)
    Hello Scoobs72,
    thanks for your input.
    The only problem I see is that someone could use an offline CD to remove my password, then log in, and the TrueCrypt volume will be mounted upon login.
     
  4. Scoobs72 (Registered Member; joined Jul 16, 2007; 1,108 posts; location: Sofa (left side))
    No, you still need to enter your TrueCrypt password on login. It just pops up the dialog box for you to enter the password.
     
  5. HAN (Registered Member; joined Feb 24, 2005; 2,080 posts; location: USA)
    I used to use KeePass before switching to LastPass. KeePass is simple, yet very handy and effective. I never used the Key File option. Just a good password for the master password.

    I would say that if you are using a good master password and the Key File, that should be enough. I agree that for better safety, keeping the Key File physically separate from the database would be a good idea.

    FWIW, I sincerely question the general use of (or even availability of) GPU password hacking. IMO, that's a ways away.

    One other thought would be to keep at least 2 copies of both the database and the Key File. USB drives are like all other drives. They go bad from time to time.

    **EDIT**

    I learned that GPU hacking tools are definitely available and can be put into use by fairly knowledgeable users. But I still don't believe they are common among many users, though...
     
    Last edited: Jul 7, 2011
  6. carlito77 (Registered Member; joined Aug 4, 2010; 8 posts)
    I use KeePass, a great program, but to my surprise I found a flaw. My browser of choice is Opera. Opera stores my KeePass passwords in the wand.dat file. Though this file is encrypted, you can easily get a wand.dat decryption program like PassView and it bares your passwords for all to see. Hence, I stopped using the wand to save passwords except for a few forums. I'm sure other browsers have similar features.
     
  7. Scoobs72 (Registered Member; joined Jul 16, 2007; 1,108 posts; location: Sofa (left side))
    Wand.dat has nothing to do with KeePass. Wand.dat is simply Opera's password store. I don't understand why you think this has anything to do with KeePass.
     
  8. carlito77 (Registered Member; joined Aug 4, 2010; 8 posts)
    Scoobs72, I didn't say that wand.dat has anything to do with KeePass. I just said that it stores KeePass passwords.
     
  9. HAN (Registered Member; joined Feb 24, 2005; 2,080 posts; location: USA)
    IMO, it's critical to disable ALL password managers that are part of browsers. (I can't imagine a worse place to keep one's passwords!) By default, they are always on, or at least in the "ask to remember passwords" mode.

    My method is to only allow the password manager (such as KeePass or LastPass) to remember/use the passwords. Then issues like the wand.dat one will not happen.
     
    Last edited: Jul 7, 2011
  10. lodore (Registered Member; joined Jun 22, 2006; 9,006 posts)
    I'm not 100% sure how LastPass works. It says it works on multiple platforms and you can sync it, but it also says the file is only on your computer.

    Surely if someone managed to hack your LastPass account they could access all your passwords? That's really not good.

    BTW, I found a strange issue with KeePass. If I move the key file after it's created and try to open the vault from that location, it says the file is unreadable. If I put the file back in the original location, it works.
     
    Last edited: Jul 7, 2011
  11. HAN (Registered Member; joined Feb 24, 2005; 2,080 posts; location: USA)
    Sounds like a good thing?? It must remember the file location/path to keep tampering to a minimum.
     
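    The two technical points in this thread so far, "password + key file beats GPU brute force" (post 2) and "what happens to the key when the key file is moved" (posts 10 and 11), can be shown in a few lines. The Python below is an added illustration written for this page; it is not code from the thread or from the KeePass project. It assumes the KeePass 2.x key file conventions as I understand them (a raw 32-byte file is used as-is, a 64-hex-character file is decoded, a v1.00 XML key file carries base64 in <Key><Data>, and anything else is SHA-256 hashed) and the composite-key formula SHA-256(SHA-256(password) || key_file_bytes); check both against the KeePass documentation before relying on them. The database's key transformation rounds (AES-KDF or Argon2) are deliberately left out: they scale the cost of each guess, while the point here is the size of the search space. The names `key_file_to_bytes`, `composite_key`, `dictionary_attack`, the sample key bytes and the wordlist are all mine, and the data is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Sequence


def key_file_to_bytes(data: bytes) -> bytes:
    """Reduce a key file's raw contents to the 32 bytes KeePass mixes into the key.

    Assumed KeePass 2.x conventions (verify against the KeePass docs):
      exactly 32 bytes      -> used directly
      exactly 64 hex chars  -> hex-decoded to 32 bytes
      XML <KeyFile> (v1.00) -> base64 <Key><Data> decoded to 32 bytes
      anything else         -> SHA-256 of the whole file
    Only the bytes matter: the file's path or name never enters the key.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # not hex after all; fall through to the other forms
            pass
    try:
        root = ET.fromstring(data)
        if root.tag == "KeyFile":
            node = root.find("Key/Data")
            if node is not None and node.text:
                key = base64.b64decode("".join(node.text.split()))
                if len(key) == 32:
                    return key
    except (ET.ParseError, ValueError):
        pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256(SHA-256(password) || key_file_bytes): the composite key as assumed
    above, before the database's key transformation rounds (omitted here)."""
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_to_bytes(key_file)
    return hashlib.sha256(material).digest()


def dictionary_attack(target: bytes, key_file: Optional[bytes],
                      wordlist: Sequence[str]) -> Optional[str]:
    """What a GPU cracker does, minus the speed: try each candidate password
    together with whatever key file the attacker holds (None if never obtained)."""
    for candidate in wordlist:
        if composite_key(candidate, key_file) == target:
            return candidate
    return None


# Constructed sample data: a fake v1.00 XML key file wrapping a fixed 32 bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_XML_KEY_FILE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<KeyFile><Meta><Version>1.00</Version></Meta>"
    "<Key><Data>" + base64.b64encode(SAMPLE_KEY).decode("ascii") + "</Data></Key></KeyFile>"
).encode("utf-8")

# A tiny constructed wordlist standing in for a multi-gigabyte cracking dictionary.
WORDLIST = ["password", "letmein", "Tr0ub4dor&3", "correct horse battery staple"]


def demo() -> dict:
    master_password = "letmein"  # deliberately weak, so it is in the wordlist
    password_only_db = composite_key(master_password, None)
    password_and_file_db = composite_key(master_password, SAMPLE_XML_KEY_FILE)

    # A byte-identical copy of the key file on another USB stick yields the same
    # key, so moving the file does not change the key; only losing or altering it does.
    moved_copy = bytes(SAMPLE_XML_KEY_FILE)
    same_key_after_move = composite_key(master_password, moved_copy) == password_and_file_db

    return {
        "password_only_cracked": dictionary_attack(password_only_db, None, WORDLIST),
        "with_key_file_missing": dictionary_attack(password_and_file_db, None, WORDLIST),
        "with_key_file_stolen": dictionary_attack(password_and_file_db, SAMPLE_XML_KEY_FILE, WORDLIST),
        "same_key_after_move": same_key_after_move,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Running it shows the weak password falling to the dictionary when it is the only key, surviving the same dictionary when the attacker lacks the key file, and falling again once the key file is stolen alongside the database, which is exactly why the thread's advice to keep the two on separate media matters. The last result shows that the key depends on the file's contents only: a moved or copied key file produces the same composite key. KeePass does remember the last key file path for a database, so after moving the file you select the new location in the key dialog rather than expecting it to be found automatically.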
  12. tlu (Guest)

    You might want to read what I wrote elsewhere on http://forums.informaction.com/viewtopic.php?f=8&t=5928&hilit=lastpass#p27740 and http://forums.informaction.com/viewtopic.php?f=8&t=5928&p=28163&hilit=lastpass#p28163
     
  13. layman (Registered Member; joined May 20, 2006; 217 posts)
    It might prevent tampering, but it also limits the usability of the password DB. What if you want to propagate the DB to multiple machines? In practice, this does not increase security; it forces people to the less secure alternative of NOT using the key file.

    Sometimes really bad design decisions are made in the name of security. A good example is Fidelity's website, which doesn't play well with password minders. Fidelity Support's response is that this makes their site more secure and customers should manually enter their ID and password. Of course, most customers quickly change their password to something short and easily typed/remembered. What do you call design decisions that have the inverse of the intended effect? Boneheaded.
     