KeePass configuration

Discussion in 'privacy technology' started by Page42, Jul 28, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I'm a couple of days into trying out KeePass... I like it a lot. And I have some general questions.

    Do you guys tend to keep the GUI open while you're online? It's a PITA to close it and have to re-enter the master password when I need to open it again. But I see that Lock Workspace feature, and it makes me think that the devs believe there is a security concern to keep it open?

    Another question involves Key files. I've read some guys saying that a master password & key file combo is the way to go. And it looks like a user can either pick a key file himself or let KP create a key file. What puzzles me is if I select one, isn't it encrypted by the program? How does that happen? I must be missing something there. And I am assuming that if a user allows KP to generate the key file, that it is encrypted.

    It seems to me that the two best steps a user can take with KP to thwart keyloggers, are:

    1) two-channel auto-type obfuscation and
    2) enter master key on secure desktop.

    But I wonder if there is a way to determine if secure desktop is working?

    One other question for now... is KP designed to both open a website and fill in the username/password fields at the same time? Because so far, I have just been able to get it to log in (Perform Auto-Type) after I have opened the webpage myself. When I included the url in there, nothing worked right.

    Oh yeah, one more... are the icons limited to those that are in the KP GUI, or can a user import icons that are native to each respective sites, like the Wilders icon and the BBR icon, etc.

    Any input appreciated.
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    This has to be determined by your situation. Are you using a "shared" computer? If no, do you have "snoopy" family members/roommates to worry about if your computer is powered up and you're away from it? If still no, then I wouldn't worry about using that feature.

    Can't help you here as I feel a "strong" master password is enough.


    Just tested this against the spyshelter keylogging test and it "passed" ;) Without the secure desktop feature enabled, it "failed"!

    It still appears to be a 2 step process but keepass "can" open the website. Just right click on the entry/mouse over "urls" and select "open in browser". Then right click again and select "auto-type".

    Right click on the entry and select "edit". You will see "icon" and the icon image used beside it. "Click" the image and a screen will open giving you the ability to add a custom icon. Just tried it successfully :thumb:
     
    Last edited: Jul 28, 2011
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hey tobacco

    I totally didn't see the custom space for icons, til you pointed it out. I made it work too, but I was hoping the program would pick up on native (for want of a better term) icons that go with each website, like browser bookmark icons. Instead, to make it work, I had to do a screen capture of the Wilders icon, and then one for the Sandboxie forum, etc, but it ends up looking okay...
    [Attached image: icons sample.jpg]

    Thanks for the help!
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Yes! That works, but for me, with * one little added step. Just prior to right-clicking and selecting Perform Auto-Type, I have to click on the text field where the username and password are going to be entered, otherwise the operation does not go through.

    Same kind of thing happens on the Wilders login page, in the User Name space, the words User Name appear, and I have to click on that space to make it go away prior to selecting Perform Auto-Type in KeePass.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Yes, you have to take focus on the username field. By the way I prefer CTRL + V, as soon as you click on the username field after clicking on the URL, it is a bit faster.
    A key file is just another password but in a file, so for a hacker it is a little harder to get, unless he can access your computer, so it does not have to be encrypted.
     
  6. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I usually close it and open it every time I need a password, but I don't keep too many passwords stored in KeePass, so it's not a major inconvenience for me. The reason for the Lock Workspace feature or for closing KeePass is that in order to give you access to all your passwords all the time, it needs to cache the passphrase or the decrypted information in the memory, and this can be dangerous in some situations.

    Actually, as far as I know a keyfile is used to add more entropy to the passphrase, effectively making it stronger. The key file that is generated by the program contains random data, it is not encrypted. If you are using a file of your own, it will not be encrypted, KeePass is just reading data from it.
    As for the password & key file combo, theoretically it is more secure than a simple password in the event of keylogger, because the attacker will have access to your passphrase, but not your keyfile. However, if an attacker decides to steal your passwords, he also needs a way to get the encrypted file containing all your passwords. If he finds a way to get files from your computer, the keyfile will not give you additional security, because the attacker might steal your keyfile as well.
     
  7. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    If you use Firefox as your main browser then I recommend using the KeeFox plugin; it allows auto-fill on websites, password generation, and lets you save the favicon of websites automatically.

    The GUI security I have set to lock workspace after 600 seconds (10 mins), as soon as the user is locked, switched, suspended or remote control mode is changed, and my screensaver is set to kick in after 1 minute of being idle with password resume, which doesn't give anybody much chance to get to my passwords.
     
  8. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    If you want favicons for websites such as Wilders you could use http://www.getfavicon.org/ instead of having to do a screencap and then import it into KeePass.
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Personally I wouldn't do this as it runs the risk of a browser exploit turning into a hack of your passwords. I like to keep as much separation as possible between my Keepass passwords and my browsers. But each to their own.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That makes it two of us. :thumb:
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Thanks, poison! That works great. :thumb:
     
  12. x942

    x942 Guest

    I recommend setting the number of rounds to a 1 second delay or a little higher. This greatly reduces the likelihood of a brute force attack against the encryption keys (although unlikely to begin with). If an attacker knows you use 'x' number of rounds then all he has to do is repeat the brute force that same 'x' number of times. If the number of rounds is unknown he could never (in theory) break it. That said, AES 256 can't be broken anyway, but it is a good precaution to use.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    One of the first things I did when looking around in the Database Settings was to click on the 1 second delay link in the key transformation section. This is supposed to compute the # of rounds that lead to a delay of 1 second on your computer. The resulting number was 2,123,520. I can't say that I fully comprehend what all that means, however.
     
  14. x942

    x942 Guest

    From reading the KeePass documentation my understanding (which may be wrong) is that the number of rounds is how many times the encryption key is encrypted with your password. So in your case it is encrypted 2,123,520 times with your password. So the first time you have your key, this is encrypted with your password (i.e. if your key is the letter "A" and it is then encrypted with your password it becomes the letter "W"), the next time the letter "W" is encrypted with your password and becomes "L". It is far more complicated than that, but that is the principle behind it.

    It is basically encrypting the key and re-encrypting each previous outcome that number of times (2,123,520). Decrypting means using your password to decrypt each outcome that number of times (2,123,520).
     
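    The "number of rounds" exchange in posts 12 to 14, and the key-file entropy point from post 6, as an added example that is not KeePass's own code. The structure follows what the thread describes (hash the password and key file into one composite key, then transform it a calibrated number of rounds with a per-database seed), but SHA-256 is substituted for KeePass's AES-based transform so the block runs on the Python standard library alone; the cost behaviour it demonstrates, attacker work growing linearly with the round count, is the same. The function names, the probe size and the sample inputs are this example's own choices.

```python
"""Key-stretching model for the 'number of rounds' discussion.

Added example, not KeePass's own code.  SHA-256 stands in for the AES rounds
KeePass uses; the calibration and cost arithmetic are what the thread is about.
"""
import hashlib
import time
from typing import Optional


def composite_key(password: str, keyfile_bytes: Optional[bytes] = None) -> bytes:
    """Combine the master password and an optional key file into one 32-byte key.

    Each component is hashed on its own, then the hashes are concatenated and
    hashed again, so the key file's entropy is added to the password's rather
    than replacing it (the point made in post 6).  Modelled, not KeePass's exact
    byte layout.
    """
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        parts += hashlib.sha256(keyfile_bytes).digest()
    return hashlib.sha256(parts).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Re-derive the key `rounds` times, each round consuming the previous output.

    Stand-in for KeePass's repeated encryption of the key.  The random
    per-database seed is mixed into every round, so an attacker must redo all
    the rounds for every password guess and cannot precompute them.
    """
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    out = key
    for _ in range(rounds):
        out = hashlib.sha256(seed + out).digest()
    return out


def calibrate_rounds(target_seconds: float = 1.0, probe_rounds: int = 20_000) -> int:
    """Estimate how many rounds take `target_seconds` on this machine.

    This is the idea behind the "1 second delay" link in Database Settings
    that produced the 2,123,520 figure in post 13: time a probe run, then
    scale the round count to the delay the user is willing to accept.
    """
    seed = b"\x00" * 32                      # constructed seed, fixed for timing only
    start = time.perf_counter()
    transform_key(b"\x01" * 32, seed, probe_rounds)
    elapsed = time.perf_counter() - start
    return max(1, int(probe_rounds * target_seconds / elapsed))


def brute_force_seconds(rounds: int, guesses: int, rounds_per_second: float) -> float:
    """Time an attacker needs to test `guesses` candidate passwords.

    Every guess pays for the full round count, so doubling the rounds doubles
    the attacker's cost exactly as it doubles the user's unlock delay.
    """
    return guesses * rounds / rounds_per_second


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    keyfile = bytes(range(64))
    print("password only:", composite_key("correct horse battery staple").hex()[:16], "...")
    print("with key file:", composite_key("correct horse battery staple", keyfile).hex()[:16], "...")

    rounds = calibrate_rounds(1.0)
    print(f"rounds for roughly 1 s on this machine: {rounds:,}")
    # At the thread's 2,123,520 rounds, an attacker matching the user's own
    # throughput needs one second per guess: a million guesses is ~11.6 days.
    print(f"1e6 guesses at 2,123,520 rounds/s: {brute_force_seconds(2_123_520, 1_000_000, 2_123_520) / 86_400:.1f} days")
```

The brute-force figure assumes the attacker is no faster than the user's PC; dedicated hardware narrows the gap, which is why the defence is the round count together with a strong password or key file, not the round count alone.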
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Doesn't that sound, uh, extraordinarily sufficient? :)
     
  16. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    For me, the "Windows User Account" is clearly the best password. You don't have to remember it, and it can't be stolen. It just depends on whether other people have access to your PC while you are logged on. And if you want to copy your database to another PC, you can temporarily use a simple password and then change it back to User Account.

    Keepass is a great program, but I still find LastPass to be more useful, and more reliable, since you can get to your LastPass vault from any PC.
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    No way I'm storing my passwords in the cloud.
    And I like KeePass precisely because it is not a browser addon like LastPass.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I just performed a full-system backup with Acronis True Image, and a question came to me.

    What happens if, after creating a backup image, I change my KeePass master password, then at some point I restore that backup image?

    I'm guessing that the restored image contains a copy of the old (changed) KeePass database, and I will be out of luck unless I recall what the old password is.

    :doubt: :'( :eek:
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that's correct.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I just discovered a bug of sorts in KeePass.
    Actually it's probably not a bug, but just the way the program works.

    The issue is due to using two-channel auto-type obfuscation.
    And in fairness, KeePass does warn that auto-type obfuscation may not work with all windows.

    The problem occurred because Hotmail has a 16-character limit on passwords. Since that fact is not very well publicized, some users may not know it. I certainly didn't. Hotmail simply ignores anything more than 16 characters. So a user could forever use a 19-character password and never know the difference... that is, until they try entering it with KeePass and two-channel auto-type obfuscation.

    Like I say, I had a 16-character password, and to strengthen it, I added 3 characters to it. I added them in the middle.... abcdefghijklmnop became abcdefghXXXijklmnop. The reason I mention that I added them to the middle is because if they had been added to the end, Hotmail would not have recognized any difference between the old and the new and would have prompted me to that effect.

    Anyway, logging into Hotmail manually with the 19-character password works fine... because Hotmail ignores the last 3 characters.
    But when attempting to use the same 19-character password in KeePass to login to Hotmail using two-channel auto-type obfuscation, it won't work.

    It took me awhile to figure out what was happening. And I have confirmed that using auto-type and the 19-character password without obfuscation does work in KeePass. It's just the obfuscation method, and how KeePass fills in the data field, I suppose, that is preventing it from working.

    I bet there are a few Hotmail/KeePass users out there trying to figure that one out.
     
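    The silent 16-character truncation described in the post above, as an added example that is not code from Hotmail or from KeePass. It contrasts a verifier that keeps only the first 16 characters (the behaviour the poster ran into) with one that hashes the whole password and enforces an explicit, generous length bound, and includes the check the poster effectively performed by hand: whether changing a character past position 16 still verifies. The class and function names, the legacy limit constant and the sample password are this example's own.

```python
"""Silent password truncation: the failure mode found with Hotmail above.

Added example.  TruncatingStore models a backend that silently keeps the first
16 characters; StrictStore is the corrected form.  Both use PBKDF2 from the
standard library for password hashing.
"""
import hashlib
import hmac
import os

MAX_LEN_LEGACY = 16      # the limit the thread found Hotmail enforcing silently
PBKDF2_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class TruncatingStore:
    """'Before': the password is cut to 16 characters before hashing.

    A 19-character password and its 16-character prefix hash identically, so
    extra characters add no strength and a mismatch only surfaces when some
    client (here KeePass with obfuscated auto-type) submits the full string.
    """

    def __init__(self) -> None:
        self._users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password[:MAX_LEN_LEGACY], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(password[:MAX_LEN_LEGACY], salt), digest)


class StrictStore:
    """'After': the whole password is hashed and over-long input is rejected,
    never shortened, so the user learns about the limit at registration time."""

    MAX_LEN = 128   # explicit bound against resource-exhaustion, far above any real password

    def __init__(self) -> None:
        self._users = {}

    def register(self, user: str, password: str) -> None:
        if len(password) > self.MAX_LEN:
            raise ValueError(f"password longer than {self.MAX_LEN} characters")
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if len(password) > self.MAX_LEN:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(password, salt), digest)


def uses_full_password(store, user: str, password: str) -> bool:
    """Does the store distinguish the password from the same string plus one
    more character?  False means characters past some limit are ignored,
    which is exactly what the poster discovered with the 19-character password."""
    return not store.verify(user, password + "z")


if __name__ == "__main__":
    # Constructed sample, mirroring the post: 16 chars with 3 inserted in the middle.
    pw19 = "abcdefghXXXijklmnop"
    for cls in (TruncatingStore, StrictStore):
        store = cls()
        store.register("user", pw19)
        print(f"{cls.__name__:16} 19-char ok={store.verify('user', pw19)} "
              f"16-char prefix ok={store.verify('user', pw19[:16])} "
              f"full password honoured={uses_full_password(store, 'user', pw19)}")
```

The detection helper is the right way round for a defender: run it against your own service's test account and treat a `False` result as a bug in the backend, not as something for the client to work around.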
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Perhaps another KeePass user could weigh in on this for me.

    I am unclear on the security/validity of a key file, particularly given the explanations I have been studying in the KeePass key file documentation, which I quote below:

    So, which is it? Key files are stronger than passwords, but they are easy for malware/attackers to find. That sounds like any strength benefit of a key file is negated by the inability to keep it a secret.

    KeePass seems to think both in conjunction are the best, but when used individually, they say key files are better. I'm using the master password only, and feel the protection is very adequate, but the KeePass documentation is confusing to me.
     
  22. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I also only use the password but I think the "key" point of the key file is that, as stated, it can be placed on a USB drive and then the USB drive either kept on your person or secured somewhere away from the computer. If the USB drive with the file isn't with the computer when someone attempts to get into KeePass then they would be out of luck.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    That's a good method, Firebytes.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I've added KeyScrambler.
    Without it (or something similar), what protects when new entries are being created in KeePass?
    And for the websites where I can not perform auto-type or drag & drop.
    There was a hole in the security.
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Only the paid versions of KeyScrambler protect KeePass.
    But you probably know that already.

    And the failed drag & drop, it is due to Sandboxie in your case, is it not?
    It's not KeePass' fault if the drag & drop does not work.

    Another app you might want to look into is Password Depot.
    It is very good but it is not cheap, unfortunately.
     
    Last edited: Aug 16, 2011