Keepass & Usage Advice requested

Discussion in 'privacy technology' started by SandyD, Oct 17, 2009.

Thread Status:
Not open for further replies.
  1. SandyD

    SandyD Registered Member

    Joined:
    Jun 27, 2008
    Posts:
    11
    I have been using Keepass for a few years now and could not manage my user names, passwords, logins, url without it.
    I have the program installed on my primary PC (80% usage) and my secondary workstation (20%) at a different location, and sync the databases manually from time to time.

    I have a strong password but, for reasons I forgot, do not use a key file anymore - it may have had something to do with using KeePass at more than one location.

    The above set-up is pretty convenient for me and I am confident that my password is strong enough to withstand "normal" cracks.
    I am just wondering if I am not running a high risk with only having the master password. As long as I keep my PC clean, I guess I am OK. However, if for some reason I did catch a keylogger, I suppose it would take only a day or so for my master password to become apparent. If the bad guys can call home, then my KP database and password would be available - so what steps should I take to prevent that?

    Ideally a solution should be convenient too - it should not get too complicated with respect to access for myself at different locations.

    Hopefully some experts out there can give me some pointers :)
     
  2. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    What you've done is enough. You can't prepare for every possible eventuality. I think you understand the situation pretty well.

    However, I'll add some fuel to the fire. You did mention internet-based attacks, but don't forget about attacks due to physical access, especially at work. It would be much easier for someone to compromise your system with physical access. In order to prevent that you would probably need some disk encryption, either volume or preferably full system encryption. But I won't recommend that because it's not a simple solution.

    Keep in mind that an experienced individual with physical access to an unencrypted machine can pretty much get anything. There's not much that can be done about this.

    Keyfiles are also a good option, as you mentioned. But there is always some risk. All bets are off when malware is allowed on your system, either through physical access or internet-based attacks. I wouldn't worry too much about internet attacks if you have a good antivirus and firewall.
     
  3. SandyD

    SandyD Registered Member

    Joined:
    Jun 27, 2008
    Posts:
    11
    Please correct me if I am wrong - if I wanted to use the key file feature for added security, I would have to have the key file either stored on both PCs or carry it around with me on a USB stick.

    Having the key file stored on the actual PC would make that file available too to anyone having access to the data, either due to a hack or local access. So the advantage would be somewhat limited?
    Carrying the key file on the USB stick limits convenience.

    Is this a correct analysis or am I overlooking something?
     
  4. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    From the documentation:


    So, to really improve security, you would have to carry the keyfile around with you on an external device/disk. And it would have to be a unique file that couldn't be found anywhere else. I guess you could also theoretically store it somewhere online that only you have access to. Then download it when you need it and securely delete (i.e. not just a regular delete but an actual overwrite) it when you're done. But if your computer is compromised, then anything you do online could also be compromised (including any access passwords).

    So, the only guaranteed solution is to always carry it with you.
     
    Last edited: Oct 18, 2009
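To make the trade-off discussed above concrete, here is an added example (not code from the original thread, and not KeePass's own code) that reproduces how KeePass 2.x derives its composite key from the master password and an optional key file: SHA-256 of the password is concatenated with the key file's 32-byte key contribution, and the result is hashed again. The subsequent AES-KDF transformation rounds and the XML key-file format are deliberately omitted; the sample key file bytes and password list are constructed for the demonstration. The dictionary attack at the end shows the point made in the posts: a stolen database with a password guessed from a wordlist opens instantly when the attacker also has the key file, and not at all when the key file was never on the compromised machine.

```python
import hashlib
import re
from typing import Iterable, Optional

# Constructed sample: 32 raw bytes, the shape of a binary KeePass 2.x key file.
# A real key file would be generated by KeePass with random contents.
KEYFILE_RAW = bytes(range(32))


def keyfile_key(data: bytes) -> bytes:
    """Return the 32-byte key contribution of a key file's contents.

    Mirrors the KeePass 2.x rules for non-XML key files: exactly 32 bytes are
    used as-is, a 64-character hex string is decoded, anything else is hashed
    with SHA-256. (The XML key-file format is not handled here.)
    """
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9a-fA-F]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256( SHA-256(password) || keyfile_key ) as KeePass 2.x does,
    with either component optional. The AES-KDF rounds that KeePass applies
    afterwards are omitted; they slow guessing but do not change this logic."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    if not parts:
        raise ValueError("need at least a password or a key file")
    return hashlib.sha256(parts).digest()


def dictionary_attack(target: bytes, candidates: Iterable[str],
                      keyfile: Optional[bytes]) -> Optional[str]:
    """Try each candidate password (with whatever key file the attacker holds)
    against a known composite key. Returns the matching password or None."""
    for pw in candidates:
        if composite_key(pw, keyfile) == target:
            return pw
    return None


# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]


def demo() -> dict:
    """Run the comparison from the thread: key file present on the stolen
    machine versus key file only ever on a USB stick."""
    master = composite_key("correct horse", KEYFILE_RAW)
    return {
        # attacker copied database AND key file from the same PC
        "with_keyfile": dictionary_attack(master, WORDLIST, KEYFILE_RAW),
        # attacker copied only the database; key file lived on a USB stick
        "without_keyfile": dictionary_attack(master, WORDLIST, None),
        # a key file alone is also a valid (if unwise) KeePass key
        "keyfile_only_differs": composite_key(None, KEYFILE_RAW) != master,
    }


if __name__ == "__main__":
    print(demo())
```

The missing key file contributes 256 bits the attacker cannot obtain by guessing, which is why storing it next to the database on the same PC, where a keylogger or a local intruder can copy both, gives back almost nothing of that benefit.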
  5. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Another thing you might consider is not mixing home and work passwords/data. You might consider two separate databases for home and work.

    The problem is almost always going to be more your work PC than your home PC. If you didn't set it up yourself, you don't really know what's on it. Do other people have access to it? Etc.

    Depending on how much you trust that PC, you might want to consider not accessing certain accounts that aren't necessary for work. Personally, I consider any PC that I didn't set up myself or that other people have access to to be unsecured, and I limit my access accordingly.

    But, then again, you might trust it as much as your home PC. It all depends on the work environment.
     
  6. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    thanks - that makes it much clearer :D
     