KeePass / TrueCrypt best practices?

Soldato | Joined 18 Oct 2002 | Posts 7,052 | Location Kuala Lumpur, Malaysia
I've been doing some reading about where to store passwords etc. recently, as I have too many of the damn things and struggle to remember them. A lot of them are saved in Firefox (with master password) but now I am looking at putting these onto KeePass. Would just like some suggestions/examples of how others are keeping the keyfiles / backups.

I understand the keyfile and backup shouldn't really be in the same place (kind of defeats the point of having them I guess :p) what about storing the keyfile and backup database inside a TrueCrypt container, or the database loose and the keyfile only inside a TrueCrypt container? Of course not losing the keyfile is pretty important - I don't want to go around changing all my passwords to something I can never remember without the software and then losing access to the database :p

Or is a good password alone strong enough and a keyfile a waste of time? According to this link posted in GD recently: https://www.grc.com/haystack.htm it looks that way.

Online Attack Scenario:
(Assuming one thousand guesses per second) 7.64 million trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 76.43 billion trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 76.43 million trillion trillion centuries
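The three figures quoted above come from a simple calculation: count every string of the password's length or shorter over the character classes it uses (GRC calls this the "haystack"), then divide by the guess rate of each scenario. The following is an added worked example written for this thread, not code from GRC, KeePass or the original poster; it assumes GRC's 33-symbol punctuation class and a 100-year Julian century, and uses a constructed sample password, so it cannot reproduce the exact numbers above (the OP's test password is not given). It also applies the same arithmetic to the 2^256 AES key space, which is the comparison the later replies draw.

```python
from typing import Dict

# Guess rates for the three scenarios quoted from GRC's haystack page (guesses per second).
SCENARIOS = {
    "Online Attack": 1e3,
    "Offline Fast Attack": 1e11,
    "Massive Cracking Array": 1e14,
}

# Assumption: a century of 100 Julian years (365.25 days each).
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Character classes an exhaustive search has to cover. The 33-symbol figure is the
# printable ASCII punctuation set (95 printable characters minus 62 alphanumerics).
CHARACTER_CLASSES = [
    ("lower", 26, str.islower),
    ("upper", 26, str.isupper),
    ("digit", 10, str.isdigit),
    ("symbol", 33, lambda c: not c.isalnum()),
]


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover, judged by which
    character classes the password actually uses."""
    return sum(size for _, size, test in CHARACTER_CLASSES if any(test(c) for c in password))


def search_space(alphabet: int, max_length: int) -> int:
    """The 'haystack': every string of length 1..max_length over the alphabet.
    Exact integer arithmetic, so long passwords do not lose precision here."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the space, in centuries."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def haystack_report(password: str) -> Dict[str, float]:
    """Centuries to exhaust the password's haystack under each scenario.

    Caveat for reading the numbers: this is an upper bound. A password taken from a
    dictionary or a leaked-password list is found after searching that list, not the
    whole haystack, so the figures only mean something for a genuinely random password.
    """
    space = search_space(alphabet_size(password), len(password))
    return {name: centuries_to_exhaust(space, rate) for name, rate in SCENARIOS.items()}


def aes256_keyspace_centuries(guesses_per_second: float) -> float:
    """The same arithmetic applied to the 2^256 AES key space that protects the
    database file itself, for comparison with the password's haystack."""
    return centuries_to_exhaust(2 ** 256, guesses_per_second)


if __name__ == "__main__":
    sample = "Xk7#pq2Lm9$w"  # constructed 12-character sample, not a real password
    print(f"alphabet {alphabet_size(sample)}, length {len(sample)}")
    for name, centuries in haystack_report(sample).items():
        print(f"{name:24s} {centuries:.3g} centuries")
    print(f"AES-256 key space at 1e14/s: {aes256_keyspace_centuries(1e14):.3g} centuries")
```

Running it shows the point the thread is circling: even a modest 12-character random password sits in the "centuries" range under the fastest scenario, while the AES-256 key space is tens of orders of magnitude beyond that, so the master password, not the cipher, is the part worth strengthening.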
 
The KeePass database file is encrypted using AES with a 256-bit key, that's all you really need for any practical purposes (using a strong password, needless to say). Storing it in a TrueCrypt container is overkill IMO, just copy the file somewhere else to back it up.

BTW, you might also find LastPass useful (it integrates into Firefox very nicely using a plugin).
 
The only issue, not sure how valid of a concern it would be, is that LastPass cannot store the passwords locally, afaik. Whilst it is encrypted, it has to be sent and stored remotely. I remember, albeit vaguely, LastPass having some security issues a while ago but I can't remember how serious it was. However small a risk that is, it just adds another layer of potential issues that can be avoided. To me, having an online central storage of passwords etc. is like a red rag to a bull in being a potential target and challenge for those people who are inclined to attempt to compromise them.

KeePass does store the encrypted file locally and so no sending or Internet connection is required to access your database of passwords.

I did use and enjoy LastPass but after finding KeePass and the Firefox plugin KeeFox I am more than happy with that combination.

Just found some information about the potential security issues LastPass encountered...

http://news.cnet.com/8301-1009_3-20060464-83.html

and

http://blog.lastpass.com/2011/05/lastpass-security-notification.html
 
Fair enough, although if I'm understanding correctly it was only people with weak passwords who would have been at risk, as there was never any danger of the encryption itself being broken.

I guess a local-only solution would restrict any threat to those who have physical access to your PC, but in all honesty I think anyone with the resources to break 256-bit AES would probably have no trouble getting that access if they really wanted it. :D
 