AdvancedSetup

Keepass 2.43 Password Safe update


Highly recommended tool for securely saving your passwords.

Keepass Password Safe 2.43 update released 2019-09-10

https://keepass.info/news/n190910_2.43.html
https://keepass.info/download.html

Keepass Security
https://keepass.info/help/base/security.html

Make sure you use a strong master password. Personally I'd recommend 128+ bit complexity (but that is way overkill unless some unknown major change in computing power comes along soon).


Then set the key transformation settings (the link below helps provide information on how to choose good settings).
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing/

Example:
(Remember that if you share the database on other devices you'll need a value that allows it to open on the weakest device too. As I don't use mobile and both systems I use are fast, I can keep the settings high for both.)



KeePass Password Manager: Full Detailed Setup (good video on setting up and using KeePass, but choose the Argon2 method for key transformation)


Ten Immutable Laws Of Security (Version 2.0)
https://web.archive.org/web/20180529154650/https://technet.microsoft.com/en-us/library/hh278941.aspx

The 10 Immutable Laws

  Law #01: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
  Law #02: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  Law #03: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  Law #04: If you allow a bad guy to run active content in your website, it's not your website any more.
  Law #05: Weak passwords trump strong security.
  Law #06: A computer is only as secure as the administrator is trustworthy.
  Law #07: Encrypted data is only as secure as its decryption key.
  Law #08: An out-of-date antimalware scanner is only marginally better than no scanner at all.
  Law #09: Absolute anonymity isn't practically achievable, online or offline.
  Law #10: Technology is not a panacea.


Edited by AdvancedSetup
updated information


The question is not which is better but whom do you TRUST!

Presumably, if you have a good AV/AM, keylogging is not an issue and thus a moot point. However, if you are on a corporate network that enables and whitelists a keylogger (which is legal in the US), then it is possible that when your data is decrypted from the credential store it may be harvested. However, that points to the fact that one should NOT be doing personal business on employer-provided equipment.

1 hour ago, David H. Lipman said:

The question is not which is better but whom do you TRUST!

Presumably, if you have a good AV/AM, keylogging is not an issue and thus a moot point. However, if you are on a corporate network that enables and whitelists a keylogger (which is legal in the US), then it is possible that when your data is decrypted from the credential store it may be harvested. However, that points to the fact that one should NOT be doing personal business on employer-provided equipment.

^^^^^ 100%

1 hour ago, AdvancedSetup said:

See the 10 Immutable Laws above


That whole OP is a great write-up. I'm pleasantly surprised that the maker of the video went through all of that detail to show a good way to set up the database. He did a great job (aside from not using Argon2; the link you provided worked well for me in terms of actually making sense, as I live for these computational things).

That being said, since I *do* use mobile, what I typically did in the past was to use the AES-KDF method for transformation, using the 1 second delay test, and then removing a single digit to make it compatible with my (then less powerful) mobile device.  Now, I realize that I need to revisit that and see just how fast my phone can decrypt it using a full 1 second delay - after all, the 1 second delay I'm deriving is on my ancient Core i7 965 EE (yes, first-gen Bloomfield) CPU, and my current phone is a Pixel 2 XL - pretty powerful in terms of a comparison to the phone I had when I first set the delay up (Original Motorola DROID, now a full 8 years old).

And as I use Android, I need to see if the KeePass2Android app can decrypt the database if I set the transformation method to Argon instead of AES-KDF.  I have my work cut out for me this evening.

Thanks again @AdvancedSetup

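The calibration the post above describes (time the key transformation to a one-second delay on the desktop, then back it off so the weakest device, a phone here, can still open the database, as the OP also advises) as an added example; this is not code from the thread or from KeePass. Assumptions: PBKDF2-HMAC-SHA256 from Python's standard library stands in for KeePass's AES-KDF/Argon2 because it exposes a single iteration count whose cost grows linearly, and the probe password, salt and the 10x "phone is slower" factor are constructed values.

```python
import hashlib
import time

# Constructed probe inputs (not a real password or salt); only the timing matters.
# PBKDF2-HMAC-SHA256 is a stdlib stand-in for KeePass's AES-KDF / Argon2,
# used here solely to demonstrate the calibration method.
PROBE_PASSWORD = b"correct horse battery staple"
PROBE_SALT = b"constructed-32-byte-salt........"


def kdf_once(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Run the stand-in key transformation once and return the 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def measure_seconds(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for one transformation on this machine."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        kdf_once(PROBE_PASSWORD, PROBE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def scale_iterations(probe_iterations: int, probe_seconds: float,
                     target_seconds: float, weakest_device_factor: float) -> int:
    """Iteration count that takes about target_seconds on the slowest device.

    Work grows linearly with the count, so the per-iteration cost measured here
    is multiplied by how many times slower the weakest device is. A factor of
    10.0 reproduces the "drop one digit for the phone" rule of thumb from the thread.
    """
    per_iteration = probe_seconds / probe_iterations
    return max(1, round(target_seconds / (per_iteration * weakest_device_factor)))


def calibrate(target_seconds: float = 1.0, weakest_device_factor: float = 1.0,
              probe_iterations: int = 200_000) -> int:
    """Measure this machine, then return the count to configure in the database."""
    return scale_iterations(probe_iterations, measure_seconds(probe_iterations),
                            target_seconds, weakest_device_factor)


if __name__ == "__main__":
    desktop_only = calibrate(1.0, 1.0)
    with_phone = calibrate(1.0, 10.0)
    print(f"desktop only: {desktop_only} iterations; phone ~10x slower: {with_phone}")
```

Argon2 in KeePass adds memory and parallelism parameters that this linear scaling does not model, so the count it suggests is a starting point to confirm by timing the real database on the actual slowest device.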

Well familiar with the Gibson one - I've been visiting his site for a very, very long time now (ever since my first ever Click-of-death on a parallel-port iOmega ZIP drive). Still use a few of his utilities to this day, including DNS Benchmark and SecurAble.

And attempting to explain PWs and pw security to my parents was a lost cause - until XKCD tackled it not once but twice (that I used).

https://xkcd.com/792/ (with corresponding explanation at https://www.explainxkcd.com/wiki/index.php/792:_Password_Reuse)

and https://xkcd.com/936/ (with corresponding explanation at https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength)

Believe it or not, he does a great job with the second one, but also takes a couple of jabs at both Gibson and Bruce Schneier... or, whoever wrote the wiki explanation article anyway.


So, I swapped my database over to using Argon2, with n=m=32 (the same number, obviously in different units), and p=4. On my desktop it takes ~1.6 seconds - but in practice it takes a bit more time, usually above 2 seconds.

That phone up there that I mentioned?  If it is using the same mechanism to decrypt the database, it takes no longer than my desktop does 😛

And as I am about to upgrade my phone in the next month or so to the Pixel 4, I will probably need to revisit this again - and set it to something large like 5-10 seconds on the desktop and see how long the phone takes 😛


Not a Google fan, and distrustful of their phones, but it sure is tempting. Who knows, maybe I'll get one some day.



November makes 9 years I've been using (and abusing / testing / bricking / crackflashing / call it what you will) Android phones. I'm all in on using Google's (admittedly not so free) services.

I've distanced myself well from Facebook, will never use their mobile apps again and only log in every now and again to check and see what's going on with my fellow classmates - we just had our 30th reunion last year. So, like once a month, if that, on FB.

But I use Google stuff daily. Multiple times a day - and that is without even considering anything I do on the phone...


Yeah, I don't have anything to hide but still just don't like companies poking around with my data if it can be helped. Sometimes it cannot and it is what it is.

