Password managers really have taken off since 2014. Of course, power users have been using them prior to 2014. One of my favorite password managers is KeePass. It was one of the first ones I used and for good reasons.
Not everyone is confident in choosing this option, however. In this article, we’ll go over a few concerns others have had with the security of KeePass, and I’ll present why I think these concerns are largely overblown.
You Have Control Over the Security of Your Database
First up, I’ll say that the KeePass database is secure. If you don’t think it is secure enough by default, you have the option to increase the security. You can increase the resiliency to brute-force attacks by increasing the number of PBKDF2 iterations used when deriving the database encryption key from your password.
To review database security options, do the following:
- In KeePass, Click on File.
- Click on Database Settings.
- Click on the Security tab.
Change this to what you like. Some people like to use around 5,000,000 rounds (roughly a 1s delay when opening the database). I have seen this in multiple forums and answer sites.
KeePass has a newer database format, KDBX 4. It is pretty beefy. Sure, the database is probably still breakable with enough resources thrown at it, including a proper dictionary or password list, but the time and cost to do so aren’t feasible.
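To show what raising the round count actually buys you, here is an added example (my own code, not KeePass’s) that stretches a master password with PBKDF2-HMAC-SHA256 from Python’s hashlib as a stand-in for the key transformation described above, times a single unlock at several round counts, and turns that into a rough brute-force estimate. The salt, the dictionary size and the attacker speed-up are constructed values, not KeePass defaults.

```python
import hashlib
import time

# Constructed 16-byte salt; a real database stores its own random salt in the header.
SALT = b"constructed-salt"


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Every guess an attacker makes has to pay for all `rounds` iterations,
    which is what makes the Security-tab round count a brute-force lever.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def time_unlock(password: str, salt: bytes, rounds: int, samples: int = 3) -> float:
    """Seconds one legitimate unlock costs on this machine (median of `samples`)."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_key(password, salt, rounds)
        timings.append(time.perf_counter() - start)
    return sorted(timings)[len(timings) // 2]


def brute_force_years(seconds_per_guess: float, guesses: int, attacker_speedup: float) -> float:
    """Years to try `guesses` candidates when the attacker derives keys
    `attacker_speedup` times faster than this machine (e.g. a GPU cluster)."""
    total_seconds = seconds_per_guess * guesses / attacker_speedup
    return total_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample master password
    for rounds in (6_000, 60_000, 600_000):
        unlock = time_unlock(pw, SALT, rounds)
        # 1e9 guesses is a constructed wordlist size; 1000x is an assumed attacker advantage.
        years = brute_force_years(unlock, 10**9, 1000)
        print(f"{rounds:>8} rounds: unlock {unlock * 1000:7.1f} ms, "
              f"~{years:.1f} years to exhaust 1e9 guesses at 1000x our speed")
```

The estimate scales linearly with the round count, so a tenfold increase in rounds costs you a tenfold slower unlock but costs the attacker tenfold more per guess; a weak master password still collapses the estimate because the attacker needs far fewer guesses.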
KeePass Has Stood the Test of Time
If you look at the ratings KeePass has received, you can feel very confident in using this offering. Some accolades include but are not limited to:
- 45+ recommendations or awards from websites and magazines.
- KeePass is participating in the EU-FOSSA 2 project, which invites hackers to try to find vulnerabilities.
- KeePass is the recommended password manager of the German Federal Office for Information Security.
- Recommended by the Swiss Federal Office of Information Technology, Systems and Telecommunication, and the Federal IT Steering Unit.
- and many more!
Nearly all password managers have had security issues. KeePass doesn’t store your database anywhere but on your own device, so it would be more secure than other mainstream password managers that hold your database for you.
As I mentioned previously, security issues pinned to KeePass are mostly overblown. People see issues and make false claims because they don’t understand how the attacks work. Most security issues with KeePass depend on other factors before they become a problem.
To put it plainly, your computer would have to be compromised for KeePass to be compromised. By this point, you would have bigger problems. Hacks would be due to bad cyber hygiene and not KeePass itself.
KeePass has written about KeeFarce, a pentesting tool originally posted on the code-sharing site GitHub. This tool would first need to be installed on the target computer. That’s not all. Once the tool has been compiled, delivered, and installed, the target would need to launch KeePass and log into their database.
Only then can the tool use DLL injection to get KeePass to export the entire plaintext password database as a CSV file. Yes, this would be bad for you, but once again, this would require your computer to already be compromised. KeeFarce itself is not an attack. Specialized spyware would be needed for this to be an actual problem.
The Real Problem
The developers of KeePass put this in a simple, yet profound way. KeePass cannot protect itself from targeted spyware if a computer system is compromised. “If a bad guy can install software on your computer, it’s not your computer anymore.”
You would need to make sure of the following:
- Your system is updated.
- You are using good, updated antivirus software.
- Do not install software from untrusted sources.
- Do not click on unknown links and attachments.
- Use a proper firewall.
- Secure your system from strangers.
These habits not only keep a tool like KeeFarce from being installed without your knowledge, but also keep malware off your system in general.
For password manager security, review the workspace lock timeout and clipboard auto-clear settings. These settings should be enabled by default, but it would be good to check your settings to confirm what the defaults are.
The other elephant in the room is your master password. Your database security largely falls on how well crafted and secure it is. Would it easily be cracked by dictionary attacks?
If you would like additional reading on the security of KeePass, I would recommend Part 1* and Part 2* of these case studies by harmj0y. I very much enjoyed them. They go into far more depth on the security efficacy of KeePass through practical means.
Update: The harmj0y case studies appear to be down. Here’s a link to the slide deck to his presentation on the topic: A Case Study in Attacking KeePass. Also, here are the original blog post URLs in case they return:
Let me know what you like or don’t like about KeePass, and what you think of their security in the comments below!