Practical and Secure use of KeePass

There's no way to sugar-coat this one. Malware or a keylogger installed on your computer means that your passwords are exposed. That's it, there's no way around it.

Malware or a keylogger will log your master password, intercept the clipboard, somehow access the decrypted database in memory, etc.


There are ways to increase the difficulty of retrieving the KeePass master password, such as setting it to allow entry on the secure desktop only.

To prevent someone from getting your KeePass database file and performing brute force on it, you can also increase the AES iteration count that KeePass uses during the master password derivation process, so as to increase the effort required to brute force the master key should your database be exfiltrated.

There is also an option to enable two-channel obfuscation during Auto-Type, when KeePass does the typing of the username and password for you. It should prevent crude keyloggers from retrieving the specific password you use for that site.

To prevent malicious access to the KeePass database (and your decryption passphrase, since you need to type it in plaintext somehow, and that can be intercepted if your computer is compromised) in the first place, keep your computer secure. You know the drill: install and update your AV software, keep your OS and software updated, have a firewall, review logs regularly, etc.

Finally, increase the entropy and length of the master password used. Instead of 9 characters, how about 13+? Instead of lowercase letters only, what about including uppercase and even a special character or two? The longer and more unpredictable your password is, the longer it will take your attacker to brute force the database master key.


You could try to set up some kind of OTP solution in addition to the password you store in KeePass, or as a substitute.

A rather affordable one could be the YubiKey (http://www.yubico.com/products/yubikey-hardware/yubikey/).

You can do stuff like replacing a Linux PAM module with a Yubico one and using a YubiKey to log on to a Linux box, and so forth...

This is not advertising, rather an affordable OTP example. Maybe not a solution for every KeePass use case, but if you store system credentials in KeePass you could add a layer of security to them....

Edit: Also, as mentioned, use a lot more than 9 digits. Use something long and complex which is still easy to type, like a long sentence with some extra special characters in it. Don't do simple stuff like swapping an e with a 3. There are brute-force plugins for that kind of stuff. Just add random signs at the end/beginning and/or middle...

Edit2: Just found this: http://keepass.info/help/kb/yubikey.html, see the OTP part at the end. I cannot promise you that this is a proper and secure OTP implementation and that the plugin is without flaws. However, the theory sounds good and it's a good starting point to do some research on it or look for alternatives like this.

Edit3: A free alternative to the YubiKey would be the Google Authenticator app for iOS or Android, which should work fine with the KeePass OtpKeyProv plugin according to http://mx.thirdvisit.co.uk/2014/01/02/getting-the-otpkeyprov-hotp-plug-in-to-work-with-google-authenitcator/

(Again, I cannot promise that the OtpKeyProv implementation is flawless....)
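As an added example that is not part of either answer above, nor code from KeePass itself, the following Python script puts numbers on three points the answers make: a longer, more varied master password enlarges the keyspace; swapping letters for look-alike digits (e → 3) barely helps against a mangling-rule attack; and every key transformation round the database demands is paid once per guess, so raising the round count scales the attacker's cost linearly. The leetspeak table, the 100,000-word dictionary size and the attacker's guess rate are constructed assumptions chosen for illustration, not measurements of any real cracker or of KeePass's actual key derivation.

```python
"""Brute-force cost model for a KeePass master password (added illustration).

Two attacker models are compared:
  * a raw character-set search over the password's length and classes, and
  * a dictionary + mangling attack (leetspeak swaps like e->3, digits appended),
    which is what the "swap an e with a 3" advice is really up against.
Each guess must also pay the key transformation rounds, so the estimated time
scales linearly with that database setting.  All rates and sizes are assumptions.
"""
import itertools
import math
import string

# Constructed leetspeak table: substitutions a typical mangling rule set tries.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet size a naive charset attack must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def charset_bits(pw: str) -> float:
    """Entropy in bits if the password were uniformly random over its alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def leet_variants(word: str):
    """Yield every leetspeak variant of `word`: each eligible letter is either
    kept or replaced by one of its substitutes, independently of the others."""
    options = [[c] + list(LEET.get(c, "")) for c in word.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangled_keyspace(dictionary_size: int, word: str, suffix_digits: int) -> int:
    """Keyspace a mangling attack searches for passwords built from one
    dictionary word, any leet substitution of it, and `suffix_digits` trailing
    digits.  `word` stands in for a typical dictionary entry."""
    variants = sum(1 for _ in leet_variants(word))
    return dictionary_size * variants * 10 ** suffix_digits


def years_to_exhaust(keyspace: int, rounds: int, kdf_ops_per_sec: float) -> float:
    """Years to try the whole keyspace when each guess costs `rounds` key
    transformation operations and the attacker performs `kdf_ops_per_sec`."""
    return keyspace * rounds / kdf_ops_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed attacker throughput: 1e9 transformation ops/sec (illustrative only).
    RATE = 1e9
    leet, strong = "p@55w0rd1", "correct horse battery staple!"
    print(f"{leet!r}: charset model {charset_bits(leet):.1f} bits")
    ks = mangled_keyspace(100_000, "password", 1)
    variants = sum(1 for _ in leet_variants("password"))
    print(f"{leet!r}: mangling model {math.log2(ks):.1f} bits "
          f"(100k words x {variants} leet variants x 10 digits)")
    print(f"{strong!r}: charset model {charset_bits(strong):.1f} bits")
    for rounds in (6_000, 60_000, 6_000_000):
        print(f"  rounds={rounds:>9}: mangled keyspace exhausted in "
              f"{years_to_exhaust(ks, rounds, RATE):.2e} years")
```

Running it shows the gap between the two models: "p@55w0rd1" looks like roughly 55 bits to a charset counter, but a dictionary of 100,000 words with 54 leet variants of "password" and one appended digit is only about 26 bits of work, which is why the mangling plugins mentioned above are effective. The round-count loop shows that a 1000-fold increase in transformation rounds buys a 1000-fold increase in attacker time, and nothing more; length and randomness in the passphrase are what move the exponent.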

Tags:

Keepass