6

Over at Does adding two-factor authentication by OTP really make KeePass more secure the top answer unmistakably states that KeePass is not made more secure by using an OTP. I told a friend I was using PasswordSafe instead of KeePass but then he asked how was that any different and I realized that I trusted the PasswordSafe+YubiKey combination to be secure mostly because they have mutual advertising.

The answers to the SE question mentioned above explain why KeePass is not made more secure by 2-factor-authentication (2FA). Can somebody give the same explanation (whether positive or negative) for PasswordSafe?

Sixtyfive
  • 216
  • 2
  • 8
  • I'm not sure what you are asking and the details in your question do not seem to apply to the title question. Can you refine your question a little more? What kinds of differences are you looking for? – schroeder Dec 16 '15 at 15:44
  • Thanks for the comment! Tried to change it to make clear that I'm looking for a "why is this secure when the other is not"... – Sixtyfive Dec 16 '15 at 15:50
  • I would hesitate to trust the answer of the KeePass question since it appears to be conjecture about how the OTP figures into password database protection. I would assume that both the KeePass and PasswordSafe solutions are modifying the password database or the database key in a way so that they are actually adding a layer of protection to the data and not just modifying that particular password manager executable to require a second factor. It would be silly to allow an unmodified executable to bypass that security. Of course, you should be careful about accepting this assumption too. – PwdRsch Dec 16 '15 at 18:10
  • Yes, that's why I thought I'd ask here. Perhaps somebody who is knowledgable enough to read the sourcecode comes along (That's what one of the answers to the KeePass question also claims to have done...) – Sixtyfive Dec 17 '15 at 16:23

1 Answers1

1

When using a YubiKey; PasswordSafe uses a Challenge-Response based on HMAC-SHA1 for the second factor. This functionality is included in the original program with no plugins and there is no recovery method. If you lose the key, you lose your data. I believe this makes it more secure.

Keepass can use OATH HOTP mode (with the OtpKeyProv plugin) and HMAC-SHA1 Challenge-Response mode (with the KeeChallenge plugin). Both of these plugins offer a recovery mode where you can recover the database using a long secret. The security of these systems is only as strong as your ability to secure that secret. It's a long string that you would normally want to store in an encrypted container like a password safe...

Sources:

HackSlash
  • 268
  • 1
  • 10