I've read KeePass kinda sorta tries as much as is possible to limit keyloggers (at least on PC).

But since you type in your master database password on many devices many times, there's a huge chance that someone can at one point obtain a snapshot of your key and your database file.

So why not use a combination of a strong passphrase and a one-time password algorithm like your bank does, or Steam Guard, or other OTP keys? (And if you lose your OTP device you would have a few printed OTP backup keys.)

No? People seem to say "it won't help protect you any better".

Should I install the OTPKeyProv plugin? Does it work on mobile? Does it still also use your passphrase?

Spectraljump
  • See also: [Does adding two-factor authentication by OTP really make KeePass more secure](https://security.stackexchange.com/questions/42446/does-adding-two-factor-authentication-by-otp-really-make-keepass-more-secure) – Ajedi32 Jun 30 '17 at 20:33
  • The problem is that when you don't trust the system KeePass runs on, there isn't much you can do to prevent that system from tampering with any authentication method you come up with. – Philipp Jun 30 '17 at 22:17
  • instead of using a software like keepass you might want to take a look at the mooltipass https://www.themooltipass.com/ – cornelinux Jul 01 '17 at 10:55
  • What if you have a keepass server with your database, that requires your pass + OTP to log in? – Spectraljump Jul 01 '17 at 13:23

1 Answer

Nobody has figured out how to involve OTP with encryption that materially improves security.

It's important to remember that KeePass's master password is used to derive the encryption key, so it is actively involved in file modification transactions; unlike web service credentials, which are only used for authentication, which is simply attached to the transaction. An OTP that changes all the time wouldn't be useful for deriving the encryption/decryption key.

A place where OTP could be useful is as a quick unlock solution, where you only need to type the master password once at startup and can then unlock with a shorter password afterwards. But for OTP quick unlock to make sense, it needs to be easier to type than just retyping the master password. Also, since quick unlock requires that KeePass caches the master key, for it to be secure you would probably need an HSM of some sort so other programs can't read the master key off the KeePass process.

Lie Ryan
  • What I was more thinking about was the functionality that gmail has: if someone guesses my password, they still can't get to my email without my phone (or a stingray interceptor etc). – Spectraljump Jul 01 '17 at 12:45
  • 1
    Isn't it possible to insert OTP betwen the master key and your passwords or to somehow make it part of the master key? I guess nobody figured out how. – Spectraljump Jul 01 '17 at 13:17
  • @Spectraljump: it isn't impossible to add OTP to encryption, there are many ways to do that, however it just wouldn't add any meaningful security, while making it incredibly inconvenient for users. In fact most schemes for adding OTP to file encryption might actually reduce security rather than improving it. – Lie Ryan Jul 03 '17 at 03:43
  • Maybe I can set up a unix freenas jail that holds my password database and requires both a password and an OTP from my phone to authenticate, like on gmail. – Spectraljump Jul 03 '17 at 06:11
  • 1
    Not true. What you write is correct for TOTP (*time-based* one-time password) algorithms whose codes cannot be predicted in advance, but it is not for OTP in general. HOTP in particular, which is used by the OTPKeyProv plugin, generates codes which change based on a counter value. This counter is generally only incremented after using one code, to obtain the next code. IIUC the plugin pre-generates the next code or next few codes and encrypts some key information which must be used as part of the composite master key; thus without a valid HOTP code you cannot decrypt the database at all. – Ben Jul 04 '17 at 15:06
  • 1
    See https://security.stackexchange.com/a/73802/93625 – Ben Jul 04 '17 at 15:09
  • @Ben: HOTP-imbued encryption is the kind of scheme I meant by "does not materially improve security", while adding significant risks. Imagine you've got your master password and database file stolen, so the attacker also has one copy of your HOTP value at counter N. The raison d'être of OTP is that if you never detect this breach, the attacker should not be able to use their existing knowledge to decrypt future versions of the database file. Since there is a copy of the HOTP secret in the old database, the attacker can just use that to generate all future HOTP values. – Lie Ryan Jul 05 '17 at 02:26
  • @Ben: the practical effect is that for encryption, HOTP does not improve security in any attack scenario compared to using both a master password and a keyfile, which is supported natively in KeePass, while it also adds the risk of making access to your own database difficult if the counter gets out of sync. – Lie Ryan Jul 05 '17 at 02:37
  • Forgive me if I'm wrong, but I thought the point of OTPKeyProv was that the secret is *not* stored in the database, but rather is stored on an external device such as a YubiKey? – Ben Jul 05 '17 at 13:35
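The following is an added example, not code from this thread, from KeePass or from the OTPKeyProv plugin. It models in Python the two things the discussion turns on: the answer's point that every component of a KeePass composite key is a fixed input to a slow KDF, and the HOTP scheme Ben describes, where a block of consecutive counter-based codes wraps some key material that then becomes one of those components. The `hotp` function follows RFC 4226 and is checked against the RFC's published test vector; the composite-key layout, PBKDF2 standing in for KeePass's AES-KDF/Argon2, XOR wrapping standing in for AES, the header format and `CODES_PER_UNLOCK` are hypothetical simplifications. Whether the HOTP secret leaks together with the database file is exactly what the last two comments dispute, so `attacker_opens` takes the secret as an explicit input rather than reading it from the file.

```python
import hashlib
import hmac
import struct

CODES_PER_UNLOCK = 3   # hypothetical: consecutive HOTP codes typed per unlock
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_for(secret: bytes, counter: int) -> list[str]:
    """The block of codes that unlocks a header sitting at `counter`.
    All that is needed is the secret and the counter; nothing else is involved."""
    return [hotp(secret, counter + i) for i in range(CODES_PER_UNLOCK)]


def composite_key(password: str, key_material: bytes) -> bytes:
    """KeePass-style: SHA-256 each component, concatenate, SHA-256, then a slow KDF.
    Each component is a fixed input, so a per-unlock value cannot go in here
    (the answer's point); PBKDF2 stands in for KeePass's AES-KDF/Argon2.
    key_material plays exactly the role of a KeePass key file."""
    raw = hashlib.sha256(hashlib.sha256(password.encode()).digest()
                         + hashlib.sha256(key_material).digest()).digest()
    return hashlib.pbkdf2_hmac("sha256", raw, b"fixed-kdf-salt", 20_000)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key_material(secret: bytes, counter: int, key_material: bytes) -> dict:
    """Provider header (hypothetical format): key material XOR-wrapped under a key
    derived from the next CODES_PER_UNLOCK codes; the counter is stored in the clear."""
    wrap = hashlib.sha256("".join(codes_for(secret, counter)).encode()).digest()
    return {"counter": counter, "wrapped": _xor(key_material, wrap)}


def create_database(password: str, secret: bytes, key_material: bytes) -> dict:
    key = composite_key(password, key_material)
    return {"header": wrap_key_material(secret, 0, key_material),
            # stands in for the header HMAC that tells KeePass the key was right
            "key_check": hashlib.sha256(b"check" + key).digest()}


def unlock(db: dict, password: str, codes: list[str]):
    """Return (composite_key, key_material), or None if password or codes were wrong."""
    wrap = hashlib.sha256("".join(codes).encode()).digest()
    key_material = _xor(db["header"]["wrapped"], wrap)
    key = composite_key(password, key_material)
    if hashlib.sha256(b"check" + key).digest() != db["key_check"]:
        return None
    return key, key_material


def save_after_unlock(db: dict, secret: bytes, key_material: bytes) -> dict:
    """Legitimate client: re-wrap under the next block of codes, advancing the counter."""
    nxt = db["header"]["counter"] + CODES_PER_UNLOCK
    return {**db, "header": wrap_key_material(secret, nxt, key_material)}


def attacker_opens(snapshot: dict, password: str, secret: bytes) -> bool:
    """Lie Ryan's scenario: password and a database snapshot leaked once, and the
    attacker also holds the HOTP secret (whether it leaks with the file is what the
    last comment disputes, so it is an explicit input here). The counter is read
    from the stolen header, so any later snapshot opens the same way."""
    counter = snapshot["header"]["counter"]
    return unlock(snapshot, password, codes_for(secret, counter)) is not None


def demo() -> dict:
    secret = b"12345678901234567890"                 # RFC 4226 test-vector secret
    password = "correct horse battery staple"        # constructed
    key_material = hashlib.sha256(b"constructed key material").digest()

    db = create_database(password, secret, key_material)
    for _ in range(2):                               # user unlocks twice: counter 0 -> 3 -> 6
        opened = unlock(db, password, codes_for(secret, db["header"]["counter"]))
        db = save_after_unlock(db, secret, opened[1])

    return {
        "first_codes": codes_for(secret, 0),         # RFC 4226 Appendix D values
        "current_counter": db["header"]["counter"],
        "user_unlock_ok": unlock(db, password, codes_for(secret, 6)) is not None,
        "wrong_codes_rejected": unlock(db, password, ["000000"] * CODES_PER_UNLOCK) is None,
        "stale_codes_rejected": unlock(db, password, codes_for(secret, 0)) is None,
        "attacker_with_secret_opens_future_db": attacker_opens(db, password, secret),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` walks the sequence: the right block of codes unlocks, wrong or stale codes are rejected because the unwrapped key material no longer produces the checked composite key, and an attacker holding the password, one snapshot and the secret opens every later version, since the only other input the codes depend on is the counter, which the header stores in the clear. Note also that `key_material` is indistinguishable from a KeePass key file as far as `composite_key` is concerned, which is the comparison Lie Ryan draws; remove the wrapping and nothing about the key derivation changes.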