
My KeePassX file has a long and strong password.

I've read several articles and discussions about how safe it would be to store such a file on a VPS or a cloud service such as Dropbox. There was no consensus in the discussions.

I'm aware of a possibility that storage or my server can be hacked, or a staff member would copy my file to her computer and try to guess my password -- this is what my question is about too.

Finally, how safe is this if my file is protected by a long enough password by itself and is not encrypted by some other tool unrelated to KeePassX? If the worst happens -- my file gets stolen by a hacker.

I need a simple and succinct answer without any "if...then", "if not...."

schroeder
Incerteza
  • If the password or a simple variant (upper case/lower case, simple substitutions, e.g. 0 for O) is on a list of frequently used passwords such as [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords), it is not really secure against a targeted attack. You need to define the level of attacker, curious friend vs a nation state. – zaph Oct 06 '18 at 17:52
  • Just so you know: "over 10 characters" isn't actually all that impressive. "Over 12" stands a chance of being good, but I'd suggest 16+ for a password manager's master password. – Ben Oct 06 '18 at 18:47
  • Your exact question has been asked many times and the consensus is always "it's as safe as your master password makes it". – Ben Oct 06 '18 at 19:04

1 Answer

The point of encrypting the key store is that theoretically you should be able to publish the encrypted file to the public and have nothing to worry about.

With that said, all programs have bugs, and to counter that threat it's a good idea to store your key file in an encrypted/protected area such as Dropbox.

While there's a chance Dropbox gets hacked or an employee steals your key store and attempts to hack it, the likelihood is extremely low.

Make sure you're using best practices and you'll be fine.

  • don't reuse the password for encrypting the key store
  • the keystore pass should be difficult to guess
  • use the latest version of the KeePassX program
  • Sign up to haveibeenpwned to be notified about any breaches

Daisetsu
  • 1. How is Dropbox more secure than any other file on the computer that contains Dropbox? 2. If data (a file, etc.) is encrypted with a current cipher such as AES, it is secure if the key is not available—obtainable, guessable, brute-forceable. – zaph Oct 06 '18 at 17:58
  • 1. Dropbox does nothing to secure files stored on your computer. Dropbox encrypts the files that are physically stored on their server in case they get hacked. 2. Maybe. AES is a cipher, it has several lengths you can use. If you use the minimum or the passphrase used is 'cat' or something guessable then it's not secure because it can be guessed, or with a short key length (a key is NOT the passphrase) it could be compromised. This really should be a separate question. – Daisetsu Oct 06 '18 at 18:01
  • you gave the answer to anything but my question – Incerteza Oct 06 '18 at 19:55
  • Ok, let me make it clear. Even if you don't encrypt the KeypassX file with anything other than the program you are extremely secure. I wouldn't even give it a second thought really. – Daisetsu Oct 06 '18 at 19:58
  • `Even if you don't encrypt the KeypassX` -- how? "if you don't encrypt"? I asked "ADDITIONALLY" or what? There's the master password of my db file in KeePassX; is that what you are talking about? – Incerteza Oct 06 '18 at 20:03
  • You don't need to do anything. Just use KeypassX with the default options and you're fine. You don't need any additional steps. The defaults are very secure. – Daisetsu Oct 06 '18 at 20:05
  • Ok. But then how might I "not encrypt it"? The master password exists always and it's mandatory – Incerteza Oct 06 '18 at 20:05
  • KeePass encrypts the password store by default. That master password is what's used to decrypt the keystore so you can use it. – Daisetsu Oct 06 '18 at 20:07
  • @Daisetsu I know that I can. I asked `But then how might I "not encrypt it"?` if it's mandatory – Incerteza Oct 06 '18 at 20:09
  • @アレックス you asked in your question about encrypting the file with a separate process. Daisetsu is saying that you do not need to do that. – schroeder Oct 06 '18 at 20:12
  • I probably said it in a strange way, sorry if this is confusing. If you use KeePassX the program **will** encrypt your passwords. This forms a keystore. If that file is stored somewhere other than your local computer some people like to either encrypt it a second time themselves or store it in a cloud service which encrypts files again for their customers. You are safe using KeePassX with no additional security concerns provided you have a good password and there is no vulnerability discovered in future. – Daisetsu Oct 06 '18 at 20:14
  • @Daisetsu 1. At even the minimum key length of 128-bit AES (Advanced Encryption Standard) with a random key cannot be brute forced. The entire issue is a good key and keeping the key secure. 2. If a password is used it needs to be used with a key derivation method such as PBKDF2, Argon2i or similar with a CPU utilization of around 100ms. 3. To be really secure keep the password or key on paper in a secure (not fire-proof) safe. – zaph Oct 06 '18 at 21:38