How does a password manager like keepass key file be used to increase the security?

465    Asked by AlexanderCoxon in SQL Server , Asked on Dec 29, 2021

Since the password database cannot be decrypted without the key file, the key file needs to be stored somewhere - much like the password database itself. Why is the key file harder for an adversary to get at than the password database itself?

I read the information presented on Wikipedia regarding KeePass and it states that KeePass Password Safe is a free and open-source password manager primarily for Windows. It officially supports macOS and Linux operating systems through the use of Mono.[2] Additionally, there are several unofficial ports for Windows Phone, Android, iOS, and BlackBerry devices.[3][4][5][6][7] KeePass stores usernames, passwords, and other fields, including free-form notes and file attachments, in an encrypted file. This file can be protected by any combination of a master password, a key file, and the current Windows account details. By default, the KeePass database is stored on a local file system (as opposed to cloud storage)

Answered by Anil Jha

In addition to acting as "something you have", the option to use a KeePass Key File allows for more flexibility in the other two factors ("something you know" and "something you are") without having to explicitly implement such behaviour in the application.


Example 1: "Something you know" could be run through a custom or stronger key derivation function than KeePass (especially v1.x compatible) can support; then loaded in as a keyfile.
Example 2: "Something you are" could be run through a biometric scanner that writes out a biosignature which is then run through a trapdoor function and/or key derivation function to be loaded into KeePass which has no native awareness of biometrics, especially on operating systems with no "TWAIN" equivalent biometric standard.
Example 3: "Something you are" in the more generic sense of prove you are a human* by regenerating the keyfile (or one stage thereof) from a human typing in a CAPTCHA image (or one or another possible successors) stored publicly along with the keystore.
Basically, the keyfile option can act as a generic catch-all for any entropy source you can imagine - within the limit of the underlying keystore encryption scheme (256 bit for KeePass).

Your Answer

Interviews

Parent Categories