Does encrypting with a key file actually provide any real protection?

I'm asking about KeePass here, but if other software uses the same key file technique, it may well have the same problem.

KeePass can encrypt your stored passwords.
It offers several methods for the encryption; you can use one of them or combine several.

The most basic one is encrypting with a password; on top of that, you can add a key file to the encryption.
Besides a traditional key file, this key file can be any file: for example a jpg or an mp3 can serve as the key file.

But the biggest question is: once a key file is added, does it really strengthen the protection?

First, when someone gets hold of your KeePass DB file, they will naturally go looking for your KeePass program.
And KeePass's config file stores exactly which key file you are using.

In other words, when a hacker gets your DB file, it is as good as getting your key file too.
So what difference is there between using a key file and not using one?

So what remains to be compared is probably:
1. cracking a KeePass DB encrypted with only a password
2. cracking a KeePass DB encrypted with password + key file, while holding the key file
Is there any difference in difficulty between the two?

This post was last edited by Fanolian on 2019-3-13 20:45

The KeePass help already says:
Key files are typically stronger than master passwords, because the key can be a lot more complicated; however it's also harder to keep them secret.


"And KeePass's config file stores exactly which key file you are using"
By config file do you mean KeePass.config.xml? I don't use a key file; my .xml only stores my db location (because I set KeePass to remember it).
But the usual computer-security answer is: if someone can directly access your computer, no protection is of any use at that point.

More: http://abp-keepass.sourceforge.net/FAQ.html#should

I see a lot of people online share your concern:
https://www.google.com/search?q=keepass+key+file+best+practices


Reply to post #1 by 3ldk

added "what u have."





Exactly, that's where it is stored:

        <Defaults>
                <OptionsTabIndex>2</OptionsTabIndex>
                <SearchParameters>
                        <ComparisonMode>InvariantCultureIgnoreCase</ComparisonMode>
                </SearchParameters>
                <KeySources>
                        <Association>
                                <DatabasePath>..\xxx.kdbx</DatabasePath>
                                <Password>true</Password>
                                <KeyFilePath>..\..\..\xxx\xx.xxx</KeyFilePath>
                        </Association>
                        <Association>
                                <DatabasePath>..\..\..\xxx\xxx.kdbx</DatabasePath>
                                <Password>true</Password>
                                <KeyFilePath>..\..\..\..\..\..\..\..\xx.xxx</KeyFilePath>
                        </Association>
                </KeySources>
        </Defaults>

Actually I think it should at least encrypt the file path and name with the master password (if a master password is used).


"But the usual computer-security answer is: if someone can directly access your computer, no protection is of any use at that point."
I don't quite agree with this. Computer systems will always have vulnerabilities; the purpose of this kind of software is that even if your computer's files leak, your data stays safe. Otherwise you could just store them in plain text.
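As an added example (not code from any poster or from KeePass), a small Python audit that reads the <KeySources> section of a KeePass.config.xml like the one quoted above and reports, for each recorded database, whether a key file path is stored and whether that key file sits in the same directory or on the same drive as the database. The config directory and all paths are constructed placeholders.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <KeySources> block quoted above
# (placeholder paths, not anyone's real config).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Defaults>
    <KeySources>
      <Association>
        <DatabasePath>..\\Vault\\main.kdbx</DatabasePath>
        <Password>true</Password>
        <KeyFilePath>..\\Vault\\main.keyx</KeyFilePath>
      </Association>
      <Association>
        <DatabasePath>..\\Vault\\work.kdbx</DatabasePath>
        <Password>true</Password>
        <KeyFilePath>E:\\keys\\work.keyx</KeyFilePath>
      </Association>
      <Association>
        <DatabasePath>..\\Vault\\old.kdbx</DatabasePath>
        <Password>true</Password>
      </Association>
    </KeySources>
  </Defaults>
</Configuration>
"""

# Assumed location of KeePass.config.xml; relative paths in the file are
# resolved against it here (an assumption for this example).
CONFIG_DIR = "C:\\Users\\alice\\AppData\\Roaming\\KeePass"


def audit_key_sources(config_xml, config_dir=CONFIG_DIR):
    """Return one finding per <Association>: resolved db path, key path, risk label."""
    root = ET.fromstring(config_xml)
    findings = []
    for assoc in root.iter("Association"):
        db = ntpath.normpath(ntpath.join(config_dir, assoc.findtext("DatabasePath", "")))
        key_raw = assoc.findtext("KeyFilePath")
        if key_raw is None:
            # No key file path recorded for this database
            findings.append({"db": db, "key": None, "risk": "no-key-file-recorded"})
            continue
        key = ntpath.normpath(ntpath.join(config_dir, key_raw))
        same_drive = ntpath.splitdrive(db)[0].lower() == ntpath.splitdrive(key)[0].lower()
        same_dir = ntpath.dirname(db).lower() == ntpath.dirname(key).lower()
        # Key file beside the database is the "house key under the door mat" case
        risk = "same-directory" if same_dir else ("same-drive" if same_drive else "other-drive")
        findings.append({"db": db, "key": key, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_key_sources(SAMPLE_CONFIG):
        print(f["risk"], f["db"], "->", f["key"])
```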


Tools->Options->Advanced(tab)->Advanced(section); un-check "Remember key sources…"
Would it be better to untick that? But it seems Windows still keeps a record somewhere of which files you have opened.

I think what they say is quite right:
If your Master Key is a key file only, anyone who has access to your database and key file can access the database.  The key file can only provide security if the database and key file are kept physically separate except when the database is in use.  Hiding the key file on the disk is the same as hiding the house key under the door mat.


Reply to post #4 by 3ldk


Normally speaking, the key shouldn't be kept together with it.....

Putting the key right next to the lock.... that can hardly be safe...


This post was last edited by sparrow on 2019-3-15 11:57

From the KeePass website:
https://keepass.info/help/base/keys.html
"Do not backup the key file to the same location as the database, use a different directory or disk. Test opening your database on another machine to confirm your backup works. ..."
This passage explains it even more clearly:
"Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret – selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective."
So, what can be done:
1. master pw + key file
2. Don't save history, but it can still be found via file access times.
3. db file on the HD, master pw in your head, key file on external storage, plug in the USB only when needed, but that's quite a hassle.
4. master pw in your head, db file and key file on external storage, plug in the USB only when needed, but that's quite a hassle.
If the computer is compromised, all 3 things may be stolen, and we're back to the computer-security problem; no idea how to deal with that.
Or you could run KeePass from a Linux live USB, e.g. TAILS comes with KeePass, guaranteeing the OS is clean each time, but that's even more hassle.


Buy another phone / tablet / mini notebook dedicated to saving passwords, with Bluetooth, WiFi and mobile data all switched off on that device.
If your internet-connected computer isn't secure, someone can keylog or screen-log you at any time and see everything anyway.


Keeping the key file in the same place is like sticking a post-it with all your passwords written on it onto your monitor.

That's not a problem with the security system, it's a user problem.


I see several people saying that keeping the key file together isn't safe and so on.

What I actually want to say is that the goal of all the various measures we use nowadays is to strike a balance between security and convenience.
Take the most common example: the IT department can set a very secure rule, passwords at least 8 characters, must contain upper and lower case, digits and symbols, must be changed every month.
On the surface that's very secure, but the actual effect is that users write their passwords down and leave them on the desk, which makes things less secure.
These are typical examples of IT not considering the user's real-world scenario.

Honestly, if I wanted more security, I could use my own format and my own encryption algorithm, set up a server in the US to hold the usernames and a server in Japan to hold the passwords; even if someone got into both servers they wouldn't know what those files are or how to begin cracking them. Why would I need a widely known piece of software like KeePass that gives people an opening?
But who would go to that much trouble for every login?


So all the talk of putting the key somewhere else is a bit unrealistic.
When you turn on your computer you'll be using KeePass, because one of the things you do all the time while using a computer is log in; to use KeePass, the key will naturally be right there.
Honestly, not recording the path, so that every time you open a locked KeePass you have to type the master password and also pick the key file again, is already a hassle, let alone putting it elsewhere: every unlock means downloading it / plugging in a USB stick, and after locking KeePass you have to delete the file / unplug the stick.

Even without saving the path it's not really safer, because it still remembers the key file's folder; and of course, if it didn't remember the folder, you'd have to navigate into the folder every time you pick the key file, which is again a hassle.

So encrypting the config file with the master password is a fairly ideal solution: it raises security quite a bit without adding any hassle. It's just a pity KeePass didn't think of this.

--------------

But all that I said above is a bit off topic, because this kind of argument doesn't mean much; security and convenience have always been in opposition, it just depends on which angle you start from, and whichever side you lean to, you can always come up with a pile of reasons to support it.

This thread was only meant to ask whether there is any difference in cracking difficulty between the two cases.
If there's no difference, then just a master password is enough, until KeePass has an improvement (such as encrypting the config file).
