The list of recently used key files is a security risk...

J_E
2013-09-19
2013-09-20
  • J_E
    2013-09-19

    ... I think.

    If an attacker looks into my keepass.ini he immediately knows which is my keyfile (KeeKeySourceValue). Assuming he already has access to my PC, it makes the keyfile as good as useless. I could stick with my password only.

    It would be nice to have an option "do not save keyfile history".

    thanks,
    j

     
  • wellread1
    2013-09-19

    The best practice for a key file is to treat it as something you have and use on demand, not as something that is permanently available; e.g. keep the key file on a USB stick and supply it when needed. See the Help documentation for information on why it is pointless to hide the key file location.

     
  • J_E
    2013-09-20

    Thanks, I agree that obfuscation is never security and that an attacker can eventually find out (although access times to files can be spoofed, can't they?); but I think this adds another layer of complexity to the task. Just like an onion... If I was better at coding I would add this feature myself.

     
  • wellread1
    2013-09-20

    I think you are missing the larger point; that keeping the key file in proximity to the password database is unsafe. The key file should be physically or virtually separate from the database and should be supplied only on-demand.
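
An added example, not part of the thread and not KeePass code: a self-audit that reads a keepass.ini and reports whether each remembered key file sits next to the database it unlocks. Only the key name KeeKeySourceValue comes from the thread; the numbered KeeKeySourceID/KeeKeySourceValue pairing and the sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample. The ID<n>/Value<n> pairing is an assumed layout.
SAMPLE_INI = """\
[KeePass]
KeeKeySourceID0=C:\\Users\\j\\Documents\\main.kdb
KeeKeySourceValue0=C:\\Users\\j\\Documents\\main.key
KeeKeySourceID1=D:\\vault\\work.kdb
KeeKeySourceValue1=E:\\work.key
"""

_PAIR = re.compile(r"^KeeKeySource(ID|Value)(\d+)=(.*)$")


def remembered_key_sources(ini_text):
    """Return {index: {"ID": database_path, "Value": key_file_path}}."""
    found = {}
    for line in ini_text.splitlines():
        m = _PAIR.match(line.strip())
        if m:
            kind, idx, value = m.groups()
            found.setdefault(int(idx), {})[kind] = value.strip()
    return found


def audit(ini_text):
    """Classify each remembered pair by how close the key file is to the database."""
    findings = []
    for _, entry in sorted(remembered_key_sources(ini_text).items()):
        db, key = entry.get("ID"), entry.get("Value")
        if not db or not key:
            continue  # incomplete pair, nothing to compare
        db_n = ntpath.normcase(ntpath.normpath(db))
        key_n = ntpath.normcase(ntpath.normpath(key))
        if ntpath.dirname(db_n) == ntpath.dirname(key_n):
            level = "same-directory"
        elif ntpath.splitdrive(db_n)[0] == ntpath.splitdrive(key_n)[0]:
            level = "same-volume"
        else:
            # A different drive letter does not prove the key is supplied on demand.
            level = "separate"
        findings.append((db, key, level))
    return findings


if __name__ == "__main__":
    for db, key, level in audit(SAMPLE_INI):
        print(f"{level:15} db={db} key={key}")
```
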