Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo


Keyfile + password considered harmful

Bill Rubin
  • Bill Rubin
    Bill Rubin

    I have argued in a different thread ("key loggers") that storing the KeePass keyfile on a portable medium is vulnerable to theft (or, even worse, copying) 24x7, since the storage medium must be kept in a place convenient for frequent use.  I concluded this argument by saying, "If you really think the floppy disk, CDROM, or ordinary memory stick which stores your keyfile is sufficiently secure, then you might as well store your password database there in the clear and get rid of the concept of the master password."

    A person identified as "ifni" responded, "If you are using ONLY the keyfile, then yes, this argument has merit. But KeePass provides for two-factor authentication (something you have and something you know)."  [referring to the master password]

    ifni is repeating an argument I've read many, many times in this forum, and, I have to say, I just don't get it.  I may be wrong, but I suspect that the real reason many people use both a keyfile and a password is that they believe that both their keyfile and their password have important security weaknesses.  If they didn't think that, then why wouldn't they just use the strong authentication factor alone?  It would be much simpler, and just as secure.  To me, using two vulnerable authentication factors amounts to just another case of "security by obscurity".  If your door has a weak lock, you should replace it with a strong lock, not add an additional weak lock.  But many people do exactly that.

    I suspect that many people add a keyfile because they believe their master password is not sufficiently secure.  They probably have good reason to question the security of their master password.  As Bruce Schneier discusses eloquently in "Secrets & Lies", a password that you can remember will be weak, and a password that's strong is too complicated to remember.  If you write down your "strong password" (because it's too complicated to remember), it's no longer "something you know" but becomes "something you have", with all the problems of stealing and copying.

    I agree wholeheartedly with ifni's sentiment (in the previous thread) that too many authentication factors (like something you have, know, and are) provide diminishing returns.  I'd put it even stronger:  Unless you're protecting nuclear secrets, two-factor authentication is probably more than most people are willing to tolerate, and they will find ways to defeat it, thus making the system insecure. 

    My focus in this thread is not to argue against using a keyfile, nor is it to argue against using a master password.  I'm not even arguing that KeePass shouldn't provide the ability to use both at once (because, hey, maybe some of you ARE guarding nuclear secrets).  What I'm suggesting is, "Don't put two weak locks on your door, and think this gives you a strong lock."  Instead, use one authentication factor (keyfile or master password), and take steps to assure that it's strong.

    Id be most interested to know what others think of this analysis.

    Bill Rubin

    • Ifni

      I personally feel that my password is strong enough on its own, so I don't use the keyfile.  However, multi-factor authentication is considered superior to single factor authentication.  I shouldn't have to argue that at all.  the keyfile is really just that - a key.  Just like a physical key, it can be copied, and it can be used without any other requirements.  Is encrypting the keyfile an impovement?  Of course, but an unencrypted keyfile is just as valid and secure as a single factor authentication as your house key is.  In order to use it, they have to have access to (and knowledge of) your keepass database, just as they would have to know the whereabouts of your house in order to use your house key.

      As a reader of Schneier, you are doubtless aware of the many arguments about no single authentication method being foolproof.  The point of multifactor authentication is to mitigate the inherent weaknesses of any one method.  Something you have can be taken.  Something you know can be shared.  Something you are can be stolen or forged (or changed).  Biometrics is popular because most people aren't going to consider cutting your finger off or taking your eyeball out a valid risk in order to gain your secrets.  Usually.  There will, of course, be exceptions, but their rarity is what makes biometrics so secure.  But they are still a weakness of the method.  They can be mitigated by requiring the finger have a pulse and a body temperature, etc.  But the bottom line is that no method is perfect.  You can greatly reduce your threat profile by employing a second or third authentication mechanism.  The more, the merrier.  But like adding deadlocks to a door, there comes a point where you stop seeing significant gain.  And it often occurs well before the point that breaking down the door becomes easier than picking the locks. 

      Every security measure incurs a cost - either in money, resources (storage, processor power, time, etc), or user convenience.  So choosing the right amount of security varies depending on the value of what is being protected, the resources available to expend improving the security, and the frequency of legitimate access.  Most people feel a key is adequate to protect all of the belongings stored in their house.  Why?  Because the likelyhood of theft is often low - they have neigbors that they feel will report suspicious activity and they have insurance to replace the value of anything stolen.  So they have largely mitigated their risk.  Also, with a house full of glass windows, the lock on your door becomes largely irrelevant.  You could add bars to the windows, buy a dog, add an alarm system, even get a security guard to imporve your security, but these are either too expensive (security guard, alarm system), too inconvenient (alarm system, possibly dog), or degrade the aesthetics of the house (bars, possibly dog).

      In fact, Schneier describes choosing security measures in the article at http://www.schneier.com/crypto-gram-0204.html#1.  He mentions a 5 step process to determine if a security mechanism is valid for your use:

      1) What problem does it solve?
      2) How well does it solve the problem?
      3) What new problems does it add?
      4) What are the economic and social costs?
      5) Given the above, is it worth the costs?

      Considering using the keyfile as a second authentication factor, we see these answers:

      1) Passwords are typically weak in order to be easily remembered.
      2) The keyfile is large and random enough to be practically impossible to guess or remember, so it solves the problem quite well.
      3) It can be taken or copied.
      4) You have to have the file stored on a portable medium, which might be costly or inconvenient.
      5) For me, no.  For you, apparently no.  For others?  Obviously so.

      Now, your second to last paragraph says not to defend one or the other, but to describe why two weak mechanisms are better than one strong one.  This depends on the relative weakness of the mechanisms.  Two locks with the keys still in them are abviously weaker than one lock with the key in a secure location, but are two rusty but serviceable locks less secure than one shiny new one?  The point is that as you said when you quoted Bruce - a memorable password is weak, and an unmemorable one will be written down, making it susceptable to a whole new set of problems.  By this reasoning, there is no good password, and therefore using a password is not a valid option.  This is, of course, patently ridiculous, and though I haven't read Secrets and Lies, I have read Bruce, and I suspect that his recommended solution, like many in the security business, is to use a passphrase instead of a password.  This is memorable, but also sufficiently difficult to guess.  I also happen to suspect that he isn't opposed to password storage programs like KeePass for storing strong, unmemorizable passwords, since he was party to the creation of his own program (Password Safe).  So, a good solution (that I believe Bruce would agree with) is to use a passphrase to protect an encrypted store of strong passwords.  He might even argue that that is sufficient and that 2 factor authentication is more than is neccessary for your average user.  For me, it is.  But for me, using a keyfile on an unencrypted disk would also be sufficent.  See, I keep my USB key on my keychain, and if that is suficiently safe for the keys to my house and car, I think it is sufficiently safe for the "keys" to my online information.  However, i have chosen the password over that because a) I feel it is even MORE secure than an unencrypted keyfile on my keychain, and b) I like the portability of KeePass, so my KeePass database lives on that USB key, and having the keyfile and the database on the same USB key would be basically the same as storing your passwords in a plaintext file.

      Someone may steal my keys, but in order for them to use them, they'd have to know where I live or where I parked my car, keys are a partially two-factor form of authentication anyway - what you have (the key) and what you know (where your house/car is).  The same holds with a keyfile on an unencrypted medium - they have the keyfile, but they now have to gain access to the encrypted password store, which requires not only knowledge of its existence, but knowing what program to use and where that file is.  I say this is partially a form of two-factor authentication because the "what you know" component is mostly security through obscurity - the information is fairly easy to find, unlike a decent password.  But the fact still remains, flawed as this mechanism is, it maintains a sufficient comfort level to remain in use.  Should it be improved - certainly.  What has worked in the past isn't guaranteed to work in the future, and being complacent is rarely the best solution to any problem.  However, this is "good enough".  Two factor authentication with two strong mechanisms is better than single factor authentication.  It may be overkill now, but soon may not be. 

      Two weaker mechanisms CAN equate to one stronger mechanism (or even exceed it), and may be less inconvenient to use.  If I have a real problem with remembering passphrases, then remembering the same weak password I've used for years and using a keyfile in addition might be preferred to forcing myself to use a proper keyphrase.  Will it be stronger?  Maybe not.  Will it be "good enough".  Very likely, and I am happy because it works better for ME.

      • Bill Rubin
        Bill Rubin

        Thanks to ifni for a thoughtful, balanced response.  I have to say, I pretty much agree with most of this well-reasoned post.  For the record, here are a few very minor quibbles:

        > multi-factor authentication is considered superior to single factor authentication. I shouldn't have to argue that at all.

        Of course its superior in theory, that is, without considering social issues.  Security geeks, such as all the readers of this forum, may happily use two-factor authentication.  But the vast majority of end users on the Internet today are non-techies and technophobes.  Most of them dont even use one-factor (password) authentication effectively, finding innumerable ways to subvert its intended function.  If it were up to them, theyd probably use zero-factor authentication, the way early Windows machines operated.

        > the keyfile is really just that - a key. Just like a physical key, it can be copied

        In practice, a keyfile is much more vulnerable to copying than a physical key.  A thief generally wont carry a key-grinder in his pocket to make a duplicate key, but he can borrow a memory stick for a few seconds, to plug it into his pocket PC.

        >  are two rusty but serviceable locks less secure than one shiny new one?

        No, but I think a better question is whether two weak locks are better than one strong one.

        > as you said when you quoted Bruce - a memorable password is weak, and an unmemorable one will be written down, making it susceptible to a whole new set of problems. By this reasoning, there is no good password, and therefore using a password is not a valid option. This is, of course, patently ridiculous

        It is ridiculous only in the sense that passwords are the primary authentication mechanism for end users on the Internet.  We have so many Internet passwords that we need to manage them, using an application like KeePass.  But automatic KeePass management makes it possible for all your Internet passwords to be strong, because they no longer need to be memorable.  This is a terrific advantage!  However, if the KeePass database is protected by a master password, the password paradox applies to this master password.  From this viewpoint, KeePass just reduces the problem of keeping all your passwords secret to the problem of keeping the master password secret.  This is a major improvement, but does not, by itself, solve the password secrecy problem.

        Anyway, thanks again to ifni for adding significantly to this discussion.  To me, the main point is that KeePass is an important component of secure password management  but only a component.  Other critical issues include how you manage the master password and/or keyfile, and how you manage password database backups (discussed in previous threads).

        Bill Rubin

        • I think the only weakness in extra protection is inconvenience for the user in that it takes longer to open secure data and it's more costly if any of the extra protection keys are lost or forgotten.  I don't see how more protection can be weaker except in the case where people write passwords down.

          My formula for creating strong passwords that are easy to remember is as follows:

          1) Choose a phrase from a memorable song or book.  For instance "But soft! What light through yonder window breaks?" 

          2) Take the first letters of each word of the phrase.  bswltywb

          3) Symbolize it using memorable conversions.  a->@ s->$ B->8 i->! c->( T->7 E->3 etc.   8$wl7yw8

          4) Add anything else that will not make remembering more difficult.  In this case the phrase is two sentences so I'll add the punctuations.    8$!wl7yw8?

          Try brute forcing that!

          It's probably a good idea to stick to phrases that are less popular.

    • scodan

      Using two-factor authentication, with a key file on a removable medium, is not at all like storing your passwords in the clear on the same removable medium.  Because obviously, in one case, you have only one part (of two) that will open the database, and in the other, you have the whole database itself.

      If you excercise due care in handling the removable media, it helps protect the data against unauthorized access, especially against someone without physical access.  It helps.  It isn't perfect.  Period.

    • Graeme

      A way to write the password down or record it somewhere is to split it in two and put the two halves in obscure places or have a simple mechanism for translating the written down password to the real password.  That way you have a stong password that you don't have to remember.
      e.g. you can record the password as a text string in the midst of a bunch of other text in a file that doesn't even look like text and is in an obscure directory.  No hacker is gonna find that and even if they did, the translation to the real password would still be impossible to work out  e.g. insert 101 in the middle of abcd-+#xyz-alpha-whatever-as-long-as-you-like.  Then delete alpha.


    • If I use a strong password, i.e. made up words that sound easy to remember but aren't found in a dictionary, and numbers, I consider my password strong enough.

      For now, it is.

      I save lots of backups, and I can't guarantee they won't fall into wrong hands. I can't guarantee than 10 years from now, the available computer power won't be high enough to crack a password with a brute-force attack in a reasonable amount of time. e.g. some malicious geek keep the password cracker running in a background, using a tiny fraction of his distributed network's resouces,  and, four months later - here it is ! A lot of sensitive personal info (SSN, many bank accounts) is still going to be sensitive 10 and 20 years from now.

      Of course, there are also key- and screenloggers. Today.

      Now, using that password and keyfile is going to make life a little bit easier - if someone steals my backup file, they aren't likely to also steal my keyfile; same is for the thief who installs a logger on my computer, or a website script that reads my screen content.

      If someone actually steals my PC, in addition to breaking the password, they would have to guess which one of the 60,000 files on it was used as a keyfile.

    • As a semi-novice (that's better than a novice, but not an expert), I would think I could store a simple .txt file on my USB flash drive protected by "Folder Lock" http://www.newsoftwares.net/
      and an anti - key logger app. I load Firefox compact on the USB flash drive with URLs for my bank/credit card sites and the ID, PW, accts numbers in the protected .txt file.

      "Folder Lock" will hide, scramble or encrypt (or all 3) on a USB drive and runs 5 layers of protection.

      If the USB flash drive is lost I don't believe anyone could unlock my .txt. file??

    • Paul

      Truecrypt (http://www.truecrypt.org/) is an open source alternative to Folder Lock.

      cheers, Paul

    • I think, not being a security expert, that password+keyfile is, in the worst case (somebody copies both your database and your keyfile) at least as strong as that very password used alone. I.e. the keyfile will do nothing for them if they don't have the password. The keyfile alone is a weak protection compared to password.

      However, the keyfile (encrypted or not) would be a very good added security measure if someone was to get hold of one of your backups (of course, provided you don't store your keyfile on same backup disk). Or, if someone copied an entire content of your laptop (e.g. it's a work laptop and somebody is doing maintenance on it that you have no control over).

    • Only the unknown is strong! Any password or encryption method is weak because there will always be someone who knows how to crack/unlock the code. But that’s only part of the story.

      The real weakness is the human. We are creatures of habit, repetition, we like to know. We see patterns in things that don't have patterns; it’s our brain trying to make sense of the senseless. We fear discord so we pick passwords that are familiar, we have to recognise a pattern, be it a word, a number, a phrase etc having unordered passwords are not tolerated because they don't fit the pattern making processes the brain demands, so trying to make 'Hacker type' passwords just doesn't work.

      The whole concept of passwords, keyfiles, whatever is weak; it distracts you from the 'backdoor' you can put as many strong locks on a door as you like but do you really think a hacker is going to bother attacking a strong lock when they can just cut a hole in the door and crawl in?

      You can have passwords to protect passwords to protect passwords; why not have a key file and master password on a USB stick and have a password to access the USB stick? if they get the password to the stick or attempt to find it destroys the Keyfile and Master Password of course you'd have a backup stored somewhere, with a password to protect it.

      If you have to protect your information so much I would suggest keeping it in your head and buying a book on how to improve your memory.