Hi my first post here, and I have donated to this project. What I am interested in is this scenario, which I have a suspicion is either very easy to do or has not yet been implemented. In the event of the latter can you please direct me to some other software that might have this feature, or a workaround? Or at least consider implementing this useful feature.
The scenario:
Set up a USB having a password that can be somehow used to open KeePass Password Safe, when the person who has this USB logs into Windows 10 where KeePass resides.
The USB would also have a Windows 10 password reset disk so the person who has the USB can log into the target PC.
I realize you can probably implement the above in a roundabout manner using private keys and public keys, but I'm wondering if there's an easier way. The person who would have this USB stick is not that computer literate, so the idea is a simple algorithm that they can follow like: "insert the USB into the target PC upon bootup, get into Windows (steps omitted), then use the USB (or the contents found in the USB) to get into KeePass Password Safe which is found on the target PC desktop, once inside KeePass, you can find all the master passwords for the bank accounts".
I will check for a reply in a week or so.
Hi I think I figured out the limits of KeePass and how to solve my question. What you have to do is set up a master password comprising an image file found on a USB stick. Once this person has the USB stick, and logs into the target PC, they can access the KeePass database stored in the target PC, which can only be opened by reference to the image file on the USB stick, and then the master passwords can be accessed from inside the KeePass program. Problem solved. I will check later to see if anybody else has another solution.
If by "image file", you mean something like a JPEG, that may not be a good idea, unless you write-protect the file and/or are very diligent with your backups. Many JPEG "viewer" programs will alter the files they display in ways that are imperceptible on screen, but since KeePass isn't "viewing" this file in the normal way, any such change will make your database inaccessible.
KeePass is capable of creating key files that cannot be mistaken for other types of files - but this may be defeating your intent in using an image file. (Dominik, the KeePass author, is not a fan of this sort of obfuscation.)
@T. Bug Reporter - wow, thanks, that's interesting. I do recall JPEG is lossy, and repeated viewings of the same can change it [but I believe this view is mistaken, see below, it's only if you re-save a JPEG does it get corrupted]. What I did for this project is put a JPEG image on a USB stick, then I also added a Master Password to get into KeePass. Then I put instructions on the USB stick on how to access KeePass once you log into the target PC (I also put a Windows 10 password recovery file on the USB stick). Then I gave the USB stick to a trusted person, with instructions. I tested this USB stick and it works fine to get into KeePass. I did not view the JPEG image file with an image file viewer, and based on the below I think for most image viewers it's not a problem (I cut and paste the approved answer, I am assuming it's correct). In any event, I don't think the person safekeeping the USB file intends to view the JPEG image file, but, just to be safe, I might Google how to write protect a USB stick and do that, later.
Ed Vaplen
PS--I assume the .key file is the "other way" of using an image file, I guess I'll research that a bit as well ("KeePass is capable of creating key files that cannot be mistaken for other types of files ...")
Q: "Does simply opening and closing a JPEG file decrease image quality?"
Approved (up-voted) Answer:
This is based on a misunderstanding. Loss of quality happens only during the compression that is done when an image is saved as JPEG. But it doesn't matter whether it was edited or not.
So: you will (with some very specific exceptions, see comments) lose quality if you open an image in an image editor and re-save it, even if you didn't make any edits. But if you only open it to display it and then close it instead of saving, then nothing will change.
Last edit: Ed Vaplen 2017-03-22
> I believe this view is mistaken, see below, it's only if you re-save a JPEG does it get corrupted
But my point is that some poorly designed image viewer programs will re-save the files they view without telling you that they're doing it.
If you're counting on an attacker saying "Oh, this is just a JPEG file - it has nothing to do with cracking this password file", that may work, but it may also cause people who are not trying to crack your KeePass file to view the JPEG with one of these bad programs and thereby inadvertently compromise your ability to decrypt your KDBX.
> I assume the .key file is the "other way" of using an image file
A key file is not an image file like a JPEG; for example, here's the entire contents of a key file I just had KeePass create for me:
The XML "wrapper" is not strictly necessary, so you can use literally any file you want as a key file, but if you use a different file (like a JPEG), you're responsible for ensuring the file doesn't change. I was just trying to warn you that some programs change files without warning anyone that they're doing it, and that by misidentifying your key file as a JPEG or other type, you may inadvertently cause people to corrupt the file in KeePass terms.
Also, JPEG viewers aren't the only culprits; let's say you decide to use a Word document as your KeePass key, but six months from now a new version of Word comes out with a different way of implementing some feature, and Word updates your document to the new way of doing things. To Word the net effect of this change is zero, but there's no such thing as a zero effect change to a KeePass key file.
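The warning in this thread, that any silent change to an ordinary file used as a key file locks the database, as an added example (not part of the original thread and not KeePass code): record a SHA-256 fingerprint of the key file when the database is set up, then check the USB copy and a backup against it before relying on either. The file names, sample bytes and helper names are assumptions constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path, chunk_size=65536):
    """Return the SHA-256 hex digest of the file's exact bytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_key_file(path, recorded, backup=None):
    """Return "ok", "restore-from-backup" or "unrecoverable"."""
    for candidate, verdict in ((path, "ok"), (backup, "restore-from-backup")):
        if candidate and Path(candidate).is_file() and fingerprint(candidate) == recorded:
            return verdict
    return "unrecoverable"


def write_protect(path):
    """Clear the write bits (sets the read-only attribute on Windows)."""
    Path(path).chmod(stat.S_IREAD)


def demo():
    """Constructed scenario: a viewer silently rewrites one byte of the image."""
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "holiday.jpg"            # hypothetical key file on the USB stick
        backup = Path(tmp) / "holiday-backup.jpg"  # hypothetical offline backup copy
        data = b"\xff\xd8\xff\xe0" + b"constructed sample bytes" + b"\xff\xd9"
        for p in (key, backup):
            p.write_bytes(data)
        recorded = fingerprint(key)                # taken when the database is set up
        before = check_key_file(key, recorded, backup)
        key.write_bytes(data[:5] + b"X" + data[6:])  # simulated silent re-save
        after = check_key_file(key, recorded, backup)
        write_protect(backup)
        read_only = not (backup.stat().st_mode & stat.S_IWUSR)
        backup.chmod(stat.S_IREAD | stat.S_IWRITE)   # allow temp-dir cleanup
        return before, after, read_only


if __name__ == "__main__":
    print(demo())
```

Keep the recorded fingerprint with the written instructions rather than only on the USB stick, so the check still works if the stick itself is damaged.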
A key file is the correct solution, as you have found.
http://www.keepass.info/help/base/keys.html#keyfiles
Make sure you have a good backup of the file on the USB in case you need it.
cheers, Paul
Source: http://photo.stackexchange.com/questions/56304/does-simply-opening-and-closing-a-jpeg-file-decrease-image-quality