
What's the safest way to use KeePass?

syswow
2021-01-25
2021-01-26
  • syswow

    syswow - 2021-01-25

    Hello there,

    While encrypting is the best way to protect data, I think hackers can also get their hands on the data stream. In the attached picture, I drew 5 methods that I can follow. If you see a different path than these, I would appreciate it if you would inform me. :)

    My thoughts:

    In the first method, someone who accesses our computer has all the necessary information and can access our passwords.

    In methods 2 and 3, a hacker has to access both sides to have all the information. However, after he accesses our computer, I think he can access the Cloud if we keep our accounts open all the time.

    In the 4th and 5th method, we can set up our own Linux server and require the 2FA method for connection to the server. But I'm not sure if this method will work with SFTP supporting connection Plugins since I haven't tried it yet. With these methods, a hacker really needs to have a good reason to go further.

    Now, I know that nothing can be done against copy-paste sniffing, at least for now. However, I am not sure how safe the Plugins for KeePass are. And I would be glad if you could inform me about it. I wouldn't want incoming data to be exposed in RAM or cache. By the way, I think that keeping the Master Password (which was stolen by the Keylogger) and the Key file in the same place is more risky as it completes the missing parts and reveals the password. After that, all that remains is to find the door (database). Even if he cannot access the server, if you download the database to your computer one day, he will. Yes, paranoia.

    If you can inform me and correct my mistakes, I will be glad.

    I am looking for the safest method to protect my passwords and data. I would be very happy if you tell me what method I should follow, whether there is a better way, and whether I can apply this method with KeePass and its Plugins.

    Thanks

     

    Last edit: syswow 2021-01-25
  • syswow

    syswow - 2021-01-25

    Simply, I want secure access by getting a handshake from the server with 2FA (I'll use Google Auth). Like a server-client connection.

    Moving the key file to an encrypted USB is also a solution, but I'm not sure if it can be read by a third party once it's decrypted.

     
  • Paul

    Paul - 2021-01-26

    KeePass is a local database and has no provision for 2FA in the way you describe.

    Using the database locally and entering your master password on a secure desktop is the most secure, but this still doesn't prevent specialized malware from stealing your data.

    To use the secure desktop: Tools > Options > Security, Advanced.

    cheers, Paul

     
