Is my Keepass2 passphrase stored on my PC? If so, where?
(Windows 10, Firefox browser)
The password/phrase to unlock your database is not stored anywhere
Thanks for your reply. In that case, with what is KeePass comparing my passphrase entry at startup?
My understanding is that KeePass uses the master key you enter (which is not necessarily a passphrase, and not necessarily just a passphrase) to try to decrypt your KeePass file, and if the result makes sense, KeePass shows it to you; if the result is gibberish, KeePass tells you the key is incorrect.
Ah. I think I understand that. Thank you.
KeePass does store your passwords in an encrypted file on your PC, or other location of your choice. The default filename (in V2) is "NewDatabase.kdbx".
cheers, Paul
Thank you.
To elaborate on the previous responses, KeePass key management is described here:
https://keepass.info/help/base/security.html
In brief the key used for encrypting your database is DERIVED from the key you type. It is not used directly to access your database. The initial key is a combination of the pass phrase you type and a key file if you choose to use one. This key is passed through a "key derivation" function. Simplistically this passes the initial key combination (in the most simple case this is the pass phrase you typed) through a one-way function called a hash multiple times. The hash function is a well known function that has been tested by cryptographic specialists to prove it is non-reversible - you cannot derive the initial key from it.
The number of times the hash function is applied is configurable and is intended to deliberately slow down the process so that it takes 1 to 2 seconds. This ensures that attackers would in practice have to attack the derived decryption key directly rather than attack your initial password through the standard password attack techniques (they could try several million possible passwords per second instead of one every two seconds).
You can choose both the key derivation function and the number of iterations when you create your password. There are choices for both the key derivation function and the encryption method.
The derived key is the one used to decrypt the database.
The pass phrase you type to open your KeePass database will be discarded once the encryption key has been derived and there is no need to store it anywhere. As an aside, no security information such as passwords should ever be stored in your browser. That is what KeePass is for!
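The two answers above (the "decrypt and see if the result makes sense" reply and this one on key derivation) can be put together in a small model. This is an added example, not KeePass code: the pass phrase and key file are hashed into a composite key, the composite key is slowed down by iterated hashing (an assumed stand-in for KeePass's AES-KDF/Argon2 transforms), and the "comparison" at unlock time is an authentication tag over the file header recomputed with the derived key (an assumed simplification of the KDBX header check). All sample values are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample inputs, not taken from the thread or from any real database.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_KEYFILE = b"constructed key file contents"
SAMPLE_SALT = hashlib.sha256(b"constructed transform seed").digest()
SAMPLE_HEADER = b"constructed database header bytes"

def composite_key(passphrase: str, keyfile: Optional[bytes] = None) -> bytes:
    """Hash the pass phrase and the optional key file into one 32-byte key."""
    parts = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()

def derive_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Feed the key through a one-way hash `rounds` times so each guess is slow.
    Assumption: iterated SHA-256 stands in for KeePass's AES-KDF or Argon2."""
    key = composite
    for _ in range(rounds):
        key = hashlib.sha256(salt + key).digest()
    return key

def calibrate_rounds(composite: bytes, salt: bytes,
                     target_seconds: float = 1.0, probe: int = 50_000) -> int:
    """Pick a round count so derivation takes about target_seconds on this machine."""
    start = time.perf_counter()
    derive_key(composite, salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe * target_seconds / elapsed))

def header_tag(derived: bytes, header: bytes) -> bytes:
    """Authentication tag over the header, keyed with the derived key.
    Assumption: a simplified stand-in for the KDBX header check."""
    return hmac.new(derived, header, hashlib.sha256).digest()

def key_opens_database(passphrase: str, keyfile: Optional[bytes], salt: bytes,
                       rounds: int, header: bytes, stored_tag: bytes) -> bool:
    """What the unlock-time 'comparison' really is: re-derive the key and check
    whether it reproduces the tag stored with the file. Neither the pass phrase
    nor its hash is stored; a wrong phrase simply yields a key that fails."""
    derived = derive_key(composite_key(passphrase, keyfile), salt, rounds)
    return hmac.compare_digest(header_tag(derived, header), stored_tag)
```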
That clarifies a lot of things for me. Thank you.
To clarify:
KeePass does actually keep your master password even after you have opened the database; it makes sense since KeePass needs to eventually re-encrypt everything if any changes were made (or to perform other operations).
KeePass keeps your plain-text password in memory protected via DPAPI; you can change the options settings to save only the SHA-256 hash of your password (KeePass by default keeps both in RAM).
KeePass doesn't keep your password once it stops running, KeePass never saves your password or actually any sensitive data to disk.
Thanks John. This is getting rather too technical for me I'm afraid. I guess I should just trust the defaults...
Well, is KeePass a trusted password manager? For sure.
Does it mean it's perfect or that your passwords will never leak? Not really.
Focus on other aspects of security, PM is a great first step but don't blindly rely on a single solution and think you're safe against everything.
Last edit: John Jones 2019-08-17
Understood John. Thanks again.