undefined | Better HN

0 pointspwg3y ago0 comments

> and my master password for the vault every time.

Are you using both a master password and the key file?

> Any suggestions to overcome this reduction?

Not and continue to use KeePassXC, as this is inherent in KeePassXC.

Ultimately, your method here relies on:

1) the security of the KeePassXC dbx file's encryption

2) whether there are any known exploits of KeePassXC files

3) whether there are any unknown (except to the attacker) exploits of KeePassXC files

4) the complexity of your 'master password' (if you use one)

5) the complexity of whatever password is used to unlock this 'token' (which is just a KeePassXC "key file").

If, by chance, you used "Password1!" as both your master password and token password, then an attacker is all but 100% certain to open your vault.

If your "password" is available in any of the breech lists, or can be deduced by a hashcat "try variations" run, then an attacker with the hardware, time, and desire would be able to open your vault.

If there is a known, or unknown (except to the attacker), CVE for KeePassXC that results in opening the vault, then you are at risk of having your vault opened.

Ultimately your resistance to attack here comes down to how resistant the KeePassXC vault is to attack.

0 comments

pwgOP3y ago

And, just today, this floats across the HN front page:

https://news.ycombinator.com/item?id=34545010

Click through to the CVE and you will find this:

> NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

By storing your keepassxc file in a public repository you are providing an attacker access that is equivalent to a level of access for which the database is "not intended to be secure against".

This is why doing what you are doing is a very bad idea.

j / k navigate · click thread line to collapse