undefined | Better HN

0 pointsnikcub10y ago0 comments

> Curious, who is "compiling KeePassX for Linux themselves" when it's in the Ubuntu and Debian repos?

It's in the OP:

"I highly recommend using KeepassX as a password manager, secured using a key file and not a password. Also, you should download the source code, compile it (using a Linux machine) and always look over the source code for rogue functions, you CANNOT afford a vulnerability inside the password manager."

0 comments

11 comments · 3 top-level

fauigerzigerk10y ago· 4 in thread

Why is it a good idea to use a key file instead of a password? Any malware I catch could use the key file to access all my passwords or is there something I'm not understanding?

ahartman0010y ago

I'd recommend both, keepass supports that. Keepass supports using a secure desktop to prevent keyloggers[1], but you never know with some of the usb keyboard exploits[2], and good old fashioned looking over your shoulder. While keepass has protection against dictionary attacks[3], why not use a keyfile? you can put it on a flash drive, and now noone can access your passwords without that usb key. (obviously make sure you have multiple copies of your keyfile :)

1. http://keepass.info/help/base/security.html#secdesktop 2. http://arstechnica.com/security/2014/07/this-thumbdrive-hack... 3. http://keepass.info/help/base/security.html#secdictprotect

fauigerzigerk10y ago

>why not use a keyfile?

Because you're always just one burglary away from passwordocalypse?

giancarlostoro10y ago

I would personally use a combination of both. If you keep the key file on a USB thumb drive that you only insert when you need to unlock your files I guess it works out well then.

fauigerzigerk10y ago

That sounds like a better idea, but I still don't really see the upside as compared to remembering one long passphrase.

2 more replies

tombrossman10y ago· 2 in thread

Thanks, I saw that but was hoping people would not actually bother - that's deep into 'tinfoil-hat' territory. If you are already running a Linux distro and trusting the repos for OS updates, it isn't a big stretch to assume their build of the password manager is exactly as safe as the OS updates, and trusting one but not the other is pure folly.

slavik8110y ago

KeypassX 2.0 was in alpha for years (though I never noticed a bug). I don't think it was available in distribution packages until quite recently.

That being said, I'm decent with C++, and yet auditing its code is a little daunting.

wallace_f10y ago

This is also exactly my intuition here, but I'm hoping for others to comment here as well.

elcapitan10y ago· 2 in thread

> always look over the source code for rogue functions

I don't really understand the reasoning behind that - so rather than trusting a proven OS and its packages with lots of eyes on the critical code, I should rather read the code of a cryptographic product and then make a decision based on that? Common advice is not to write crypto code yourself, but reading it and deciding that there might be a backdoor based on gut feeling is right? And having identified some stuff I don't understand, then decide for another program that is goofy but easier to read, and compromise security?

maglavaitss10y ago

It's more about looking over the source code of the KeepassX app and just that (not all applications you use, of course we have to trust some of them), the code changes are (when there are changes) ~10 lines a month, not a huge amount to check.

elcapitan10y ago

What about all its dependencies? What if someone made some unsuspicious changes in a UI library that it uses that have a side effect on the security of KeepassX?

1 more reply

j / k navigate · click thread line to collapse

0 comments

11 comments · 3 top-level

fauigerzigerk10y ago· 4 in thread

Why is it a good idea to use a key file instead of a password? Any malware I catch could use the key file to access all my passwords or is there something I'm not understanding?

ahartman0010y ago

1. http://keepass.info/help/base/security.html#secdesktop 2. http://arstechnica.com/security/2014/07/this-thumbdrive-hack... 3. http://keepass.info/help/base/security.html#secdictprotect

fauigerzigerk10y ago

>why not use a keyfile?

Because you're always just one burglary away from passwordocalypse?

giancarlostoro10y ago

I would personally use a combination of both. If you keep the key file on a USB thumb drive that you only insert when you need to unlock your files I guess it works out well then.

fauigerzigerk10y ago

That sounds like a better idea, but I still don't really see the upside as compared to remembering one long passphrase.

2 more replies

tombrossman10y ago· 2 in thread

slavik8110y ago

KeypassX 2.0 was in alpha for years (though I never noticed a bug). I don't think it was available in distribution packages until quite recently.

That being said, I'm decent with C++, and yet auditing its code is a little daunting.

wallace_f10y ago

This is also exactly my intuition here, but I'm hoping for others to comment here as well.

elcapitan10y ago· 2 in thread

> always look over the source code for rogue functions

maglavaitss10y ago

elcapitan10y ago

What about all its dependencies? What if someone made some unsuspicious changes in a UI library that it uses that have a side effect on the security of KeepassX?

1 more reply

j / k navigate · click thread line to collapse