pull down to refresh
5 sats \ 2 replies \ @0330830bf9 11 Oct 2023 \ on: Do you use a key file in keepassxc? tech
Multi-factor is about something you KNOW and something you HAVE.
A long passphrase eg "The honey badger jumped over the lazy shitcoiner." has sufficient entropy that it doesn't need a file in and of itself.
Backing up the file on a cloud service however negates the HAVE factor. A key file also in the cloud does the same, but knowledge of this keyfile is entropy just like the password.
One could achieve the same ends by obscuring the filetype of the keepass database.
So, there aren't many cases where a long passphrase is made sufficient only by a supplementary file. Odds are it'll just be harder for a deadman to instruct family.
Just use a good long passphrase, because you're only protecting your database with knowledge anyway.
Yes, that's right. You definitely need a complex passphrase with sufficient entropy, but no one is immune to keyloggers, for example. If the passphrase, i.e. the master password, is compromised, the key file will protect against password theft, especially if it is an unremarkable file and only you know that it is the key to the database.
And once again, the key file and the database need to be stored in different places, as do multiple backups, even when considering the cloud. One of the backups of the key file can be stored in the cloud, but the other backups should be stored on offline media. So the ownership factor remains, even if the key file is lost in the cloud.
reply
keyloggers
Very true, and I assume everything is keylogged... and that the NSA has enough Bitcoin so it's better for them not to sweep ours.
But if your keystrokes are exfiltrated, so to would your keyfile under such assumptions. Even if it's stored separately, it's read in the same place.
My point was that it's an extension of the key in all but the rarest circumstances.
Nesting would be an interesting option for the truly paranoid. Ex: A passphrase protected keypass file that, contains yet another keypass file, that is itself keyfile protected for use on a separate airgapped system... that should at least be a moderate inconvenience to a backdoor attacker.
reply