

At the moment, I am using KeePassXC with a relatively strong master password. To further improve security, I thought about buying a YubiKey to have two-factor authentication. KeePassXC supports the so-called "HMAC-SHA1 Challenge Response mode".

From the KeePassXC FAQ:

> Does KeePassXC support two-factor authentication (2FA) with YubiKeys?
>
> KeePassXC supports YubiKeys for securing a database, but strictly speaking, it's not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database. In that sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database.

Assuming an attacker has access to my KeePassXC database and perhaps even installed a keylogger on my system, the additional YubiKey is useless in this case, am I right here? So, is it reasonable to use a hardware security key for KeePassXC if you already use a strong master password?

KeePassXC developer here, I got directed to this thread and want to add some remarks.

The answer by Jeffrey from 1Password is technically accurate. The YubiKey is used in a mode which is slightly different from what it was designed for. KeePassXC presents a (pseudo-)random challenge (the database's master seed, which changes every time you re-encrypt, i.e., save your database) to the YubiKey and gets a unique response in return. This response is then used to enhance your decryption key by hashing and transforming it together with your password and (optionally) your key file. So, a YubiKey for your KeePassXC database isn't really a second factor in the sense of authentication (we are doing offline encryption, not online authentication after all), but it definitely makes your key stronger.

So, this is where I think that, although his technical description is correct, Jeffrey's conclusion is wrong. Using a YubiKey in this way is not a hazard, but actually offers some unique security benefits:

It adds 160 pseudo-random bits to your password, which on its own is already stronger than most users' passwords (especially considering that most passwords are vulnerable to dictionary attacks). Used in combination with a strong password or passphrase and Argon2 as your KDF, it makes your database very resilient against any kind of brute-force attack. As an attacker, you are probably better off guessing the transformed 256-bit AES key instead.

Adding a YubiKey keeps your database secure even if your actual password gets leaked somehow.
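The mechanism the answer describes, as an added Python model that is not KeePassXC's own code: a YubiKey in HMAC-SHA1 challenge-response mode answers the database's master seed, the 20-byte response is hashed together with the password (and optionally a key file) into a composite key, and that composite is then run through the KDF. The composite-key layout, the use of PBKDF2-HMAC-SHA256 as a stdlib stand-in for Argon2, the slot secret, the password and the `Database` class are all assumptions constructed for the example. It shows the two points the FAQ and the answer make: unlocking twice without saving yields the same response (so it is not a second factor), saving changes the seed and therefore the response, and a keylogged password alone does not reproduce the key.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins, not real KeePassXC constants or a real token secret:
# a 20-byte HMAC-SHA1 secret as programmed into a YubiKey slot, and a password.
YUBIKEY_SECRET = bytes(range(20))          # hypothetical slot secret
PASSWORD = "correct horse battery staple"  # hypothetical master password


def yubikey_response(challenge: bytes, secret: bytes = YUBIKEY_SECRET) -> bytes:
    """What the YubiKey computes in HMAC-SHA1 challenge-response mode:
    a 20-byte (160-bit) HMAC over the challenge, keyed with the slot secret
    that never leaves the token."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: Optional[bytes],
                  keyfile: Optional[bytes] = None) -> bytes:
    """Hash the key components together (assumed layout, KDBX-like):
    SHA-256 over SHA-256(password) || SHA-256(key file) || raw response,
    with the optional parts omitted when absent."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode("utf-8")).digest())
    if keyfile is not None:
        h.update(hashlib.sha256(keyfile).digest())
    if response is not None:
        h.update(response)
    return h.digest()


def transform_key(composite: bytes, kdf_salt: bytes, iterations: int = 20000) -> bytes:
    """Stand-in for the Argon2 transform step (stdlib only): PBKDF2-HMAC-SHA256
    producing the 256-bit key that the answer calls the transformed AES key."""
    return hashlib.pbkdf2_hmac("sha256", composite, kdf_salt, iterations, dklen=32)


class Database:
    """Minimal model of the header fields that matter for this discussion."""

    def __init__(self) -> None:
        self.master_seed = os.urandom(32)  # the challenge sent to the token
        self.kdf_salt = os.urandom(32)

    def derive_key(self, password: str, secret: Optional[bytes],
                   keyfile: Optional[bytes] = None) -> bytes:
        """Derive the decryption key the way an unlock would: challenge the
        token with the current master seed (if a token is present), mix the
        response with the password and key file, then run the KDF."""
        resp = None if secret is None else yubikey_response(self.master_seed, secret)
        return transform_key(composite_key(password, resp, keyfile), self.kdf_salt)

    def save(self) -> None:
        """Re-encrypting on save draws a fresh master seed, so the challenge
        (and therefore the expected token response) changes only now, not on
        every unlock attempt."""
        self.master_seed = os.urandom(32)


def demo() -> dict:
    """Walk through unlock, unlock again, save, and a password-only attacker."""
    db = Database()
    key_first_unlock = db.derive_key(PASSWORD, YUBIKEY_SECRET)
    key_second_unlock = db.derive_key(PASSWORD, YUBIKEY_SECRET)  # same seed, same key
    response_before_save = yubikey_response(db.master_seed)
    db.save()
    response_after_save = yubikey_response(db.master_seed)
    # Attacker model from the question: database file plus keylogged password,
    # but no physical token. Without the response, the attacker's best options
    # are guessing the 160-bit response or the 256-bit transformed key.
    key_password_only = db.derive_key(PASSWORD, None)
    key_with_token = db.derive_key(PASSWORD, YUBIKEY_SECRET)
    return {
        "same_key_on_repeat_unlock": key_first_unlock == key_second_unlock,
        "response_changes_on_save": response_before_save != response_after_save,
        "password_alone_recovers_key": key_password_only == key_with_token,
        "response_bits": len(response_after_save) * 8,
        "transformed_key_bits": len(key_with_token) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the added bits come from the token secret, not from the seed: the seed is stored in the database header in the clear, so an attacker holding the file already knows the challenge and is missing only the 160-bit response.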
