keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Can't open database if keyfile is empty (0 bytes) #10273

Open tmsg-gh opened 7 months ago

tmsg-gh commented 7 months ago

Overview

I have tested a few corner cases re compatibility between various KeePass-compatible programmes and apps. KeePassXC won't open a database if a keyfile is defined but it's empty (ie a zero byte file). KeePass (and some other programmes) can open such databases. KeePass can also create them (I have not tested this with all apps).

We can discuss for hours about whether empty keyfiles make any sense at all but that's beside the point: I think KXC should be 100% compatible with any valid KeePass database.

Steps to Reproduce

  1. Create a database with password "test" and an empty keyfile with KeePass.
  2. Try to open this with KXC, giving the password and the keyfile.

Expected Behavior

KXC opens the database.

Actual Behavior

It doesn't open the database.

KeePassXC - Version 2.7.6
Revision: dd21def
Distribution: AppImage

Qt 5.15.2
Debugging mode is disabled.

Operating system: Debian GNU/Linux 12 (bookworm)
CPU architecture: x86_64
Kernel: linux 6.1.0-10-amd64

Operating System: Linux
Desktop Env: XFCE
Windowing System: X11

droidmonkey commented 7 months ago

A bug should be filed with KeePass for allowing such a configuration to even happen in the first place. That is an obvious security issue that a hapless user could inadvertently expose themselves to.

tmsg-gh commented 7 months ago

I disagree as I don't think this is a KeePass bug as such.

I don't know what Dominik thinks about this area but if you start to put restrictions for length and/or content of keyfiles, where do you stop?

KXC will gladly create a database with a keyfile of length one. Yes, one is clearly safer than zero... but not that much safer :-/

And KXC doesn't even spit out a warning re "an obvious security issue that a hapless user could inadvertently expose themselves to."

droidmonkey commented 7 months ago

I was going to say the lower limit should be 256-bits. That is the key size for the overall AES algorithm and we hash the contents of the file using SHA-256. Certainly not an unreasonable minimum.

@phoerious

tmsg-gh commented 7 months ago

My main point was and is (and I am not totally sure you've fully taken that on board) that a user who's possibly not very interested in the technical details of encryption will probably find it very hard to accept that a perfectly valid KeePass database can't be opened in KXC. This simply should not happen and I for one would start to ask myself whether KXC can be trusted to open valid KeePass databases, no matter what.

The point here is precisely that because of the very nature of password managers people rely on them and must be absolutely sure they'll work when they need them, come what may.

droidmonkey commented 7 months ago

I am not arguing that point, we should support (and then warn the user of the problem) 0-byte key files. I am also saying this should NOT be possible if the KeePass KDBX spec was more strict.

Either way, this is a very niche problem. This issue requires a user to not only setup a key file (rather rare) but also choose a 0-byte file for their key file and not use a KeePass generated key file.

tmsg-gh commented 7 months ago

I am also saying this should NOT be possible if the KeePass KDBX spec was more strict.

Well, a strict(er) and enforced KeePass policy re these things would be better from a purely technical POV. OTOH, I don't know how many databases I've created over the years with just one or two characters as password (for testing, not in real life :-/) and I'm grateful that the various programmes and apps I use aren't forcing me to use a longer PW just as a matter of principle. A minor point but pertinent point IMHO: devs tend to wildly underestimate what (mis-)use their apps are subjected to by users, both from ignorance or boneheadedness and also for implementing "clever" kludges/hacks... BTDT.

droidmonkey commented 7 months ago

A short password is one thing (which we now warn you about in upcoming release), however, an empty keyfile is an outright vulnerability. An empty file produces the same easily guessed hash (obviously) and is an easy mistake to make accidentally. That is not desirable at all.
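The two comments above (the SHA-256 hashing of raw keyfile contents and the 256-bit floor proposed earlier, and the point that a 0-byte file contributes a fixed, publicly known hash) can be made concrete with a small loader-side check. The following is an added illustration, not KeePassXC or KeePass code; it assumes the plain-bytes keyfile case only (KeePass XML and hex keyfile formats are out of scope), uses a constructed set of sample keyfiles, and labels the empty file as rejected and anything under 32 bytes as a warning, matching the thresholds discussed in the thread:

```python
import hashlib

# Well-known SHA-256 of empty input; every 0-byte keyfile hashes to this value,
# so its "secret" contribution is public knowledge rather than a secret.
EMPTY_SHA256_HEX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Minimum floated in the thread: 256 bits, the AES key size and SHA-256 output size.
MIN_KEYFILE_BYTES = 32


def keyfile_component(data: bytes) -> bytes:
    """Model of the raw keyfile contribution described in the thread: SHA-256 of the file bytes.

    Assumption: plain-bytes keyfiles only; XML and hex keyfile formats are not modelled here.
    """
    return hashlib.sha256(data).digest()


def assess_keyfile(data: bytes) -> dict:
    """Classify a keyfile before accepting it, returning level 'reject', 'warn' or 'ok'.

    'component_is_public' is True when the keyfile's hash equals the constant SHA-256 of
    empty input, i.e. when the keyfile adds nothing an attacker does not already know.
    """
    size = len(data)
    component_hex = keyfile_component(data).hex()
    is_public = component_hex == EMPTY_SHA256_HEX

    if size == 0:
        return {
            "size": size,
            "level": "reject",
            "reason": "empty keyfile: contribution is the fixed constant SHA-256 of empty input",
            "component_is_public": is_public,
        }
    if size < MIN_KEYFILE_BYTES:
        return {
            "size": size,
            "level": "warn",
            "reason": f"keyfile is {size} byte(s), below the {MIN_KEYFILE_BYTES}-byte (256-bit) minimum",
            "component_is_public": is_public,
        }
    return {
        "size": size,
        "level": "ok",
        "reason": "keyfile length meets the 256-bit minimum",
        "component_is_public": is_public,
    }


# Constructed sample keyfiles (not taken from the issue). The 32-byte sample is a
# deterministic stand-in for a randomly generated keyfile so the run is reproducible.
SAMPLES = {
    "empty": b"",
    "one_byte": b"x",
    "thirty_two": bytes(range(32)),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = assess_keyfile(data)
        print(f"{name:11s} {result['level']:6s} {result['reason']}")
```

A loader that runs this check could still open a database created elsewhere with an empty keyfile (the compatibility concern raised in the issue) while surfacing the `reject`/`warn` result to the user, which is the "support it, then warn" position stated in the thread.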

tmsg-gh commented 7 months ago

To play devil's advocate, what's more secure?

  1. KeePass database with PW "3 m0nkeys-eat-Ban4nas"
  2. KeePass database with PW "3 m0nkeys-eat-Ban4nas" plus an empty keyfile ?

droidmonkey commented 7 months ago

They have the same security, or should I really say the same entropy.

tmsg-gh commented 7 months ago

Again, I disagree. An attacker w/o further knowledge about a KeePass database can't say whether the master key is just a PW or a PW + keyfile combo and if the latter, which keyfile. (I should perhaps add that in production systems I never, ever store the keyfile location anywhere. This adds a bit of inconvenience but it's safer.)

droidmonkey commented 7 months ago

You are conflating the process of brute force guessing with the randomness (entropy) of the database key. If an attacker is truly coming at this with zero knowledge, the password you conceived will prevent success if the database is using Argon2 with reasonable values (1 second delay). Adding a key file of any length adds another 10,000 years to the first 10,000 years.

However, a zero-knowledge attack is entirely unlikely. The more likely scenario is that attacker has intercepted your password in some way, key logger for example, or is guessing from a known list of your favorite passwords. They must then guess the remaining aspects of your master key. Having a zero-byte key file offers you zero protection in this case as that would be (or should be) the first guess in a brute force attack.

tmsg-gh commented 7 months ago

This veers dangerously close to being off-topic :-) Anyway, your argument, taken to its logical conclusion, means that a master password offers no protection at all because you firmly assume an attacker will know or be able to guess it anyway.

key logger for example

I am in the business since the end of the '70s and have yet to see a keylogger on any of my machines.

from a known list of your favorite passwords

Anyone who uses a PW manager to securely store their favourite passwords and then reuses one or more of them as the master passwords needs their brain checked.

Adding a key file of any length adds another 10,000 years to the first 10,000 years.

Hear, hear.