reply on: Do you use a key file in keepassxc? \ stacker news ~tech

10 sats \ 1 reply \ @Monotone OP 11 Oct 2023 \ parent \ on: Do you use a key file in keepassxc? tech

Yes, that's right. You definitely need a complex passphrase with sufficient entropy, but no one is immune to keyloggers, for example. If the passphrase, i.e. the master password, is compromised, the key file will protect against password theft, especially if it is an unremarkable file and only you know that it is the key to the database.

And once again, the key file and the database need to be stored in different places, as do multiple backups, even when considering the cloud. One of the backups of the key file can be stored in the cloud, but the other backups should be stored on offline media. So the ownership factor remains, even if the key file is lost in the cloud.

5 sats \ 0 replies \ @0330830bf9 11 Oct 2023

keyloggers

Very true, and I assume everything is keylogged... and that the NSA has enough Bitcoin so it's better for them not to sweep ours.

But if your keystrokes are exfiltrated, so to would your keyfile under such assumptions. Even if it's stored separately, it's read in the same place.

My point was that it's an extension of the key in all but the rarest circumstances.

Nesting would be an interesting option for the truly paranoid. Ex: A passphrase protected keypass file that, contains yet another keypass file, that is itself keyfile protected for use on a separate airgapped system... that should at least be a moderate inconvenience to a backdoor attacker.