Can someone explain the KeePassXC properties to me?

Decryption Time
What’s the recommendation for decryption time, and what should I be concerned about when choosing X speed vs. Y speed? And is there any danger in higher speeds depending on my machine’s hardware?

Database Format
Should I be concerned about database formats when using a password manager, and why?

Key Derivation Function
What exactly is the key derivation function, and what does it do?

Transform rounds, memory usage and Parallelism

What do they do (apart from memory usage), and why does it matter to have a choice of how much memory to use in this case? What’s the difference?

Security Key File
Which one is the best, why, and what should I be concerned about?

I formatted the topic to make it easy for anyone who has the same doubts to learn about it too. I appreciate the time of everyone who answers the topic.

I can comment on a few things:

Regarding Decryption Time, there isn’t any significant noticeable difference between the max settings and the default, so I decided to leave it at the max settings since it claims to offer better protection. Not sure if this is an indication of my master password length or the number of actual passwords the database is protecting.

For the Database Format I keep this on the default 4 since I need some interoperability with my synced database and my phone.

About the Key Derivation and Transform Rounds, I leave it at what is recommended. I think it likely pertains to how the password itself is encrypted within the database file. An expert on cryptology would probably give you a better answer. It’s up to you what kind of encryption tech you want on your DB.

As for the Security File and YubiKey option: these things are for when you require a file or, in the case of YubiKey, extra hardware to open a database with in addition to your password. In the scenario that your database gets stolen and the attacker knows your master password, opening the DB will fail without the security file. Having a file is more convenient and portable, in cases where you can’t use a hardware token like the YubiKey. Having a file is significantly easier to steal and useful on devices with a locked port (or a theoretical portless, wifi/LTE-only device). YubiKey on the other hand is useful against physically distant attackers (like foreign APTs for instance) who are very much unlikely to steal your stuff, especially in these pandemic times.

2 Likes

tl;dr

  • Decryption time: Set it to more than 1 second.
  • Database format: Use kdbx 4.
  • KDF: Set it to Argon2.
  • Transform rounds, memory usage and Parallelism: Click on the 1s delay button.
  • Security Key File: Primarily use a security token (e.g., YubiKey) if possible. You can set a key file, however, there are several risks here (e.g., accidentally modifying or deleting the file).

Long answers:

The decryption time option is for artificially slowing down decryption. High values like 2 or 3 seconds render brute-force attacks on your database inefficient. The main goal is to slow down guessing-based attacks. Low values like less than 1 second help attackers, so keep it as high as possible.

Use kdbx 4. kdb and kdbx 3.1 are legacy formats of KeePass. There is no reason to use them when you create a fresh password database. For the complete changelog, see KDBX 4.

A KDF derives a cryptographic key from a secret, e.g., a password (user input → KDF → cryptographic secret). For example, your WiFi likely uses WPA2-PSK for security. In this scenario, you enter a pre-shared key in the form of a password. However, WPA2 applies the key derivation function PBKDF2 to derive cryptographic keys from your password that are actually used afterward. Some key derivation functions also apply key stretching. Key stretching is used to make brute-force attacks more difficult by increasing the time it takes to test each possible key. The overall goal of a KDF is to improve the cryptographic strength of the secret supplied by users.

Nowadays, you should use Argon2. Argon2 is the winner of the Password Hashing Competition that evaluated several key derivation functions.

These are more ways to artificially slow down decryption. You can click on the 1s delay button to force a 1s delay calibrated to your hardware. Paranoid users can set longer delays, of course.

  • YubiKey Challenge-Response: Using this feature, KeePassXC and the YubiKey share a secret. When you decrypt your database, KeePassXC sends a challenge to the YK. The YK calculates its response based on the shared secret and the challenge, and sends the response to KeePassXC. KeePassXC conducts the same operations, compares the response, and unlocks the database. A benefit is that the secret is securely stored in your YubiKey, so an attacker can hardly retrieve it from there. On the other hand, you can lose your security token, so you might have to buy and configure a second one as a backup.
  • Key file: A key file is similar to your password. You can just create a file on your system and provide it as a password. In this case, the security is similar to storing a password in cleartext on your system. When you accidentally modify or delete the key file, you lose this “password.” Furthermore, it is easier to copy a file from your system than to retrieve a secret from a YubiKey.

In summary, use a YubiKey (or similar security tokens) if possible, and set a strong master password.

3 Likes
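To make the KDF, transform-rounds and challenge-response parts of the answer above concrete, here is an added example that is not from the original thread or from the KeePassXC project. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 (the same KDF family the answer cites for WPA2-PSK) stands in for Argon2, and the way the password, key file and token response are combined is a simplified model of the KeePass composite-key idea, not KeePassXC’s exact file format. The `calibrate_rounds` function plays the role of the “1s delay” button: it times a small probe on the current machine and scales the round count to the requested delay. All values (salt, token secret, key file contents, password) are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed demo: PBKDF2-HMAC-SHA256 stands in for Argon2 (not in the stdlib).
# The composite-key layout is a simplified model, not KeePassXC's exact construction.

KEY_LEN = 32           # 256-bit derived key
PROBE_ROUNDS = 20_000  # small round count used to measure this machine's speed


def token_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """What the security token does: an HMAC over the challenge, keyed with a
    secret that never leaves the device. The host only ever sees the response.
    (HMAC-SHA1 is the algorithm YubiKey challenge-response uses.)"""
    return hmac.new(shared_secret, challenge, hashlib.sha1).digest()


def composite_key(password: bytes, key_file: Optional[bytes] = None,
                  response: Optional[bytes] = None) -> bytes:
    """Combine every unlock factor into one secret before stretching. Each factor
    is hashed separately and the hashes are concatenated, so a missing key file
    or a wrong token response changes the result as completely as a wrong password."""
    parts = hashlib.sha256(password).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()   # key file content acts as a second password
    if response is not None:
        parts += hashlib.sha256(response).digest()   # token response, recomputed at every unlock
    return hashlib.sha256(parts).digest()


def stretch_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Key stretching: 'rounds' is the transform-rounds knob. Every guess an
    attacker makes must pay the same per-guess cost the legitimate user pays."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=KEY_LEN)


def calibrate_rounds(target_seconds: float) -> int:
    """Model of the '1s delay' button: time a small probe on this hardware and
    scale the round count so one unlock takes roughly target_seconds."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", os.urandom(16), PROBE_ROUNDS)
    elapsed = max(time.perf_counter() - t0, 1e-9)   # guard against a zero timer reading
    return max(PROBE_ROUNDS, int(PROBE_ROUNDS * target_seconds / elapsed))


def timed_unlock(composite: bytes, salt: bytes, rounds: int) -> Tuple[bytes, float]:
    """Derive the key and report how long the stretching took."""
    t0 = time.perf_counter()
    key = stretch_key(composite, salt, rounds)
    return key, time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed values: the salt sits in the database header in the clear;
    # the token secret exists only on the token (modelled here as a variable).
    salt = os.urandom(32)
    token_secret = os.urandom(20)
    key_file = b"constructed key file contents\n"
    password = b"correct horse battery staple"

    rounds = calibrate_rounds(0.5)
    challenge = salt  # assumption for the demo: the header salt doubles as the challenge
    good = composite_key(password, key_file, token_response(token_secret, challenge))
    key, secs = timed_unlock(good, salt, rounds)
    print(f"{rounds} rounds took {secs:.2f}s on this machine")

    # Any single wrong or missing factor yields a different key.
    without_file = composite_key(password, None, token_response(token_secret, challenge))
    wrong_pw = composite_key(b"wrong", key_file, token_response(token_secret, challenge))
    assert stretch_key(without_file, salt, rounds) != key
    assert stretch_key(wrong_pw, salt, rounds) != key
    print("missing key file or wrong password: no key")
```

Two things the code makes visible that the prose only states: the delay is a property of the round count on a particular machine, so a calibrated value moves with the hardware, and the token secret is never an input to the stored file, only the per-unlock response is, which is why copying the database plus the key file is enough to reproduce the key-file factor but not the token factor.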

Look, to be honest with you, I never used KeePass (I’m using Bitwarden), but I still want to help, so here is a video by Techlore. Hope it helps: https://invidio.us/watch?v=sePT9AZauWs

I use KeePass Password Safe https://keepass.info/

I am not sure what the difference is between KeePassXC and KeePass Safe.

It certainly looks familiar, but I mostly see KeePassXC in the various distros’ own repos versus the vanilla KeePass.

  • KeePass: The original KeePass Password Safe. It is open-source software, audited (see also EU-FOSSA), but originally developed for Windows. It comes with many plugins and various security features. Nowadays, you can use KeePass on Linux and macOS, too.
  • KeePassX: It was originally a Linux port of KeePass. However, there has been no development for more than 3 years. So don’t use it.
  • KeePassXC: It started as a fork of KeePassX. So KeePassXC is a fork of a Linux port of KeePass. It is also open-source software, and it comes with cross-platform support and similar security features. While KeePassXC and KeePass use the same file format .kdbx, there are some incompatible features like the support for security tokens (challenge-response).
  • KeeWeb: This is another KeePass-compatible password manager in development. It is also open-source software and comes with cross-platform support since it uses JavaScript, WebCrypto, and WebAssembly. There is an Electron app, and you can install it as a Nextcloud app.

“What should I use?”: I used KeePass for many years, but recently migrated to KeePassXC. Both projects are solid password managers that offer modern cryptography and are in development. On the other hand, KeeWeb can be interesting for people who want to access their password database on multiple devices.

3 Likes

I used KeePass on Windows for many years too.

These points make me still use Windows. It has very good triggers too, and:

But it can’t work 100% smoothly like on Windows

@Yog3lUs1voxJI8sAdgHO

I’ve used KeePass Safe on Windows in the past and now Manjaro Linux. I see no difference in performance on either operating system.

It lacks

  • Auto-Type Obfuscation
  • Triggers
  • Placeholders

and many more

@Yog3lUs1voxJI8sAdgHO

It works for me. I use KeePass Safe with xdotool.
I am interested in trying KeePassXC.