Your KeePass database file is encrypted using a master key. This master key can consist of multiple components: a master password, a key file and/or a key that is protected using the current Windows user account. For opening a database file, all components of the master key are required. KeePass can generate key files for you, but you can also use any other existing file (a JPG image, a DOC document, etc.). The plugin under discussion offers the ability to unlock the password database using any supported USB or Bluetooth device as an authorisation dongle, without a master password requirement.

Security from a one-time-password comes from two parties knowing the same key and counter, HOTP(Key, Counter), while an attacker does not know the key. One-time-passwords work well for server authentication because both client and server end-points are considered secure and the attacker needs 'something you own' as well as 'something you know'. Presumably the plugin uses OATH HOTP, where the KeePass file or master key is re-encrypted after each access with the next one-time-password. However, to generate the next password on the device, the plugin would require either a secret stored on the device or the normal password for the KeePass file. If the attacker has your computer, then they now have 'the thing you own'. If the attacker has access to the device storing the KeePass installation and files, the security collapses back to the security of the normal password on its own. If the KeePass file is still interoperable with other KeePass programs, then you gain nothing from using a one-time-password in this fashion. Security remains the same, plus extra cognitive overhead.
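To make the argument concrete, here is an added example (not from the page or from any KeePass plugin) that implements RFC 4226 HOTP and a toy model of a database whose master key is re-wrapped with the next one-time-password after each open; the OtpWrappedDatabase class and its XOR-mask wrapping are assumptions for illustration only. It shows that whoever holds the device's stored HOTP secret and counter can compute the next code offline, which is exactly the collapse described above.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Test secret from RFC 4226 (ASCII "12345678901234567890"); the codes it yields
# for counters 0, 1, 2, ... are the RFC's published vectors (755224, 287082, 359152, ...).
RFC4226_SECRET = b"12345678901234567890"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(Key, Counter) per RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpWrappedDatabase:
    """Toy model (an assumption, not the real plugin) of a KeePass database whose
    master key is re-wrapped with the next one-time-password after each open.
    Note that everything needed to compute that password sits on the same device."""

    def __init__(self, master_key: bytes, otp_secret: bytes):
        self.otp_secret = otp_secret   # HOTP key, stored on the device
        self.counter = 0               # HOTP counter, also stored on the device
        self.check = hashlib.sha256(master_key).digest()  # lets open() reject a wrong OTP
        self._wrap(master_key)

    def _wrap(self, master_key: bytes) -> None:
        # Mask = hash of the OTP expected at the current counter; only the masked key is kept.
        mask = hashlib.sha256(hotp(self.otp_secret, self.counter).encode()).digest()
        self.blob = bytes(a ^ b for a, b in zip(master_key, mask))

    def open(self, otp: str) -> Optional[bytes]:
        """Unwrap the 32-byte master key with the supplied OTP, then advance the counter."""
        mask = hashlib.sha256(otp.encode()).digest()
        master_key = bytes(a ^ b for a, b in zip(self.blob, mask))
        if not hmac.compare_digest(hashlib.sha256(master_key).digest(), self.check):
            return None
        self.counter += 1
        self._wrap(master_key)
        return master_key

def attacker_with_device(db: OtpWrappedDatabase) -> Optional[bytes]:
    """Holding the device means holding otp_secret and counter, so the 'next'
    password is computable offline: the extra factor adds no security."""
    return db.open(hotp(db.otp_secret, db.counter))

if __name__ == "__main__":
    db = OtpWrappedDatabase(master_key=b"\x11" * 32, otp_secret=RFC4226_SECRET)
    print(attacker_with_device(db) == b"\x11" * 32)  # True: recovered without the user
```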