Topic: How safe is it to store a KeePassX file on dropbox? (Read 4451 times)

legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Yes you are right. But I was speaking in general, in case someone decides to put the wallet.dat in Dropbox
hero member
Activity: 530
Merit: 500
When you put something online, expect everyone accessing it, especially if you put online your wallet! That's why if you put online something you MUST encrypt it.

Just to reiterate though; Wuala and LastPass use client side encryption. It's the same as if you first encrypt your files manually and then put them on Dropbox. You just skip the manual part of it.
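
The manual step this post describes (encrypt the file locally first, then put it on Dropbox), as an added example that is not part of the thread or any poster's own code. It assumes OpenSSL 1.1.1 or later on the PATH; the function names, the `VAULT_PASS` variable and the iteration count are illustrative choices.

```shell
#!/bin/sh
# Added example: encrypt locally so the sync folder only ever holds ciphertext.
# Assumptions: OpenSSL 1.1.1+ (needed for -pbkdf2); names and ITER are illustrative.

ITER=600000   # PBKDF2 rounds: makes each password guess against a stolen copy slower

# encrypt_for_sync <plain> <out>  (passphrase is read from the env var VAULT_PASS)
encrypt_for_sync() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass env:VAULT_PASS -in "$1" -out "$2"
}

# decrypt_from_sync <cipher> <out>
decrypt_from_sync() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass env:VAULT_PASS -in "$1" -out "$2" 2>/dev/null
}

# selftest: runs on constructed sample data; returns 0 only if every check holds
selftest() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample secret: hunter2-not-real\n' > "$dir/plain.txt"
    VAULT_PASS='correct horse battery staple (sample)'; export VAULT_PASS
    encrypt_for_sync "$dir/plain.txt" "$dir/sync.enc" || { rm -rf "$dir"; return 1; }
    rc=0
    # 1. the file that would be uploaded must not contain the plaintext
    if grep -q 'hunter2' "$dir/sync.enc"; then rc=1; fi
    # 2. the right passphrase restores the original byte for byte
    decrypt_from_sync "$dir/sync.enc" "$dir/back.txt" \
        && cmp -s "$dir/plain.txt" "$dir/back.txt" || rc=1
    # 3. a wrong passphrase fails or yields garbage, never the original
    VAULT_PASS='wrong guess'
    if decrypt_from_sync "$dir/sync.enc" "$dir/bad.txt" \
        && cmp -s "$dir/plain.txt" "$dir/bad.txt"; then rc=1; fi
    rm -rf "$dir"
    unset VAULT_PASS
    return $rc
}

selftest && echo "selftest passed"
```

`openssl enc` gives confidentiality only, so a modified download is not detected; keep a checksum of the ciphertext somewhere other than the sync folder if that matters.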


legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
When you put something online, expect everyone accessing it, especially if you put online your wallet! That's why if you put online something you MUST encrypt it.

So in case Dropbox is hacked or there is a bug or whatever else, the hackers just get an encrypted file.
sr. member
Activity: 350
Merit: 251
As far as security goes, Dropbox is a joke. One time, for like an hour, you could literally log on to the website without a password. Not only that, but your files are not really "encrypted" so that only you can access them. The Dropbox staff is able to access them; if they were really secure, that would not be possible.
sr. member
Activity: 349
Merit: 250
I actually switched from Dropbox to https://spideroak.com/ when the multiple security issues with Dropbox came to light.
full member
Activity: 189
Merit: 101
since my almost brand-new Mac crashed (with my non-backed-up KeePassX files)
I was wondering how safe it is in your opinion to store such a file in Dropbox.

Well... I am not sure that the KeePassX author follows the same implementation as the KeePass authors... if he does then it should be rather secure (assuming a hard to guess and long keyphrase).

http://keepass.info/help/base/security.html

I maintain my main KeePass on a Windows machine (using the 2.0 database style) then I export out a 1.x database style to use with my Mac (and KeePassX). You *can* run KeePass (the actual .NET application) on Mac with Mono... but it is not as elegant as KeePassX in normal usage.

If you are really worried you can always store the KeePassX database in an encrypted image, then store that image on Dropbox!

http://support.apple.com/kb/ht1578

legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything.

An encrypted file is SAFE if you encrypt it in the right way and use a good password.

Then you can upload it everywhere, Dropbox, email, SkyDrive or whatever else and then you won't lose it.

KeePass encrypted file should be safe if you use a good password, that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox, even if someone steals it they won't be able to decrypt it
You can save it to 2 different USBs if you are superstitious about it breaking. Sure good encryption is important, but you are only setting yourself up for failure when you are putting your money in the hands of other people...

Just my honest opinion...
Good encryption+good password=other people have a useless file
hero member
Activity: 530
Merit: 500
how is this positive:

Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS, which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.

It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.

Sorry, I kind of assume that people read the whole articles.

Quote
Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future. Hooray!

... which is still irrelevant, since the attack would not compromise your passwords. Read up on the LastPass security model, a lot of security researchers have already. The article author isn't one :)
legendary
Activity: 1764
Merit: 1015
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything.

An encrypted file is SAFE if you encrypt it in the right way and use a good password.

Then you can upload it everywhere, Dropbox, email, SkyDrive or whatever else and then you won't lose it.

KeePass encrypted file should be safe if you use a good password, that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox, even if someone steals it they won't be able to decrypt it
You can save it to 2 different USBs if you are superstitious about it breaking. Sure good encryption is important, but you are only setting yourself up for failure when you are putting your money in the hands of other people...

Just my honest opinion...
full member
Activity: 182
Merit: 100
how is this positive:

Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS, which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.

It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.
hero member
Activity: 530
Merit: 500

That article is positive, not negative, for LastPass ;) Quick architecture explanation: They don't store your passwords. They don't have your passwords.

legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything.

An encrypted file is SAFE if you encrypt it in the right way and use a good password.

Then you can upload it everywhere, Dropbox, email, SkyDrive or whatever else and then you won't lose it.

KeePass encrypted file should be safe if you use a good password, that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox, even if someone steals it they won't be able to decrypt it
full member
Activity: 182
Merit: 100
Use http://lastpass.com for passwords and http://wuala.com for files. Both encrypt client-side and are thus provably secure.

Dropbox is a joke.


Thanks for the Wuala tip, but LastPass...? I don't know.

http://downloadsquad.switched.com/2011/02/27/lastpass-xss-vulnerability-found-website-and-browser-add-ons-af/2


So, back to the question. How secure is the encryption of a KeePass password database?
legendary
Activity: 1764
Merit: 1015
Just keep your damn coins stored offline in a USB. What is so hard about that?
hero member
Activity: 530
Merit: 500
Use http://lastpass.com for passwords and http://wuala.com for files. Both encrypt client-side and are thus provably secure.

Dropbox is a joke.
legendary
Activity: 1937
Merit: 1001
Afaik they use AES-256 standard so it should be safe for a while, maybe there's a bug in the implementation though... check the source if you don't trust it.
full member
Activity: 182
Merit: 100
I personally assume that anything I put on dropbox isn't 100% safe.
It's just a matter of time until somebody figures out a weakness in the system even if it's temporary.

I don't assume Dropbox to be secure at all. Just a few hours after the Goxed-incident Dropbox let their guard down for a full two hours. I consider Dropbox to be extremely UNsafe.

What I meant was how secure you guys think the encryption of the keepassx database is?
(using an extra safe master-password of course)

full member
Activity: 147
Merit: 100
I personally assume that anything I put on dropbox isn't 100% safe.
It's just a matter of time until somebody figures out a weakness in the system even if it's temporary.
full member
Activity: 182
Merit: 100
Hi Guys (and gals),

since my almost brand-new Mac crashed (with my non-backed-up KeePassX files)
I was wondering how safe it is in your opinion to store such a file in Dropbox.

(not using a keyfile but only using a master key word)?

Any ideas?