Do not use the default options for the scrypt utility and KeePass2!
Here is an example with more secure options:
$ sudo apt-get install scrypt
$ scrypt enc -M 1073741824 -t 200 secret.txt encrypted.scrypt
-M 1073741824 allows scrypt to use up to 1 GiB of memory and -t 200 allows it to spend up to 200 seconds of CPU time when choosing the work parameters for the key derivation.
If you have several GB of free memory, you can raise the memory limit several times over.
My tests confirm that the "-t" parameter is not working correctly - it takes less than 200 seconds to derive the key from your password.
Archiving private keys - TLDR version
Learn more about key stretching.
KeePass2 has an option to specify how slow the KDF should be: the number of key transformation rounds. Click "1 second" and then add one zero at the end of the number (10 seconds). This will slow down opening the database. However, it will also slow down saving it.
After I tried to open the database created by KeePass2 with KeePassX, I noticed that KeePassX opens the database much faster than KeePass2 (it takes a fraction of a second compared to 10 seconds with KeePass2). This means that you get a false sense of security when your KDF hardness is set to 10 seconds (5701900 on my computer) with KeePass2, because with the most efficient algorithm it takes less than a second (I don't know how efficient the algorithm used by KeePassX is, but it's obviously very efficient compared to KeePass2).
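The following is an added example (not code from this post, the scrypt utility or KeePass) showing the two knobs discussed above in working code: the memory bound behind scrypt's -M option (the working set is 128 * r * N bytes, so r=8 and N=2**20 is exactly the 1 GiB given in the command above) and a "1 second"-style calibration like the KeePass2 button, which doubles N until one derivation takes the target time on this machine. It uses Python's hashlib.scrypt (OpenSSL 1.1+); the password, salt and memory budget are constructed demo values.

```python
import hashlib
import time


def scrypt_memory_bytes(n, r):
    """Working set of scrypt's SMix step: 128 * r * N bytes.
    This is the figure a memory limit such as scrypt's -M is checked against."""
    return 128 * r * n


def choose_params(max_mem_bytes, r=8, p=1):
    """Largest power-of-two N whose working set fits under max_mem_bytes.
    With r=8, N=2**20 needs exactly 1 GiB (the -M 1073741824 from the post)."""
    n = 2
    while scrypt_memory_bytes(n * 2, r) <= max_mem_bytes:
        n *= 2
    return n, r, p


def derive_key(password, salt, n, r, p, dklen=32):
    """Derive dklen bytes with scrypt via hashlib (OpenSSL 1.1+).
    OpenSSL refuses to run unless maxmem covers 128*r*(N + p + 2) bytes,
    so compute that bound instead of relying on its 32 MiB default."""
    maxmem = 128 * r * (n + p + 2) + (1 << 20)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=dklen)


def time_derivation(password, salt, n, r, p):
    """Seconds one derivation takes on this machine with this implementation."""
    start = time.perf_counter()
    derive_key(password, salt, n, r, p)
    return time.perf_counter() - start


def calibrate_n(target_seconds, r=8, p=1, max_mem_bytes=1 << 30, start_n=1 << 10):
    """Emulate a '1 second'-style calibration: double N until one derivation
    takes at least target_seconds, or the next step would exceed the memory
    budget. Returns (N, measured_seconds). The result only describes this CPU
    and this scrypt implementation; a faster implementation or a GPU gets
    through the same N sooner, so the measured time is a cost on *your*
    machine, not a cost the attacker is bound to. The memory bound is what
    carries over, because 128*r*N bytes are needed whoever runs it."""
    n = start_n
    while True:
        elapsed = time_derivation(b"calibration", b"calibration-salt", n, r, p)
        if elapsed >= target_seconds or scrypt_memory_bytes(n * 2, r) > max_mem_bytes:
            return n, elapsed
        n *= 2


if __name__ == "__main__":
    # Constructed demo inputs; 256 MiB keeps the demo quick on a laptop.
    budget = 256 << 20
    n, r, p = choose_params(budget)
    print(f"budget {budget >> 20} MiB -> N=2**{n.bit_length() - 1}, r={r}, p={p}, "
          f"working set {scrypt_memory_bytes(n, r) >> 20} MiB")
    secs = time_derivation(b"correct horse battery staple", b"constructed-salt", n, r, p)
    print(f"one derivation: {secs:.2f} s on this machine")
    cal_n, cal_secs = calibrate_n(1.0, max_mem_bytes=budget)
    print(f"'1 second' calibration picked N=2**{cal_n.bit_length() - 1} ({cal_secs:.2f} s)")
```

Run it on two different machines (or against two different scrypt implementations) and compare the printed times for the same N: the memory figure is identical, the seconds are not, which is the same effect seen above with KeePass2 and KeePassX.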