this post was submitted on 25 Jun 2023
21 points (100.0% liked)

Cybersecurity

5677 readers
110 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

Is it insecure to upload Keepass database to Google Drive, Dropbox or any other file service in the cloud?

I've read this answer in Security Stackexchange: https://security.stackexchange.com/a/45337

So, I feel kinda confident if a put a big number of PBKDF2 iterations, like 10.000.000, it should be OK.

My master password is based on diceware, but is not very very long because I need to remember it.

What do you people think about this?

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 1 year ago* (last edited 1 year ago) (4 children)

Syncthing solves this problem for me without my keyring being exposed to any outside servers.

[–] [email protected] 4 points 1 year ago

wooo didn't know about that. I'm going to read about it. If it doesn't require a home server, it suits my needs

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Turns out this was exactly what I needed. I have no idea Syncthing was a thing. So, thanks a lot.

[–] [email protected] 3 points 1 year ago

Syncthing is great. Servers are overrated anyway, I would rather everything be peer-to-peer wherever possible. Currently working on a script to integrate calcurse with DecSyncCC so I can keep my calendar synced between my laptop and phone without a server!

[–] [email protected] 3 points 1 year ago

This is my solution as well.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

I keep mine in the cloud but I also have a key file attached to it. That is not kept in the cloud so at least I have some security if the cloud service gets hacked and my password is 57 characters long.

[–] [email protected] 2 points 1 year ago (2 children)

I get it. But if I have to carry the key file everywhere to every device, I can just carry the database file.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

There are two advantages of using the cloud for the database while keeping a key file out of it.

  1. It's a backup that's not on any of your own devices.
  2. Your devices sync with little effort. Save the file on one device, and the others have the new database automatically (when using common cloud storage providers that sync)
[–] [email protected] 1 points 1 year ago

Understandable. I don't go very many places so this way is most convenient for me. For your situation I'm not real sure what would be the best practice for you, but I will be keeping an eye on this thread if someone has a better answer

[–] [email protected] 5 points 1 year ago

I use KeePass and keep my database in the cloud. I use a key file that is never stored in the cloud in addition to my master password. You get a cloud backup of your database, and updates will sync to your devices if your cloud provider has a client that does that.

I actually don't sync it directly to my phone. I download a copy as needed. I also don't add passwords on my phone to my main database. I use a separate database for logins I create on my phone and import them once in a while on my PC. This is because Google Drive's sync on Android has been unreliable for me, though I haven't tried again in years.

I use KeePass DX on Android because it has a nice virtual keyboard so you don't have to use the clipboard, which is insecure. It also has a better UI with fingerprint unlocking.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

I thought the better KDF was Argon2d because it's stronger against GPU attacks.

https://keepass.info/help/base/security.html

[–] [email protected] 3 points 1 year ago (1 children)

Does it have to be in "the cloud" or just accessible multiple places? I have a nextcloud instance running that's locked down but allows sharing with my android phone. For other computers it's on a network share and if off site I can connect over Wireguard to my home network to get access.

[–] [email protected] 2 points 1 year ago

It does not have to. But I kinda hate sysadmin stuff, so I'm looking for convenience.

load more comments
view more: next ›