Security of KeePass and Yubikey OATH-HOTP

How secure is KeePass in addition with a Yubikey with OATH-HOTP?

I read in Yubikey with KeePass using challenge-response vs OATH-HOTP that with OATH-HOTP there isn't a real second factor added.

But what I don't understand is that without the plugin and only with the master password I can't open the database. The only way I see is to open the database with the “recovery” key.

So I think with OATH-HOTP you can use a longer password (master password + OTPs) because you have to memorize a shorter master password. Thereby the security is increased if you use a long “recovery” key for OATH-HOTP.

Is that right?


Hackaday Prize Entry: A Very Small Password Keeper

One of the more popular security builds in recent memory is USB password vaults. These small thumb drive-sized devices hold all the passwords you have to deal with, and are locked behind an authentication code on the drive itself. For their Hackaday Prize entry, [Miguel] and [Noel] asked how inexpensively one of these devices could be made. The answer, coming in the form of their Memtype project, is very inexpensively.

The Memtype project is based on the cheapest and most simplistic USB implementation on the planet. It's built around an ATtiny85 and V-USB's software-only implementation of a USB keyboard, …


KeePass update check MitM flaw can lead to malicious downloads

Open source password manager KeePass sports a MitM vulnerability that could allow attackers to trick users into downloading malware disguised as a software update, security researcher Florian Bogner warns. All versions of KeePass, including the latest, are vulnerable. The team developing the software is aware of the flaw (CVE-2016-5119), but they currently have no intention of fixing it. “KeePass 2's automatic update check uses HTTP to request the current version information,” Bogner has discovered. “An …

Password manager: should key file be stored on a different device than password db file (even if master pw used)?

Does it defeat the purpose of a key file to store it in the same location as the password database? What if a master password is needed also?

For example I save my .kdbx to dropbox as a means to backup and was wondering if I…