this post was submitted on 25 Jun 2023
3 points (100.0% liked)

Cybersecurity

5671 readers
154 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

Is it insecure to upload Keepass database to Google Drive, Dropbox or any other file service in the cloud?

I've read this answer in Security Stackexchange: https://security.stackexchange.com/a/45337

So, I feel kinda confident if a put a big number of PBKDF2 iterations, like 10.000.000, it should be OK.

My master password is based on diceware, but is not very very long because I need to remember it.

What do you people think about this?

top 3 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I thought the better KDF was Argon2d because it's stronger against GPU attacks.

https://keepass.info/help/base/security.html

[–] [email protected] 1 points 1 year ago

I use KeePass and keep my database in the cloud. I use a key file that is never stored in the cloud in addition to my master password. You get a cloud backup of your database, and updates will sync to your devices if your cloud provider has a client that does that.

I actually don't sync it directly to my phone. I download a copy as needed. I also don't add passwords on my phone to my main database. I use a separate database for logins I create on my phone and import them once in a while on my PC. This is because Google Drive's sync on Android has been unreliable for me, though I haven't tried again in years.

I use KeePass DX on Android because it has a nice virtual keyboard so you don't have to use the clipboard, which is insecure. It also has a better UI with fingerprint unlocking.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Syncthing solves this problem for me without my keyring being exposed to any outside servers.