Advice Request Keepassxc database settings


Parkinsond (Thread author)
Dec 6, 2023
Are default settings enough or should be modified?

[Attachment: Capture.JPG]
 
Are default settings enough or should be modified?
Default database encryption settings provide a high level of protection against decryption - and it is adequate for cloud storage (OneDrive Personal Vault).

NOTE: Even though there are database encryption customizations available in the KeePassXC software, if the user's custom settings result in a borked database then expect the KeePassXC team on GitHub to not be supportive. The argument "Well, you included the ability to customize database encryption. I (We) expect you to sort out this problem." will fall on deaf ears.

COMMON SENSE: Always first create a database using the Default database settings before creating a new one with customized encryption settings.

TIP: Store your KeePassXC databases within OneDrive Personal Vault. Enable MFA (both Authenticator app and Windows Hello) in your Microsoft Account. I won't write a lengthy set of details here. One can use the mobile phone OneDrive app and KeePassium app to use their database on their mobile devices. Microsoft's security in OneDrive is as good as it is going to get without spending a lot more money.
 
Are default settings enough or should be modified?

As far as I know, KeePass (the original) is very secure, and KeePassXC is even more secure by default, so it is more than enough.
Well, where do you store your database?
If you store it locally then no need to worry at all.
Even if it is stored online, it is very well encrypted. I have stored it on my OneDrive account, and it syncs automatically, so there is no need to worry as long as the password is strong.
 
Even if it is stored online, it is very well encrypted. I have stored it on my OneDrive account, and it syncs automatically, so there is no need to worry as long as the password is strong.
If you're storing the database online then you'd better use a key file alongside the master password.
 
Bitwarden Comparison
Comparatively, Bitwarden uses (but for Argon2id):
  • m = 64MB
  • t = 3
  • p = 4
which I believe they pick from a standard doc that is already beyond a "basic" KDF for a password manager. Yours already surpasses this configuration.

Passphrase Cracker Comparison
Also for comparison reason, this "cracker" cost calculator may be helpful:
  • For a randomly-generated 4-word passphrase (EFF long word list), the Bitwarden config is estimated to cost $US 61M to crack.
  • For a randomly-generated 4-word passphrase, if we use your config (but for Argon2id), this is estimated to cost $US 776M to crack.
TL;DR:
As long as you use an equivalent entropy password (randomly-generated), I think the setting is "beyond reproach."

Of course, if all those AI data centers become bankrupt and sell password cracking services below capital cost, all bets are off.

Consider Increasing Memory (m parameter)
PS: On the other hand, the strength of a memory-hard KDF comes from the fact that a GPU has a massive number of cores but comparatively little RAM for those cores. The goal is to increase the memory in the KDF to max out the memory usable by the cores. For example, with the NVIDIA GeForce RTX 5090, which has 21,760 cores and 32GB of memory:
  • If m = 64MB, you can use 500 sets of cores to check 500 passwords in "one round."
  • If m = 1GB, you can use only 32 sets of cores to check 32 passwords in "one round."
Therefore, you should increase the m parameter as well, especially if you have loads of memory. Doing it incrementally (with backups) is advised. I have only 16GB, but my m is already at 1GB.
 
but for Argon2id
Keepassxc has the option to change from Argon2d to Argon2id; I was asking about the default settings to find out if switching to Argon2id is more secure.
beyond a "basic" KDF
I do not use the "basic" KDF (used by 7Zip) as it is the weakest compared to Argon, or even Serpent (of PeaZip).
Passphrase Cracker Comparison
I use password only, but it is labeled secure by both Keepassxc and Bitwarden password generator website.
Therefore, you should increase the m parameter as well
I used to change the memory of PeaZip when creating a password-protected pea file from 64 MB (default) to 1 GB (which increases the time for encryption and decryption on my PC from 2 seconds to approx. 16); should I do the same for KeePassXC?
 
if switching to Argon2id is more secure.
They advertise Argon2d as good for GPU cracking, and Argon2id as hybrid resistant to both GPU cracking and side-channel cracking (presumably a malware trying to find information leaks from your KDF computation). I personally thought either option was okay, but I picked Argon2id (for KeepassXC) because Bitwarden chose it, and there are more posts (around Bitwarden) discussing it.

"basic" KDF
Basic KDF for password managers recommended by NIST includes 600,000 rounds of PBKDF2. Both configurations of Argon2 that we talked about already exceed that.

is labeled secure
😅 I won't argue with you about how secure your password really is. You should know, though, if you argue with a password entropy geek, only "cryptographically" random generation counts for anything to get reliable password entropy. That means either a random alphanumeric (including special characters) password or a random passphrase.
should I do the same for Keepassxc?
I would. If it takes too much time, reduce the rounds. The recommendation for tweaking Argon2 parameters is to maximize memory usage, increase the rounds to extend the time, and increase parallelism to reduce the time (you can increase it up to the number of cores multiplied by 2, usually).
 
only "cryptographically" random generation counts for anything to get reliable password entropy
Agree, but such a randomly created password is almost impossible to memorize, especially for someone with Parkinson's disease 🥲 I have to create it myself to be able to recall it.
The recommendation for tweaking Argon2 parameters is to maximize memory usage, increase the rounds to extend the time, and increase parallelism to reduce the time
After increasing memory from 64 to 1024 MB and threads from 2 to 8, and clicking benchmark for 1 second, I got rounds reduced from 38 to 2; is 2 good or better to re-increase it? and increase to how much?
[Attachment: Capture.JPG]
 
is 2 good or better to re-increase it? and increase to how much?
For transparency, mine is set to Argon2id, t=5, m=1024 MiB, p=8.

I would set t to at least 3 to match a standard doc. I in fact would set t to as much as I can stand waiting for the unlock. Currently, my unlock time is around 2s on the PC.

For Bitwarden with "lesser" configuration, on the slowest device (Android), the unlock takes 3 seconds.

ps: edited to filter out more sensitive info.
 
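The two technical threads above, the GPU-lane arithmetic in Wrecker4923's first post (how many guesses fit in a card's memory at m = 64 MB versus m = 1 GB) and the "benchmark, then pick the round count" tuning discussed in the later replies, can be put into runnable form. The block below is an added example, not code from the thread, from KeePassXC or from Bitwarden. It assumes Python's standard-library scrypt as a stand-in for Argon2 (there is no Argon2 in the standard library; the memory/time trade-off is the same idea), a crude cost model in which a GPU lane is simply "one KDF instance that fits in GPU memory" running at the measured CPU speed, and the EFF long word list size of 7776; the $ figures from the poster's calculator are not reproduced, only the arithmetic behind such tools.

```python
"""Memory-hard KDF parameter reasoning (added example, not from the thread).

Assumptions, all mine rather than the posters':
  * hashlib.scrypt stands in for Argon2 because the Python standard library
    has no Argon2; the memory/time trade-off it shows is the same idea.
  * A GPU "lane" is modelled purely as "how many KDF instances fit in
    GPU memory at once"; per-guess time on the GPU is taken to equal the
    measured CPU time, which is a crude model (optimistic for the defender).
  * 7776 = size of the EFF long word list; the cost model is not the
    calculator the poster used, only the arithmetic behind such tools.
"""
import hashlib
import math
import time

MiB = 2 ** 20
GiB = 2 ** 30


def lanes_that_fit(gpu_mem_bytes: int, kdf_mem_bytes: int) -> int:
    """Guesses a single GPU can run at once if each needs kdf_mem_bytes.
    This is the RTX 5090 arithmetic from the thread: 32 GiB / 64 MiB = 512
    lanes, 32 GiB / 1 GiB = 32 lanes."""
    return gpu_mem_bytes // kdf_mem_bytes


def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a uniformly random passphrase drawn from a word list."""
    return n_words * math.log2(wordlist_size)


def expected_guesses(entropy_bits: float) -> float:
    """An attacker finds the password, on average, after half the keyspace."""
    return 2.0 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, gpus: int,
                           lanes_per_gpu: int, seconds_per_kdf: float) -> float:
    """Wall-clock time for `gpus` cards, each running `lanes_per_gpu` guesses
    in parallel, each guess taking `seconds_per_kdf`."""
    guesses_per_second = gpus * lanes_per_gpu / seconds_per_kdf
    return expected_guesses(entropy_bits) / guesses_per_second


def scrypt_memory_bytes(n: int, r: int = 8) -> int:
    """scrypt's memory cost is 128 * r * N bytes (the analogue of Argon2's m)."""
    return 128 * r * n


def derive_key(password: bytes, salt: bytes, n: int, rounds: int,
               r: int = 8, p: int = 1) -> bytes:
    """Stand-in for Argon2(m = 128*r*N, t = rounds, p = p): chain scrypt so
    that every extra round is one more full pass over the same memory."""
    if n & (n - 1):
        raise ValueError("scrypt N must be a power of two")
    key = salt
    for _ in range(rounds):
        key = hashlib.scrypt(password, salt=key, n=n, r=r, p=p, dklen=32,
                             maxmem=2 * scrypt_memory_bytes(n, r) + 64 * MiB)
    return key


def tune_rounds(password: bytes, salt: bytes, n: int,
                target_seconds: float) -> tuple[int, float]:
    """What KeePassXC's 'Benchmark' button does in spirit: fix the memory,
    time one round, and pick the round count that fills the time budget.
    Returns (rounds, seconds_per_round)."""
    start = time.perf_counter()
    derive_key(password, salt, n, rounds=1)
    per_round = time.perf_counter() - start
    return max(1, round(target_seconds / per_round)), per_round


if __name__ == "__main__":
    bits = passphrase_entropy_bits(4)               # about 51.7 bits
    for m in (64 * MiB, 1 * GiB):
        lanes = lanes_that_fit(32 * GiB, m)
        yrs = expected_crack_seconds(bits, gpus=1000, lanes_per_gpu=lanes,
                                     seconds_per_kdf=1.0) / (365 * 86400)
        print(f"m={m // MiB:5d} MiB -> {lanes:4d} lanes/GPU, "
              f"1000 GPUs at 1 s/guess: ~{yrs:.0f} years per 4-word passphrase")
    # Benchmark at 64 MiB (N=2**16, r=8) for a 1 s unlock; the 1 GiB setting
    # from the thread is N=2**20 and takes correspondingly longer per round.
    rounds, per_round = tune_rounds(b"correct horse battery staple",
                                    b"constructed salt", 2 ** 16, 1.0)
    print(f"64 MiB: {per_round * 1000:.0f} ms per round -> use t={rounds}")
```

Raising m cuts the lanes per card linearly (512 at 64 MiB, 32 at 1 GiB on a 32 GiB card), which is why the thread's advice is to fill memory first and then spend whatever unlock time you can tolerate on rounds; the benchmark helper shows why the round count the "Benchmark for 1 second" button reports drops as memory goes up.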
For transparency, mine is set to Argon2id, t=5, m=1024Mib, p=8.

I would set t to at least 3 to match a standard doc. I in fact would set t to as much as I can stand waiting for the unlock. Currently, my unlock time is around 2s on an Intel Core i5-12500T with 6 cores.

For Bitwarden, mine is set to Argon2id, t=3, m=256MB, p=8. On the slowest device (Android), the unlock takes 3 seconds.
Such settings have increased unlocking time from 1 to approx 6 seconds, which I find reasonable.
[Attachment: Capture.JPG]
 
I do tend to agree with @Divine_Barakah. KeePassXC's main reason for being is to protect your credentials against different scenarios that could compromise your secrets. Other methods are obviously possible, especially if you avoid malware, phishing, scams, and users' mistakes.
KeePassXC uses AES-256 and Argon2; PeaZip uses AES-256 also (in addition to two extra encryption algorithms) and scrypt (the second rank in strength for KDF after Argon2; both are stronger than the PBKDF2 used by 7-Zip and WinRAR).