Securing KeePass with a Second Factor

Cybercriminals are now stealing password managers so it’s time to make them more secure. You can check out this article for details about how it’s being done.

I wrote this up as a guide to help friends secure their password manager by implementing a second factor. The second factor will come in the form of a USB token that you insert into your computer when you need to run the password manager. If your password manager database and master password gets stolen by Citadel or anything else, criminals won’t be able to open the database without the physical USB token you have in your possession.

Two popular password managers are currently being stolen based on the article above — Password Safe and KeePass. There is a nice walkthrough on Yubico’s website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I’ll be describing my experience here.

Requirements
1. YubiKey made by Yubico

What’s great about the YubiKey hardware is that it supports a number of use cases such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware and the one you want to get to protect KeePass will either be the Standard or Neo version. The FIDO U2F Security Key doesn’t appear to support the protocol we need.

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot since the first slot is apparently reserved according to Yubico’s website — “Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!”

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it’s not installed already.

4. KeePass plugin

You have a choice between two different security models — One-Time Pad (OTP) and Challenge-Response. Here are the links to the KeePass plugin that you’ll need:

OtpKeyProv
KeeChallenge

If you decide on the OTP method, you can follow the instructions on Yubico’s website. It works but I had trouble. I had it generate three sets of OTP values which required three button presses on the YubiKey. Using the YubiKey Neo version, it worked most of the time. With the YubiKey Standard version, it rarely worked for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I’ll be describing here. With KeeChallenge, I didn’t have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (download both Windows 32- and 64-bit versions) from Yubico. This was the part that I got hung up with but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey
Install and run the YubiKey Personalization Tool then plug in the YubiKey into an available USB port.

2014-11-26_01

Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button.

2014-11-26_02

Click on the Configuration Slot 2, ensure user input is required, and the fixed 64-byte input is selected. Click on Generate then on the Write Configuration buttons. You should get feedback that the configuration change was successful.

2014-11-26_03

Make sure you copy and backup the secret key you generated! You will need this to setup KeePass as well as to regain access to your database should YubiKey fail for some reason. Store this in a safe place, preferably printed on paper and definitely not stored on the same computer that you’ll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, just use the same secret key and write the change to the configuration.

That’s it for the YubiKey setup.

Setting Up KeePass and KeeChallenge
Download KeePass as well as the KeeChallenge plugin and Yubico’s YubiKey-Personalization release.

Install KeePass and go to the folder. Copy over the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (the items in red belong to KeeChallenge):

2014-11-26_04

Open the folder called “32bit”. See those DLL files? Replace them with the ones from the YubiKey-Personalization files you downloaded (the DLL files are located in the bin folder). Do the same for the 64-bit files.

Start KeePass and create or open an existing database.

2014-11-26_05

Click on File > Change Master Key. Enter a new master password (twice). Click on the “Key File / Provider” checkbox and choose “Yubikey Challenge-Response”. Click on OK.

2014-11-26_06

You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.

2014-11-26_07

You will then be prompted to plug in your YubiKey if it’s not in already.

2014-11-26_08

Tap the button on your YubiKey when you see this prompt on the screen.

2014-11-26_09

Setup is done!

Usage and Recovery
To use KeyPass going forward, enter the password and ensure the Key File option is checked and set to YubiKey Challenge-Response.

2014-11-26_10

Insert your YubiKey and tap on the button to log in.

2014-11-26_11

You’re in!

2014-11-26_12

If you lose your YubiKey, it broke, or you just can’t log in using it for whatever reason then unplug it, enter your password, and click OK. You will see this prompt. Choose “Recovery Mode”.

2014-11-26_13

Enter the secret key and click OK.

2014-11-26_14

And you’re back in!

2014-11-26_15

You can feel a little more at ease now while shopping online!

This entry was posted in Awareness and tagged , , , , . Bookmark the permalink.