Red face here, I may have unwittingly exposed my KeePassXC database file. I know this is encrypted but in case it is being cracked while I type, is there anything I can/should do to minimise the possible damage?
If your password database was cracked/exposed, you need to change all passwords for all entries in the database as fast as possible. Depending on the number of entries, this can take some time, but there is no other possibility.
As time is critical in such a case, I would start with important stuff like banking/social security/… accounts, going down to less important stuff like normal forums/game/… accounts. You need to make a quick check for yourself which accounts are the most important/critical for you and start with the ones which pose the most damage to you if compromised.
Also check all services/pages/entries which had the password stored for unusual occurrences/changes.
Such a situation is a good opportunity to set up 2FA for services/accounts which support it to minimize future damage.
If your password database was really cracked, you need to set up a really strong master password for the next database.
If you exposed the database by accident, well, you can only slap yourself and try to avoid it in future.
Many thanks for the reply. It was my pCloud account that I think has been compromised and I confess I have a copy of the KeePassXC database file in my pCloud account but I am hoping it is encrypted so should not be accessible immediately.
I had rather assumed I should be changing passwords. I believe most important accounts already have 2FA but I shall go through them now, which will take a while.
My KeePassXC login is protected by a long passphrase but does not have 2FA. Can I apply that for the future and how does this work when I have the app opened on my desktop?
I am now running the Flatpak version and am not yet used to it, having previously used the AppImage version.
I would not worry if your KeePassXC database file is encrypted by a long enough password or (better) a passphrase. From the FAQ:
The database is encrypted with either the industry-standard AES256 or the Twofish block cipher and the master password is strengthened by a configurable number of key transformations to harden it against brute force attacks.
AES-256 is considered strong enough at least as long as quantum computing is not making large progress.
I use a password and keyfile. The keyfile should be present on all systems to which this database is synced. Of course, you should not upload the keyfile to the same location where your database is uploaded if you share the database between multiple locations. Storing the keyfile on a removable drive is probably the best from a security PoV.
You can also use a security token if it is supported by all applications you use.
I am not sure I understand your concern. Any solution that shares the database between multiple systems at the end works by uploading the database to the publicly reachable location. If you could guarantee that your database will never be exposed you would not need to encrypt it in the first place.
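Added example, not from this thread and not KeePassXC's own code: a small Python sketch of why the FAQ's "key transformations" and the password-plus-keyfile advice above matter to someone who already holds the database file. The composite-key step follows the general shape of the KDBX design (SHA-256 of each credential, then SHA-256 over the concatenation); the slow step uses hashlib.pbkdf2_hmac purely as a stand-in for KeePassXC's Argon2/AES-KDF, so the absolute timings are illustrative only. The wordlist, salt and guess rates are constructed, and all function names are my own.

```python
import hashlib
import math
import time
from typing import Iterable, Optional

# Constructed sample inputs (not real credentials or a real database).
SALT = b"\x11" * 16                 # stands in for the KDBX transform seed
KEYFILE = b"constructed keyfile contents, normally random bytes"


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Combine credentials the way KDBX does in outline: hash each part,
    then hash the concatenation. (Assumption: keyfile handling is
    simplified to SHA-256 of its bytes.)"""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Slow key transformation. PBKDF2 is a stand-in for Argon2/AES-KDF;
    the point is that cost grows linearly with `rounds` for the attacker
    exactly as it does for the legitimate user."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def brute_force(target: bytes, salt: bytes, rounds: int,
                wordlist: Iterable[str],
                keyfile: Optional[bytes] = None) -> Optional[str]:
    """Attacker loop: try every candidate password with whatever keyfile
    the attacker has (None if the keyfile was stored elsewhere)."""
    for guess in wordlist:
        if transform_key(composite_key(guess, keyfile), salt, rounds) == target:
            return guess
    return None


def diceware_entropy_bits(words: int, dict_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words drawn from a dict_size list."""
    return words * math.log2(dict_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def measure_guess_rate(rounds: int, samples: int = 5) -> float:
    """Guesses per second on this machine for a given round count."""
    start = time.perf_counter()
    for i in range(samples):
        transform_key(composite_key(f"sample{i}"), SALT, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rounds = 20_000
    secret = transform_key(composite_key("correct horse", KEYFILE), SALT, rounds)
    wordlist = ["password", "hunter2", "correct horse", "letmein"]

    # Attacker who copied both the .kdbx and the keyfile from the same cloud folder.
    print("with keyfile:   ", brute_force(secret, SALT, rounds, wordlist, KEYFILE))
    # Attacker who only has the .kdbx: same wordlist, no hit.
    print("without keyfile:", brute_force(secret, SALT, rounds, wordlist, None))

    # Why the round count matters: cost per guess scales with rounds.
    rate = measure_guess_rate(rounds)
    for words in (3, 6):
        bits = diceware_entropy_bits(words)
        yrs = expected_crack_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{words}-word passphrase ({bits:.1f} bits) at {rate:.0f} guesses/s: "
              f"~{yrs:.3g} years on one core")
```

Run it and compare the two-line difference between "with keyfile" and "without keyfile": the leaked file alone is only as weak as the passphrase plus the KDF cost, and a keyfile kept off the cloud removes the attacker's ability to test guesses at all.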