
If the attacker has your computer, then they now have 'the thing you own'. KeePass is an open-source password manager that does all the things you'd expect a password manager to do; at the very least, it stores all website and service credentials in a highly encrypted vault that can only be unlocked with one master password, which becomes the only password you need to remember.

One-time passwords work well for server authentication because both client and server endpoints are considered secure and the attacker needs 'something you own' as well as 'something you know'. If the KeePass file is still interoperable with other KeePass programs, then you gain nothing from using a one-time password in this fashion. If the attacker has access to the device storing the KeePass installation and files, the security collapses back to the security of the normal password on its own.

Security from a one-time password comes from two parties knowing the same key and counter, HOTP(Key, Counter), while an attacker doesn't know the key. However, to generate the next password on the device, the plugin would require either a secret stored on the device or the normal password for the KeePass file.

Presumably the plugin uses OATH HOTP, where the KeePass file or master key is re-encrypted after each access with the next one-time password.


Security remains the same + extra cognitive overhead.
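To make the HOTP(Key, Counter) construction concrete, here is an added RFC 4226 HOTP implementation (example code, not from the post or from KeePass or its plugin). It uses the RFC's published test secret and shows why a secret kept on the same device buys nothing: whoever holds the key and the current counter can produce every following code.

```python
import hmac
import hashlib
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[19] & 0x0F                     # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def next_codes(key: bytes, counter: int, n: int) -> list:
    """The full code sequence available to anyone who holds the same key
    and counter, which is the situation when both live on one device."""
    return [hotp(key, counter + i) for i in range(n)]


# Published RFC 4226 Appendix D test secret (a test vector, not a real key).
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c, code in enumerate(next_codes(RFC4226_SECRET, 0, 3)):
        print(c, code)  # 755224, 287082, 359152 per RFC 4226
```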
