In case 1) If you mean could they crack your KeePass file where you keep all your passwords:
Presuming you're using the program well, that's possible but very unlikely. There are reasons to believe this would be more difficult than attacking any of your normal passwords individually though:
- The database for your passwords is not stored on a server that's likely to have been compromised (it's a local file on your machine unless you place it somewhere else, or your machine itself is compromised).
- By having only one database, you can use an approach like a long diceware passphrase, which would allow you to generate a password for the database that's likely to be far harder to guess than any individual password you might otherwise have used for the sites in the database.
- It's plausible to direct more processing towards making dictionary and guessing attacks against your database's password harder than a server would be likely to direct towards each individual user's password.
In case 2) If you mean could they crack the password for the website that you keep in the KeePass file, by attacking the hash that they got from the server attack:
Theoretically, yes. However, again, there are several qualities in favour of the KeePass approach:
- Generation is automated. People are usually bad at generating hard to guess passwords. We think that we're making something hard to guess by inserting letters and numbers into a few words and then going 'presto!' but in reality we tend to follow fairly common patterns in what words we pick, what letters we replace, and so on. We also tend to duplicate them across sites.
- Remembering and entry are automated. (We tend to be bad at remembering things that don't follow common patterns.) This makes these generated passwords more practical to use.
Those two factors combined address the main weaknesses of passwords. It's not something innate about the database that does this, mind. You could do much the same yourself if you had a perfect memory, or a notebook, and were willing to sit there throwing dice to get a good entropy source. However, I've yet to meet a human who remembers a significant number of dice-generated pass-phrases for all their accounts, and writing your passwords down represents its own potential problems (loss, compromise, speed of entry when reading the things.) The way to bet is that this is going to give you a harder to attack password than you'd come up with by yourself.
They also reduce the impact of a compromise. If a password for a site is compromised, then that compromise is limited to that website, and relatively easily rectified as compared to a more general breach if you reused your passwords.
For instance, my hacker news password until shortly before this post was:
4ea3a70a8361ab5d2006fbe0f98b52f2bcc6512a866e9ddaf2e9ea951d01dbed
But that's worthless information now. I told my password prog to generate another string, and now it's something else. Took less than a minute.
Of course, if your KeePass vault itself is compromised, then you may be dealing with a worse situation. However, considering the general weakness of passwords, and the degree to which they get duplicated, and the additional security features around things like banks that protect some of the more vital stuff, I'm not sure that even putting all your eggs in one really well guarded basket makes you significantly more vulnerable if it is broken into.
But regardless, the cost of attacking an individual user goes up dramatically, whereas the rewards don't seem to scale in line with that. If someone thinks you're interesting enough to attempt to compromise your computer, get the database, and then invest resources in guessing your database password... you've probably got more serious problems anyway.
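The three points the comment leans on (a diceware master passphrase with known entropy, random per-site passwords nobody has to remember, and a vault whose unlock step is deliberately expensive so each guess costs far more than a guess against a server's fast hash) are shown together below. This is an added example, not code from the comment or from KeePass itself: the toy vault uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for KeePass's own KDF (an assumption, KeePass uses AES-KDF or Argon2), the 16-word list and the iteration count are constructed, and the timing loop in `main` only illustrates the per-guess cost ratio on your own machine.

```python
"""Added example: diceware master passphrase, random site passwords and a slow-KDF
vault versus a fast server hash. Standard library only. Word list, iteration count
and the toy vault layout are constructed assumptions, not KeePass's format."""
import hashlib
import hmac
import math
import os
import secrets
import string
import time

# Constructed stand-in for a diceware list; a real list has 7776 words, so use
# entropy_bits(n_words, 7776) when reasoning about a real passphrase.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "fjord", "grain", "hollow",
    "ivory", "jumbo", "kayak", "lemon", "mango", "noble", "oasis", "pixel",
]
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
KDF_ITERATIONS = 200_000  # assumed work factor for the toy vault


def entropy_bits(choices, pool_size):
    """Bits of entropy in `choices` independent uniform picks from `pool_size` options."""
    return choices * math.log2(pool_size)


def diceware_passphrase(n_words, wordlist=WORDLIST):
    """Master passphrase: uniform picks from the CSPRNG, never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def generate_site_password(length=20, alphabet=SITE_ALPHABET):
    """Per-site password: random and unique; nobody types it, so it can be long."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_vault(master, iterations=KDF_ITERATIONS):
    """Toy vault header: random salt plus a verifier of the PBKDF2-derived key.
    PBKDF2-HMAC-SHA256 is used only because it is in the standard library."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(key).digest()}


def unlock_vault(vault, candidate):
    """Every guess costs the attacker a full KDF run; compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              vault["salt"], vault["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), vault["verifier"])


def fast_server_hash(password, salt):
    """What a badly configured site might store: one salted SHA-256, cheap to guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def dictionary_attack(check, candidates):
    """Try candidates in order; return (matching candidate or None, guesses made)."""
    for count, candidate in enumerate(candidates, 1):
        if check(candidate):
            return candidate, count
    return None, len(candidates)


def seconds_per_guess(check, sample="not-the-password", trials=5):
    """Measure the cost of one guess against `check` on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        check(sample)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    master = diceware_passphrase(6)
    vault = create_vault(master)
    site_pw = generate_site_password()
    site_salt = os.urandom(16)
    site_digest = fast_server_hash(site_pw, site_salt)

    vault_cost = seconds_per_guess(lambda g: unlock_vault(vault, g))
    server_cost = seconds_per_guess(
        lambda g: hmac.compare_digest(fast_server_hash(g, site_salt), site_digest))
    print(f"6-word passphrase on a real 7776-word list: {entropy_bits(6, 7776):.1f} bits")
    print(f"20-char site password: {entropy_bits(20, len(SITE_ALPHABET)):.1f} bits")
    print(f"one guess against the vault: {vault_cost * 1e3:.1f} ms; "
          f"against the fast hash: {server_cost * 1e6:.1f} us")
    print(f"work factor ratio: ~{vault_cost / server_cost:,.0f}x per guess")
```

The point to take from the numbers: a six-word diceware passphrase from a real list carries about 77.5 bits, and the attacker pays `iterations` SHA-256 evaluations per guess against the vault but one per guess against the fast hash, so the same guess list that would fall in seconds against the server takes orders of magnitude longer against the vault. Lowering `iterations` speeds up your own unlock and the attacker's guessing by exactly the same factor.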