Threat models for storing passwords, TOTP and passkeys in a single password manager?

What are the possible threat models when it comes to saving all credentials (passwords, TOTP and passkeys) into a single .kdbx database? This is assuming that:

  • The master password is very strong.
  • The .kdbx file is never exposed to the internet (always kept offline).
  • Only two devices have access to this database:
    • iPhone with KeePassium.
    • Linux computer with KeePassXC.

I can only think of two models:

  1. The database AND master passwords are (somehow) exposed.
  2. One of my two devices (iPhone and Linux) is compromised with malware.

I’m not too worried about (1) as I always keep the database offline and share it between iPhone and Linux through a USB cable. However, (2) is where I’m wondering if keeping all credentials separate would even make a difference.

If my iPhone gets compromised, I doubt having TOTP and passwords in separate apps will mitigate anything as the malware can just get the info from both apps. So there is not much difference in keeping TOTP, passwords, and passkeys in a single database on my phone.

In the case of my Linux machine being compromised, the malware can just wait until I decrypt the database and log everything (then I’m screwed). However, even if I have TOTP or passkeys on a separate device (e.g., my phone), couldn’t the malware just wait until I log in to the sites and copy my password, TOTP code and passkeys when I have to enter them? Would it make any difference if I had MFA on a different device even?

I guess what I’m trying to ask: Is threat model (2) even relevant when it comes to storing all credentials in a password manager? I feel like once one of my devices gets compromised (with remote or physical access) then it’s game over and there is no way for me to mitigate it, so I might as well keep all credentials in a single database. Also, what other threat models am I missing here?

This one:

The point of your password manager is to allow you to use all your passwords while remembering one master password. If it’s encrypted (it is) and synced offline via USB then someone mostly needs full access to your device before it’s a problem (getting either both the file and ability to decrypt or bypassing the manager to access the info after the password is used), either that or directly target you as a person rather than going after the device.

Questions:

How likely are any of those three things?

Do you have any passwords where, if one of those three things happened, you would not be able to deal with the consequences? What specifically would you not be able to deal with that you need to prevent?

If you can’t answer those then keep doing what you’re doing.

Off-topic but if these are your only 2 copies I strongly suggest creating a third backup on a flash drive stored somewhere away from your home.

If instead you stored your passkeys on actual hardware (smartphone or security keys) malware generally shouldn’t be able to retrieve your private key. Attackers can sit in as a man-in-the-middle for as long as your device is compromised but they’d lose that ability once you remove the malware which sometimes might be as simple as restarting your phone.

Similar to passkeys stored on hardware, they can sit in as a MITM on your laptop but lack the actual secrets (stored on iPhone, YubiKey, etc) to gain persistent access to your accounts thus making the account compromise temporary. In a world where they retrieve all your credentials (which is trivial if it’s all in 1 database) they may be able to steal your accounts without any hope of you recovering them.

Thanks for the heads up, I’ll for sure do that.

That’s if I store the passkeys on devices separate from my iPhone (like a YubiKey) but if my passkeys are stored in Apple’s password manager on my phone then malware can get the secret, couldn’t it?

I see, so I guess I confused temporary access with permanent access. Now I’m wondering if I should sacrifice the convenience of having all credentials in a single database or separate them (passwords on .kdbx, TOTP on Ente Auth on iPhone, and passkeys on iPhone) for a feeling of increased security (I don’t know how likely it is for my computer to get compromised).

I was thinking of getting a physical key but it seems like a pain to always keep it in hand and make sure to have backup copies and so on. Also, sadly my phone doesn’t have USB-C so I can’t even use it on both PC and phone :pensive_face:.

Passkeys can be stored in a secure element so it should be well protected against malware. I believe Apple now defaults to storing passkeys in their password manager to provide better portability but you might still have the option to store it on hardware instead.

Similar to the advice I gave before, if you go this route be sure to have multiple devices with registered passkeys for all your important accounts, ideally one of which should be stored away from home.

Storing everything in 1 database means you don’t really have true 2nd factor forms of authentication, but whether you should make a change is entirely up to what you feel is necessary for your threat model.

Assuming Apple still allows you to store passkeys on hardware, a YubiKey could just be your backup passkey device so simply having your phone would suffice. Backups are a pain but you can limit them to your most important accounts and just store less important account passkeys on KeePass.

YubiKey also works with NFC so I think it should support both an iPhone and PC. I personally use an adapter as sometimes NFC is unreliable on my phone.

I just tested trying to save a passkey offline on my iPhone. It forces me to either (a) use another device (physical key or a device running iOS 16 or later), or (b) turn on iCloud Keychain. I would rather save it on a physical key than have it in the cloud and deal with cloud breaches.

I didn’t know this. I will look into it.

Be aware that data on flash drives that aren’t used frequently can degrade. It’s never happened to me but what I’ve read is that data can corrupt and degrade even as early as 2-4 years in if it’s not being powered on and is kept in a location with high humidity.

I did a little research into this and came across archival-grade DVDs if this is a concern. Just thought you may want to know. Currently I am using an old-school hard drive that’s not powered on as frequently, as my understanding is that it’s not as vulnerable to degradation.

I did not know that, I’ll make sure to keep that in mind. Thanks!

EDIT: I also found this article by the KeePassXC team and might also print physical copies on paper just in case. (too risky).