[Discuss] KeePassX

Edward Ned Harvey (blu) blu at nedharvey.com
Wed Jul 24 09:56:08 EDT 2013


Most password-based offline encryption products don't give you any knowledge or control over the key derivation process.  They have some number of rounds, perhaps 16,000, hashing the salt...  which is very ineffective.  I was greatly pleased to see KeePass has a "one second" button to derive the number of rounds, and it turns out to be approx. 10 million for a typical PC.  Any product that uses a significantly smaller number of rounds in its key derivation process will not be effective in thwarting even an unsophisticated brute-force password hack.  And even so, if your memorized password isn't randomly generated, long and complex, it's probably not effective anyway.

I find it's tough enough to type a long complex password on a computer.  It's far, far worse on a phone.

I am a great fan of BioWallet.  You "sign" the screen with your finger.  Your name, a random word, whatever.  It works best for handwritten words, and doesn't work so well for geometric shapes, drawings, patterns.  It performs bioinformatic analysis on your gesture, to either unlock or not unlock the encryption key.

I have gone through the exercise before of telling people my BioWallet password and having them try getting in.  They fail, because their handwriting doesn't match mine.  I write it on a piece of paper so they can attempt to forge my handwriting.  They fail because they're writing it too big, too small, too far off to one side or up or down, too fast, or too slow.  They only succeed if I show them myself signing the screen, then hand it to them to copy, and we pass it back and forth numerous times repeating and practicing copying my handwriting.

This is way more user friendly than typing a long complex random password on a phone keyboard.  Hence, IMHO, it's also much more secure.
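The post's point about key-derivation rounds can be made concrete. The following is an added example, not code from the KeePass/KeePassX projects or from the poster: it reproduces the idea behind the "one second" button (time a short probe run, then scale the iteration count so derivation costs about one second on the defender's own machine) and prices a brute-force attack at 16,000 rounds versus the calibrated count. PBKDF2-HMAC-SHA256 from the Python standard library stands in for KeePass's own key transformation, and the attacker's rate of 1e9 hashes per second is an assumed figure for illustration only.

```python
"""Calibrate a password KDF to a time budget and price a brute-force attack.

Added example; not KeePass/KeePassX code and not from the original post.
PBKDF2-HMAC-SHA256 is used as a stand-in for KeePass's key-transformation
rounds. The calibration idea matches the "one second" button described in
the post: choose the iteration count that costs about one second locally.
"""
import hashlib
import hmac
import os
import time

PROBE_ITERATIONS = 20_000  # short run used to measure this machine's speed


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256. Every iteration costs the attacker as much as it costs us."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = PROBE_ITERATIONS) -> int:
    """Time a probe run and scale linearly to the target (a 'one second' button)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"calibration", salt, probe)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:  # clock too coarse to measure; keep the probe count
        return probe
    return max(1, int(probe * target_seconds / elapsed))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace_size: int, iterations: int, attacker_hashes_per_second: float) -> float:
    """Worst-case time to try every password: each guess costs `iterations` hashes,
    so the KDF divides the attacker's guess rate by the iteration count."""
    return keyspace_size * iterations / attacker_hashes_per_second


def attacker_speedup(weak_iterations: int, strong_iterations: int) -> float:
    """How many times faster the same attack runs against the weaker setting."""
    return strong_iterations / weak_iterations


def protect(password: bytes, iterations: int) -> dict:
    """Store a fresh random salt, the iteration count and the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": derive_key(password, salt, iterations)}


def verify(record: dict, password: bytes) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    rounds = calibrate_iterations(1.0)
    print(f"~1 second on this machine: {rounds:,} iterations")
    rate = 1e9  # assumed attacker rate (hashes/second); illustration only
    space = keyspace(62, 8)  # 8 characters drawn from [A-Za-z0-9]
    for n in (16_000, rounds):
        days = seconds_to_exhaust(space, n, rate) / 86400
        print(f"{n:>12,} iterations: exhaust 62^8 passwords in {days:,.1f} days")
    print(f"attack is {attacker_speedup(16_000, rounds):.0f}x faster at 16,000 rounds")
    rec = protect(b"correct horse battery staple", rounds)
    print("verify:", verify(rec, b"correct horse battery staple"), verify(rec, b"wrong"))
```

The calibration is only as good as the machine it runs on: a count chosen on a fast desktop makes unlocking slow on a phone, and a count chosen on a phone gives an attacker with desktop hardware a correspondingly easier job, which is the trade-off the post's phone-keyboard complaint is really about.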


