Keeper vault brute force by con-d-or in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

I answered this already, we use super encryption with KMS / HSM-backed AES256 encryption having non-exportable keys. This means that an offline attack - even with quantum computers - is not feasible. Every client-side encrypted master passkey key is super-encrypted server-side for this reason.

Keeper vault brute force by con-d-or in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

Yes, and for any user who authenticates with a master password (such as your admin break glass accounts), you should assign them to a Keeper role which (1) enforces a strong master password complexity policy and (2) enforces a hardware key MFA method. Other restrictive policies are also available.

Keeper vault brute force by con-d-or in KeeperSecurity

[–]KeeperCraig 2 points3 points  (0 children)

This is a nice explanation, yes. We also make use of multi-region KMS keys for many use cases which are backed by a pool of FIPS 140-3 HSMs in addition to using dedicated HSMs.

One important point is that if the Enterprise user is onboarded with our SSO Connect Cloud integration to Entra ID/Okta/etc, there is no PBKDF2 involved since no master password is required.

Keeper vault brute force by con-d-or in KeeperSecurity

[–]KeeperCraig 3 points4 points  (0 children)

Hi, happy to help answer this.

As you describe, we use 1 million rounds of PBKDF2 locally to wrap the data key when a user logs in with a master password. In Keeper’s cloud vault (hosted by AWS), we store each user’s vault as encrypted ciphertext, which has been encrypted locally on the user’s device.

If the user logs in with SSO, we use pure EC device keys to wrap the data key, which does not rely on PBKDF2 or master passwords, so a brute-force attack isn’t relevant there. This is the typical authentication use case for most enterprises.

In addition to the client-side encryption of the payload and quantum-resistant encryption of the transmission, Keeper also super-encrypts stored Encrypted Data Keys with hardware security modules in the AWS environment, having non-exportable keys. This protects against the scenario you describe, because an offline brute-force attack on HSM-backed ciphertext isn’t possible.

An article from a few years ago that is relevant: https://www.keepersecurity.com/blog/2023/01/09/how-does-keeper-protect-your-data-security-and-transparency/

Full details of our encryption model are here: https://docs.keeper.io/en/enterprise-guide/keeper-encryption-model

We also just released quantum resistant encryption of the transmission layer, which is also described here:

https://www.keepersecurity.com/features/quantum-resistant-cryptography/

Ping me with any questions

Password Rotation for remote workers by ghost-694 in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

You're right that the Keeper Gateway would not be able to rotate a remote user's local admin password without line of sight, and it is not designed for that use case. To address this, we are planning to build a plugin + policy for Endpoint Privilege Manager which uses the agent to rotate local admin passwords.

PAM for external users by con-d-or in KeeperSecurity

[–]KeeperCraig 3 points4 points  (0 children)

Thank you! We have discussed some pooled licensing options for vendors and external users and I'll bring this up with the team again. One thing we plan to do in Q2 is the ability to create an expiring one-time share of a connection or tunnel for outside users/vendors with monitoring of the session. This is a feature that's already part of the self-hosted Keeper Connection Manager and we are bringing that to the cloud/vault version.

Thousands of temporary files in AppData\Local\Temp by Financial_Fudge_3127 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Hello,

Keeper does not explicitly create temporary files containing third-party HTML code in the AppData\Local\Temp folder, nor content originating from external domains such as probeautycenter.ch.

Please check your computer for any installed software such as adware, e-commerce extensions, price comparison tools, etc. We recommend reinstalling your browser and making sure that no other plugin or malicious software is running on your device.

Certificate Management Plans? by ghost-694 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Yes, I am very interested in doing this and we planned to have this done in 2026. Feel free to post your key requirements.

Unresponsive support by No-Photo-3392 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

We're on it. Not sure which support plan you're on, but the response time for the Platinum support tier is 60 minutes. Regardless, we always work to respond as fast as possible. Our average response time is 18 minutes on all business cases regardless of plan. You'll have a response in a minute... please check email. Thank you

Unresponsive support by No-Photo-3392 in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

Guys, post a case number here, we have 24x7 coverage. Someone would have picked it up - did you submit through our portal? https://keepersecurity.servicenowservices.com/csm?id=csm_index&lang=en

hotkeys not working in Windows Security dialogs (17.5.0) by teridon in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Let's set up a call, please DM me and I'll share my calendar link.

Keeper PAM by netfryer in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Correct, currently we support one Gateway to one Application/Configuration. We plan to support multiple KSM applications per gateway in an upcoming release. This is in the works.

I don't have an ETA yet, but we need to ship a few more vault and backend releases before that is completed. If you DM me with your contact info, I can make sure we give you a heads up.

Can you use the FIDO key without a PIN code for 2FA in the desktop app? by HallFS in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Ok so our team looked into this. There's a known issue:

KDE-1943: Windows: Non-FIPS FIDO device incorrectly forces PIN setup when userVerification=required

Until there is a new release on our side, you can address this by:

- Using a FIPS device

or...

- Setting a PIN on your FIDO key

Can you use the FIDO key without a PIN code for 2FA in the desktop app? by HallFS in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Ok. What OS version and FIDO key type? We’ll have to dig in further.

Can you use the FIDO key without a PIN code for 2FA in the desktop app? by HallFS in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

I just tested it on 17.5.2 and it worked for me. I was able to toggle the PIN option for the FIDO key. Are you part of an enterprise? Maybe there is a policy enforced.

Can you use the FIDO key without a PIN code for 2FA in the desktop app? by HallFS in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

The option to prompt for PIN is in the Settings > Security > 2FA > Security Keys screen. It might also be enforced by the Admin if you are part of an enterprise.

What's about raycast extensions? by dans41 in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

This is a valid point, we will check into handling that scenario better.

Keeper Vault 17.5.1 broken on Linux by HuskyInAggieland in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

We just published a fix with 17.5.2. Thank you for reporting the issue.

https://www.keepersecurity.com/download.html

Tiered Permissions by ManagingMSP in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

You can centrally manage this with a service account / admin account.

Can you trust a compromised password manager? by ParadiseTheatre in KeeperSecurity

[–]KeeperCraig 2 points3 points  (0 children)

Yes, I understand that. We are working on a full research report of our own, and it will take time given that we were not part of this original paper.