I wonder what the security of a KeePassXC database with the YubiKey key is. If I use a simple password such as aaa + YubiKey key (HMAC-SHA1 response = 20 ASCII characters), is this the same as using a strong 23-character password? Does the creation of a simple password + YubiKey create a very difficult (even unbreakable) password? Is there any article where it is explained how password, key file and hardware key are used to secure the database? Is it secured by a concatenation (password & key file & HMAC-SHA1 response)?
The 3-character password adds almost no entropy, so you are basically relying on the YubiKey alone. The YubiKey response is (neglecting SHA-1 collisions) as secure as the SHA1 secret, which is 20 bytes. Since those 20 bytes are usually generated by a strong PRNG, we can assume they possess a full 160 bits of entropy. That is more secure than most passwords, but doesn't fill the full AES-256 key space, so adding a strong password on top can improve the security, although not strictly necessary. You should further keep in mind that you could lose your Yubikey or it could get stolen, whereas a password is only in your head and would need a heavy wrench for extraction.
One more question. Do I understand correctly that the algorithm uses password+file+HMAC1 merge to unlock the database?
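The two questions in this thread (how the components are merged, and how much a short password adds next to a 160-bit HMAC-SHA1 secret) can be made concrete with a small model. The following is an added illustration, not KeePassXC's source code: it assumes the generic "hash each component, concatenate, hash again" construction and models the YubiKey slot as a plain HMAC-SHA1 over a per-database challenge (in KeePassXC the challenge is a seed from the file header; that detail and the slow KDF that follows in a real KDBX file are left out here). The function names, the 95-character printable alphabet and all sample values are constructed for the example.

```python
"""Model of merging password + key file + YubiKey response into one key.

Added illustration (not KeePassXC's code). Assumptions:
  * composite = SHA-256( SHA-256(password) || SHA-256(keyfile) || response )
  * the YubiKey slot is HMAC-SHA1(secret, challenge) with a 20-byte secret
  * a real database then feeds the composite key into Argon2/AES-KDF
"""
import hashlib
import hmac
import math
import secrets
from typing import Optional

PRINTABLE_ASCII = 95        # assumed alphabet for entropy upper bounds
HMAC_SHA1_BITS = 20 * 8     # secret and response are both 20 bytes
AES_KEY_BITS = 256          # size of the key space the answer refers to


def yubikey_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Model of the HMAC-SHA1 challenge-response slot. The secret stays on
    the token; only the 20-byte response is ever seen by the host."""
    if len(slot_secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret is 20 bytes")
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: Optional[str],
                  keyfile: Optional[bytes],
                  response: Optional[bytes]) -> bytes:
    """Hash every present component, concatenate in a fixed order, hash
    again. Any change in any component changes the whole 32-byte key, and
    no component can be recovered from the result."""
    h = hashlib.sha256()
    if password is not None:
        h.update(hashlib.sha256(password.encode("utf-8")).digest())
    if keyfile is not None:
        h.update(hashlib.sha256(keyfile).digest())
    if response is not None:
        h.update(response)
    return h.digest()


def password_entropy_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Upper bound: a uniformly random password of `length` characters.
    A human-chosen 'aaa' is worth less than this, never more."""
    return length * math.log2(alphabet)


def effective_key_bits(password_len: int,
                       keyfile_bits: float,
                       response_bits: float,
                       output_bits: int = AES_KEY_BITS) -> float:
    """Independent components add their entropy, but the merged key can
    never exceed the size of the hash/cipher key it is squeezed into."""
    total = password_entropy_bits(password_len) + keyfile_bits + response_bits
    return min(total, float(output_bits))


if __name__ == "__main__":
    # Constructed sample values: a fresh 20-byte slot secret and challenge.
    secret = secrets.token_bytes(20)
    challenge = secrets.token_bytes(32)
    resp = yubikey_response(secret, challenge)

    key_weak = composite_key("aaa", None, resp)
    key_strong = composite_key("aaa" * 8, None, resp)
    print("composite key (aaa + YubiKey):", key_weak.hex())
    print("differs with a longer password:", key_weak != key_strong)

    print("'aaa' alone        : %5.1f bits" % password_entropy_bits(3))
    print("23-char password   : %5.1f bits" % password_entropy_bits(23))
    print("'aaa' + YubiKey    : %5.1f bits" % effective_key_bits(3, 0, HMAC_SHA1_BITS))
    print("AES-256 key space  : %5d bits" % AES_KEY_BITS)
```

The numbers the script prints follow the reasoning in the answer above: three printable characters are at most about 20 bits, so almost all of the strength of "aaa + YubiKey" is the 160 bits of the slot secret, and that is below the 256-bit key space the database is encrypted with. The bound only holds if the slot secret really was generated by a strong RNG; a secret typed in by hand or derived from a phrase is worth far less than 160 bits.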