From this article, it sounds like they have a very specialized GPU-accelerated brute force mechanism for local database backups?
Assuming they have something like rainbow tables for short passwords on all of these managers, it still seems like it would take a very long time to correctly guess longer master passwords (say 20+ characters). No?
Because Google's cached pages still try to load images, scripts, and CSS from the original domain, meaning they are almost always completely useless unless you wait long enough for the header to switch to text-only view to appear.
Forgive the naive question, but would 2FA completely mitigate this attack, assuming that the org trying to access a key vault did not have access to the 2FA device?
No. This article describes an attack where the user has already gained access to the encrypted database, which assumes they have already subverted 2FA.
Not really, the databases are designed to be effectively public information. The security comes from the encryption, not OS-level file permission controls!
I'm confused since the article never highlights any of the facts about the strength of the master password used to protect the vault. Of course a weak master password can easily be broken with an offline GPU accelerated attack.
A question: does anyone have any idea why is it so much slower to crack Rar5 and Office 2016 than these password databases? What sort of magic sauce are they using to reduce the amount of guesses/second?
No magic, just a bigger number of hash iterations.
I have setup my KeePass to use around 100 mil iterations. It takes 1 second to validate the password on the CPU, on a GPU it will be maybe 100-1000 tries per second.
The idea you can put a number on how many guesses/second you can make on a keepass database at least is silly - that number is _configurable_! There's even a button in the UI which tunes that value to an estimated amount of time on the user's current hardware, so it's hardly an esoteric option.
MS word, by comparison, does not offer this option, and so they simply default to something sanely high.
> The idea you can put a number on how many guesses/second you can make on a keepass database at least is silly - that number is _configurable_!
I understand this.
I was asking because the article says "[lastpass and 1password] are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing.".
That, to me, implied that Office (and Rar5) were using some different - and much better! - algorithm that made guesses more expensive.
If indeed it is just a matter of more hashing rounds, then that sentence and the graph are very misleading and borderline FUD.
This article is nothing but marketing fluff promoting the author’s software. It’s an offline brute-force attack against encrypted database files that of course works if you have a weak master password, but is otherwise useless.
They test an old version of Keepass with an old KDF (they recently switched to Argon2 which is much more resistant to GPU/ASIC attacks. Additionally KeepassDroid is intended to use vaults synched to the device via Google Drive, Dropbox or whatever, so having the vault in private storage makes no sense!
They didn't 'switch' over. The KDBX 4 format introduces Argon2 as a possible KDF, in addition to AES-KDF which has been the dominant KDF in KeePass and its implementations.
Even the project with most contributors - KeePassXC, doesn't yet support KDBX 4, and work on it doesn't look like its moving either[1]. Most other implementations also don't support KDBX 4 format.
So they're brute forcing the master password for these databases. Why should I be worried if I'm using a non-dictionary multi-word passphrase as my master password?
"Different password managers employ different approaches to security. As an example, LastPass generates the encryption key by hashing the username and master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs even more rounds of hashing. This is designed to slow down brute-force attacks, and it almost works. Granted, these are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing." I'm guessing they meant more secure then Office 2016.
No, per the included graph, brute forcing Office 2016 allowed them fewer guesses per second. Whatever its hashing algorithm, it's stronger than that being used by the password managers.
So what. I use 1Password, which the article says holds to 95,000 passwords per second with one GPU. So if say my password is 10 characters, only alphanumerical (a-zA-Z0-9) without any symbols, it takes this one GPU 6210/95000 = 8834730167035.16 seconds or ~280,000 years to try all combinations. Even with 1000 GPUs and technical progress, easily more than a lifetime.
As my pass phrase is significantly stronger than that, I'm absolutely not worried..
Only to put the site into some context, Elcomsoft is a known provider of "password breakers" for several programs, nrmally used for digital forensics.
This does not equate to "attack" or "remote attack".
It is mainly about having (legal) access to a seized storage device and trying to extract from it as much information as possible.
Although using the single NVIDIA GPU of a "normal" desktop is possible, normally some specialized hardware is needed/used (usually arrays of GPU's) to achieve a relatively high brute force attempt rate, something like :
For instance:
commonChars of 1password of password length 20 will take 255,421,331,666,477,399,723,386 years, 3 months, 18 hours, 38 minutes, 39 seconds time
Well, this is the maximum amount of time, it could take considerably less than this, unless your password happens to be the very last one it tries to crack.
You can use keepass to benchmark your CPU in how many iterations should be used. I did the one second delay and divided it by ten so that I can use it on my phone without a huge delay. (2 500 000 iterations)
31 comments
[ 3.9 ms ] story [ 79.2 ms ] threadAssuming they have something like rainbow tables for short passwords on all of these managers, it still seems like it would take a very long time to correctly guess longer master passwords (say 20+ characters). No?
Doesn't this hark back to "If the attacker has local access, it's already game over"?
http://keepass.info/help/base/security.html
A question: does anyone have any idea why is it so much slower to crack Rar5 and Office 2016 than these password databases? What sort of magic sauce are they using to reduce the amount of guesses/second?
I have setup my KeePass to use around 100 mil iterations. It takes 1 second to validate the password on the CPU, on a GPU it will be maybe 100-1000 tries per second.
MS word, by comparison, does not offer this option, and so they simply default to something sanely high.
I understand this.
I was asking because the article says "[lastpass and 1password] are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing.".
That, to me, implied that Office (and Rar5) were using some different - and much better! - algorithm that made guesses more expensive.
If indeed it is just a matter of more hashing rounds, then that sentence and the graph are very misleading and borderline FUD.
Nothing to see here, move along.
They test an old version of Keepass with an old KDF (they recently switched to Argon2 which is much more resistant to GPU/ASIC attacks. Additionally KeepassDroid is intended to use vaults synched to the device via Google Drive, Dropbox or whatever, so having the vault in private storage makes no sense!
Even the project with most contributors - KeePassXC, doesn't yet support KDBX 4, and work on it doesn't look like its moving either[1]. Most other implementations also don't support KDBX 4 format.
[1]: https://news.ycombinator.com/item?id=14634253
"Different password managers employ different approaches to security. As an example, LastPass generates the encryption key by hashing the username and master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs even more rounds of hashing. This is designed to slow down brute-force attacks, and it almost works. Granted, these are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing." I'm guessing they meant more secure then Office 2016.
As my pass phrase is significantly stronger than that, I'm absolutely not worried..
This does not equate to "attack" or "remote attack".
It is mainly about having (legal) access to a seized storage device and trying to extract from it as much information as possible.
Although using the single NVIDIA GPU of a "normal" desktop is possible, normally some specialized hardware is needed/used (usually arrays of GPU's) to achieve a relatively high brute force attempt rate, something like :
https://www.shellntel.com/blog/2017/2/8/how-to-build-a-8-gpu...
For instance: commonChars of 1password of password length 20 will take 255,421,331,666,477,399,723,386 years, 3 months, 18 hours, 38 minutes, 39 seconds time
Well, this is the maximum amount of time, it could take considerably less than this, unless your password happens to be the very last one it tries to crack.