Author Topic: Encrypt PasswordMaker.rdf  (Read 855114 times)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« on: November 27, 2005, 05:26:42 PM »
Please add a vote from Gerry Miller of Saskatoon, SK, Canada for "capability to encrypt passwdmaker.rdf...This file is normally left "wide open" since it can be read by any text editor, or notepad for that matter. Leave the capability to export in standard format as well."

Thanks,
Eric
p.s. if you want to split this into a separate post, that's fine.

Offline Tyrantmizar

  • Sr. Member
  • ****
  • Posts: 307
    • http://tyrantmizar.blogsome.com/
Encrypt PasswordMaker.rdf
« Reply #1 on: November 27, 2005, 05:56:56 PM »
Quote
p.s. if you want to split this into a separate post, that's fine.

I will, if only to leave it more open to discussion.
...
And the discussion begins:
I'm interpreting this as: This would only encrypt the passwordmaker.rdf file that is in someone's profile.  Exporting the file would remain the same.  

Right?

Of course, we could encrypt the export, but then all passwordmaker files would have to share the same encryption keys.  If someone broke the encryption, we would be back at square one.  We might as well leave the exports as normal text.

Oh, and this has been added to the FRL.
« Last Edit: November 27, 2005, 05:57:11 PM by Tyrantmizar »
Tyrantmizar
- <a href="http://tyrantmizar.blogsome.com/">Check out my blog</a> (shameless plug :P)
- Lord of the Feature Requests / Enhancements Forum - BWAHAHAHAHA!!!!
- Lord of the other one, the [url=http://forums.passwordmaker.o

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« Reply #2 on: November 27, 2005, 07:37:39 PM »
Quote
This would only encrypt the passwordmaker.rdf file that is in someone's profile.
Yes.

Quote
Of course, we could encrypt the export, but then all passwordmaker files would have to share the same encryption keys. If someone broke the encryption, we would be back at square one. We might as well leave the exports as normal text.
Not necessarily. The encryption key can be your master password. So we could provide the option to export the file both as plain text and encrypted text. The encrypted version would be useless without the master password (encryption key).

What do you think?

Quote
Oh, and this has been added to the FRL.
Thanks.
« Last Edit: November 27, 2005, 07:49:54 PM by Eric H. Jung »

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1361
Encrypt PasswordMaker.rdf
« Reply #3 on: November 30, 2005, 11:45:51 AM »
Quote
Quote
Of course, we could encrypt the export, but then all passwordmaker files would have to share the same encryption keys. If someone broke the encryption, we would be back at square one. We might as well leave the exports as normal text
Not necessarily. The encryption key can be your master password. So we could provide the option to export the file both as plain text and encrypted text. The encrypted version would be useless without the master password (encryption key).

What do you think?
I think that is the perfect solution.

Thanks Eric...

Offline Tyrantmizar

  • Sr. Member
  • ****
  • Posts: 307
    • http://tyrantmizar.blogsome.com/
Encrypt PasswordMaker.rdf
« Reply #4 on: November 30, 2005, 11:08:49 PM »
Quote
Quote
Of course, we could encrypt the export, but then all passwordmaker files would have to share the same encryption keys. If someone broke the encryption, we would be back at square one. We might as well leave the exports as normal text.
Not necessarily. The encryption key can be your master password. So we could provide the option to export the file both as plain text and encrypted text. The encrypted version would be useless without the master password (encryption key).

What do you think?

Sound good.
Tyrantmizar
- <a href="http://tyrantmizar.blogsome.com/">Check out my blog</a> (shameless plug :P)
- Lord of the Feature Requests / Enhancements Forum - BWAHAHAHAHA!!!!
- Lord of the other one, the [url=http://forums.passwordmaker.o

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Encrypt PasswordMaker.rdf
« Reply #5 on: January 28, 2006, 06:27:52 PM »
Using the Master Password as an encryption key introduces a new risk:
if the Master Password is weak, eg 2 letters, it is possible to do an exhaustive search until a valid PasswordMaker.rdf is found, revealing the Master Password in a new way, just by using the encrypted PasswordMaker.rdf and the decrypting algorithms (which are not and cannot be secret).
This might be a feature of course: users could have a solution when they forget their master password.

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Encrypt PasswordMaker.rdf
« Reply #6 on: January 28, 2006, 06:39:10 PM »
Considering, it might not be a big extra risk: the same method to find the master password also exists if you know the contents of the PasswordMaker.rdf file and a generated password.
So, one day, the FAQ "What if I forget my Master Password?" may change to:
Quote
There is a tool that exhaustively searches for your Master Password given a generated password. The processing time required depends on the quality of the hints you provide. If you still have your PasswordMaker.rdf file and are only unsure about a few characters of your Master Password, you are lucky.
  :)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« Reply #7 on: January 29, 2006, 09:47:27 PM »
Quote
Using the Master Password as an encryption key introduces a new risk: if the Master Password is weak, eg 2 letters, it is possible to do an exhaustive search until a valid PasswordMaker.rdf is found, revealing the Master Password in a new way, just by using the encrypted PasswordMaker.rdf and the decrypting algorithms (which are not and cannot be secret)
The answer here is either choose a long, difficult master password or to not use the master password as the encryption key. I will make the latter optional. In other words, you will be able to choose a different password with which to encrypt passwordmaker.rdf (if you want it encrypted at all).
« Last Edit: January 29, 2006, 10:00:13 PM by Eric H. Jung »

Offline billybob

  • Newbie
  • *
  • Posts: 8
Encrypt PasswordMaker.rdf
« Reply #8 on: February 23, 2006, 10:56:42 AM »
Add a big vote for me too.

I am surprised that this file is unencrypted.  I noticed in the FAQ which claims that a major feature is the enormous search space created by 9 variables:
    * character set
    * which of nine hash algorithms was used
    * date counter (if any)
    * username (if any)
    * password length
    * password prefix (if any)
    * password suffix (if any)
    * which of nine l33t-speak levels was used
    * when l33t-speak was applied (if at all)

which is awesome, but all of these user choices are stored out in the open.  If your computer is compromised, you are left only with the master password as defense.  Unfortunately, I bet most people's master password wouldn't take too long to crack using brute force methods.

Of course, storing this file in the open makes the program a dangerous place to store fixed passwords.  I know you are aware of that.   http://forums.passwordmaker.org/index.php?showtopic=363

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
    • http://www.wprus.com
Encrypt PasswordMaker.rdf
« Reply #9 on: February 23, 2006, 02:15:37 PM »
Billybob, you say:
Quote
If your computer is compromised, you are left only with the master password as defense.
I am not sure that I understand encryption a hundred percent, but I am fairly certain that the only thing needed to undo the encrypted rdf file would be the master password.  So, in other words, the only thing between you and the hacker is still the master password, even if the rdf is encrypted...
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1361
Encrypt PasswordMaker.rdf
« Reply #10 on: February 23, 2006, 04:11:25 PM »
Quote
Add a big vote for me too.

I am surprised that this file is unencrypted.
Hi billybob, your vote has been recorded.

Quote
Quote
If your computer is compromised, you are left only with the master password as defense.
I am not sure that I understand encryption a hundred percent, but I am fairly certain that the only thing needed to undo the encrypted rdf file would be the master password.
Actually, above Eric says he would allow one to use a different password, which I think is the best option anyway (especially for me, since I use different MPs for certain accounts)...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« Reply #11 on: February 23, 2006, 04:39:06 PM »
Romeo is right--an attacker would still only be one password away from determining all of your settings. Granted, with AES-256 encryption it could take him lifetimes to determine that password...

Quote
Unfortunately, I bet most people's master password wouldn't take too long to crack using brute force methods.
I hope you aren't right. It would be very sad indeed if people went through the trouble of using PasswordMaker only to choose a weak master password.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« Reply #12 on: February 23, 2006, 04:41:03 PM »
By the way, you are encouraged to use free encryption tools like TrueCrypt to secure the settings file before encryption is natively supported. This should alleviate your concerns, BillyBob.
« Last Edit: February 23, 2006, 04:41:26 PM by Eric H. Jung »

Offline billybob

  • Newbie
  • *
  • Posts: 8
Encrypt PasswordMaker.rdf
« Reply #13 on: February 23, 2006, 07:22:03 PM »
Quote
By the way, you are encouraged to use free encryption tools like TrueCrypt to secure the settings file before encryption is natively supported. This should alleviate your concerns, BillyBob.
I totally agree with you about TrueCrypt.  One of the essential programs.  I have it installed on every computer I work on.  It's especially valuable to me on my USB stick for my personal data and portable apps.  I have left that damn thing behind so many times it is a wonder I still have it. :)

Quote
Hi billybob, your vote has been recorded.
Hi tanstaafl.  Thanks. :)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
Encrypt PasswordMaker.rdf
« Reply #14 on: February 23, 2006, 08:38:51 PM »
I forgot that you can't (yet) choose the drive/path of your settings file -- it's always stored in your browser profile. That means you must tell Firefox/Mozilla/Netscape/Flock to create profiles on your TrueCrypt volume. That's not very flexible, but at least you'll get the benefit of encrypting history, cookies, and cache, too.
« Last Edit: February 23, 2006, 08:39:17 PM by Eric H. Jung »
