Author Topic: Cracking the Master Password  (Read 7168 times)

Butthead

  • Guest
Cracking the Master Password
« on: September 20, 2005, 04:49:19 AM »
If someone steals your "passwordmaker.rdf" file then couldn't they just crack your master password using dictionary or dictionary permutation?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #1 on: September 20, 2005, 02:17:16 PM »
No--passwords aren't stored there, only settings are. Passwords aren't stored anywhere. They are calculated as needed.

Further (as discussed in the FAQ), if someone gets your generated passwords by some other means, dictionary attacks don't work because the passwords are heavily salted.

Regards,
Eric
« Last Edit: September 20, 2005, 02:18:52 PM by Eric H. Jung »

Gunny

  • Guest
Cracking the Master Password
« Reply #2 on: September 20, 2005, 02:42:29 PM »
If I choose to store my Master Password to disk, is the password stored in the passwordmaker.rdf file?  Is it always a bad idea to store my master password to disk?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #3 on: September 20, 2005, 05:14:53 PM »
Hi Gunny,

Quote
If I choose to store my Master Password to disk, is the password stored in the passwordmaker.rdf file?
If you're using the PasswordMaker Browser Extension and choose to store the master password, yes, it's stored in passwordmaker.rdf (PasswordMaker for Konfabulator and PasswordMaker Online store it in different places).

Quote
Is it always a bad idea to store my master password to disk?
Only you can decide that. From the FAQ, "[if stored to disk], your master password is stored using 256-bit strong encryption". But it's important to realize that the decryption key is also stored in that file, so it's not too difficult to decrypt if you know about cryptography.

Hope that helps,
Eric

Butthead

  • Guest
Cracking the Master Password
« Reply #4 on: September 21, 2005, 08:32:09 PM »
Quote
No--passwords aren't stored there, only settings are. Passwords aren't stored anywhere. They are calculated as needed.

Further (as discussed in the FAQ), if someone gets your generated passwords by some other means, dictionary attacks don't work because the passwords are heavily salted.

Regards,
Eric
If the "passwordmaker.rdf" stores all the settings and someone steals it, couldn't they just load it up into PasswordMaker and start inputting Master Passwords using a dictionary attack?  If they selected one of the sites listed in the "passwordmaker.rdf", couldn't they just try Master Passwords until it generated one that works?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #5 on: September 22, 2005, 12:32:59 AM »
Quote
couldn't they just load it up into PasswordMaker and start inputting Master Passwords using a dictionary attack?
First: dictionary attacks only work with poorly-chosen passwords. Don't choose a master password susceptible to this kind of attack. Second: how would the cracker automate the input of a million-word dictionary into PasswordMaker?

Quote
If the "passwordmaker.rdf" stores all the settings and someone steals it,
Why did you let him steal it? Why isn't your network and/or physical access to your PC secure? Why didn't you encrypt the file using OS-level encryption, as discussed in the FAQ?

Quote
couldn't they just try Master Passwords until it generated one that works?
You're assuming all people store usernames in the passwordmaker.rdf. Not all people do. How are you going to get usernames? A password is no good without a username.

If someone holds my mother at gunpoint, tells me he'll kill her if I don't reveal my Gmail username and password, aren't I vulnerable?
