PasswordMaker Forums
Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: klepto on June 12, 2006, 06:31:44 AM
-
Hello,
I've been using your program diligently for a few months now and imported/exported with no problem.
For years I had used firefox password manager but I would like to use yours permenantly. I've read the
todos but I didn't see it. Import firefox passwords so I can be done with it once and for all.
Btw. How safe is the .rdf file? Let's say someone wanted to reverse engineer it to gain the master password.
Just curious.
Thanks for this great program, and I also use your foxyproxy for with tor/privoxy.
I'd like foxyproxy to be able to use proxy for all except selected urls =)
-
Hi Klepto,
Import firefox passwords so I can be done with it once and for all.
There is currently no way to do this automatically.
Btw. How safe is the .rdf file? Let's say someone wanted to reverse engineer it to gain the master password.
This depends on which hash algorithm you've chosen and the complexity of the master password. However, regardless of which algorithm you've chosen and the complexity of the master password, it can be shown through a mathematical proof that many lifetimes of computing power would be needed to reverse engineer your master password from the (salted) hash.
Regards,
Eric
-
Oh, and if you save the master password to disk, they have access to it.
-
And if you don't save it to disk, the only way to possibly guess or brute force it would be if they have the settings (rdf file) AND a password generated by those settings. Those aren't stored anywhere. So the rdf file alone is worthless, except it gives a hint which pages you use. IF you store your own passwords in the rdf file, those are encoded by a standard encryption and COULD be guessed/brute forced to find the master password, if someone knows how to do it efficiently.
So in any case, don't choose a master password that is too weak, like "qwerty" or "12345", to give some really bad examples.
-
the only way to possibly guess or brute force it would be if they have the settings (rdf file) AND a password generated by those settings.
Most definitely untrue.
IF you store your own passwords in the rdf file, those are encoded by a standard encryption and COULD be guessed/brute forced to find the master password, if someone knows how to do it efficiently.
Again: not true. Do a little research on message digests/cryptographic hash algorithms, it only takes 10 minutes. You will learn that knowledge of one or more hashes does not help in any way to determine the input to the algorithm or other possible hashes (outputs).
If you referring to the passwords stored when using "Other auto-populate fields", then yes, these can be deciphered because they are not generated with hash algorithms...they are user-generated and encrypted with symmetric encryption. However, native passwordmaker-generated passwords are effectively uncrackable using current technology and reasonable time constraints. This is all covered on the main website and the FAQ.
-
Import firefox passwords so I can be done with it once and for all.
There is currently no way to do this automatically.
Eric - are you interested in this as a FR (personally I'm not, but can see where others might be)? If so I'll add it...
-
You can add it and if people start voting for it, then we'll consider it. Obviously, add a vote for it from klepto.
-
Again: not true. Do a little research on message digests/cryptographic hash algorithms, it only takes 10 minutes. You will learn that knowledge of one or more hashes does not help in any way to determine the input to the algorithm or other possible hashes (outputs).
[...] However, native passwordmaker-generated passwords are effectively uncrackable using current technology and reasonable time constraints.
Sorry I didn't make myself clear enough. I do know a bit about cryptography, and I was not referring to any kind of reverse algorithm. That's why I said 'could' instead of 'can'. It all depends. And this is all assuming that your settings (cookie or rdf file) and at least one stored or generated password are revealed.
I was referring to running a dictionary through the algorithm (guessing) or running all possible combinations of letters, numbers and symbols, starting with short passwords through it (brute force). A fast modern PC can easily calculate about 10 million passwords per second and compare the hashes. So as an example a mixed password of length 6 (letters (upper and lower) and numbers) takes 90 minutes to find, if you make the length 8, it takes 250 days. But if it's only 8 lowercase letters, it's done in 6 hours. And these are random letters, it's no dictionary word.
A supercomputer (or a cluster) checks up to a billion passwords per second, distributed.net's project reached 76 billions/sec once. You do the math.
This applies to almost every kind of encryption, although for example MD5 is much faster to calculate (150 MB/sec) than SHA-512 (8 MB/sec), so every example has to be taken with care. Rijndael and RipeMD-160 compute at about 30 MB/sec and Sha-1 at 50 MB/sec (in this context an 850MHz x86). Btw, the plain passwords are encrypted in Rijndael in the rdf file, if I'm not mistaken, that's why I include it here.
Maybe you want a recommendation, but it all depends on whether you want just some general protection, or if you fear someone might want to use all his resources to crack your password. If you really want to be on the secure side, either take care that you never store any settings anywhere, or use a master password of at least length 10, with digits, letters and a symbol. If you do it this way, every argument about your passwords being secure hold.
But even if you use PasswordMaker in a normal way even with a relatively weak password, the risk you're taking is quite small, and by using the generated passwords you're much safer than almost all of the other internet users. Unless someone personally attacks you.
This is all covered on the main website and the FAQ.
I'm actually thinking of proposing (and writing) a new section concerning general concerns about internet security, passwords, cryptography and the like, and how PasswordMaker fits into this. Most information I find is either too general ("If you use this, you're safe"), too scary (worst case scenarios) or too technical (like wikipedia) to be useful, so I want to come up with something new. Suggestions etc. are welcome of course.
-
You do the math.
OK, let's do it together.
The master password and password character set both support the full UTF-8 character set. This means there are hundreds of thousands of possible glyphs for each password position (due to multiple writing systems... Latin, Cyrillic, Arabic, Chinese, Japanese, etc (sorry, no Egyptian hieroglyphs in Unicode )).
For the moment, let's "do the math" for an American PasswordMaker user. Let's suppose he speaks English as his first language and uses an US 104-key keyboard... so no umlauts, diacritical marks, euro symbol, British pound symbol, etc. in his characters. In fact, let's say he leaves the character set as the base93 ASCII characters which PasswordMaker uses as its default but simply rearranges their order. He also chooses an 8-character master password from the same base93 character set. So we have:
master password combinations = 93^8 = 5,595,818,096,650,401 (over 5 quadrillion)
character set combinations = 93^93 = 1.1719638492654442104175825877512e+183Adding these together we have... well let's just say 1.1719638492654442104175825877512e+183. Now let's be optimistic for the attacker and say we expect the brute force attack to find a match after iterating through just 50% of the combinations. 1.1719638492654442104175825877512e+183 divided by 2 is 5.859819246327221052087912938755e+182 according to my Windows calculator.
A fast modern PC can easily calculate about 10 million passwords per second
5.859819246327221052087912938755e+182 / 10,000,000 = 5.859819246327221052087912938755e+175 seconds or 1.8581364936349635502561875122891e+168 years.
A supercomputer (or a cluster) checks up to a billion passwords per second
5.859819246327221052087912938755e+182 / 1,000,000,000 =
5.859819246327221052087912938755e+173 seconds or 1.8581364936349635502561875122891e+166 years.
distributed.net's project reached 76 billions/sec once
5.859819246327221052087912938755e+182 / 76,000,000,000 =
7.7102884820095013843262012352039e+171 seconds or 2.4449164389933730924423519898541e+164 years.
This is longer than the current lifetime of the universe. Even if you started the attack during the big bang (http://en.wikipedia.org/wiki/Big_bang) (approx 13.7 billion years ago), you wouldn't be anywhere near finished today.
Note this assumes the user doesn't use modifier, suffix, prefix, leet, and that he doesn't use non-English characters. If he did, solving the problem would take even longer. Please let me know if my math is incorrect--math was never one of my strongpoints, so I wouldn't be surprised if I did something wrong.
I'm actually thinking of proposing (and writing) a new section concerning general concerns about internet security, passwords, cryptography and the like, and how PasswordMaker fits into this. Most information I find is either too general ("If you use this, you're safe"), too scary (worst case scenarios) or too technical (like wikipedia) to be useful, so I want to come up with something new. Suggestions etc. are welcome of course.
This would be most welcome! Do you have scp access to the website so you can make changes?
-
OK, let's do it together.
Great, thanks, now my head hurts...
-
You can add it and if people start voting for it, then we'll consider it. Obviously, add a vote for it from klepto.
Done...
-
Still waiting for someone to check my math!!
-
Still waiting for someone to check my math!!
Just trying to follow what you wrote made my head hurt - if I tried to CHECK your math, it would probably explode!
-
Tha't's OK. Thanks for trying. Maybe Thibros will give it a whirl. My biggest assumption is that someone chooses a cryptographically secure random master password. Most people don't do this; they choose their pet's name, so dictionary-based bruce-force attacks cut the 50% estimate of all permutations down tremendously. This is how the engima was cracked in WW2.
-
I will check your math soon. Well, my "you do the math" was meant ironically, but since we started, this might get interesting. I'm actually very busy at work now, even on the weekends, but this will be a nice change to think of something else.
The story of cracking the enigma was a bit more complicated, as I recall, but you're right, most people choose also "qwerty" or "12345" or "password" as their password. My first password I ever used was "thibros", of course. Back in 1988, don't use it any more.
We both made quite a few assumptions, and different ones, that's why our results are different. But let me get back on this tomorrow, I hope.
-
OK, let's do it together.
OK.
As for your calculation, you'd have to multiply the master password combinations and character set combinations instead of adding them, giving you a total of 93^101 = 6,55...e+198 = about 2^457 combinations (as comparison, the universe consists of about 2^250 particles).
A number with 198 digits is quite difficult to comprehend, no wonder it's giving people headaches, so I'm looking at a few common scenarios, and give some examples too, so anyone interested in this can understand it.
Let's look at your example first, and make it specific. So there's Alice and Eve, and Eve doesn't like Alice (we don't know the reason, but I suspect it has to do with Bob ). Eve knows that Alice is using PasswordMaker, knows that she isn't using leet or other modifications, only a personalized character set (Alice might have mentioned that in a forum), so Eve sets up a forum on her site and gets Alice to register. Now Eve has a generated password, let's say it is "Aa1!Bb2#", so we have something to work with. She now ponders on how to get the master password, so she gets herself a super computer, and someone to write her a program so it can check a billion passwords per second with the following settings:
No leet, Hash: SHA-256, URL: eve.com, length 8, all other fields empty.
The script permutes the full 93 characters in the master password and charset fields in all lengths.
Eve is prepared to wait a long time, but after only two months (statistically) the scripts ends with a solution, maybe:
Character Set: zbA2Y17B#0!%a
Master Password: qwerty
(you can check this at http://passwordmaker.org/proto/passwordmaker.html (http://passwordmaker.org/proto/passwordmaker.html), it does generate the password Aa1!Bb2#)
Another two months later, the script puts out another solution, maybe:
Character Set: bH(XaBK&2Aqaz#!xe&iI1v8G
Master Password: 12345
or:
Character Set: xxx#xB2axAxb!1xx
Master Password: password
What happened? Which one is Alice's master password, qwerty or 12345 or 'password'? This is something called "collision" in cryptography, different input values generating the same output value. And there is no way for Eve to find out which one is the right one, without further information.
The calculation Eric made is leaving out one important variable, or rather assume it to be pretty high while it's normally quite low: the length of the generated password. In this example it is 8.
This leaves only 93^8 (= 2^36) combinations for generated passwords, while the input is 2^457. So each generated password has 2^421 master password/charset combinations that generate it. Eve would either need a generated password of length 100 or more, or 13 different generated passwords of length 8, to narrow down the collisions to a reasonable amount, from which to choose the right one, maybe one where the charset is in sort of an order (ABCDE…). But in this case it really does take the ridiculous amount of time we calculated.
I obviously constructed these collisions, which is very easy. In the last example you can substitute every x in xxx#xB2axAxb!1xx with any other character, so that gives you a quadrillion collisions, and they all generate the password in question.
So I think we all agree that Eve needs a different approach. Let's assume Alice and Eve aren't stupid, have computer knowledge and some resources. Eve tries to send Alice a keylogger, a custom script not noticed by virus protection, if Alice installs it and doesn't have a good firewall, she's out of luck. But Alice doesn't install anything unknown.
Alice will be pretty secure as long as Eve doesn't get physical access to the machine Alice is working on. But once Eve does, maybe even by sneaking into her home, opening the PC and making a copy of the hard disc, she'll have much more to work with. And maybe Alice wouldn't even find out that she's been compromised.
Assuming the drive wasn't encrypted, Eve now has copies of about everything. She's only interested in PasswordMaker stuff, so now everything depends on how much information Alice has put into it. If Alice has stored her Master Password in the rdf file, or if she has used the same password for the remote server or stored in a field in any other account, then it's over. Eve has won, because she will try those first. So let's assume the master password is unique and never stored anywhere.
Now Eve has access to all the settings, including charset and all stored passwords. All she has to do now is a brute force attack over the master password, still assuming she has at least one generated password of at least the length of the master password.
Now it all depends on the complexity of the master password. Assuming it's not a dictionary word but doing a search over 96 characters, we'd get (at a billion passwords/sec, if it's a slower workstation, you just add a zero or two):
length: time
5: 8 seconds
6: 14 minutes
7: 21 hours
8: 84 days
9: 23 years
10: 2138 years
( time = 96^length / 1,000,000,000 )
So, to sum it up, a weak master password isn't a problem as long as settings aren't revealed. But once someone knows them PLUS a password generated by them AND has the knowledge and means to crack it, then a weak password increases your risk.
There would be an easy way to add much more security, by adding a new field "recursive encryption", a number that states how many times the generated hash (or password) is fed back into the hash algorithm to create a loop. If it's for example 1000, it would take 1000 times the amount of time to crack it, with everything else revealed. You could choose an even higher number for more security when you use a dictionary word, but it'll slow down the generation (which is desired, so the attacker will have trouble too).
-
Hi Thibros,
I'm not sure how to respond to your analysis. It makes a lot of assumptions, such as:- the user has a keylogger installed
- the user's settings have been stolen by the attacker
- the user uses has a weak master password (you yourself have advocated in the past for the use of a sentence-derived, lengthy master password)
- the attacker knows one or more generated password
- did I miss any assumptions?
In a similar vein, given the following assumptions, I can successfully rob the Fort Knox Gold Bullion Depository (http://en.wikipedia.org/wiki/Fort_Knox_Bullion_Depository) without ever getting caught:- I possess the magical Ring of Gyges (http://en.wikipedia.org/wiki/Ring_of_Gyges)
I guess what I'm trying to say is nothing in our world is ever completely and entirely secure, not even PasswordMaker. There are only degrees of security. As I've said numerous times over the years in these forums, security and convenience are at odds with eachother. The more convenience you demand, the less security you enjoy.
-
I wouldn't call those assumptions, I'd call them vulnerabilities.
Well, my analysis has two parts. The first part makes none of these 'assumptions', and shows that the user is perfectly safe because if the settings are not known, there are MANY possible settings that generate a specific password.
But if by any means the settings have become known, those vulnerabilities increase the risk to certain threats. In any case, the risk probably isn't high, it depends on the kind of threat. And the biggest threat is usually that of a personal attack by someone who knows you.
I'm really not trying to scare anyone, I just think there are some misconceptions about security in general, and a general lack of interest. We could have encrypted emails for maybe ten years now, but appearingly nobody wants to use it. Some kind of better security can also be convenient, and PasswordMaker can help.
-
note to self: don't make eve mad