Author Topic: Cracking the Master Password  (Read 5851 times)

Butthead

  • Guest
Cracking the Master Password
« on: September 20, 2005, 04:49:19 AM »
If someone steals your "passwordmaker.rdf" file then couldn't they just crack your master password using dictionary or dictionary permutation?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #1 on: September 20, 2005, 02:17:16 PM »
No--passwords aren't stored there, only settings are. Passwords aren't stored anywhere.[/i] They are calculated as needed.

Further (as discussed in the FAQ), if someone gets your generated passwords by some other means, dictionary attacks don't work because the passwords are heavily[/i] salted.

Regards,
Eric
« Last Edit: September 20, 2005, 02:18:52 PM by Eric H. Jung »

Gunny

  • Guest
Cracking the Master Password
« Reply #2 on: September 20, 2005, 02:42:29 PM »
If I choose to store my Master Password to disk, is the password stored in the passwordmaker.rdf file?  Is it always a bad idea to store my master password to disk?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #3 on: September 20, 2005, 05:14:53 PM »
Hi Gunny,

Quote
If I choose to store my Master Password to disk, is the password stored in the passwordmaker.rdf file?
If you're using the PasswordMaker Browser Extension and choose to store the master password, yes, it's stored in passwordmaker.rdf (PasswordMaker for Konfabulator and PasswordMaker Online store it in different places).

Quote
Is it always a bad idea to store my master password to disk?
Only you can decide that. From the FAQ, "[if stored to disk], your master password is stored using 256-bit strong encryption". But it's important to realize that the decryption key is also stored in that file, so it's not too difficult to decrypt if you know about cryptography.

Hope that helps,
Eric

Butthead

  • Guest
Cracking the Master Password
« Reply #4 on: September 21, 2005, 08:32:09 PM »
Quote
No--passwords aren't stored there, only settings are. Passwords aren't stored anywhere.[/i] They are calculated as needed.

Further (as discussed in the FAQ), if someone gets your generated passwords by some other means, dictionary attacks don't work because the passwords are heavily[/i] salted.

Regards,
Eric
If the "passwordmaker.rdf" stores all the settings and someone steals it, couldn't they just load it up into PasswordMaker and start inputting Master Passwords using a dictionary attack?  If they selected one of the sites listed in the "passwordmaker.rdf", couldn't they just try Master Passwords until it generated one that works?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Cracking the Master Password
« Reply #5 on: September 22, 2005, 12:32:59 AM »
Quote
couldn't they just load it up into PasswordMaker and start inputting Master Passwords using a dictionary attack?
First: dictionary attacks only work with poorly-chosen passwords. Don't choose a master password susceptible to this kind of attack. Second: how would the cracker automate the input of a million-word dictionary into PasswordMaker?

Quote
If the "passwordmaker.rdf" stores all the settings and someone steals it,
Why did you let him steal it? Why isn't your network and/or physical access to your PC secure? Why didn't you encrypt the file using OS-level encryption, as discussed in the faq?

Quote
couldn't they just try Master Passwords until it generated one that works?
You're assuming all people store usernames in the passwordmaker.rdf. Not all people do. How are you going to get usernames? A password is no good without a username.

If someone holds my mother at gunpoint, tells me he'll kill her if I don't reveal my Gmail username and password, aren't I vulnerable?

PasswordMaker Forums

Cracking the Master Password
« Reply #5 on: September 22, 2005, 12:32:59 AM »