current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.
up vote 0 down vote favorite

If someone uses a password manager and tries to organize the credentials well, doesn't that make attacks easier?

Let's assume an attacker has the encrypted credentials available for offline attacks, and the attacker knows which software was used to save the data, and that he also knows what the credentials are used for (websites like Google, Facebook, Amazon, et. al.).

Does this knowledge make the attack easier? Can it be prevented, or at least made significantly harder? If so, how do password suites try to prevent this?

A simplified example: I have an Amazon account, and I store my credentials in a password manager. They are well organized and named, i.e. "Amazon", which is on the top of the list because it's sorted alphabetically. An attacker now steals my encrypted credential store, and begins a brute-force attack.

If the first few bytes (e.g. header + 30) don't turn out to include the string "Amazon" appended with whatever the password suite uses as a delimiter, the attacker could stop trying to decrypt my password with his current guess. This potentially reduces the time needed to crack the password, if only linearly.

I don't know much about encryption. Any advise regarding my choice of words is appreciated. Even spelling and grammar.

share|improve this question
1  
If you are using some form of password store, you should be able to use very long and random strings- knowing the metadata should then not affect the strength of the cipher - it sounds like you are describing the user choosing a weak password, not a weak system. –  Eric G Apr 18 at 13:11
    
The strength of the chosen password does not matter for my question –  danielcw Apr 19 at 0:56
    
The strength of the password is all the matters. The small amount of time needed to sort and order data is relatively inconsequential. The attacker likely will write a script to just extract the hashes from the storage format if the encryption is per entry and not on an entire db. If the entire DB is encryptedm like in KeePass, you can't pull out individual entries because the raw file is nonsensical without the key. –  Eric G Apr 19 at 18:28
    
Sorry, but I think you missed the point of my question. Maybe I should have phrased it better. The point is: does knowing the metadata make it easier to get the key –  danielcw Apr 21 at 9:35
add comment

2 Answers

up vote 3 down vote

I use KeePass Password Safe. This password manager stores all passwords (and related metadata) in a AES-256 encrypted database. When the correct key(s) is (are) provided, the entire database is decrypted and ready for use.

So besides a quality cipher, it's crucial that sufficiently strong keys are used. Provided that's the case, the time needed to perform a brute force or dictionary attack rises exponentially with the length of the key(s).

KeePass makes brute-forcing the password database harder (take more time) by encrypting the key N rounds. The recommendation is to choose the value N so that decrypting takes around 1 second on typically used hardware, which makes brute-force and dictionary attacks take N times longer to complete. On recent hardware, N is usually larger than 10 million.

See KeePass Security for additional information.

share|improve this answer
    
Question: "KeePass makes brute-forcing the password database harder (take more time) by encrypting the database N rounds" Does the whole database have to be decrypted each round, or can an attacker just decrypt the first few bytes for each round, i.e. the first n bytes, where bytes is either cypher-block-size or even freely chosen by the attacker? –  danielcw Apr 19 at 0:58
    
@danielcw KeePass encrypts the key N rounds, not the database. I've edited my answer to reflect this. Thanks for pointing out. –  Steven Volckaert Apr 19 at 5:27
add comment
up vote 0 down vote

[Disclosure: I work for AgileBits, the makers of 1Password]

As Steven correctly pointed out, some password managers encrypt the entire database as a whole, so virtually no metadata is available to an attacker who captures that. There are two limitations of that sort of design

  1. It is that it is hard to provide either web browser integration

    You can't easily find which item you need until you decrypt the entire database

  2. Synching becomes difficult, as you may need to re-encrypt everything when a single item changes.

how do password suites try to prevent [attacks based on revealed titles and URLs]?

Metadata in 1Password version N, where N < 4

Traditionally password managers which provided browser integration or efficient data synchronization typically left things like the title and the URL associated with an item unencrypted. 1Password 3 (and prior) did this and we documented this fact from the outset.

I can't really speak of how other password managers managed this, but I will hint that not everyone has been as forthcoming in their documentation as we have been.

Metadata in 1Password 4

We have solved this problem. We encrypt "overview" information (including item title and URL) with one set of keys, while the details of each individual item remains encrypted with unique keys per item. There is still some very limited metadata which is exposed, and this, again, is fully documented.

share|improve this answer
    
"some password managers encrypt the entire database as a whole, so virtually no metadata is available to an attacker" My original question wasn't about attackers getting the metadata (early), but using the metadata to tell, if he is guessing the right key. –  danielcw Apr 19 at 1:06
    
Ah I answered the wrong question. If I (finally) understand, then you are really asking about known plaintext attacks. That is, if the attacker knows what some portion of the decrypted data should look like, then does that give the attacker an advantage. Short answer: Not since Enigma. Modern crypto systems are designed to resist known plaintext attacks. –  Jeffrey Goldberg Apr 24 at 1:06
    
"Plaintext attack", that is the missing keyword. Yeah, this is more or less exactly what I meant. –  danielcw Apr 25 at 16:32
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.