SoftwareGeek's Guide to Computer Security

mark_in_denver
Posts: 142
Joined: Thu Feb 26, 2015 8:36 pm

Re: SoftwareGeek's Guide to Computer Security

Post by mark_in_denver »

international001 wrote: Sun Jan 22, 2023 7:35 pm
StrongMBS wrote: Sun Jan 22, 2023 12:05 pm
The KDF provides protection for brute-force and dictionary attacks. By increasing the Iteration Count it increases the computational power and time needed for each Master Password try. The down side is the delay for the user to open their vault which depends on the device they are using.
Thanks for the explanation

So then the # of iterations is just making the KDF computationally difficult. They could just as well come up with a more computationally complex KDF, no? Even if the KDF is completely known (same if the # of iterations is known). I guess just changing the number of iterations is more practical.

In all these brute force attacks, why is it not practical to lock out the user after N failed attempts?
How would that even work? The bad guy has the encrypted database. Iterations aren't magic; it's just cycling the hash again and again until it reaches the end count. Hashing is fast; the purpose of iterations is to eat up time by cycling it on purpose. Using a higher count value on a few accounts is meaningless; using a higher count value on hundreds of thousands of accounts makes it much more difficult for the bad guys.
Last edited by mark_in_denver on Sun Jan 22, 2023 11:57 pm, edited 1 time in total.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mark_in_denver wrote: How would that even work? The bad guy has the encrypted database. Iterations aren't magic; it's just cycling the hash again and again until it reaches the end. Hashing is fast; the purpose of iterations is to eat up time. Using it on a few accounts is meaningless; using it on hundreds of thousands of accounts has huge impacts.
The worst case time to do a brute force search of the keyspace is proportional to the size of the keyspace times the time to compute the 1-way hash. The average case time is proportional to half of that for a random password. Iterating the encryption algorithm k times increases either time by a factor of k.
mark_in_denver
Posts: 142
Joined: Thu Feb 26, 2015 8:36 pm

Re: SoftwareGeek's Guide to Computer Security

Post by mark_in_denver »

Northern Flicker wrote: Mon Jan 23, 2023 12:03 am
mark_in_denver wrote: How would that even work? The bad guy has the encrypted database. Iterations aren't magic; it's just cycling the hash again and again until it reaches the end. Hashing is fast; the purpose of iterations is to eat up time. Using it on a few accounts is meaningless; using it on hundreds of thousands of accounts has huge impacts.
The worst case time to do a brute force search of the keyspace is proportional to the size of the keyspace times the time to compute the 1-way hash. The average case time is proportional to half of that for a random password. Iterating the encryption algorithm k times increases either time by a factor of k.
Yes, I understand. My point was if I have 100,000 accounts, the time it takes to crack will be 100,000*k longer. If I only have ten accounts with similar password hash complexity as the 100,000 accounts it will only take 10*k longer. Iterating works to prevent a wholesale theft.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

For any one password, it takes k longer. If you set 10M iterations (k = 10M), the time to crack your password by brute force is increased by a factor of 10M. This applies equally to 1 or 100,000 passwords. But do online password safes encrypt each individual password separately? Doubtful.

Keepass encrypts an entire file using a block cipher. I use 12M iterations because I don't mind waiting the 5 seconds that takes on my laptop. Whatever machine is used, the encryption or decryption takes 12M times longer, which is how much longer a brute force attack or even a differential cryptanalytic attack would take.

A password safe is not hashing passwords. It must encrypt them so that it can decrypt as needed. Iterating the encryption function makes more sense for an offline safe. These will encrypt the whole file, not individual passwords, and the user can decide how long and how much CPU to use when setting the iterations. Iterations increase the cost and time to crack it in proportion to the number of iterations.

An online safe also would have the server CPU(s) consumed by the iterations for normal operation of the password safe.
teamDE
Posts: 463
Joined: Tue Jun 28, 2016 9:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by teamDE »

Northern Flicker wrote: Sun Jan 22, 2023 11:54 pm Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
Isn't changing your master password useless after a breach because they already have your encrypted vault which was encrypted at the time with the master password at the time?
mark_in_denver
Posts: 142
Joined: Thu Feb 26, 2015 8:36 pm

Re: SoftwareGeek's Guide to Computer Security

Post by mark_in_denver »

teamDE wrote: Mon Jan 23, 2023 1:25 pm
Northern Flicker wrote: Sun Jan 22, 2023 11:54 pm Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
Isn't changing your master password useless after a breach because they already have your encrypted vault which was encrypted at the time with the master password at the time?
It is, unless you believe that they could "decrypt" your master password and use that to log in. However, changing your master password is very easy, and even changing an upper case letter to lower case results in a completely different hash. So it makes sense, especially if you're using a subpar password.
However if you do that and have one time codes, you'll have to generate new ones.
teamDE
Posts: 463
Joined: Tue Jun 28, 2016 9:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by teamDE »

mark_in_denver wrote: Mon Jan 23, 2023 3:42 pm
teamDE wrote: Mon Jan 23, 2023 1:25 pm
Northern Flicker wrote: Sun Jan 22, 2023 11:54 pm Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
Isn't changing your master password useless after a breach because they already have your encrypted vault which was encrypted at the time with the master password at the time?
It is, unless you believe that they could "decrypt" your master password and use that to log in. However, changing your master password is very easy, and even changing an upper case letter to lower case results in a completely different hash. So it makes sense, especially if you're using a subpar password.
However if you do that and have one time codes, you'll have to generate new ones.
Yes, I meant useless only in the sense that changing your master password won't help protect your encrypted vault if they already have their hands on it. The vault is encrypted with whatever the password was at the time it was encrypted, and that won't change. Hopefully the password manager hosts/company purge old encrypted vaults when you update.

It's certainly a good idea to change the password in general after a breach.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

teamDE wrote: Mon Jan 23, 2023 1:25 pm
Northern Flicker wrote: Sun Jan 22, 2023 11:54 pm Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
Isn't changing your master password useless after a breach because they already have your encrypted vault which was encrypted at the time with the master password at the time?
You have to change the master password first, then all of the passwords that were in the vault.
Last edited by Northern Flicker on Mon Jan 23, 2023 6:05 pm, edited 1 time in total.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Another important security issue not discussed above concerns web browser usage. Web browsers are among the most vulnerable parts of your system. Their normal mode of operation is to invite code and data produced by complete strangers in far away places onto your machine. On top of that, a web browser is a complex software system with substantial potential for design flaws and bugs. If that isn't enough, the way the supplier monetizes the browser is by connecting to a large number of sites you never asked or authorized to be connected to.

When connecting to a web browser, all instances of browser windows and tabs should be shut down and at the very least cookie data cleared. Running private browser sessions or other configurations that clear browser data on exit is a good idea to reduce the risk of cross site scripting attacks. Once all browser processes, windows, and tabs are closed, open 1 browser window to use to connect to a financial services provider or other purveyor of sensitive data or activity.

A useful (but not mandatory) strategy is to have one browser platform you use to login to financial and other sensitive accounts, and another for everything else.
teamDE
Posts: 463
Joined: Tue Jun 28, 2016 9:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by teamDE »

Northern Flicker wrote: Mon Jan 23, 2023 5:46 pm
teamDE wrote: Mon Jan 23, 2023 1:25 pm
Northern Flicker wrote: Sun Jan 22, 2023 11:54 pm Brute force attacks generally are offline attacks on a file of password hashes obtained during a breach. You want your password to be robust enough that the lag between the breach and its announcement gives you enough time to change the password before the compromised cryptohash is cracked.
Isn't changing your master password useless after a breach because they already have your encrypted vault which was encrypted at the time with the master password at the time?
You have to change all of the passwords that were in the vault as well as the master password.
I don't think we're understanding each other.

January 1st, my password is "ilovemydog". My password manager uses cloud sync and so my vault, which is encrypted using my weak password, is now on their servers.

January 5th, my password manager company gets hacked and the hackers steal/copy my encrypted vault. For all time, they possess a version of my vault that was encrypted with my weak password. This is a problem.

January 10th, I realize my PM company was hacked and change my master password. This does nothing for my vault that is possessed by the hackers. Yes, it's a very good idea for other reasons, for example I don't want my account to have a weak master password, but it does nothing for the vault that they already possess.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
international001
Posts: 2524
Joined: Thu Feb 15, 2018 7:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by international001 »

softwaregeek wrote: Mon Dec 19, 2022 1:21 pm
Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.
Can you explain how you came up with 12 characters? From what I see, rainbow tables of 1 TB go up to 8-9 characters.
Would that include the SALT?

https://freerainbowtables.com/
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Mon Jan 23, 2023 8:04 pm Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
Great advice, but first, no matter what password manager you are using, check to see what Key Derivation Function they are using and make sure it is secure enough. For many PMs (Password Managers) this is the PBKDF2-HMAC-SHA256 iteration count. Most PMs in 2022, not just LastPass, had a recommendation of or had it set to ~100,00, well below the 2021 OWASP recommendation of 310,000. BTW, OWASP sometime this month just updated their Password Storage Cheat Sheet, increasing the PBKDF2-HMAC-SHA256 iterations to 600,000 based on testing from the latest GPUs in December 2022.
https://cheatsheetseries.owasp.org/chea ... Sheet.html

LastPass has taken some criticism, for good reason, for not updating accounts with the latest iteration count as they had changed their best practices over the years from 1 to 50 to 500 to 5,000 to 100,100. But it seems they are not the only PM (I believe Bitwarden is another offender) so everybody needs to check this.

Keeper has this set to 1,000,000 now and I have my LastPass also set to this value with no issues so far on any notable login delay. When time permits, I will increase it to see when it becomes a problem.
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Mon Jan 23, 2023 8:04 pm Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
You are correct that changing your master password now does not protect the stolen vault; there is nothing you can do about it now. But depending on the technique used to crack your stolen vault, your master password could now be known.

If you do not change your master password, your online account/vault is vulnerable to possible compromise, depending on if you have 2FA and what kind. And yes, who would use an online password manager without any 2FA? See this story: https://www.darkreading.com/remote-work ... ompromises

Although the risk of SMS SIM swap is often overblown, if a threat actor had your master password and that was the only thing in their way to get into your online vault with all your new passwords, that would be a candidate for the effort.

Personally, I would never use a password manager with online access without phishing-resistant MFA (e.g., FIDO2 security keys). Luckily the LastPass instance I must use is in an enterprise setting with federated login using SSO-SAML/Provisioning-SCIM (like any secure enterprise password manager environment should be), so it is not dependent on the 2FA of the password manager.
mark_in_denver
Posts: 142
Joined: Thu Feb 26, 2015 8:36 pm

Re: SoftwareGeek's Guide to Computer Security

Post by mark_in_denver »

StrongMBS wrote: Tue Jan 24, 2023 12:23 pm
Northern Flicker wrote: Mon Jan 23, 2023 8:04 pm Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
You are correct that changing your master password now does not protect the stolen vault; there is nothing you can do about it now. But depending on the technique used to crack your stolen vault, your master password could now be known.

If you do not change your master password, your online account/vault is vulnerable to possible compromise, depending on if you have 2FA and what kind. And yes, who would use an online password manager without any 2FA? See this story: https://www.darkreading.com/remote-work ... ompromises

Although the risk of SMS SIM swap is often overblown, if a threat actor had your master password and that was the only thing in their way to get into your online vault with all your new passwords, that would be a candidate for the effort.

Personally, I would never use a password manager with online access without phishing-resistant MFA (e.g., FIDO2 security keys). Luckily the LastPass instance I must use is in an enterprise setting with federated login using SSO-SAML/Provisioning-SCIM (like any secure enterprise password manager environment should be), so it is not dependent on the 2FA of the password manager.
I use a complex master password, so what exactly are the techniques used to crack AES?

Frankly I'm not worried at all about my LP vault out in the open.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Once an online password manager (or any other service where you have an account) has been breached by attackers, you have to assume that any piece of data you ever gave them, including your login password, may have been compromised.

For all you know, the attackers were in the system for a month monitoring all sorts of things in cleartext form.

Cryptography like AES-256 would not be attacked head on. It is the protocols and processes wrapped around it that are your concern.
Last edited by Northern Flicker on Tue Jan 24, 2023 2:59 pm, edited 1 time in total.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Great advice but first no matter what password manager you are using check to see what the Key Derivation Function they are using and make sure it is secure enough. For many PMs (Password Manager) this is the PBKDF2-HMAC-SHA256 iteration count. Most PMs in 2022, not just LastPass, had recommendation or had it set to ~100,00 well below the 2021 OWASP recommendation of 310,000. BTW OWASP sometime this month just updated their Password Storage Cheat Sheet increasing the PBKDF2-HMAC-SHA256 iterations to 600,000 based on testing from the latest GPUs in December 2022.
This is an argument against proprietary password safes of any kind and for sticking to open source ones that are open to the scrutiny of the global security community. Reading an article about one issue to verify is not the equivalent of a thorough vetting of the product, and that requires more than one looker; an entire community of lookers is beneficial. This does not mean that an open source password safe cannot be breached.
Topic Author
softwaregeek
Posts: 940
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

international001 wrote: Tue Jan 24, 2023 11:03 am
softwaregeek wrote: Mon Dec 19, 2022 1:21 pm
Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.
Can you explain how you came up with 12 characters? From what I see, rainbow tables of 1 TB go up to 8-9 characters.
Would that include the SALT?

https://freerainbowtables.com/
8-9 characters will get you one for free. Pay enough and you can get a better one. Password cracking as a subscription service is a thing. There are also tables that focus on longer, lower entropy passwords and leetspeak substitutions.

I am aware of scripts that take leaked passwords, e.g., Welcome1, and manipulate them in various ways to try Welcome2, Welcome3, Welcome!, elcome1W, etc.
Topic Author
softwaregeek
Posts: 940
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Northern Flicker wrote: Tue Jan 24, 2023 2:48 pm Once an online password manager (or any other service where you have an account) has been breached by attackers, you have to assume that any piece of data you ever gave them, including your login password, may have been compromised.

For all you know, the attackers were in the system for a month monitoring all sorts of things in cleartext form.

Cryptography like AES-256 would not be attacked head on. It is the protocols and processes wrapped around it that are your concern.
Agree. 20+ years ago in grad school I was told that 90% of broken encryption was due to implementation errors.
mptfan
Posts: 7061
Joined: Mon Mar 05, 2007 9:58 am

Re: SoftwareGeek's Guide to Computer Security

Post by mptfan »

softwaregeek wrote: Mon Dec 19, 2022 1:21 pm Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it.
It is my understanding that reputable password managers salt passwords before they are hashed, and that rainbow tables are useless against salted password hashes. Am I correct?
Last edited by mptfan on Tue Jan 24, 2023 5:37 pm, edited 1 time in total.
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

mark_in_denver wrote: Tue Jan 24, 2023 2:19 pm
StrongMBS wrote: Tue Jan 24, 2023 12:23 pm
Northern Flicker wrote: Mon Jan 23, 2023 8:04 pm Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
You are correct that changing your master password now does not protect the stolen vault; there is nothing you can do about it now. But depending on the technique used to crack your stolen vault, your master password could now be known.

If you do not change your master password, your online account/vault is vulnerable to possible compromise, depending on if you have 2FA and what kind. And yes, who would use an online password manager without any 2FA? See this story: https://www.darkreading.com/remote-work ... ompromises

Although the risk of SMS SIM swap is often overblown, if a threat actor had your master password and that was the only thing in their way to get into your online vault with all your new passwords, that would be a candidate for the effort.

Personally, I would never use a password manager with online access without phishing-resistant MFA (e.g., FIDO2 security keys). Luckily the LastPass instance I must use is in an enterprise setting with federated login using SSO-SAML/Provisioning-SCIM (like any secure enterprise password manager environment should be), so it is not dependent on the 2FA of the password manager.
I use a complex master password, so what exactly are the techniques used to crack AES?

Frankly I'm not worried at all about my LP vault out in the open.
As Northern Flicker pointed out above, most would not attack AES-256 head-on by running through the encryption key space. Although I could get lucky if I guessed at random and hit your encryption key, in that case I would not know your password though.

More than likely, I would attack the mechanisms that were used to derive your encryption key (i.e., Derived Key) from some Secret Value (i.e., Master Password).
A simple model would be:
Master Key = Master Key Function (Master Password, other stuff)
Derived Key = Key Derivation Function (Master Key, Salt, Iteration Count, other stuff)
Encrypted Vault = Encryption Function (Vault, Derived Key, other stuff)

From my understanding, the only thing the threat actor does not know in the LastPass case is your Master Password (i.e., your Secret Value). If your Master Password was a 256-bit random value, we could skip the derived key step, but that is not the case here and seldom is.

The type of Key Derivation Function (KDF) used, and its iteration count, defines how much and what type of compute power, and the equivalent cost, it takes to calculate the Derived Key. Every year this number changes as new silicon is produced; the OWASP figure for PBKDF2-HMAC-SHA256 went from 310,000 in 2021 to 600,000 now in 01/2023. So, if you were lucky enough to have the LastPass new default of 100,100, it is already almost 6 times easier than is recommended.

The next issue is what is the true entropy of your Master Password. This is a much harder value to calculate. First, the threat actors have seen all of the same schemes for generating passwords as you have and, worse, they have also seen what people really create using these schemes.
They already know the typical replace-characters-with-numbers-and-symbols idea, along with adding special characters and numbers to your words, which most people only add to the beginning or end. So, the threat actor's algorithm incorporates these ideas, significantly reducing the true entropy of a "complex" password.

If you are confident that your complex master password has true entropy (BTW, these are not the same thing), then don't change your master password or any of the passwords in your vault, but you are the exception to the rule from what I have been exposed to.

One other point is that the threat actors have enough data to triage the stolen vault based on some of the unencrypted data values (e.g., URL, IP address) and your email address and iteration count. So, if the threat actor thinks your vault has high value, they can spend more effort in cracking it.
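The derivation chain StrongMBS sketches above (Master Password, salt and iteration count into PBKDF2-HMAC-SHA256 to get the Derived Key) and Northern Flicker's earlier point that iterating the KDF k times multiplies an offline brute-force search by k, as an added Python example that is not from the thread or from any password manager's code. The salts, passwords and attacker throughput figure are constructed inputs; the 600,000 count is the OWASP figure quoted in the thread.

```python
import hashlib
import hmac
import time

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 quoted in
# the thread (January 2023).
OWASP_PBKDF2_SHA256_ITERATIONS = 600_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derived Key = KDF(Master Password, Salt, Iteration Count), using
    PBKDF2-HMAC-SHA256 with a 32-byte (256-bit) output, as the thread describes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keys_differ(a: bytes, b: bytes) -> bool:
    """Constant-time comparison; True when the two derived keys are not equal."""
    return not hmac.compare_digest(a, b)


def iteration_audit(iterations: int,
                    recommended: int = OWASP_PBKDF2_SHA256_ITERATIONS) -> dict:
    """Check a vault's iteration count against the recommendation.
    'weaker_by' is the factor by which each offline guess is cheaper than at
    the recommended count: per-guess cost scales linearly with iterations,
    which is Northern Flicker's factor-of-k argument."""
    return {
        "iterations": iterations,
        "recommended": recommended,
        "meets_recommendation": iterations >= recommended,
        "weaker_by": recommended / iterations,
    }


def expected_guesses(keyspace: int) -> float:
    """Average-case guesses for a uniformly random password: half the keyspace."""
    return keyspace / 2


def crack_time_seconds(keyspace: int, iterations: int,
                       hashes_per_second: float) -> float:
    """Average-case offline search time under the thread's cost model:
    (keyspace / 2) guesses, each costing `iterations` HMAC-SHA256 calls.
    hashes_per_second is an assumed attacker throughput, not a measurement."""
    per_guess = iterations / hashes_per_second
    return expected_guesses(keyspace) * per_guess


def time_one_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation on this machine: the unlock delay
    a user pays for a given iteration count (the 'down side' in the thread)."""
    start = time.perf_counter()
    derive_key("measurement-only", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample values; a real vault uses a random per-user salt.
    salt_a = b"constructed-salt-01"
    salt_b = b"constructed-salt-02"
    count = 100_100  # the LastPass default mentioned in the thread

    k1 = derive_key("ilovemydog", salt_a, count)
    k2 = derive_key("ilovemydog", salt_b, count)
    k3 = derive_key("Ilovemydog", salt_a, count)
    # Same password, different salt: unrelated keys, so a precomputed table
    # built for one salt says nothing about another user's vault.
    print("salt changes key:", keys_differ(k1, k2))
    # One letter of case changed: also an unrelated key.
    print("case change changes key:", keys_differ(k1, k3))

    audit = iteration_audit(count)
    print(f"{count:,} iterations is {audit['weaker_by']:.2f}x cheaper per guess "
          f"than {audit['recommended']:,}")

    # Assumed attacker throughput of 1e9 HMAC-SHA256/s and a 2**40 keyspace,
    # purely to show the linear scaling in k.
    for k in (count, OWASP_PBKDF2_SHA256_ITERATIONS, 1_000_000):
        secs = crack_time_seconds(2 ** 40, k, 1e9)
        print(f"k={k:>9,}: ~{secs / 86400:,.1f} attacker-days, "
              f"unlock delay here {time_one_derivation(k):.2f}s")
```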
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Tue Jan 24, 2023 2:56 pm
StrongMBS wrote: Great advice but first no matter what password manager you are using check to see what the Key Derivation Function they are using and make sure it is secure enough. For many PMs (Password Manager) this is the PBKDF2-HMAC-SHA256 iteration count. Most PMs in 2022, not just LastPass, had recommendation or had it set to ~100,00 well below the 2021 OWASP recommendation of 310,000. BTW OWASP sometime this month just updated their Password Storage Cheat Sheet increasing the PBKDF2-HMAC-SHA256 iterations to 600,000 based on testing from the latest GPUs in December 2022.
This is an argument against proprietary password safes of any kind and sticking to open source ones that are open to the scrutiny of the global security community. Reading an article about one issue to verify is not the equivalent of a thorough vetting of the product, and that requires more than one looker-- an entire community of lookers is beneficial. This does not mean that an open source password safe cannot be breached.
Hmm, not sure how you make the jump from my post to the proprietary vs open-source argument, since the part of my post you cut off pointed out that Bitwarden had the same issue as LastPass in not updating established accounts to the new best practices for iteration counts.

Never mind the possible “Bitwarden design flaw: Serverside iterations” as discussed here: https://palant.info/2023/01/23/bitwarde ... terations/
And here: https://news.ycombinator.com/item?id=34497898
I guess “the scrutiny of the global security community” missed those.
mark_in_denver
Posts: 142
Joined: Thu Feb 26, 2015 8:36 pm

Re: SoftwareGeek's Guide to Computer Security

Post by mark_in_denver »

StrongMBS wrote: Tue Jan 24, 2023 4:39 pm
mark_in_denver wrote: Tue Jan 24, 2023 2:19 pm
StrongMBS wrote: Tue Jan 24, 2023 12:23 pm
Northern Flicker wrote: Mon Jan 23, 2023 8:04 pm Correct, we are not understanding each other. In response to your online password service being breached, you should take the following steps in the given order:

1. Change the master password of your vault. Alternatively, establish a new vault with a different service or software app with a different master password. This step is done first in case the attackers recover your master password by some method.

2. Change all of the passwords stored in the original vault at the services where they are used to authenticate and in the vault you will use moving forward, whether or not the vault will be at the breached service.
You are correct, changing your master password now does not protect the stolen vault; there is nothing now you can do about it. But depending on the technique used to crack your stolen vault, your master password could now be known.

If you do not change your master password, your online account/vault is vulnerable to possible compromise depending on whether you have 2FA and what kind. And yes, who would use an online password manager without any 2FA? See this story: https://www.darkreading.com/remote-work ... ompromises

Although the risk of SMS SIM swap is often overblown, if a threat actor had your master password and that was the only thing in their way to get into your online vault with all your new passwords, that would be a candidate for the effort.

Personally, I would never use a password manager with online access without phishing-resistant MFA (e.g., FIDO2 security keys). Luckily the LastPass instance I must use is in an enterprise setting with federated login using SSO-SAML/Provisioning-SCIM (like any secure enterprise password manager environment should be), so it is not dependent on the 2FA of the password manager.
I use a complex master password, so what exactly are the techniques used to crack AES?

Frankly I'm not worried at all about my LP vault out in the open.
As Northern Flicker points out above, most would not attack AES-256 head-on by running through the encryption key space. Although I could get lucky if I guessed at random and hit your encryption key, in that case I would not know your password though.

More than likely, I would attack the mechanisms that were used to derive your encryption key (i.e., Derived Key) from some Secret Value (i.e., Master Password).
A simple model would be:
Master Key = Master Key Function (Master Password, other stuff)
Derived Key = Key Derivation Function (Master Key, Salt, Iteration Count, other stuff)
Encrypted Vault = Encryption Function (Vault, Derived Key, other stuff)

From my understanding the only thing the threat actor does not know in the LastPass case is your Master Password (i.e., your Secret Value). If your Master Password were a 256-bit random value, we could skip the derived key step, but that is not the case here and seldom is.

The type of Key Derivation Function (KDF) used, and its iteration count, defines how much and what type of compute power and equivalent cost it takes to calculate the Derived Key. Every year this number changes as new silicon is produced; the OWASP calculation for PBKDF2-HMAC-SHA256 went from 310,000 in 2021 to 600,000 now in 01/2023. So, if you were lucky enough to have the LastPass new default of 100,100, it is already almost 6 times easier than recommended.

The next issue is what the true entropy of your Master Password is. This is a much harder value to calculate. First, the threat actors have seen all of the same schemes for generating passwords as you have, and worse, they have also seen what people really create using these schemes.
They already know the typical replace-characters-with-numbers-and-symbols idea, along with adding special characters and numbers to your words, which most people only add to the beginning or end. So, the threat actor's algorithm incorporates these ideas, significantly reducing the true entropy of a "complex" password.

If you are confident that your complex master password has true entropy (BTW these are not the same thing), then don't change your master password or any of the passwords in your vault, but you are the exception to the rule from what I have been exposed to.

One other point is that the threat actors have enough data to triage the stolen vault based on some of the unencrypted data values (e.g., URL, IP address) and your email address and iteration count. So, if the threat actor thinks your vault has high value, they can spend more effort in cracking it.
I'm not worried if the iteration count was set at 5000 or 500,000. It's not that big of a difference. If I were that worried I would add another PW character.

2FA exists because people in general are terrible at generating even half-complex passwords. They end up sharing them, telling someone else, getting phished, or forgetting them and creating something easier. 2FA is basically a shortcut for them to use subpar passwords.

If anyone is worried about security implementation at the major PW manager vendors or elsewhere, then they shouldn't be using any PW manager, open source or not.

I'm not changing my master password because I'm not worried about the iteration count, I'm not worried if it's 10 or 100 QT years to break, I'm not worried about phishing either.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Tue Jan 24, 2023 5:15 pm
Hmm, not sure how you make the jump from my post to the proprietary vs. open-source argument, since the part of my post you cut off pointed out that Bitwarden had the same issue as LastPass in not updating established accounts to the new best practices for iteration counts.

Never mind the possible “Bitwarden design flaw: Serverside iterations” as discussed here: https://palant.info/2023/01/23/bitwarde ... terations/
And here: https://news.ycombinator.com/item?id=34497898
I guess “the scrutiny of the global security community” missed those.
Your post shows that the scrutiny uncovered the flaw.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mptfan wrote: Tue Jan 24, 2023 4:35 pm
softwaregeek wrote: Mon Dec 19, 2022 1:21 pm Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it.
It is my understanding that reputable password managers salt passwords before they are hashed, and that rainbow tables are useless against salted password hashes. Am I correct?
If you mean the passwords stored in the vault, these would not be hashed. They need to be decrypted when you want to use them to log on somewhere. A rainbow table is not relevant to these based on the encrypted data in the vault.

If the service to which you log on using one of the passwords stored in the vault was compromised so that an attacker had its hash value, then a rainbow table might enable it to be cracked.

Likewise, the password you use to log on to the password vault site would be hashed, and theoretically might be broken with a rainbow table.

Modern salting protocols make it much harder to create rainbow tables, but do not render the technique useless. A salt may be randomly generated for each password to be hashed. The hash value is stored with the salt. If the password database/file is compromised, the attacker has the salt and the hash value. If the hash value is in the rainbow table, the attacker retrieves the string that generated it, which is the password concatenated with the salt. Since the salt was compromised with the hash value, the password then may be determined from that.

But having a different random salt for each password means that the size of the rainbow table has to be all combinations that are generated from a password concatenated to a salt, which is much longer than just the password, leading to a combinatorial explosion of the required size of the rainbow table.

If an attacker prunes the search space to manage the size of the table, a long, random password generally will be much less likely to be in the pruned space for which the rainbow table is created.
international001
Posts: 2524
Joined: Thu Feb 15, 2018 7:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by international001 »

Northern Flicker wrote: Tue Jan 24, 2023 6:50 pm
Modern salting protocols make it much harder to create rainbow tables, but do not render the technique useless. A salt may be randomly generated for each password to be hashed. The hash value is stored with the salt. If the password database/file is compromised, the attacker has the salt and the hash value. If the hash value is in the rainbow table, the attacker retrieves the string that generated it, which is the password concatenated with the salt. Since the salt was compromised with the hash value, the password then may be determined from that.
So is the salt only known to the authenticating website (i.e. unknown to the user)? And it's stored in the clear along the hash value (so if hacker gets one it gets the other)?

Then I understand salt would not make a brute force attack (i.e. trying passwords through the hash function) more difficult. It's just that you need a bigger rainbow table, or a rainbow table for each specific salt.

Any advantage of having complicated passwords then? I.e. if I have an 8-byte salt (random chars) and just an 8-byte lowercase password, can a simpler rainbow table be created assuming the first 8 bytes are random and the next 8 bytes are lowercase?
international001
Posts: 2524
Joined: Thu Feb 15, 2018 7:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by international001 »

Northern Flicker wrote: Tue Jan 24, 2023 2:48 pm Once an online password manager (or any other service where you have an account) has been breached by attackers, you have to assume that any piece of data you ever gave them, including your login password, may have been compromised.

For all you know, the attackers were in the system for a month monitoring all sorts of things in cleartext form.

Cryptography like AES-256 would not be attacked head on. It is the protocols and processes wrapped around it that are your concern.
I thought the assumption was that they could get the encrypted vault file. Not that they could get into the process receiving the password via an encrypted channel.

But if they also get the hash table for the master password. They can take whatever time they need via brute force to figure out the master password. And then use the master password to unencrypt the vault

So it would be better to change every single individual password in the vault as soon as possible.

Am I understanding it right?
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

international001 wrote: Tue Jan 24, 2023 8:20 pm
Northern Flicker wrote: Tue Jan 24, 2023 6:50 pm
Modern salting protocols make it much harder to create rainbow tables, but do not render the technique useless. A salt may be randomly generated for each password to be hashed. The hash value is stored with the salt. If the password database/file is compromised, the attacker has the salt and the hash value. If the hash value is in the rainbow table, the attacker retrieves the string that generated it, which is the password concatenated with the salt. Since the salt was compromised with the hash value, the password then may be determined from that.
So is the salt only known to the authenticating website (i.e. unknown to the user)? And it's stored in the clear along the hash value (so if hacker gets one it gets the other)?

Then I understand salt would not make a brute force attack (i.e. trying passwords through the hash function) more difficult. It's just that you need a bigger rainbow table, or a rainbow table for each specific salt.
A salt increases the CPU cost of executing the 1-way hash function (longer string to be hashed), commensurately increasing the CPU cost and running time of a brute force attack. This was the motivation behind the original password salt for the Unix password protocol 50+ years ago, and it is true for modern salting protocols as well.

A rainbow table for each possible salt value and a larger rainbow table are more or less the same thing. The difference is in how you represent and/or store the rainbow table. The table needs to have the hash value for every concatenation of every combination of password value and salt value. Horizontally partitioning the table so you have a separate "sub-table" for each salt value doesn't change the combined number of entries.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

international001 wrote: Tue Jan 24, 2023 8:24 pm
Northern Flicker wrote: Tue Jan 24, 2023 2:48 pm Once an online password manager (or any other service where you have an account) has been breached by attackers, you have to assume that any piece of data you ever gave them, including your login password, may have been compromised.

For all you know, the attackers were in the system for a month monitoring all sorts of things in cleartext form.

Cryptography like AES-256 would not be attacked head on. It is the protocols and processes wrapped around it that are your concern.
I thought the assumption was that they could get the encrypted vault file. Not that they could get into the process receiving the password via an encrypted channel.
It's an internet-facing application of moderate complexity. The software was breached. You cannot reliably assume that the attackers only have your encrypted password set. If you have 2FA for services where the stored passwords are used, getting the passwords rotated may not be a time-critical emergency, but it should be done in a timely manner, after changing your login password (and master encryption keys if any).
Last edited by Northern Flicker on Tue Jan 24, 2023 10:26 pm, edited 1 time in total.
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Well, if the LastPass breach did not make you question changing password managers maybe this will.
Headline "GoTo says hackers stole customers' backups and encryption key"

https://www.bleepingcomputer.com/news/s ... ption-key/
JD2775
Posts: 1262
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

StrongMBS wrote: Tue Jan 24, 2023 10:23 pm Well, if the LastPass breach did not make you question changing password managers maybe this will.
Headline "GoTo says hackers stole customers' backups and encryption key"

https://www.bleepingcomputer.com/news/s ... ption-key/
Every time I read one of those I wonder when Bitwarden or 1Password will be next...
mptfan
Posts: 7061
Joined: Mon Mar 05, 2007 9:58 am

Re: SoftwareGeek's Guide to Computer Security

Post by mptfan »

Northern Flicker wrote: Tue Jan 24, 2023 6:50 pm
mptfan wrote: Tue Jan 24, 2023 4:35 pm
softwaregeek wrote: Mon Dec 19, 2022 1:21 pm Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it.
It is my understanding that reputable password managers salt passwords before they are hashed, and that rainbow tables are useless against salted password hashes. Am I correct?
If you mean the passwords stored in the vault, these would not be hashed.
No, I meant the master password that must be known in order to decrypt the vault.

I have done an extensive amount of research on this topic and I am sure that reputable password managers do not store passwords in their vault, rather, they store hashes of the passwords. Surely it's obvious that my actual passwords are not stored. And in order to unencrypt the vault someone would need to know my master password, which itself is hashed using a salt (among other techniques). Is my understanding correct? This is not my field so I stand to be corrected if I am wrong.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mptfan wrote: Tue Jan 24, 2023 10:38 pm
I have done an extensive amount of research on this topic and I am sure that reputable password managers do not store passwords in their vault, rather, they store hashes of the passwords. Surely it's obvious that my actual passwords are not stored. And in order to unencrypt the vault someone would need to know my master password, which itself is hashed using a salt (among other techniques). Is my understanding correct? This is not my field so I stand to be corrected if I am wrong.
You cannot decrypt 1-way hashes. The password vault needs to produce the stored passwords in cleartext. It thus would use encryption, not 1-way hashes. This is different from password-based authentication, where 1-way hashes are stored, and when a cleartext password is presented, it is hashed and compared to the stored hash value.

Your login password to the password safe service should be stored as a 1-way hash just like any login password artifact should be stored. If it is used in the encryption of your stored passwords, the vault software would get it in cleartext from your login session, and make any use of it to decrypt your passwords. How and whether your password safe login password may be part of, or an input to the encryption keys used for the vault would be implementation-specific.

Generally, I won't use any internet-facing password vault service. I'm not saying others should or shouldn't use them.
mptfan
Posts: 7061
Joined: Mon Mar 05, 2007 9:58 am

Re: SoftwareGeek's Guide to Computer Security

Post by mptfan »

I don't think you responded directly to my statement that rainbow tables are useless against master vault passwords that are salted and hashed. Is that true? I am referring to the master password for a reputable password manager. If not useless, then using them becomes so burdensome that they are practically ineffective?
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mptfan wrote: Wed Jan 25, 2023 12:40 am I don't think you responded directly to my statement that rainbow tables are useless against master vault passwords that are salted and hashed. Is that true? I am referring to the master password for a reputable password manager. If not useless, then using them becomes so burdensome that they are practically ineffective?
Rainbow tables theoretically can be used against a data item (whatever role the data item plays) that has been salted and hashed. The hash value and the salt would have to be compromised. See my above description about how salts make it difficult by greatly increasing the required size of the table.

But when a system is compromised, you still have to assume any data you sent to it could have been compromised. If the attackers had malware in the system when you logged in, the cleartext could have been sniffed somewhere while it was being used to authenticate your login or to decrypt your vault.
Last edited by Northern Flicker on Wed Jan 25, 2023 12:57 am, edited 1 time in total.
mptfan
Posts: 7061
Joined: Mon Mar 05, 2007 9:58 am

Re: SoftwareGeek's Guide to Computer Security

Post by mptfan »

Northern Flicker wrote: Wed Jan 25, 2023 12:46 amSee my above description about how salts make it very difficult by greatly increasing the required size of the table.
Would it be fair to say that the difficulty becomes so great as a practical matter (as opposed to in theory) to be practically useless, and therefore not used?
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Rainbow tables are not something I worry about with strong passwords. Some providers may not salt passwords in a robust manner, so it is good to err on the side of stronger passwords. The term "rainbow table" is newer than the technique. I think modern salting protocols were developed in response to dictionary attacks (older term for rainbow tables) against Unix password files back in the day.

If the vault login password is used to encrypt a password vault, then you depend on the 1-way hash holding up as there won't be 2FA for the encryption algorithm. The vault may use a second key either for a second encryption pass or to exclusive-or or whatever with the key you supply, but such a second key would not be able to be stored as a 1-way hash. It would need to be available in cleartext when encrypting or decrypting.
mptfan
Posts: 7061
Joined: Mon Mar 05, 2007 9:58 am

Re: SoftwareGeek's Guide to Computer Security

Post by mptfan »

You didn't answer my question. From the reading I have done I think the answer is yes.
HaveaNiceDay
Posts: 16
Joined: Fri Sep 16, 2022 7:32 pm

Re: SoftwareGeek's Guide to Computer Security

Post by HaveaNiceDay »

OWASP updated their standards for PBKDF2-HMAC-SHA256 to 600,000 iterations in Jan 2023 to keep up with advances in computing power.

Reference: https://cheatsheetseries.owasp.org/chea ... rd-lengths

LastPass isn't alone, 1Password currently has their iterations set at 100,000.

All these password managers need to adjust to meet the current OWASP recommendation ASAP.
Please excuse the typos, it is my way of showing the post is authentic....
Topic Author
softwaregeek
Posts: 940
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

mptfan wrote: Tue Jan 24, 2023 4:35 pm
softwaregeek wrote: Mon Dec 19, 2022 1:21 pm Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it.
It is my understanding that reputable password managers salt passwords before they are hashed, and that rainbow tables are useless against salted password hashes. Am I correct?
Partially correct. A hash is a one-way function. The password *to* the password manager should be salted. But within the stored password vault, you cannot use a salt because you need a two-way function. Example: I run a password against a hash algorithm. I get a unique 64 digit number (for example). If the numbers match the unique 64 digit number stored in the password table, the password is valid. But it is very difficult to get the password out of the 64 digit number. That's why it's one way and why most computers don't actually store the password.

But you can't do this within the vault, you need to get the original password. You need 2-way encryption. So you use a method that can be decrypted to get the original password.

If you were referring to the LastPass hack, the credentials were stolen, which bypassed the salt altogether. There was encryption by LastPass, on top of encryption by the user. So you are at the mercy of how good your password is. But the key problem with the LastPass attack is that the names and URLs associated with the passwords were leaked in plaintext. So now you have a whole roadmap.

Let's say I have the LastPass vault and wanted to attack it. First, I'm going to look for the subset of users - let's say I make a list of accounts with URLs that look interesting. I want to find accounts that indicate there is money to be had - like brokerages, wealth management, crypto, maybe tax. Now, I am going to cross-reference those with publicly leaked lists of passwords. Let's say I start with a million vaults and I select what I consider to be the best 100,000 potential accounts. And then I find 50,000 of those accounts are associated with leaked passwords of some sort. And I'm going to run a hundred thousand versions of the leaked password for each of those 50,000 accounts. I promise you, I would get several thousand decrypted vaults very quickly and very cheaply. Then repeat with the next tranche of accounts until the compute costs exceed the returns.
StrongMBS
Posts: 51
Joined: Sat Jan 14, 2017 2:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

mptfan wrote: Wed Jan 25, 2023 7:29 am You didn't answer my question. From the reading I have done I think the answer is yes.
I am not sure what the question is anymore since the discussion is hard to follow.
So, let’s start with some general ideas.

Think of one-way hashes as this simple model: Hash = F (Value, other stuff).
Like any solution space there are tradeoffs across multiple dimensions.
When dealing with places where one-way hashing functions are used, there are two general attack avenues: brute force vs. precompute, which has the time/compute vs. space/storage tradeoff.

There are two relevant areas to this discussion where one-way hash functions are used.

First Area: Logging into a service
There are two attack surfaces here.
First is a direct attack into the login page trying some pre-arranged listings (i.e., dictionary attack). This works because of poor cyber password hygiene since the most used password is “123456”. Any 2FA will stop this type of attack at this stage.

The second attack surface is often termed "cracking your password hash". Places where you log in need a way to authenticate you from your password (i.e., secret value); this is often done by storing some hash of your password. Often in breaches it is these hashes that are stolen. But to compromise an account you need the password, not the hash. If I know all the variables used in the hashing-based function but one (i.e., your password), I can precompute the hashes across the space. This is the premise of a rainbow table attack. I will sidestep the issue of hash collisions (i.e., multiple passwords hash to the same hash value).

To make this attack scheme less efficient (i.e., need more space/storage), part of the "other stuff" is a salt value. The bigger, more random, and individualized this salt value is, the bigger the space/storage and the less efficient the attack is. Note the salt value does not need to be kept secret; its purpose is to expand the space dimension. For a small solution space the whole rainbow table can be precomputed. For larger tables, often just the more common passwords are used, often the ones used in a dictionary attack.

These stolen hash tables are often used to recover a user password that is then used at other sites in an attack called "credential stuffing"; once again this works because of users' poor cyber password hygiene (i.e., using the same password on different sites). Again, any 2FA will stop this type of attack at this stage.

Second Area: Encrypted Vault
The second relevant area to this discussion is what would it take to crack your stolen encrypted password vault.
Again, let’s use this simple model:
Master Key = Master Key Function (Master Password, other stuff)
Derived Key = Key Derivation Function (Master Key, Salt, Iteration Count, other stuff)
Encrypted Vault = Encryption Function (Vault, Derived Key, other stuff)

To decrypt your stolen vault, you need the Derived Key.
Any well-architected Zero-Knowledge based password manager does not store anything to do with your Master Password (i.e., Zero-Knowledge) online. So, there is no hash to crack. Therefore, the only way to generate the Derived Key is to brute force starting from the Master Password. This is where the KDF and its iteration count come into play. This makes the brute force of generating the derived key less efficient in the time/compute dimension. A dictionary attack could be used here, but hopefully your Master Password is better than that.

BTW I am not sure if anybody can tell you a technique is useless, because it all depends on the value of the data you are trying to uncover.

Did that answer your question?
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mptfan wrote: Wed Jan 25, 2023 7:29 am You didn't answer my question. From the reading I have done I think the answer is yes.
You are asking if a grey color is black or white.
Mudpuppy
Posts: 7115
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

mptfan wrote: Wed Jan 25, 2023 12:40 am I don't think you responded directly to my statement that rainbow tables are useless against master vault passwords that are salted and hashed. Is that true? I am referring to the master password for a reputable password manager. If not useless, then using them becomes so burdensome that they are practically ineffective?
A master password is not used in the same way as a login password. Here's a very simple example of how both are used:

Login password + Salt -> Hash function -> Hash (fixed length depending on hash algorithm) is stored with username (plaintext) and salt (plaintext; also fixed length) in the user database

Master password + other -> Hash function -> Key derivation + other manipulations -> Key used to encrypt and decrypt the password locker (variable length depending on number of passwords stored in it)

Note that in the login case, the hash and salt are both of fixed length. That means you could potentially use a rainbow table because it would be possible to precalculate output of fixed lengths. For modern hash and salt lengths such a rainbow table requires massive amounts of storage and time to do this, but it's theoretically possible because the output relative to the input is of a fixed length. For any given password, there are "salt" (however many valid salts exist) number of possible hashes, one for each valid salt value. Once the attacker has the rainbow table and the user database hashes, they search the rainbow table hashes to see if any match the stolen hashes (time for this operation depends on the size of the rainbow table involved; some are quite massive). If so, they've recovered the password (or a collision of the password, which operates as the same thing as far as login algorithms are concerned).

With the master password on the other hand, its hash should never be directly stored. Instead, the hash is used to derive the key used to encrypt and decrypt an unknown amount of data of variable length, and that key should also never be directly stored. While you could theoretically precalculate all of the derived keys, for modern algorithms it would typically require vastly more storage space and precalculation time than the login password rainbow table, as you'd have to precompute all the "other" variables in the key derivation function and those typically have a much larger valid space than salts. And since the hash and key are never directly stored, the attacker would not be able to do a simple search. They'd instead have to pass through all of the precomputed keys and try to use them to decrypt the password locker one-by-one. That provides only a trivial time speed-up over direct brute-forcing, at the cost of an enormous amount of storage space, so it's just not usually done.
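The two areas StrongMBS modelled above (salted login hash vs. KDF-derived vault key) and Mudpuppy's two flows, as an added Python example that is not code from the thread or from any password manager. It shows why a per-user salt makes a precomputed hash table useless for any other salt, and why every guess at a zero-knowledge vault has to pay the full PBKDF2 iteration count; the Master Key Function (SHA-256 over email and password), the wordlist, emails and salts are constructed assumptions, and an HMAC tag stands in for real authenticated encryption.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample wordlist standing in for "the more common passwords".
WORDLIST = ["123456", "password", "letmein", "qwerty", "correct horse battery"]


# --- First area: logging into a service -------------------------------------
def login_record(password: str, salt: bytes) -> tuple:
    """What the service stores: (salt, SHA-256(salt || password)).
    The salt sits in the clear next to the hash; it is not a secret."""
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify_login(record: tuple, password: str) -> bool:
    """Hash the presented password with the stored salt and compare."""
    salt, stored = record
    return hmac.compare_digest(stored, login_record(password, salt)[1])


def precompute_table(salt: bytes) -> dict:
    """hash -> password table valid for ONE salt value (b"" = unsalted).
    With a random salt per user the table has to be rebuilt per user."""
    return {login_record(word, salt)[1]: word for word in WORDLIST}


def table_lookup(table: dict, record: tuple):
    """A stolen hash is only found if the table was built for its salt."""
    return table.get(record[1])


# --- Second area: encrypted vault --------------------------------------------
HMAC_CALLS = 0  # work counter: one HMAC-SHA256 evaluation = one unit


def pbkdf2_sha256_32(key: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 for a 32-byte output (one block, RFC 8018),
    written out so the 'hash again and again' structure is visible."""
    global HMAC_CALLS
    u = hmac.new(key, salt + struct.pack(">I", 1), "sha256").digest()
    HMAC_CALLS += 1
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(key, u, "sha256").digest()
        HMAC_CALLS += 1
        t = bytearray(a ^ b for a, b in zip(t, u))
    return bytes(t)


def matches_stdlib(key: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check of the hand-written KDF against hashlib's PBKDF2."""
    return pbkdf2_sha256_32(key, salt, iterations) == hashlib.pbkdf2_hmac(
        "sha256", key, salt, iterations, dklen=32)


def master_key(master_password: str, email: str) -> bytes:
    """Master Key = Master Key Function(Master Password, other stuff).
    Assumed function: SHA-256 over the lower-cased email and the password."""
    return hashlib.sha256(
        email.lower().encode() + b"\x00" + master_password.encode()).digest()


def derive_vault_key(master_password: str, email: str, salt: bytes,
                     iterations: int) -> bytes:
    """Derived Key = KDF(Master Key, Salt, Iteration Count)."""
    return pbkdf2_sha256_32(master_key(master_password, email), salt, iterations)


def seal_vault(ciphertext: bytes, key: bytes, salt: bytes, iterations: int) -> dict:
    """Zero-knowledge storage: salt, iteration count, ciphertext and a tag
    keyed by the Derived Key. No hash of the Master Password is kept, so the
    only way to test a guess is to run the whole KDF and try the key.
    (A real vault uses authenticated encryption such as AES-GCM; the
    encryption step is omitted here to stay stdlib-only.)"""
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ciphertext, "tag": tag}


def unlock(vault: dict, key: bytes) -> bool:
    """True only if the key derived from the guess authenticates the vault."""
    return hmac.compare_digest(
        vault["tag"], hmac.new(key, vault["ct"], "sha256").digest())


def offline_guess_cost(vault: dict, email: str, candidates) -> tuple:
    """Defender's cost model: HMAC evaluations an offline dictionary check of
    `candidates` costs before one opens the vault (or all of them fail).
    Each candidate costs the full iteration count, so moving from 100,100
    to 600,000 iterations multiplies this work by ~6 for the same list."""
    global HMAC_CALLS
    HMAC_CALLS = 0
    for cand in candidates:
        key = derive_vault_key(cand, email, vault["salt"], vault["iterations"])
        if unlock(vault, key):
            return cand, HMAC_CALLS
    return None, HMAC_CALLS


if __name__ == "__main__":
    email = "user@example.com"  # constructed
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery", email, salt, 1000)
    vault = seal_vault(b"<encrypted vault bytes>", key, salt, 1000)
    print(offline_guess_cost(vault, email, WORDLIST))  # 5 candidates * 1000 units
```

The iteration count is kept at 1000 so the pure-Python loop finishes quickly; the ratio is what matters, and OWASP's 600,000 scales the same loop linearly.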
Mudpuppy
Posts: 7115
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

JD2775 wrote: Tue Jan 24, 2023 10:34 pm
StrongMBS wrote: Tue Jan 24, 2023 10:23 pm Well, if the LastPass breach did not make you question changing password managers maybe this will.
Headline "GoTo says hackers stole customers' backups and encryption key"

https://www.bleepingcomputer.com/news/s ... ption-key/
Every time I read one of those I wonder when will Bitwarden or 1Password be next..
It should be noted that the encryption key stolen from GoTo was the storage encryption key created by GoTo, not the individual password locker encryption keys derived from the master password. There are layers of encryption in this particular case and the attackers have only stolen the key to the outer layer.

And yes, this is a risk for any cloud-based password locker company, since cloud storage has a much broader attack surface and storage compromises happen quite frequently. That's why we go to the bother of using unique passwords in the first place. With unique passwords, if someone steals the user database from a storage compromise at XYZ website, only the password to XYZ website is at risk.

Edit to add: Obviously, with a password locker, far more than just the password to XYZ website is at risk should they steal the encrypted password locker, but that's why you should use very strong master passwords: to make it much harder for them to crack that layer of encryption. The goal is to make your master password so strong that there is plenty of time to realize the compromise has occurred and to change all affected passwords LONG before the attacker can crack that layer.
Last edited by Mudpuppy on Wed Jan 25, 2023 1:52 pm, edited 1 time in total.
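An added illustration of the two points above, the login hash versus the key derived from a master password, and the two encryption layers described for the GoTo case. This is example code written for this thread, not code from any password manager; the salt, nonces and provider key are constructed values, and the HMAC-based stream cipher is a stand-in for the AES-GCM a real locker would use.

```python
import hashlib
import hmac

# Login path: the server stores a fixed-length salted hash and compares it,
# so a precomputed table of (salt, guess) -> hash can simply be searched.
def login_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password).digest()

def login_ok(stored: bytes, password: bytes, salt: bytes) -> bool:
    return hmac.compare_digest(stored, login_hash(password, salt))

# Vault path: PBKDF2 turns master password + salt + iteration count into a key
# that only lives in memory while the locker is open; nothing derived is stored.
def derive_key(master: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master, salt, iterations, dklen=32)

def _keystream(key, nonce, n):
    # Toy HMAC counter-mode keystream, a stand-in for AES-GCM in a real locker.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; nonce must be 16 bytes (fresh per write in practice)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong: the only signal a guesser gets."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def try_master(guess: bytes, salt: bytes, iterations: int, vault_blob: bytes):
    # Each guess costs a full PBKDF2 run plus a decryption attempt, no lookup.
    return unseal(derive_key(guess, salt, iterations), vault_blob)

# Constructed sample values (real systems draw salts and nonces from os.urandom).
SALT, ITERATIONS = b"constructed-salt", 100_000          # 16-byte salt
VAULT_NONCE, OUTER_NONCE = b"vault-nonce-0001", b"outer-nonce-0001"
STORAGE_KEY = hashlib.sha256(b"constructed provider key").digest()  # GoTo-style outer key

def build_layers(master: bytes, locker: bytes) -> bytes:
    # Inner layer under the user's derived key, outer layer under the provider's key.
    inner = seal(derive_key(master, SALT, ITERATIONS), VAULT_NONCE, locker)
    return seal(STORAGE_KEY, OUTER_NONCE, inner)
```

With only STORAGE_KEY, an attacker can peel the outer layer and obtain the inner ciphertext, but every guess at the master password then costs a full PBKDF2 run followed by a decryption attempt.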
JD2775
Posts: 1262
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

Mudpuppy wrote: Wed Jan 25, 2023 1:49 pm
JD2775 wrote: Tue Jan 24, 2023 10:34 pm
StrongMBS wrote: Tue Jan 24, 2023 10:23 pm Well, if the LastPass breach did not make you question changing password managers maybe this will.
Headline "GoTo says hackers stole customers' backups and encryption key"

https://www.bleepingcomputer.com/news/s ... ption-key/
Every time I read one of those I wonder when will Bitwarden or 1Password be next..
It should be noted that the encryption key stolen from GoTo was the storage encryption key created by GoTo, not the individual password locker encryption keys derived from the master password. There are layers of encryption in this particular case and the attackers have only stolen the key to the outer layer.

And yes, this is a risk for any cloud-based password locker company, since cloud storage has a much broader attack surface and storage compromises happen quite frequently. That's why we go to the bother of using unique passwords in the first place. With unique passwords, if someone steals the user database from a storage compromise at XYZ website, only the password to XYZ website is at risk.
Thanks for clarifying
JD2775
Posts: 1262
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

Lots of good information here....

So for my limited knowledge in this area, is the following a safe assumption?

If you have a very strong master password (in Bitwarden, 1Password etc.) and a high key iteration set, even cloud based, the likelihood of someone accessing info in your vault is far less than if someone "hacked" the individual sites you are associated with themselves? For example Bank of America, SSA, Amazon...., even with strong passwords, could depend entirely on their individual security practices around password protection?
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Mudpuppy wrote: A master password is not used in the same way as a login password.
An extra wrinkle is that an online password safe could use one's login password as the key or part of the key used to encrypt a vault. The cryptohash of the password would then become part of the attack surface for the encrypted vault.
Last edited by Northern Flicker on Wed Jan 25, 2023 3:25 pm, edited 1 time in total.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 12316
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

JD2775 wrote: Wed Jan 25, 2023 1:54 pm Lots of good information here....

So for my limited knowledge in this area, is the following a safe assumption?

If you have a very strong master password (in Bitwarden, 1Password etc.) and a high key iteration set, even cloud based, the likelihood of someone accessing info in your vault is far less than if someone "hacked" the individual sites you are associated with themselves? For example Bank of America, SSA, Amazon...., even with strong passwords, could depend entirely on their individual security practices around password protection?
You are referring to the strength of the cryptography. A direct attack on the cryptography of a password vault is not the most likely way it would be compromised.

The password service and the services for which you use the passwords are all internet facing web applications. The implementations of the applications are a substantial input into any assessment of the level of vulnerability, so it is hard to generalize.

Web runtime platforms are complex. They use a stack of complex software components. In aggregate, that is a large code base that has to be secure. I have more confidence in a standalone, open source piece of software like Keepass. That does not mean that a currently unknown vulnerability won't be found or exploited in Keepass or a similar tool in the future.
Last edited by Northern Flicker on Wed Jan 25, 2023 4:13 pm, edited 1 time in total.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Topic Author
softwaregeek
Posts: 940
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

JD2775 wrote: Wed Jan 25, 2023 1:54 pm Lots of good information here....

So for my limited knowledge in this area, is the following a safe assumption?

If you have a very strong master password (in Bitwarden, 1Password etc.) and a high key iteration set, even cloud based, the likelihood of someone accessing info in your vault is far less than if someone "hacked" the individual sites you are associated with themselves? For example Bank of America, SSA, Amazon...., even with strong passwords, could depend entirely on their individual security practices around password protection?
Every password is its own risk, and the majority of the software risk will be on the site side. That's why it's critical not to reuse passwords. The law of probabilities says some fraction of sites will have incidents. But you can make sure the risk of any one password being hacked doesn't spread to others.

In my experience, people tend to overfocus on brute force attacks against encryption. Often passwords are bypassed entirely. Typically, incidents tend to be one of the following, in no particular order:

1. Social engineering and phishing
2. Misconfigured software, particularly cloud storage ("We accidentally forgot to make the bucket private")
3. Didn't patch or update the software/OS
4. Forgot to secure an API.
5. Password left as some default like "Admin"
6. Disgruntled employee naughtiness.
7. Bad programming practices.
8. Gave data to subcontractor who failed to secure it
9. Accidentally posted a password publicly (it happens, believe it or not!).