TOPIC REVIEW
Posted - 13 March 2006 : 11:51:06
I have been using Password Agent for personal use for months, but I am keen to roll it across the company (IT company, lots of passwords). The only way I'd get this past our Tech team is if there was a setting which would destroy the Password Agent data file after 3 failed login attempts.
At the moment I believe that if a malicious user got hold of the data file, he could attempt a brute-force attack using the application.
Has this issue been raised before?
Thanks, great product :)
3 LATEST REPLIES (Newest First)
Posted - 15 April 2006 : 01:28:39
Scott - nice idea! As a mere novice at this security stuff it sure seems like an elegant solution. My personal view is that Password Agent is so damn fast at encrypt/decrypt what possible harm would occur if it was changed to do its thing with x times with x different keys versus just one. While this might not be a foolproof solution it sure seems to the casual observer that it would make brute force exponentially harder. My personal situation is such I couldn't foresee a serious attempt at brute forcing my file but if one is going to compete in this field then I assume that you have to address this possibility.
..."A good way to help defeat brute force attempts, I think, is to encrypt the data many times over, using a different key each time (not a different password; a different key). "
Posted - 13 April 2006 : 03:38:19
I always wonder who is using the "I might buy LOTS of licenses" ploy just to try adding leverage to the suggestion being offered. So I'm cynical, sue me.
Besides the two possibilities mentioned by Ahto, securely deleting the data file after just 3 failed attempts is nuts. Why 3? If your master passwords are chosen that poorly, you have bigger problems than this one. It's more likely that a legitimate user would mistype his or her master password 3 times than for a brute force attempt to succeed in fewer than a couple thousand iterations.
Then there's the question of how this would be implemented. Is it going to be hard-coded? "Sorry, everyone, 3 failed attempts, bye-bye data. A big customer wanted it that way. I couldn't make it an option, or configurable at all, because then a malicious user could just change the setting or config file and circumvent it."
A good way to help defeat brute force attempts, I think, is to encrypt the data many times over, using a different key each time (not a different password; a different key). This way, an attacker must deal with a huge additional amount of computational overhead in trying to brute force the key, because after each attempt, many decryptions need to be attempted to see if it worked. The down side is that data saving takes longer, but at least you can configure how many times the data should be encrypted (and thus how long it will take to save it each time), and there is no way to circumvent this. An open-source competitor of Password Safe uses exactly this kind of anti-brute-force approach. This method does not, of course, make it OK to use a crappy password.
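The configurable work factor described in the post above, as an added example that is not part of the original thread or of Password Agent's code: it swaps in PBKDF2-HMAC-SHA256 key stretching for the repeated-encryption idea, and shows that editing the stored round count does not make guessing cheaper. The file layout, `seal`, `unlock`, `with_rounds` and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"DEMO"          # constructed file format, not Password Agent's
MAX_ROUNDS = 10_000_000  # refuse absurd counts from a tampered header

def _keys(password, salt, rounds):
    # Key stretching: each password guess costs `rounds` PBKDF2 iterations.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode as a stand-in cipher (stdlib only, demo use).
    blocks = (hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(password, plaintext, rounds):
    salt = os.urandom(16)
    header = MAGIC + struct.pack(">I", rounds) + salt  # 4 + 4 + 16 bytes
    enc_key, mac_key = _keys(password, salt, rounds)
    body = _xor_stream(enc_key, plaintext)
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + tag + body

def unlock(blob, password):
    """Return the plaintext, or None for a wrong password or altered file."""
    if len(blob) < 56 or blob[:4] != MAGIC:
        return None
    header, tag, body = blob[:24], blob[24:56], blob[56:]
    rounds = struct.unpack(">I", header[4:8])[0]
    if not 1 <= rounds <= MAX_ROUNDS:
        return None
    enc_key, mac_key = _keys(password, header[8:24], rounds)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, body)

def with_rounds(blob, rounds):
    # Simulates someone editing the stored round count to make guessing cheaper.
    return blob[:4] + struct.pack(">I", rounds) + blob[8:]

if __name__ == "__main__":
    blob = seal("correct horse battery", b"db.example: hunter2", 200_000)
    print(unlock(blob, "correct horse battery"))                   # plaintext
    print(unlock(blob, "wrong guess"))                             # None
    print(unlock(with_rounds(blob, 1), "correct horse battery"))   # None
```

Because the round count feeds the key derivation and is covered by the MAC, a lowered count yields different keys and the file simply fails to open, even with the right password.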
Posted - 20 March 2006 : 17:01:29
There is no such setting, and currently I don't see this as useful, as much better brute-force performance can be achieved by writing a separate program that will access the data file separately, and there is no way to prevent that.
Also one can make a copy of the data file before attempting to login and if the file gets deleted then he can restore it.