Moon Software Forum
 Is there setting to 'self destruct' password file?

warning_uk
Member

1 Posts

Posted - 13 March 2006 : 11:51:06
Hi.

I have been using Password Agent for personal use for months, but I am keen to roll it across the company (IT company, lots of passwords). The only way I'd get this past our Tech team is if there was a setting which would destroy the Password Agent data file after 3 failed login attempts.

At the moment I believe that if a malicious user got hold of the data file, he could attempt a brute-force attack using the application.

Has this issue been raised before?
Thanks, great product :)

Dave

Ahto/Moon Software
Developer

Estonia
1141 Posts

Posted - 20 March 2006 : 17:01:29
Hey,

There is no such setting, and currently I don't see this as useful, as much better brute-force performance can be achieved by writing a separate program that will access the data file separately, and there is no way to prevent that.

Also one can make a copy of the data file before attempting to login and if the file gets deleted then he can restore it.

Scott
Member

55 Posts

Posted - 13 April 2006 : 03:38:19
I always wonder who is using the "I might buy LOTS of licenses" ploy just to try adding leverage to the suggestion being offered. So I'm cynical, sue me.

Besides the two possibilities mentioned by Ahto, securely deleting the data file after just 3 failed attempts is nuts. Why 3? If your master passwords are chosen that poorly, you have bigger problems than this one. It's more likely that a legitimate user would mistype his or her master password 3 times than for a brute force attempt to succeed in fewer than a couple thousand iterations.

Then there's the question of how this would be implemented. Is it going to be hard-coded? "Sorry, everyone, 3 failed attempts, bye-bye data. A big customer wanted it that way. I couldn't make it an option, or configurable at all, because then a malicious user could just change the setting or config file and circumvent it."

A good way to help defeat brute force attempts, I think, is to encrypt the data many times over, using a different key each time (not a different password; a different key). This way, an attacker must deal with a huge additional amount of computational overhead in trying to brute force the key, because after each attempt, many decryptions need to be attempted to see if it worked. The down side is that data saving takes longer, but at least you can configure how many times the data should be encrypted (and thus how long it will take to save it each time), and there is no way to circumvent this. An open-source competitor of Password Safe uses exactly this kind of anti-brute-force approach. This method does not, of course, make it OK to use a crappy password.

oracledba
Member

26 Posts

Posted - 15 April 2006 : 01:28:39
Scott - nice idea! As a mere novice at this security stuff it sure seems like an elegant solution. My personal view is that Password Agent is so damn fast at encrypt/decrypt, what possible harm would occur if it was changed to do its thing x times with x different keys versus just one? While this might not be a foolproof solution, it sure seems to the casual observer that it would make brute force exponentially harder. My personal situation is such that I couldn't foresee a serious attempt at brute forcing my file, but if one is going to compete in this field then I assume that you have to address this possibility.

..."A good way to help defeat brute force attempts, I think, is to encrypt the data many times over, using a different key each time (not a different password; a different key). "
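Added example, not part of the thread and not Password Agent's code: a sketch of the configurable work factor Scott and oracledba discuss, showing how the cost of each offline guess against a copied file scales with the iteration count. PBKDF2-HMAC-SHA256 stands in here for the repeated-encryption scheme Scott describes; the header layout, function names and the 10**8 search size are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; every guess must repeat all iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_header(password: str, iterations: int) -> dict:
    """Constructed file header: salt, work factor, and a key check value."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def verify(header: dict, guess: str) -> bool:
    """Pure function of the file bytes: no attempt counter can be enforced
    here, so a copied file is protected only by the cost of this call."""
    key = derive_key(guess, header["salt"], header["iterations"])
    expected = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, header["check"])

def seconds_per_guess(header: dict, samples: int = 3) -> float:
    """Measure the cost of one wrong guess on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        verify(header, f"wrong-guess-{i}")
    return (time.perf_counter() - start) / samples

def days_to_search(guess_count: int, per_guess: float) -> float:
    """Time to try guess_count candidates on one core at the measured rate."""
    return guess_count * per_guess / 86400

if __name__ == "__main__":
    for iterations in (1, 1_000, 600_000):
        header = make_header("constructed example passphrase", iterations)
        cost = seconds_per_guess(header)
        # 10**8 candidates: an assumed dictionary-plus-rules search size
        print(f"{iterations:>7} iterations: {cost:.6f} s/guess, "
              f"{days_to_search(10**8, cost):.2f} days for 1e8 guesses")
```

The legitimate user pays the per-guess cost once per unlock, while the projected search time grows linearly with the iteration count, not exponentially; password strength still dominates the total.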