
Breaking into 1Password, KeePass, LastPass and Dashlane - sashk
https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/
======
dsun180
The article says the author is basically unable to break into the password-
vaults. Please rename the clickbait-title.

------
linopolus
So what. I use 1Password, which the article says holds to 95,000 passwords per
second with one GPU. So if say my password is 10 characters, only
alphanumerical (a-zA-Z0-9) without any symbols, it takes this one GPU 62 __10
/95000 = 8834730167035.16 seconds or ~280,000 years to try all combinations.
Even with 1000 GPUs and technical progress, easily more than a lifetime.

As my pass phrase is significantly stronger than that, I'm absolutely not
worried..

~~~
Analemma_
Presumably they are using rainbow tables to speed it up considerably, but it’s
still not a problem if you have a strong password.

~~~
lostcolony
No; if a password manager wasn't individually salting the hashes, I'm pretty
sure it'd be front page news on technical sites.

------
galadran
Pretty misleading!

They test an old version of Keepass with an old KDF (they recently switched to
Argon2 which is much more resistant to GPU/ASIC attacks. Additionally
KeepassDroid is intended to use vaults synched to the device via Google Drive,
Dropbox or whatever, so having the vault in private storage makes no sense!

~~~
ktta
They didn't 'switch' over. The KDBX 4 format introduces Argon2 as a possible
KDF, in addition to AES-KDF which has been the dominant KDF in KeePass and its
implementations.

Even the project with most contributors - KeePassXC, doesn't yet support KDBX
4, and work on it doesn't look like its moving either[1]. Most other
implementations also don't support KDBX 4 format.

[1]:
[https://news.ycombinator.com/item?id=14634253](https://news.ycombinator.com/item?id=14634253)

------
dikaiosune
From this article, it sounds like they have a very specialized GPU-accelerated
brute force mechanism for local database backups?

Assuming they have something like rainbow tables for short passwords on all of
these managers, it still seems like it would take a _very_ long time to
correctly guess longer master passwords (say 20+ characters). No?

~~~
21
There are no rainbow tables, all of they should be using salts.

------
jaclaz
Only to put the site into some context, Elcomsoft is a known provider of
"password breakers" for several programs, nrmally used for digital forensics.

This does not equate to "attack" or "remote attack".

It is mainly about having (legal) access to a seized storage device and trying
to extract from it as much information as possible.

Although using the single NVIDIA GPU of a "normal" desktop is possible,
normally some specialized hardware is needed/used (usually arrays of GPU's) to
achieve a relatively high brute force attempt rate, something _like_ :

[https://www.shellntel.com/blog/2017/2/8/how-to-
build-a-8-gpu...](https://www.shellntel.com/blog/2017/2/8/how-to-
build-a-8-gpu-password-cracker)

------
kip_
So they're brute forcing the master password for these databases. Why should I
be worried if I'm using a non-dictionary multi-word passphrase as my master
password?

"Different password managers employ different approaches to security. As an
example, LastPass generates the encryption key by hashing the username and
master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs
even more rounds of hashing. This is designed to slow down brute-force
attacks, and it almost works. Granted, these are still nearly an order of
magnitude less secure than, say, Microsoft Office 2016 documents, but even
this level of security is much better than nothing." I'm guessing they meant
more secure then Office 2016.

~~~
lostcolony
No, per the included graph, brute forcing Office 2016 allowed them fewer
guesses per second. Whatever its hashing algorithm, it's stronger than that
being used by the password managers.

------
Analemma_
This article is nothing but marketing fluff promoting the author’s software.
It’s an offline brute-force attack against encrypted database files that of
course works if you have a weak master password, but is otherwise useless.

Nothing to see here, move along.

------
zie
If you want to know how long it will possibly take in actual time, I did all
the math for you(with python code):
[https://gist.github.com/birlorg/cbde00767403f0ac554ea9d28178...](https://gist.github.com/birlorg/cbde00767403f0ac554ea9d28178b1fb)

For instance: commonChars of 1password of password length 20 will take
255,421,331,666,477,399,723,386 years, 3 months, 18 hours, 38 minutes, 39
seconds time

Well, this is the maximum amount of time, it could take considerably less than
this, unless your password happens to be the very last one it tries to crack.

------
directionless
The google text cache works.
[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://blog.elcomsoft.com/2017/08/one-
password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-
dashlane/&num=1&strip=1&vwsrc=0)

------
disconnected
Keepass' security measures, described here:

[http://keepass.info/help/base/security.html](http://keepass.info/help/base/security.html)

A question: does anyone have any idea why is it so much slower to crack Rar5
and Office 2016 than these password databases? What sort of magic sauce are
they using to reduce the amount of guesses/second?

~~~
annabellish
The idea you can put a number on how many guesses/second you can make on a
keepass database at least is silly - that number is _configurable_! There's
even a button in the UI which tunes that value to an estimated amount of time
on the user's current hardware, so it's hardly an esoteric option.

MS word, by comparison, does not offer this option, and so they simply default
to something sanely high.

~~~
disconnected
> The idea you can put a number on how many guesses/second you can make on a
> keepass database at least is silly - that number is _configurable_!

I understand this.

I was asking because the article says "[lastpass and 1password] are still
nearly an order of magnitude less secure than, say, Microsoft Office 2016
documents, but even this level of security is much better than nothing.".

That, to me, implied that Office (and Rar5) were using some different - and
much better! - algorithm that made guesses more expensive.

If indeed it is just a matter of more hashing rounds, then that sentence and
the graph are very misleading and borderline FUD.

------
xxkylexx
I'm confused since the article never highlights any of the facts about the
strength of the master password used to protect the vault. Of course a weak
master password can easily be broken with an offline GPU accelerated attack.

------
lousken
You can use keepass to benchmark your CPU in how many iterations should be
used. I did the one second delay and divided it by ten so that I can use it on
my phone without a huge delay. (2 500 000 iterations)

------
tomtoise
Forgive the naive question, but would 2FA completely mitigate this attack,
assuming that the org trying to access a key vault did not have access to the
2FA device?

~~~
xxkylexx
No. This article describes an attack where the user has already gained access
to the encrypted database, which assumes they have already subverted 2FA.

~~~
tomtoise
Ah. Thanks. So the idea is to stop the user before they get that far, I
suppose.

Doesn't this hark back to "If the attacker has local access, it's already game
over"?

~~~
annabellish
Not really, the databases are designed to be effectively public information.
The security comes from the encryption, not OS-level file permission controls!

------
jms703
website broke

~~~
zie
google cache:
[https://webcache.googleusercontent.com/search?q=cache:https%...](https://webcache.googleusercontent.com/search?q=cache:https%3A%2F%2Fblog.elcomsoft.com%2F2017%2F08%2Fone%2Dpassword%2Dto%2Drule%2Dthem%2Dall%2Dbreaking%2Dinto%2D1password%2Dkeepass%2Dlastpass%2Dand%2Ddashlane%2F)

~~~
deelowe
Also broke.

~~~
dmart
Because Google's cached pages still try to load images, scripts, and CSS from
the original domain, meaning they are almost always completely useless unless
you wait long enough for the header to switch to text-only view to appear.

