

#1601 Password patterns must be encrypted!

KeePass
Status: closed
Owner: nobody
Priority: 5
Updated: 2012-12-14
Created: 2012-04-07
Creator: FilosofeM
Private: No

The problem is that the password generation pattern profiles are stored in the unencrypted KeePass.config.xml file.
This is very bad, because it significantly reduces the cryptographic strength of the passwords that are generated from patterns.

Discussion

  • FilosofeM
    FilosofeM
    2012-04-07

    • priority: 5 --> 8
     
  • FilosofeM
    FilosofeM
    2012-04-07

    Please fix this issue by encrypting the whole config.xml file, or by moving the user-created password pattern settings to another, specially encrypted file.

    Thanks!

     
  • Paul
    Paul
    2012-04-07

    Why does storing the setting unencrypted reduce the strength? At worst it allows a hacker to limit their searches to a specific pattern, but if the hacker knows your pattern he must have access to your machine. In this case he already has your passwords.

    cheers, Paul

     
  • Dominik Reichl
    Dominik Reichl
    2012-04-07

    • priority: 8 --> 5
    • status: open --> closed
     
  • Dominik Reichl
    Dominik Reichl
    2012-04-07

    Patterns are usually only used when you're forced to follow some specific rules by a website/service. In such a case, the pattern is public (everyone sees the required pattern when trying to register for the website/service). By getting access to your configuration file, the existence of a pattern might allow an attacker to deduce that you're using some website/service, but this provides him no information at all about what your password actually is.

    Best regards
    Dominik

     
  • FilosofeM
    FilosofeM
    2012-04-07

    Having access to the machine where KeePass is stored does not mean having access to all encrypted passwords.
    Everyone has free access to my machine, but I'm keeping all the passwords encrypted in
    The problem is that I have to use the user patterns, because I need guarantees that at least one character from the alphabet (for example, digits) will be added to the password. The first method, "Generate using sets", doesn't give these guarantees. I can select two alphabets, digits and letters, and a letter may not be included in the random password. So I'm forced to use patterns, because with a pattern my password is guaranteed to have at least one digit, upper-case letter, lower-case letter and special character.

     
  • Paul
    Paul
    2012-04-07

    Passwords containing a digit, upper, lower and special are no more secure than properly generated passwords that may contain those characters. Random passwords are not guaranteed to contain a mix of characters.

    cheers, Paul

     
  • FilosofeM
    FilosofeM
    2012-04-07

    Password security is measured by its Search Space Depth (Alphabet) and Search Space Length (Characters). Guaranteeing that it contains one digit, upper-case letter, lower-case letter and symbol guarantees that the password has depth 26+26+10+32 = 94. This is a very important point for security.

    The password generation rules (patterns), as well as the password length, the alphabets used, etc., should also be kept securely. In general, no information of any kind about passwords.
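The disagreement in this thread, whether forcing a character mix adds or removes strength, can be settled by counting equally likely outputs. The script below is an added example written for this page; it is not code from the ticket or from KeePass, and its one-class-letter-per-position pattern syntax (`l`, `u`, `d`, `s`) is an assumption of this example, not KeePass's pattern language. It compares three strategies at the same length: a uniform draw from the 94-character alphabet, a uniform draw from the subset that contains at least one character of every class (what "generate using sets" plus a retry-on-failure check produces), and a pattern that fixes the class of every position. It also includes a rejection sampler that delivers the "one of each class" guarantee without fixing any position, so the only information a leaked config file could reveal about it is the length.

```python
"""Compare the three password-generation strategies argued about in the
thread. All numbers are log2 of the number of equally likely outputs."""
import secrets
import string
from itertools import combinations
from math import log2

# The four classes the thread counts: 26 + 26 + 10 + 32 = 94 characters.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,  # the 32 printable ASCII specials
}
CLASS_SIZE = {name: len(chars) for name, chars in CHARSETS.items()}
ALPHABET = "".join(CHARSETS.values())
ALPHABET_SIZE = len(ALPHABET)  # 94


def uniform_bits(length):
    """Entropy of a password drawn uniformly from all 94**length strings."""
    return length * log2(ALPHABET_SIZE)


def at_least_one_of_each_count(length):
    """Number of length-n strings over the 94 characters that contain at
    least one character from every class, by inclusion-exclusion over the
    set of classes that are excluded entirely."""
    names = list(CLASS_SIZE)
    total = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = ALPHABET_SIZE - sum(CLASS_SIZE[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def at_least_one_of_each_bits(length):
    """Entropy of a uniform draw from the constrained set; this is exactly
    what the rejection sampler below achieves."""
    return log2(at_least_one_of_each_count(length))


def fixed_pattern_bits(pattern):
    """Entropy when every position's class is fixed in advance. The pattern
    is an assumed mini-syntax for this example (one class letter l/u/d/s
    per position), not KeePass's own pattern language."""
    return sum(log2(CLASS_SIZE[c]) for c in pattern)


def has_one_of_each(password):
    """True if the password contains at least one character of every class."""
    return all(any(ch in chars for ch in password) for chars in CHARSETS.values())


def generate_with_guarantee(length, rng=secrets):
    """Draw uniformly from all 94**length strings and keep the first draw
    that contains every class. Every accepted string was equally likely, so
    the result is uniform over the constrained set: the guarantee costs only
    the uniform_bits(length) - at_least_one_of_each_bits(length) gap."""
    if length < len(CHARSETS):
        raise ValueError("too short to contain every class")
    while True:
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if has_one_of_each(candidate):
            return candidate


def compare(length, pattern):
    """Bits of entropy for each strategy at the same length."""
    if len(pattern) != length:
        raise ValueError("pattern length must match")
    return {
        "uniform": uniform_bits(length),
        "one_of_each_by_rejection": at_least_one_of_each_bits(length),
        "fixed_pattern": fixed_pattern_bits(pattern),
    }


if __name__ == "__main__":
    for n, pat in ((8, "uldsulds"), (12, "uldsuldsulds"), (16, "ulds" * 4)):
        print(n, {k: round(v, 2) for k, v in compare(n, pat).items()})
    print(generate_with_guarantee(16))
```

For length 12 the rejection-based guarantee costs about half a bit relative to the unconstrained draw, whereas the fixed-position pattern of the same length is roughly 25 bits weaker, and that is before an attacker who has read the config file learns which class sits at which position. The rejection sampler is the construction to reach for when a site demands a mix: it satisfies the policy, keeps the output uniform, and leaves nothing in the configuration worth protecting beyond the length.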