#326 Understanding encryption safety

closed
Rony Shapiro
None
5
2013-09-24
2011-10-28
Ray G
No

Hi, I have been using Password Safe for a few years and just upgraded from 3.22 to 3.26. Previously I had 2 PCs each running a local database where one was a copy of the other. My new router has a USB port and a NAS, so I hooked a drive to it and created a share and put both databases there with different names. I proceeded to do a compare and updated the source database with the differences. I then renamed the updated database to a new name and write protected the originals.

So far so good, I was able to access the safe from either PC running 3.22 one at a time. Here is my concern: I updated to 3.26 green version on desktop and laptop, and successfully opened the new database from each PC. No issues.

1) Security: I have no clue how strong a NAS storage is if I can get hacked in my router. I have a password on the NAS; when I map to the share it requires it. So with Password Safe, I have a password with 5 words in a sentence, mixed case and punctuation. How secure is this database if I were to get hacked into?

2) Can both PCs access the same database simultaneously or is there a mutual exclusive lock?

3) Is it acceptable to do this type of setup in securing a home network where the database file is on a NAS?

4) I guess it is OK to do green configs like I did on individual PCs. Typically both PCs aren't on at the same time.

Thanks

Discussion

  • Ray G
    2011-10-28

    I found the answer to #2 where when it cannot lock, it gives options for read or read-write.

    Forgot to mention one PC is Win 7 Home and the other is XP.

    Thanks

     
  • Rony Shapiro
    2011-10-28

    Hi,

    Regarding security of the PasswordSafe database: If someone were to copy or access your database by hacking the NAS, then it wouldn't help him very much without the password to the database. We use a modern, well published and studied cryptographic algorithm (Twofish) in a standard and well understood manner. This means that short of using brute force to try all 2 to the 256th possible keys, the attacker has no known way of getting your password data.

    Hope this answers your question.

    Rony

     
  • Ray G
    2011-10-28

    Thanks, based on your response, I assume the longer the 'phrase' including punctuation and spaces, the more cryptographically sound it is? Is that a safe assumption?

    Thank You

     
  • Rony Shapiro
    2011-10-29

    Yes. The longer the passphrase, and the larger the set of characters used in it, the harder it is for the attacker to guess. Two notes:
    1. Don't make it so long that you have to write it down to remember it!
    2. Please make sure to back up your password database regularly, as well as making provisions for the recovery of your master passphrase in case you are no longer able to provide it.

     
  • Rony Shapiro
    2013-09-24

    • Status: pending --> closed
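
An added illustration of the passphrase discussion above (not part of the original thread and not Password Safe code): it compares the guessing space of a passphrase with the 2^256 key space mentioned in the replies, using a per-character model and a whole-word model. The sample passphrase, the 7776-word list size and the guess rate are assumptions chosen for the example.

```python
import math
import string

KEY_BITS = 256  # key space quoted in the thread: 2**256 possible keys

# Character pools a guesser would enumerate; space is counted with punctuation.
# Characters outside these pools are ignored, so the estimate is conservative.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def charset_size(passphrase):
    """Combined size of every pool the passphrase draws at least one character from."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in passphrase))

def bruteforce_bits(passphrase):
    """Search space in bits for every string of this length over the pools in use."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0

def wordlist_bits(n_words, wordlist_size):
    """Search space in bits when whole words are guessed from a known list."""
    return n_words * math.log2(wordlist_size)

def effective_bits(guess_bits):
    """Guessing the passphrase never costs more than guessing the key itself."""
    return min(guess_bits, KEY_BITS)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    sample = "My cat Eats blue socks!"  # constructed sample: 5 words, mixed case, punctuation
    rate = 1e9                          # hypothetical guesses per second
    models = (
        ("per-character model", bruteforce_bits(sample)),
        ("5 random words from a 7776-word list (assumed size)", wordlist_bits(5, 7776)),
        ("raw 256-bit key", float(KEY_BITS)),
    )
    for label, bits in models:
        eff = effective_bits(bits)
        print(f"{label}: {eff:.1f} bits, {years_to_exhaust(eff, rate):.3g} years")
```

The per-character figure is an upper bound: a sentence built from real words is closer to the word model, and a grammatical sentence is weaker than randomly chosen words.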