I am wondering what key derivation function is used by PasswdSafe
and if it's PBKDF2 (sha256?) what is the iteration count? (e.g. for a new safe created with the Android app; or if I change the master password of a safe made on the Windows application from pwsafe.org)
I can't find info nor configurable strength in the app. The desktop version seems to allow changing the strength without talking about the algorithm. (But I don't have access to it now, as I'm without a laptop.)
P.S. The question was inspired by reading about the LastPass breach. In the analysis I was reading, PBKDF2 was described as too easy to break with GPU, especially at lower iteration count. The article named other functions as being safer/slower to brute force. I don't know the validity of that argument, but wanted to figure out how safe PasswdSafe is, regardless.
(Thanks for this useful app! Been on my phone ~10 years 🙂)
The algorithm is the same as the PC Password Safe application. The file specification is available at https://sourceforge.net/p/passwdsafe/code/ci/default/tree/doc/formatV3.txt, and there's a footnote there for the algorithm which is used.
The app uses the same iteration count as is set in the file by the PC Password Safe. The algorithm seems to be a repetition of SHA-256 hashes.
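
An added example, not part of the thread and not PasswdSafe's own code: a sketch that reads the iteration count stored in a safe's header and re-derives the stored hash by repeated SHA-256. The header layout (4-byte tag, 32-byte salt, little-endian 32-bit iteration count, 32-byte hash) and the stretching order are assumptions based on the linked formatV3.txt and should be checked against it; the sample header is constructed.

```python
import hashlib
import hmac
import struct

TAG = b"PWS3"       # assumed V3 file tag
HEADER_LEN = 72     # tag(4) + salt(32) + iter(4) + hash(32), assumed layout

def stretch(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Repeated SHA-256: hash passphrase||salt once, then re-hash `iterations` times."""
    digest = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest

def parse_header(blob: bytes):
    """Return (salt, iterations, stored_hash) from the start of a safe file."""
    if len(blob) < HEADER_LEN or blob[:4] != TAG:
        raise ValueError("not a V3 safe header")
    salt = blob[4:36]
    (iterations,) = struct.unpack("<I", blob[36:40])
    return salt, iterations, blob[40:72]

def check_passphrase(blob: bytes, passphrase: bytes) -> bool:
    """Re-derive the stretched key and compare its hash with the stored one."""
    salt, iterations, stored_hash = parse_header(blob)
    candidate = hashlib.sha256(stretch(passphrase, salt, iterations)).digest()
    return hmac.compare_digest(candidate, stored_hash)

def build_sample_header(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Build a constructed header for the demo (not a real safe)."""
    stored = hashlib.sha256(stretch(passphrase, salt, iterations)).digest()
    return TAG + salt + struct.pack("<I", iterations) + stored

# Constructed sample: fixed salt and a low iteration count, for illustration only.
SAMPLE = build_sample_header(b"correct horse", bytes(range(32)), 2048)

if __name__ == "__main__":
    _, iterations, _ = parse_header(SAMPLE)
    print("iteration count stored in header:", iterations)
    print("passphrase accepted:", check_passphrase(SAMPLE, b"correct horse"))
```

Each guess costs an attacker `iterations + 2` SHA-256 calls under this construction, so the count read from the header is the number that determines brute-force cost.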