Just for completeness, the forum topic associated with this bug report is at
http://sourceforge.net/projects/passwordsafe/forums/forum/134801/topic/3418726
Rony
Information sent by 'kathimooney':
I am using Windows 7 64-bit. I am in Texas, using the English version,
installed from the internet download. I used the real keyboard to create the
database. I have not tried a previous version of Password Safe. The
database was on a local disk. I created the file, saved it, did not close
Password Safe. I shut down the computer, then when I went into
Password Safe the next day, my password did not work.
I have the same problem, not sure what caused it, but I am willing to share the pwsafe3 and ibak in order to resolve the problem.
Today while opening Password Safe I encountered the Warning "Incorrect passkey, not a PasswordSafe database, or a corrupt database." I'm using Password Safe V3.35.01 on Windows 7 32 bit. It's been installed for only about a month. I checked my "C:\Users\%USERNAME%\Documents\My Safes" folder and found one pwsafe.psafe3 file with Modified Date 20-MAR-15 (the one that I was trying to open) and three other .ibak files. All four files have the same Creation Date/Time 9-MAR-15 2:50 PM (see "DBFiles.jpg" in attached ZIP archive). I then tried to open the .ibak files beginning with the one created on 19-MAR-15 and encountered the same error message until trying the third, oldest backup modified 12-MAR-15 at 1:58 PM. This last one opened. I had not changed the password and was certain I was entering it correctly. The fact that the oldest backup does open verifies that the entered password was correct.
One oddity is that the second *.ibak file, modified 12-MAR-15 2:07 PM (9 minutes after the first backup file) is when the "corruption" appears to have started. I checked both the Application and System Event logs for this timeframe and found nothing suspect (see both in attached ZIP). Included in the attached ZIP are:
ApplicationEventLog.jpg
CorruptedDBWarning2.jpg
DBFiles.jpg
MyPCspecs.txt (NOTE: my hard drive is an SSD)
SystemEventLog.jpg
I've redacted User ID and domain info for security reasons. I also will be unable to render any of the corrupted files for the same reason.
The inclusion of the "a corrupt database" disclaimer along with "Incorrect passkey" in the login failure message is rather dubious for such a security-sensitive application, and to me indicates a known serious issue. Having researched this issue in this forum and found numerous past occurrences, an attempted fix, and this open bug (#814 PS 3.19), I am compelled to discontinue the use of this application and to warn the rest of my IT organization about this very real risk.
I hope this report provides new information that will help to resolve this issue.
Thank you.
> The inclusion of the "a corrupt database" disclaimer along with "Incorrect passkey" in the login failure message is rather dubious for such a security-sensitive application, and to me indicates a known serious issue.
Actually, this is exactly backwards. The first thing PasswordSafe does after you enter the passkey is to use it to calculate a value that's stored in the database. If the calculated and stored values don't match, then there's actually no way for PasswordSafe to determine if this is because the wrong passkey was entered, the file is damaged, or is not even a PasswordSafe database. Any mechanism that would enable the program to differentiate between these cases would provide an attacker with more information with which to make the attack more effective.
Sorry the original file and backup got corrupted, but this does not reflect on the security of the underlying implementation. The fact that you had a backup that you could access shows that the resiliency built into the application ultimately worked.
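The check described in the reply above can be seen in a small model; this is an added example, not Password Safe's own code or part of the thread. The header layout (salt, iteration count, verifier), the iteration count and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os, struct

ITERATIONS = 2048         # constructed value for this sketch
MAX_ITERATIONS = 1 << 20  # refuse absurd counts read from a damaged header

def stretch(passkey, salt, iterations):
    """Salted, iterated SHA-256 of the passkey (simplified key stretching)."""
    digest = hashlib.sha256(passkey + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest

def make_header(passkey):
    """Sketch layout: 32-byte salt | 4-byte iteration count | 32-byte verifier."""
    salt = os.urandom(32)
    verifier = hashlib.sha256(stretch(passkey, salt, ITERATIONS)).digest()
    return salt + struct.pack("<I", ITERATIONS) + verifier

def passkey_matches(blob, passkey):
    """Recompute the verifier and compare; every failure cause yields the same False."""
    if len(blob) < 68:
        return False
    salt, (count,), stored = blob[:32], struct.unpack("<I", blob[32:36]), blob[36:68]
    if count > MAX_ITERATIONS:
        return False
    candidate = hashlib.sha256(stretch(passkey, salt, count)).digest()
    return hmac.compare_digest(candidate, stored)

def flip_bit(blob, offset):  # one flipped bit stands in for file damage
    damaged = bytearray(blob)
    damaged[offset] ^= 0x01
    return bytes(damaged)

def newest_openable(files, passkey):
    """files: (name, blob) pairs, newest first. Name of the first one that verifies."""
    for name, blob in files:
        if passkey_matches(blob, passkey):
            return name
    return None

def demo(passkey=b"correct horse"):
    good = make_header(passkey)
    return {
        "right passkey": passkey_matches(good, passkey),
        "wrong passkey": passkey_matches(good, b"correct h0rse"),
        "damaged salt": passkey_matches(flip_bit(good, 5), passkey),
        "damaged verifier": passkey_matches(flip_bit(good, 40), passkey),
        "not a database": passkey_matches(os.urandom(68), passkey),
    }
```

`demo()` returns True only for the first case; the other four are the same bare False, which is why the program reports all three causes in one message. `newest_openable` mirrors the recovery used in the report: try the current file, then each backup, until one verifies.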