How secure is Password Safe?

  • mattstan

    mattstan - 2008-03-10


    I'm running Password Safe v.3.11 (I'll upgrade to the newer version soon I guess). I was wondering, how secure is Password Safe?

    Now I know that any secure system depends on the quality of the pass phrase to be secure against a brute force attack. My master password is a combination of letters and numbers, is not used anywhere else by me, is not stored electronically or elsewhere (just in my head), does not include a dictionary word or widely recognizable word (movie, football team, etc.) and is about as un-guessable as you can get apart from a truly random sequence of letters and numbers (which I can never remember). In other words I know how to create a good password and have done so.

    Therefore I am confident my Password Safe database would remain secure to a brute force attack even by someone who knows what they're doing.

    My concern is whether it is secure from a more sophisticated attempt to crack the encryption, using mathematical methods?

    I currently store all my banking details in PS, with the exception of the password for my online banking which again exists only in my head, and am looking for assurances that PS really is secure.

    Many thanks and regards, etc..

    • Rony Shapiro

      Rony Shapiro - 2008-03-11


      The good news is that pwsafe is designed and implemented using the best currently known cryptographic practices, the source code is available for review, and we've changed the design and implementation more than once after receiving feedback from reviewers. Based on this, we believe that there's no known attack on a PasswordSafe database better than a brute-force attack on the passphrase. We've also taken measures to make such an attack as hard as possible. I recall reading about a brute-force cracking tool that could only generate ~900 attempts per second on PasswordSafe using a fairly strong PC, this being among the lower rates reported (compared to other security solutions). The encryption algorithm that PasswordSafe uses, TwoFish, is considered secure, and I'm unaware of any weaknesses that would allow an attacker to derive information about the encrypted data with less effort than a brute-force attack.

      The less encouraging news is that a determined attacker can find other ways to find the passphrase, outside the scope of PasswordSafe. Attacks on the operating system, keyboard loggers, shoulder surfing, etc. can give an attacker the information she seeks without having to mount a brute-force attack on PasswordSafe. However, if you take normal precautions (never run untrusted executables, open untrusted attachments, apply security updates regularly, etc.), you should be reasonably safe.

      Hope this helps.
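To put the numbers in this reply together, here is an added estimator (not code from the Password Safe project) that takes the ~900 guesses per second quoted above and the original poster's description of an alphanumeric passphrase, and shows how passphrase length and the tool's guess rate together decide how long a brute-force attack takes. The 36-character alphabet and lengths are assumptions for illustration.

```python
import math

# Guess rate quoted in the reply above for a fairly strong PC (2008 figure).
GUESSES_PER_SECOND = 900
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases for a given alphabet and length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase over that alphabet."""
    return length * math.log2(charset_size)


def expected_years(charset_size: int, length: int,
                   rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to a hit: an attacker finds the passphrase after
    trying half the keyspace, on average."""
    return keyspace(charset_size, length) / 2 / rate / SECONDS_PER_YEAR


def required_rate(charset_size: int, length: int, years: float) -> float:
    """Guess rate an attacker would need to expect success within `years`.
    Shows why a slow guess rate in the format matters as much as length."""
    return keyspace(charset_size, length) / 2 / (years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    # Assumed alphabet: lower-case letters plus digits, as the poster described.
    alphabet = 26 + 10
    print("length  bits   expected years at 900/s   rate needed to crack in 10 years")
    for length in range(8, 15):
        print(f"{length:>6}  {entropy_bits(alphabet, length):5.1f}   "
              f"{expected_years(alphabet, length):>22.3g}   "
              f"{required_rate(alphabet, length, 10):>20.3g}/s")
```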


      • mattstan

        mattstan - 2008-03-27


        Sorry for my delay in replying.

        Many thanks for your informative and comprehensive reply to my post, it is appreciated.

        Thanks also to you and the development team for the excellent Password Safe, I am now more confident than ever with its security.

        Regards, etc..,



    LIVIA - 2016-11-16

    Hi, maybe you can use the password massage to protect your issues


