Re: [Passwordsafe-users] Rekeying or just password change?
From: ronys <ro...@gm...> - 2009-12-11 21:40:12
Excellent question.

Short answer: Each time the database is saved, the key used to encrypt the records changes (to a new random value). A "hash" of the password's used to encrypt the encryption key, so there's no direct relation between the two.

Note that if you think your master password's been compromised, you should change *ALL* the passwords in your database, as well as the master password, as soon as possible! PasswordSafe's been designed under the assumption that the master password's secure. If that's not the case, all bets are off...

Long answer: The PasswordSafe database format specification describes the cryptographic implementation of PasswordSafe in full detail (http://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/formatV3.txt)

Cheers,
Rony

-----Original Message-----
From: MSBsDkiUHF MSBsDkiUHF [mailto:msb...@ho...]
Sent: Thursday, December 10, 2009 2:21 PM
To: pas...@li...
Subject: [Passwordsafe-users] Rekeying or just password change?

Hi,

Let's say that
- at some point of time a password repository is stolen and the master password is either known or cracked.
- to combat this, master password is changed

Will the master password change the internal keying, e.g. future versions of the same repository aren't decrypted?

I can think of a few ways this could be implemented,

MASTER_KEY = hash(MASTER_PASSWORD).
In this implementation, master key will change if MASTER_PASSWORD changes.

MASTER_KEY = noise xor hash(MASTER_PASSWORD).
In this implementation master key could remain same upon password change (i.e. could be vulnerable)

So, ... how is it? Is rekeying implemented to combat "old version stolen and cracked" scenarios?
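
A simplified model of the key hierarchy described in the reply (a fresh random record key on every save, wrapped under a key derived from the master password), added here as an illustration; it is not PasswordSafe's code or file format. PBKDF2 and the HMAC-based keystream are stand-ins chosen so the example runs with only the Python standard library, and all function and field names are hypothetical.

```python
import hashlib, hmac, secrets

def stretch(password: str, salt: bytes) -> bytes:
    # Password "hash": PBKDF2 stands in for the real key-stretching step.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2048)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy cipher (HMAC-SHA256 in counter mode); same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def save(password: str, records: bytes) -> dict:
    salt, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    record_key = secrets.token_bytes(32)      # new random key on every save
    kek = stretch(password, salt)             # key-encryption key from the password
    return {"salt": salt, "nonce": nonce,
            "check": hashlib.sha256(kek).digest(),  # lets open reject a bad password
            "wrapped_key": xor_stream(kek, b"wrap" + nonce, record_key),
            "body": xor_stream(record_key, nonce, records)}

def unwrap_key(db: dict, password: str):
    kek = stretch(password, db["salt"])
    if not hmac.compare_digest(hashlib.sha256(kek).digest(), db["check"]):
        return None                           # wrong master password
    return xor_stream(kek, b"wrap" + db["nonce"], db["wrapped_key"])

def decrypt_body(db: dict, record_key: bytes) -> bytes:
    return xor_stream(record_key, db["nonce"], db["body"])

if __name__ == "__main__":
    records = b"site=example.test;password=constructed-sample"  # constructed data
    old = save("old-master", records)
    stolen = unwrap_key(old, "old-master")    # key recovered from the stolen copy
    new = save("new-master", records)         # owner changes the master password
    print(decrypt_body(old, stolen) == records)   # stolen copy stays readable
    print(unwrap_key(new, "old-master"))          # old password is rejected
    print(decrypt_body(new, stolen) == records)   # old record key no longer fits
```

The stolen copy stays decryptable no matter what is done afterwards, which is why the reply says to change every stored password as well as the master password.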