Thread: RE: [Passwordsafe-users] Decrypting .dat files
Popular easy-to-use and secure password manager
Brought to you by:
ronys
From: Schreck, J. <jue...@si...> - 2004-11-11 09:12:49
|
I will hope, that this will never work. I think this would be against = all purposes of pwsafe. If it would be so easy to decrypt the database you = could hold your passwords in a plain textfile, too. Regards, J=FCrgen Schreck --------------------------------------------- Siemens AG; COM ESY SEC DI4 Otto-Hahn-Ring 6; 81730 M=FCnchen FON: +49 89/636-42636 FAX: +49 89/636-45860 -----Original Message----- From: Dickerson, Cliff [mailto:Cli...@la...]=20 Sent: Wednesday, November 10, 2004 11:24 PM To: 'pas...@li...' Subject: [Passwordsafe-users] Decrypting .dat files Hi, I have version 2.06, does anyone know if/how to decrypt the .dat file = from the command line with a tool like OpenSSL? I've tried a with and without a salt. with salt I get "bad magic number" without salt I get "bad decrypt" Any ideas? Thanks much. ------------------------------------------------------- This SF.Net email is sponsored by: Sybase ASE Linux Express Edition - download now for FREE LinuxWorld = Reader's Choice Award Winner for best database on Linux. http://ads.osdn.com/?ad_id=3D5588&alloc_id=3D12065&op=3Dclick _______________________________________________ Passwordsafe-users mailing list = Pas...@li... https://lists.sourceforge.net/lists/listinfo/passwordsafe-users |
From: Dickerson, C. <Cli...@la...> - 2004-11-11 17:27:53
|
Rony, Thanks for the information! Is there somewhere I can find the differences between 1.9 and 2.0 dat = file formats? -cliff -----Original Message----- From: Rony Shapiro [mailto:ro...@gm...] Sent: Thursday, November 11, 2004 5:20 AM To: 'Schreck, Juergen'; 'Dickerson, Cliff' Cc: pas...@li... Subject: RE: [Passwordsafe-users] Decrypting .dat files Hi, Indeed PasswordSafe does not support the command-line decryption of an entire password database. Two points, though: 1. The source distribution contains a Perl script (pwsafe-decode.pl) = that can parse and decrypt 1.9 databases - it should be straightforward to = modify to support the 2.0 file format. If anyone does so, I'd be glad to = publish it. 2. PasswordSafe can be used via command line to encrypt and decrypt arbitrary files (NOT password databases). "Pwsafe -e foo.txt" will = prompt for a password, and use it to encrypt foo.txt into foo.txt.PSF. "Pwsafe = -d foo.txt.PSF" will prompt for the password, and, if correct, decrypt the file. This is an undocumented vestige of the original version. Hope this helps, Rony > -----Original Message----- > From: pas...@li...=20 > [mailto:pas...@li...] On=20 > Behalf Of Schreck, Juergen > Sent: Thursday, November 11, 2004 11:13 AM > To: 'Dickerson, Cliff'; 'pas...@li...' > Subject: RE: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > I will hope, that this will never work. I think this would be against = all > purposes of pwsafe. If it would be so easy to decrypt the database = you could > hold your passwords in a plain textfile, too. >=20 > Regards, >=20 > J=FCrgen Schreck > --------------------------------------------- > Siemens AG; COM ESY SEC DI4 > Otto-Hahn-Ring 6; 81730 M=FCnchen > FON: +49 89/636-42636 FAX: +49 89/636-45860 >=20 > -----Original Message----- > From: Dickerson, Cliff [mailto:Cli...@la...]=20 > Sent: Wednesday, November 10, 2004 11:24 PM > To: 'pas...@li...' > Subject: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > Hi, >=20 > I have version 2.06, does anyone know if/how to decrypt the=20 > .dat file from > the command line with a tool like OpenSSL? >=20 > I've tried a with and without a salt. >=20 > with salt I get "bad magic number" >=20 > without salt I get "bad decrypt" >=20 > Any ideas? >=20 > Thanks much. >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: > Sybase ASE Linux Express Edition - download now for FREE=20 > LinuxWorld Reader's > Choice Award Winner for best database on Linux. > http://ads.osdn.com/?ad_id=3D5588&alloc_id=3D12065&op=3Dclick > _______________________________________________ > Passwordsafe-users mailing list=20 > Pas...@li... > https://lists.sourceforge.net/lists/listinfo/passwordsafe-users >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: > Sybase ASE Linux Express Edition - download now for FREE > LinuxWorld Reader's Choice Award Winner for best database on Linux. > http://ads.osdn.com/?ad_idU88&alloc_id=12065&op=3Dick > _______________________________________________ > Passwordsafe-users mailing list > Pas...@li... > https://lists.sourceforge.net/lists/listinfo/passwordsafe-users >=20 |
From: Rony S. <ro...@gm...> - 2004-11-11 21:18:10
|
Hi, The data file formats are documented in the files notes.txt and = formatV2.txt that are part of the source distribution. Rony > -----Original Message----- > From: pas...@li...=20 > [mailto:pas...@li...] On=20 > Behalf Of Dickerson, Cliff > Sent: Thursday, November 11, 2004 7:28 PM > To: 'ro...@us...' > Cc: pas...@li... > Subject: RE: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > Rony, >=20 > Thanks for the information! >=20 > Is there somewhere I can find the differences between 1.9 and=20 > 2.0 dat file formats? >=20 > -cliff >=20 > -----Original Message----- > From: Rony Shapiro [mailto:ro...@gm...] > Sent: Thursday, November 11, 2004 5:20 AM > To: 'Schreck, Juergen'; 'Dickerson, Cliff' > Cc: pas...@li... > Subject: RE: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > Hi, >=20 > Indeed PasswordSafe does not support the command-line decryption of an > entire password database. Two points, though: >=20 > 1. The source distribution contains a Perl script=20 > (pwsafe-decode.pl) that > can parse and decrypt 1.9 databases - it should be=20 > straightforward to modify > to support the 2.0 file format. If anyone does so, I'd be=20 > glad to publish > it. >=20 > 2. PasswordSafe can be used via command line to encrypt and decrypt > arbitrary files (NOT password databases). "Pwsafe -e foo.txt"=20 > will prompt > for a password, and use it to encrypt foo.txt into=20 > foo.txt.PSF. "Pwsafe -d > foo.txt.PSF" will prompt for the password, and, if correct,=20 > decrypt the > file. This is an undocumented vestige of the original version. >=20 > Hope this helps, >=20 > Rony >=20 > > -----Original Message----- > > From: pas...@li...=20 > > [mailto:pas...@li...] On=20 > > Behalf Of Schreck, Juergen > > Sent: Thursday, November 11, 2004 11:13 AM > > To: 'Dickerson, Cliff'; 'pas...@li...' > > Subject: RE: [Passwordsafe-users] Decrypting .dat files > >=20 > >=20 > > I will hope, that this will never work. I think this would=20 > be against all > > purposes of pwsafe. If it would be so easy to decrypt the=20 > database you > could > > hold your passwords in a plain textfile, too. > >=20 > > Regards, > >=20 > > J=FCrgen Schreck > > --------------------------------------------- > > Siemens AG; COM ESY SEC DI4 > > Otto-Hahn-Ring 6; 81730 M=FCnchen > > FON: +49 89/636-42636 FAX: +49 89/636-45860 > >=20 > > -----Original Message----- > > From: Dickerson, Cliff [mailto:Cli...@la...]=20 > > Sent: Wednesday, November 10, 2004 11:24 PM > > To: 'pas...@li...' > > Subject: [Passwordsafe-users] Decrypting .dat files > >=20 > >=20 > > Hi, > >=20 > > I have version 2.06, does anyone know if/how to decrypt the=20 > > .dat file from > > the command line with a tool like OpenSSL? > >=20 > > I've tried a with and without a salt. > >=20 > > with salt I get "bad magic number" > >=20 > > without salt I get "bad decrypt" > >=20 > > Any ideas? > >=20 > > Thanks much. > >=20 |
From: Nigel P. <ni...@ni...> - 2004-11-11 20:53:06
|
Rony, Thanks very much for that info, I think it will come in very handy. In relation to the other comments, I agree that I don't see why a command-line option should make it any more or less secure. I have for some time tried to impress upon people the importance of choosing a strong combination pass phrase by referring to the following link which comes complete with source code. I have only tried it on v1 and it worked a treat, essentially you supply a dictionary and it tries it against a password safe. http://members.aol.com/jpeschel3/PasswordSafeCracker.zip Nigel... |
From: Rony S. <ro...@gm...> - 2004-11-11 13:22:23
|
Hi, Indeed PasswordSafe does not support the command-line decryption of an entire password database. Two points, though: 1. The source distribution contains a Perl script (pwsafe-decode.pl) = that can parse and decrypt 1.9 databases - it should be straightforward to = modify to support the 2.0 file format. If anyone does so, I'd be glad to = publish it. 2. PasswordSafe can be used via command line to encrypt and decrypt arbitrary files (NOT password databases). "Pwsafe -e foo.txt" will = prompt for a password, and use it to encrypt foo.txt into foo.txt.PSF. "Pwsafe = -d foo.txt.PSF" will prompt for the password, and, if correct, decrypt the file. This is an undocumented vestige of the original version. Hope this helps, Rony > -----Original Message----- > From: pas...@li...=20 > [mailto:pas...@li...] On=20 > Behalf Of Schreck, Juergen > Sent: Thursday, November 11, 2004 11:13 AM > To: 'Dickerson, Cliff'; 'pas...@li...' > Subject: RE: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > I will hope, that this will never work. I think this would be against = all > purposes of pwsafe. If it would be so easy to decrypt the database you could > hold your passwords in a plain textfile, too. >=20 > Regards, >=20 > J=FCrgen Schreck > --------------------------------------------- > Siemens AG; COM ESY SEC DI4 > Otto-Hahn-Ring 6; 81730 M=FCnchen > FON: +49 89/636-42636 FAX: +49 89/636-45860 >=20 > -----Original Message----- > From: Dickerson, Cliff [mailto:Cli...@la...]=20 > Sent: Wednesday, November 10, 2004 11:24 PM > To: 'pas...@li...' > Subject: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > Hi, >=20 > I have version 2.06, does anyone know if/how to decrypt the=20 > .dat file from > the command line with a tool like OpenSSL? >=20 > I've tried a with and without a salt. >=20 > with salt I get "bad magic number" >=20 > without salt I get "bad decrypt" >=20 > Any ideas? >=20 > Thanks much. >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: > Sybase ASE Linux Express Edition - download now for FREE=20 > LinuxWorld Reader's > Choice Award Winner for best database on Linux. > http://ads.osdn.com/?ad_id=3D5588&alloc_id=3D12065&op=3Dclick > _______________________________________________ > Passwordsafe-users mailing list=20 > Pas...@li... > https://lists.sourceforge.net/lists/listinfo/passwordsafe-users >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: > Sybase ASE Linux Express Edition - download now for FREE > LinuxWorld Reader's Choice Award Winner for best database on Linux. > http://ads.osdn.com/?ad_idU88&alloc_id=12065&op=3Dick > _______________________________________________ > Passwordsafe-users mailing list > Pas...@li... > https://lists.sourceforge.net/lists/listinfo/passwordsafe-users >=20 |
From: Philip N. <phi...@gm...> - 2004-11-11 13:33:30
|
On Thu, 11 Nov 2004 10:12:38 +0100, Schreck, Juergen <jue...@si...> wrote: > I think this would be against all > purposes of pwsafe. If it would be so easy to decrypt the database you could > hold your passwords in a plain textfile, too. I though the main component of security lies in the choice of key, not in the specific algorithm. After all, decrypting the database by starting pwsafe is also "easy" if you have the right passphrase; I do not see why a command-line decryption utility *that requires you to know the passphrase* is less secure. Cheers, -- Philip Newton <phi...@gm...> |
From: Rony S. <ro...@gm...> - 2004-11-11 21:28:31
|
Hi Philip, In general, you're right, of course. The strength of the tool is only as strong as the passphrase used to protect the data. What Juergen may have had in mind was that a command-line tool may be = used to create a file with all the database entries decrypted. Such a file = would b a real security risk, since deleting the file by normal means still = leaves the data floating around on the disk if you know where to look. The PasswordSafe application goes through some lengths to ensure that no = more data than is absolutely needed in a given moment is actually decrypted. Rony > -----Original Message----- > From: pas...@li...=20 > [mailto:pas...@li...] On=20 > Behalf Of Philip Newton > Sent: Thursday, November 11, 2004 3:33 PM > To: Schreck, Juergen > Cc: Dickerson, Cliff; pas...@li... > Subject: Re: [Passwordsafe-users] Decrypting .dat files >=20 >=20 > On Thu, 11 Nov 2004 10:12:38 +0100, Schreck, Juergen > <jue...@si...> wrote: > > I think this would be against all > > purposes of pwsafe. If it would be so easy to decrypt the=20 > database you could > > hold your passwords in a plain textfile, too. >=20 > I though the main component of security lies in the choice of key, not > in the specific algorithm. >=20 > After all, decrypting the database by starting pwsafe is also "easy" > if you have the right passphrase; I do not see why a command-line > decryption utility *that requires you to know the passphrase* is less > secure. >=20 > Cheers, > --=20 > Philip Newton <phi...@gm...> >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: > Sybase ASE Linux Express Edition - download now for FREE > LinuxWorld Reader's Choice Award Winner for best database on Linux. > http://ads.osdn.com/?ad_id=3D5588&alloc_id=3D12065&op=3Dclick > _______________________________________________ > Passwordsafe-users mailing list > Pas...@li... > https://lists.sourceforge.net/lists/listinfo/passwordsafe-users >=20 |