passwordsafe-users

[Passwordsafe-users] decrypting the .dat file

[Arnaud S. <arn...@gm...>]

Hi,

I saw some previous posting on this topic but no conclusion.

I agree that decrypting the .dat file may create some security issues.
However, since PasswordSafe only runs on a windows platform, what
happens when I am travelling with no Windows box around.

I would like to be able to decrypt the .dat file from any machine,
from the command line for instance.

My guess is that the .dat file stores the passwords as ASCII, with AES
or Blowfish encryption, and maybe some salting. I just would like to
know which algorithm to use.
Once again, without the password, the only way to crack the .dat file
is to use brute force or dictionary attack.

regards,

Arnaud

RE: [Passwordsafe-users] decrypting the .dat file

[Rony S. <ro...@gm...>]

Hi Arnauld,

Short answer: The .dat file cannot be encrypted/decrypted all at once. A
workaround would be to export the .dat file to plain text and
encrypting/decrypting this with a program/algorithm that is available on
your target platform.

WARNING: Doing this is potentially VERY unsecure, as the decrypted data may
remain on the target machine, even after you've deleted the file.

Long answer: There's no need to guess, as the format of the .dat file is
fully documented in the files that come with the source code. Briefly, each
entry stored as a record of variable length fields. All are encrypted using
Blowfish with the same key, but each record has its own salt. 

Hope this helps.

	Cheers,

		Rony

> -----Original Message-----
> From: pas...@li... 
> [mailto:pas...@li...] On 
> Behalf Of Arnaud Sahuguet
> Sent: Wednesday, December 22, 2004 5:43 PM
> To: pas...@li...
> Subject: [Passwordsafe-users] decrypting the .dat file
> 
> 
> Hi,
> 
> I saw some previous posting on this topic but no conclusion.
> 
> I agree that decrypting the .dat file may create some security issues.
> However, since PasswordSafe only runs on a windows platform, what
> happens when I am travelling with no Windows box around.
> 
> I would like to be able to decrypt the .dat file from any machine,
> from the command line for instance.
> 
> My guess is that the .dat file stores the passwords as ASCII, with AES
> or Blowfish encryption, and maybe some salting. I just would like to
> know which algorithm to use.
> Once again, without the password, the only way to crack the .dat file
> is to use brute force or dictionary attack.
> 
> regards,
> 
> Arnaud
> 

Re: [Passwordsafe-users] decrypting the .dat file

[Arnaud S. <arn...@gm...>]

Thanks for info.
I looked at the source code and I should be able to write a program to
decrypt the file, if needed. But I guess I will wait for the need to
show up.

I just want to make sure that if one day I am in a non-Windows
environment, I can retrieve my dat file from the network and run a
simple cmd line script to recover the passwords if needed.

When using PasswordSafe to generate the password, it is very unlikely
that I will even bother to remember them.

regards,

Arnaud


On Wed, 22 Dec 2004 19:48:08 +0200, Rony Shapiro <ro...@gm...> wrote:
> Hi Arnauld,
> 
> Short answer: The .dat file cannot be encrypted/decrypted all at once. A
> workaround would be to export the .dat file to plain text and
> encrypting/decrypting this with a program/algorithm that is available on
> your target platform.
> 
> WARNING: Doing this is potentially VERY unsecure, as the decrypted data may
> remain on the target machine, even after you've deleted the file.
> 
> Long answer: There's no need to guess, as the format of the .dat file is
> fully documented in the files that come with the source code. Briefly, each
> entry stored as a record of variable length fields. All are encrypted using
> Blowfish with the same key, but each record has its own salt.
> 
> Hope this helps.
> 
>         Cheers,
> 
>                 Rony
> 
> > -----Original Message-----
> > From: pas...@li...
> > [mailto:pas...@li...] On
> > Behalf Of Arnaud Sahuguet
> > Sent: Wednesday, December 22, 2004 5:43 PM
> > To: pas...@li...
> > Subject: [Passwordsafe-users] decrypting the .dat file
> >
> >
> > Hi,
> >
> > I saw some previous posting on this topic but no conclusion.
> >
> > I agree that decrypting the .dat file may create some security issues.
> > However, since PasswordSafe only runs on a windows platform, what
> > happens when I am travelling with no Windows box around.
> >
> > I would like to be able to decrypt the .dat file from any machine,
> > from the command line for instance.
> >
> > My guess is that the .dat file stores the passwords as ASCII, with AES
> > or Blowfish encryption, and maybe some salting. I just would like to
> > know which algorithm to use.
> > Once again, without the password, the only way to crack the .dat file
> > is to use brute force or dictionary attack.
> >
> > regards,
> >
> > Arnaud
> >
> 
>