Security of master password in a derived password manager

I am aware of other questions asking similar things as this one, but I believe this design addresses many of the issues raised in those questions. I’m also not concerned with making sure there’s no database to store, only that the database doesn’t store any secrets.

Using some key derivation function KDF
    where KDF requires a secret managed elsewhere
With master password provided from elsewhere
Password requirements are the rules of what are allowed by the site,
    i.e. length, allowed character classes, required classes

# To register with a new site
With username provided from elsewhere
With password requirements provided from elswhere
Create a salt
Store site,password requirements,username,salt
Create key by KDF(salt, master password)
Convert key to generated password to fit password requirements
Give username and generated password to site
Register

# To login to a site
Retrieve password requirements,username,salt by site
Create key by KDF(salt, master password)
Convert key to generated password to fit password requirements
Give username and generated password to site
Login

Let’s say an attacker acquires both the store and the plaintext generated passwords, but not any secret parameters to the KDF.

  1. Does this design make it any easier for the attacker to find the master password than by a brute force attack?
  2. Is a brute force attack on this design easier than a brute force attack on an encrypted password store?
  3. Is this in any other way easier to attack than encrypted password managers that derive the encryption key from a master password?

Of course the list of sites and usernames itself is important information. I’m only wondering about the security of the master password.

Go to Source
Author: JamesH

How to apply custom filters for John The Ripper when cracking RAR3 archive password?

My problem is that I’m trying to crack RAR file with is encrypted with RAR3 encryption.
Decided to try with John The Ripper.
Here are clues I have from my friend.

  1. Max password length is 8
  2. Only capital letters or digits

And I need now filter to make John crack the password without trying to check small lowercase letters.
On hashcat it’s easy to do but program do not support $RAR3$*1 type of hashes.

Go to Source
Author: Madiator2011

Can passwords be compromised via compromised router?

If I am using an up to date device to access internet, can passwords I type on genuine https websites get compromised?

For instance, will the password that I type on Gmail.com be compromised, if my device is connected to compromised router while accessing it? since everything has to go theough router?

Really bugging me. Please please help.

Go to Source
Author: B_S_M

Someone is trying to reset my email password

I don’t know if this is the right place to ask, but I think I got a problem.
Recently I have started to receive emails to reset my password for my main email on my other two emails I have set up for backup. Thing is, I never asked for it to be reset, and oddly enough, its been hapening for over a week now, multiple times a day. I’m inclined to belive that this is an automated attack or something, but I dont understand the point of it if the attacker dosent have access to the backup emails.

All my accounts have 2FA enabled, so I think I’m safe, but I want to be sure. Is there something I should do to be safer?

Go to Source
Author: japadk

Is this (explained in body) a possible attack vector when using haveibeenpwned API?

I’m currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised elsewhere.

I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.

I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.

If HIBP gets hacked, and attacker gains access to the above hypothetical logs, assuming that it contains all the information in the original request – the partial hash and where it came from (my site), can the attacker construct an attack on my site is this way?

  1. Hash the passwords in the list of pwned password and get a list of hashes
  2. Match the partial hash he has with those in the above list and
    derive a refined dictionary of N number of possible passwords with
    same partial hash
  3. Try the passwords on my site

I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.

PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.

Go to Source
Author: Aen Tan