Security of master password in a derived password manager

I am aware of other questions asking similar things as this one, but I believe this design addresses many of the issues raised in those questions. I’m also not concerned with making sure there’s no database to store, only that the database doesn’t store any secrets.

Using some key derivation function KDF
    where KDF requires a secret managed elsewhere
With master password provided from elsewhere
Password requirements are the rules for what is allowed by the site,
    i.e. length, allowed character classes, required classes

# To register with a new site
With username provided from elsewhere
With password requirements provided from elsewhere
Create a salt
Store site,password requirements,username,salt
Create key by KDF(salt, master password)
Convert key to generated password to fit password requirements
Give username and generated password to site
Register

# To login to a site
Retrieve password requirements,username,salt by site
Create key by KDF(salt, master password)
Convert key to generated password to fit password requirements
Give username and generated password to site
Login

Let’s say an attacker acquires both the store and the plaintext generated passwords, but not any secret parameters to the KDF.

  1. Does this design make it any easier for the attacker to find the master password than by a brute force attack?
  2. Is a brute force attack on this design easier than a brute force attack on an encrypted password store?
  3. Is this in any other way easier to attack than encrypted password managers that derive the encryption key from a master password?

Of course the list of sites and usernames itself is important information. I’m only wondering about the security of the master password.

Go to Source
Author: JamesH
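
The register/login procedure described in the post, worked through as an added example (not the poster's code). The in-memory store, the choice of scrypt as the KDF, the "pepper" as the secret managed elsewhere, and the HMAC counter-mode expansion with rejection sampling used to turn the key into a password that fits the site's rules are all assumptions of this example:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
ALNUM = UPPER + LOWER + DIGITS


@dataclass(frozen=True)
class Requirements:
    """Site password rules: exact length, allowed alphabet, classes that must appear."""
    length: int
    allowed: str
    required: tuple = ()


@dataclass(frozen=True)
class Entry:
    """One store record. Nothing in it is secret: username, rules and a random salt."""
    username: str
    requirements: Requirements
    salt: bytes


# Assumed in-memory store keyed by site; a real manager would persist this.
STORE: dict = {}


def kdf(master_password: str, salt: bytes, pepper: bytes) -> bytes:
    """KDF(salt, master password) with a secret pepper held outside the store.

    scrypt is an assumption of this example; any memory-hard KDF fits the design.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=pepper + salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def key_to_password(key: bytes, req: Requirements) -> str:
    """Convert the derived key into a password that satisfies req.

    HMAC-SHA256 in counter mode expands the key into a byte stream; rejection
    sampling maps bytes onto the allowed alphabet without modulo bias. If a
    required class is missing, the next candidate is drawn from the same stream,
    so the result is still a deterministic function of (key, req).
    """
    alphabet = req.allowed
    limit = 256 - (256 % len(alphabet))   # bytes >= limit are rejected
    counter = 0
    while True:
        chars = []
        while len(chars) < req.length:
            block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
            for b in block:
                if b < limit:
                    chars.append(alphabet[b % len(alphabet)])
                if len(chars) == req.length:
                    break
        candidate = "".join(chars)
        if all(any(c in cls for c in candidate) for cls in req.required):
            return candidate


def _check(req: Requirements) -> None:
    """Reject rule sets that no password could satisfy (would loop forever above)."""
    if req.length < 1:
        raise ValueError("length must be positive")
    for cls in req.required:
        if not set(cls) & set(req.allowed):
            raise ValueError("a required class contains no allowed characters")
    if req.length < len(req.required):
        raise ValueError("too short to contain every required class")


def register(site, username, req, master_password, pepper, salt=None):
    """Create a salt, store the non-secret record, and return (username, password)."""
    _check(req)
    salt = salt if salt is not None else secrets.token_bytes(16)
    STORE[site] = Entry(username, req, salt)
    return username, key_to_password(kdf(master_password, salt, pepper), req)


def login(site, master_password, pepper):
    """Re-derive the same (username, password) from the stored record."""
    entry = STORE[site]
    key = kdf(master_password, entry.salt, pepper)
    return entry.username, key_to_password(key, entry.requirements)


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)   # the secret managed elsewhere
    rules = Requirements(length=16, allowed=ALNUM, required=(UPPER, LOWER, DIGITS))
    user, pw = register("example.test", "alice", rules, "correct horse battery", pepper)
    assert login("example.test", "correct horse battery", pepper) == (user, pw)
    print(user, pw)
```

The conversion step is where such designs usually go wrong: taking `key[i] % len(alphabet)` directly biases the output, and a candidate that fails a required-class check must be replaced from the same deterministic stream rather than by any per-run randomness, or login will not reproduce the registered password.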

How to apply custom filters for John The Ripper when cracking RAR3 archive password?

My problem is that I’m trying to crack a RAR file which is encrypted with RAR3 encryption.
I decided to try John the Ripper.
Here are clues I have from my friend.

  1. Max password length is 8
  2. Only capital letters or digits

And now I need a filter to make John crack the password without trying lowercase letters.
On hashcat it’s easy to do, but that program does not support the $RAR3$*1 type of hashes.

Go to Source
Author: Madiator2011
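
One way to restrict John to the two clues above, as an added example rather than anything from the post: generate the candidate space (uppercase letters and digits, length 1 to 8) externally and feed it to john's `--stdin` mode. The script, its file name and the `rar.hash` file name are assumptions of this example:

```python
"""Stream uppercase/digit candidates of length 1..max_len to john via --stdin."""
import itertools
import sys

UPPER_DIGITS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def candidates(alphabet=UPPER_DIGITS, max_len=8, min_len=1):
    """Yield every string over `alphabet` with min_len <= len <= max_len, shortest first."""
    for n in range(min_len, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def candidate_count(alphabet=UPPER_DIGITS, max_len=8, min_len=1):
    """Size of the keyspace, so the feasibility of a run can be judged before starting."""
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def main():
    # Optional argument: maximum length (default 8, per the clue in the post).
    max_len = int(sys.argv[1]) if len(sys.argv) > 1 else 8
    sys.stderr.write("keyspace: %d candidates\n" % candidate_count(max_len=max_len))
    out = sys.stdout
    for word in candidates(max_len=max_len):
        out.write(word + "\n")


if __name__ == "__main__":
    main()
```

Usage: `rar2john archive.rar > rar.hash` and then `python3 gen.py 8 | john --stdin --format=rar rar.hash`. Check the keyspace first: 36^8 alone is about 2.8 trillion candidates, which is far beyond what the slow RAR3 key schedule allows on a CPU, so the run is only realistic if the other clues shrink the space further. John's own mask mode produces the same candidates without a pipe, one length at a time: `john --format=rar -1='?u?d' --mask='?1?1?1?1?1?1?1?1' rar.hash` for length 8, with a shorter mask for each shorter length.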

Can passwords be compromised via compromised router?

If I am using an up-to-date device to access the internet, can passwords I type on genuine https websites get compromised?

For instance, will the password that I type on Gmail.com be compromised if my device is connected to a compromised router while accessing it, since everything has to go through the router?

Really bugging me. Please please help.

Go to Source
Author: B_S_M