Enpass Discussion Forum

ElcomSoft Enpass


fmfm


Hello

 

What is Enpass's opinion on this article:

https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/

where those people claim they can easily break many of the master passwords.

Although Enpass was not tested, only known competitors of Enpass (1Password, LastPass, Dashlane, etc.), some results appear just SOOO critical...

It would be good to have Enpass's opinion (as well as an ElcomSoft test on Enpass).

 

Kind regards, Francesco

Edited by fmfm

Me again:

 

Jeffrey Goldberg, from AgileBits, the makers of 1Password, very quickly answered and criticised the test. He wrote:

 

Quote

I am perplexed by your results. In the latest version of 1Password, we use 100,000 rounds of PBKDF2-HMAC-SHA256 in our Key Derivation Function (KDF). Our immediately previous data format (OPVault) used at least (calibrated) 40,000 rounds of PBKDF2-HMAC-SHA512.

Only early versions of our long deprecated Agile Keychain Format, which may have used as few as 10,000 rounds of PBKDF2-HMAC-SHA1, would make sense for the results that you report. Is that the data format you can recover?

If you are going after the old Agile Keychain Format, then I expect you are getting a 2x speed up from the bug we described in early 2013 (and discovered by the hashcat developers). But we are already deploying the successor of the successor of that data format.

 

So ElcomSoft had to redo it, considering 1Password's answer, which resulted in a MUCH improved rating of 1Password (i.e., better security than previously tested):

https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/

 

So, what about Enpass? Is it PBKDF2-HMAC-SHA1 or PBKDF2-HMAC-SHA512? (I understand nothing about cryptology but, according to 1Password, the second is said to be more secure.) On the Enpass web site/Safety page, I could only find, to my little understanding, mention of "only" PBKDF2 but no details about the variant actually used.

 

Kind regards, Francesco

Edited by fmfm

Hi @fmfm,

Enpass uses SQLCipher (an open-source and peer-reviewed cryptography engine) with 24000 rounds of PBKDF2-HMAC-SHA1. In the context of PBKDF2 or HMAC, SHA1 is still quite suitable from a security standpoint. We have already increased the number of iterations with an improved algorithm, and we will implement these changes in the production stream from the next major release, 6.

And finally, as concluded in their post https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/, the choice of a strong master password is the most important factor guarding your data.

Cheers

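The two replies above put four PBKDF2 settings side by side: 10,000 and 24,000 rounds of HMAC-SHA1, 40,000 of HMAC-SHA512, and 100,000 of HMAC-SHA256. What they leave implicit is that every one of those iterations is paid once per unlock by the user and once per guess by anyone testing master passwords offline, so the iteration count (together with the digest's own cost) is what sets the price of a guess. The example below is added here and is not code from Enpass, AgileBits or ElcomSoft; it copies the iteration counts stated in the thread into profiles (the labels, the sample password and the salt are constructed), derives and verifies keys with Python's standard-library PBKDF2, reports the relative cost of the settings on the machine it runs on, and shows the "calibrated" approach the 1Password reply refers to: choosing an iteration count from a target unlock time.

```python
"""PBKDF2 cost comparison for the KDF settings named in this thread.

Added example, not Enpass, 1Password or ElcomSoft code. The iteration
counts below are the ones stated in the posts; labels, password and salt
are constructed sample values.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class KdfProfile:
    label: str
    hash_name: str   # digest name accepted by hashlib.pbkdf2_hmac
    iterations: int


# Settings as stated in the thread (numbers from the posts, labels ours).
PROFILES = (
    KdfProfile("Agile Keychain, early versions", "sha1", 10_000),
    KdfProfile("Enpass 5 via SQLCipher", "sha1", 24_000),
    KdfProfile("1Password OPVault, calibrated minimum", "sha512", 40_000),
    KdfProfile("1Password current format", "sha256", 100_000),
)

# Constructed sample inputs; a real vault uses a random per-vault salt.
SAMPLE_SALT = b"0123456789abcdef"


def pbkdf2(hash_name: str, password: str, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Plain PBKDF2-HMAC-<hash_name>, kept separate so the RFC 6070 vectors can be checked."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dklen)


def derive_key(password: str, salt: bytes, profile: KdfProfile, dklen: int = 32) -> bytes:
    """Derive the vault key the way the given profile would."""
    return pbkdf2(profile.hash_name, password, salt, profile.iterations, dklen)


def verify_password(password: str, salt: bytes, profile: KdfProfile, expected: bytes) -> bool:
    """Re-derive and compare in constant time; this is the work an unlock costs."""
    candidate = derive_key(password, salt, profile, len(expected))
    return hmac.compare_digest(candidate, expected)


def seconds_per_derivation(profile: KdfProfile, password: str = "sample") -> float:
    """Wall-clock cost of one derivation on this machine (one unlock, or one offline guess)."""
    start = time.perf_counter()
    derive_key(password, SAMPLE_SALT, profile)
    return max(time.perf_counter() - start, 1e-9)


def relative_cost(profile: KdfProfile, baseline: KdfProfile) -> float:
    """How many times more work a guess costs under `profile` than under `baseline`."""
    return seconds_per_derivation(profile) / seconds_per_derivation(baseline)


def calibrate_iterations(hash_name: str, target_seconds: float, probe_iterations: int = 10_000) -> int:
    """Pick an iteration count so one derivation takes about `target_seconds` here.

    Measures a probe run and scales linearly (PBKDF2 cost is linear in the
    count); never returns fewer than the probe count.
    """
    probe = KdfProfile("probe", hash_name, probe_iterations)
    elapsed = seconds_per_derivation(probe)
    return max(probe_iterations, int(probe_iterations * target_seconds / elapsed))


if __name__ == "__main__":
    baseline = PROFILES[0]
    for profile in PROFILES:
        print(f"{profile.label:40s} {profile.hash_name:6s} {profile.iterations:>7d} rounds "
              f"{seconds_per_derivation(profile) * 1000:8.1f} ms  "
              f"x{relative_cost(profile, baseline):.1f} vs {baseline.hash_name}/{baseline.iterations}")
    print("iterations for ~0.25 s of PBKDF2-HMAC-SHA256 here:",
          calibrate_iterations("sha256", 0.25))
```

The timings are per derivation on the machine that runs the script, not a prediction of GPU cracking rates, but the ratios carry over: a guess against the 100,000-round SHA-256 setting costs several times a guess against 24,000 rounds of SHA-1, and both are dwarfed by the difference between a weak and a strong master password, which is the point the Enpass reply closes on.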
