Jump to content
Sign in to follow this  
fmfm

Elmsoft Enpass

Recommended Posts

Elmsoft Enpass

Hello

 

What's the Enpass opinion on this article : 

https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/

where those people claim they can easily break many of the master passwords.

Despite Enpass was not tested but known competitors to Enpass (1Password, LastPass, Dashlane etc.) , some results appear just SOOO critical.....

it would be good to have Enpass's opinion (as well as an ElcomSoft test on Enpass).

 

Kind regards, Francesco

Edited by fmfm

Share this post


Link to post
Share on other sites

me again :

 

Jeffrey Goldberg, from AgileBits, the makers of 1Password, very quickly answered and criticised the test. He wrote :

 

Quote

I am perplexed by your results. In the latest version of 1Password, we use 100,000 rounds of PBKDF2-HMAC-SHA256 in our Key Derivation Function (KDF). Our immediately previous data format (OPVault) used at least (calibrated) 40,000 rounds of PBKDF2-HMAC-SHA512.

Only early versions of our long deprecated Agile Keychain Format, which may have used as few as 10,000 rounds of PBKDF2-HMAC-SHA1 would be make sense for the results that you report. Is that the data format you can recover?

If you are going after the old Agile Keychain Format, then I expect you are getting a 2x speed up from the bug we described in early 2013 (and discovered by the hashcat developers). But we are already deploying the successor of the successor of that data format.

 

So Elmsoft has to redo it again considering 1Password'd answers which resulted in a MUCH improved rating of 1Password (i.e., a better security than previously tested) :

https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/

 

So, what about Enpass ?    is that PBKDF2-HMAC-SHA1 or PBKDF2-HMAC-SHA512 ? (I understand nothing to cryptology but, according to 1Password, the second is told to be more secure).  In Enpass web site/Safety, I could only found, for my little understanding, mention of "only" PBKDF2 but no details about the variant actually used.

 

Kind regards, Francesco

Edited by fmfm

Share this post


Link to post
Share on other sites

Hi @fmfm,

Enpass uses SQLCipher (open-source and peer-reviewed cryptography engine) with 24000 rounds of PBKDF2-HMAC-SHA1. In context of PBKDF2 or HMAC, SHA1 is still quite suitable from a security standpoint. We have already increased the number of iterations with improved algorithm, and we will implement these changes in production stream from next major release 6.

And finally as concluded in their post  https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/ , choice of strong master password is the most important factor guarding your data.

Cheers

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×
×
  • Create New...