Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 8 May 2014 10:01:23 +1000
From: Michael Samuel <mik@...net.net>
To: john-users@...ts.openwall.com
Subject: Re: cracking a OTP protected keypass db file?

Hi,

> quite frankly I do not understand how a OTP token can be used to decrypt
> a keypass db file [1][2], but anyway I wanted to ask if this protects
> you from offline password bruteforcing or if john  has support for
> cracking such keepass protected db files as well?

>From looking at the source (fairly quickly), it seems to be encrypting the
"master" key for the database with a set of your next OTPs.  To be honest
I don't feel confident in it's methods, but don't have time right now to do
proper analysis.

Also the OTPs aren't really one-time anyway, unless you changed all the
passwords stored in your DB each time you opened it.  The OTP method is
basically like changing the password to the database each time.  For this
reason alone, I'd avoid the extra complexity this module unnecessarily adds.

> [1] http://keepass.info/help/kb/yubikey.html

This page mentions two methods for storing your KeePass password on a
Yubikey token - the static password method and the OTP method.

The static password method would let you store an extremely strong password
on your Yubikey (eg. if you picked 26 base-32 characters (eg. lower-case letters
and numbers) you'd have > 128bit strength, with it typed every time you hit the
button.  I think this is the wise choice (Perhaps with a
prefix/postfix that you type
yourself).

Regards,
  Michael

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.