Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. The problem here is: GPUs are extremely good at calculating SHA-1 hashes. Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate. Anybody who ever designed a login function on a website will likely see the red flag here. However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Quite remarkably, I haven’t seen any articles stating the opposite. On the other hand, it is commonly believed that with a master password your data is safe.
While they will still be encrypted in logins.json file, the encryption key is stored in ke圓.db file without any protection whatsoever. It is common knowledge that storing passwords there without defining a master password is equivalent to storing them in plain text. And modern hardware is very good at validating guesses.Ĭase in question: Firefox and Thunderbird password manager. Somebody who gets hold of that encrypted data will try to guess the password you used to protect it.
Kaspersky password manager flaw that generated software#
There is a weakness common to any software letting you protect a piece of data with a password: how does that password translate into an encryption key? If that conversion is a fast one, then you better don’t expect the encryption to hold.
0 kommentar(er)
