Bad Luck for Password Safe V3!
29 March 2006
Password Safe, the well-known database format historically backed by great names such as "CounterPane" and "Bruce Schneier", is suffering more bad luck in its attempts to create a secure database format. As already reported, V2 was recently found to be vulnerable to brute force attacks. Now the designated successor format V3 seems to meet the same fate. According to a note from ElcomSoft Co. Ltd., the security of the format depends on a Windows XP specific function and, for design reasons, has a severely bad security status when Password Safe is run under a different operating system.
JPasswords will follow this development with great interest because our roadmap has, at least so far, aimed at supporting V3 as a possible alternative for our databases. However, this also shows that our other target, namely developing JPWS's own database format with the best available security, is justifiably at the top of the schedule.
Password Safe Data Security Compromised (Note: This only applies to the outdated format V2!)
24 November 2005
We received notice of an expert analysis from INSECURE.ORG of the Password Safe data format which points to a weakness with respect to possible brute force attacks. The report can be seen here. In short, that report finds that brute force attacks cost a factor of 1000 less time than the format designers expected. The consequences should not cause you a heart attack, but they mark the data format, which is no longer the latest technology anyway, for replacement. We here at JPasswords are working on it!
As a practical consequence of the discovered weakness you should seriously think about the file access passwords you are using! We give a summary of recommendations as follows:
- Don't use names from your kin or personal environment, no matter how many you combine
- Don't use a single word that might be an element of any publicly available dictionary (e.g. English, German, medicine, physics etc.)
- If you can remember it, use a randomly generated password of at least 10 characters containing 3 different character sets (e.g. upper case, lower case, digits)
- If you like to use words, use fantasy creations (e.g. "Deffdirendendideldumm") - not really good, but better than dictionary words!
- If you insist on using existing words, use at least 3 words in combination
- Amplify your password text with at least 3 digits or special symbols placed anywhere you like (e.g. "830" or "%#`" etc.); the more you can add, the better!
- Perhaps you want to note down your (amplified) password for your own security (the "forgot it!" disaster). In this case note down only parts of it and either remember the rest or put different parts of the password into different storage places.
- If you note down your password, never note it electronically but always on paper!
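The recommendations above can be turned into a mechanical check, and the "factor 1000" finding from the report can be turned into a crack-time estimate that shows why the length and character-set rules matter. The following is an added example written for this page; it is not JPasswords code and not the INSECURE.ORG analysis. The small word list is constructed as a stand-in for a real dictionary, and the guess rate passed to `expected_crack_seconds` is whatever figure you assume for an attacker's hardware (assumption, not a value from the page). The "at least 3 words in combination" rule cannot be checked mechanically without a word segmenter and is left out.

```python
import math
import re
import string

# Constructed stand-in for a "publicly available dictionary" (assumption: a real
# deployment would load a full word list, possibly in several languages).
DICTIONARY = {"password", "secret", "london", "physics", "medicine", "schneier", "safe"}

# The character sets the recommendation list talks about.
CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # includes % # and the backtick from the example
}


def charsets_used(pw):
    """Names of the character sets that occur at least once in pw."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in pw)}


def check_password(pw, personal_names=(), dictionary=DICTIONARY):
    """Return the list of violated recommendations; an empty list means pw passes.

    personal_names: names of kin / personal environment the user supplies
    (hypothetical input, the page gives no such list).
    """
    problems = []
    low = pw.lower()

    # Rule: no names from kin or personal environment, however many are combined.
    for name in personal_names:
        if name.lower() in low:
            problems.append(f"contains personal name '{name}'")

    # Rule: not a single dictionary word. Strip the "amplifying" digits/symbols first,
    # since "password830" is still just a dictionary word with decoration.
    core = re.sub(r"[^a-z]", "", low)
    if core in dictionary:
        problems.append("is a single dictionary word")

    # Rule: at least 10 characters drawn from at least 3 character sets.
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if len(charsets_used(pw)) < 3:
        problems.append("uses fewer than 3 character sets")

    # Rule: amplified with at least 3 digits or special symbols.
    extras = sum(1 for c in pw if c in CHARSETS["digit"] or c in CHARSETS["symbol"])
    if extras < 3:
        problems.append("fewer than 3 digits or special symbols")

    return problems


def entropy_bits(pw):
    """Naive brute-force entropy: log2(alphabet size) per character, where the
    alphabet is the union of the character sets actually used. This is the
    attacker's search space for exhaustive search, not a measure of guessability
    against dictionaries."""
    alphabet = sum(len(CHARSETS[name]) for name in charsets_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(bits, guesses_per_second, speedup=1.0):
    """Average time for exhaustive search to hit the password (half the key space),
    at the given guess rate, divided by any speed-up the attacker gains from a
    format weakness such as the factor 1000 reported for V2."""
    return (2 ** bits / 2) / (guesses_per_second * speedup)


if __name__ == "__main__":
    for pw in ("password", "Deffdirendendideldumm830%#`"):
        bits = entropy_bits(pw)
        print(pw, check_password(pw) or "OK", f"{bits:.1f} bits")
        # Assumed attacker rate of 1e6 guesses/s, with and without the factor-1000 speed-up.
        print("  expected crack time (s):",
              f"{expected_crack_seconds(bits, 1e6):.3g}",
              "->",
              f"{expected_crack_seconds(bits, 1e6, speedup=1000):.3g}")
```

Run it as a script to see the two sample passwords side by side: the dictionary word fails four rules and sits at roughly 38 bits, while the fantasy word with "830%#`" appended passes and gains enough bits that even a thousandfold faster attack stays impractical. The check runs in a loop for each character, so the whole function stays linear in the password length.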