Just so we're clear: your assertion is that because the password generator uses a non-cryptographically secure PRNG, generating unique 20+ character alphanumeric passwords for every login is worse than people's default behavior?
I mean, I get that it's worse than other keepass implementations - that's obviously a problem - but if this gets people to stop using "hunter2" or "p4$$w0rd" that's got to be worth something, right?
No, it's not worse for your scenario. (That wasn't my assertion)
However, this is an alternative to KeePass/KeePassX, so the typical behavior of KeePass users is to generate passwords with it, not reuse bad passwords.
For example, I use KeePassX to generate strong passwords for long-term encrypted archives, and if I switched to this app, I wouldn't get the same security.
I'm confused, though, should I say: "All right, people, fuck it, generate your passwords with Math.random! YOLO!"
I use KeePass and I don't use it to generate passwords. It's a pain to open and close every time I need to login somewhere, especially if I'm on mobile. I use it for when I forget my passwords, and I honestly believe that is the common use case, but who knows?
I hope that's not a common use case (among the technologically literate). I would expect said individuals to have far more passwords of sufficient length and complexity (not to mention duration) than could reasonably be remembered.
Lastpass, being primarily a browser plugin, makes generated passwords much more convenient. When I'm setting up a new account, I press Alt-G to bring up the generator dialog, and then it auto-fills when I need to log in. I honestly don't know most of my passwords (I still memorise my primary email password, so I'm not totally stuck if I lost access to LastPass).
This is a compromise, because I'd prefer to trust an open source tool and an encrypted local file, but I trust Lastpass enough, and the convenience is very nice.
There's addons for Firefox (KeeFox) and Chrome (ChromeIPass), making the UX of KeePass pretty much the same as of LastPass. I've switched about a month ago and am happy.
There's addons for Firefox/Chrome as well as apps for Android that enable autofill and other stuff you might expect from a modern password manager (making the UX pretty close to LastPass).
I've been pretty happy with keepass2android's keyboard integration. It avoids the clipboard entirely and helps autoselect the right password and username if you let it. It also supports using a HOTP NFC token in conjunction with the master password.
I know it doesn't add that much security since a determined attacker could still brute force the OTP with the way it works but it keeps out the casual attacker that's not that savvy.
The intent of KeePass is generally to let it generate sufficiently strong passwords for you, and a way to store those passwords. It's probably a bad idea to store passwords you've devised in it, because then you're not getting any additional security.
I use KeePass across a range of devices, including my phone and laptop. I keep the dictionary synced with Syncthing.
I use it regularly to generate new passwords for websites, refreshing old website passwords (hello Heartbleed!) and logging into existing accounts. I also lock down the security questions so they can't be guessed. I'm now logged out of most services by default, especially banking, and the dictionary auto-locks after a short time.
Once I accepted a small price of inconvenience in setup and use, it has a positive impact. Now I remember only one password and updates are kept in sync across all my stuff.
Yep, I use KeePass primarily for password management, in most cases I don't control what the passwords are - how else am I meant to store all these different client VPN credentials?
Security experts are really bad about explaining their positions. I don't doubt that you are right, but can you lay out the scenario for me where my Reddit account will be hacked because I used Math.random() to generate the password?
Hmm, I tend to think of KeePass as a manager for passwords for accounts, services, etc. I hadn't considered storing archive passwords in it, or are you only using it to generate them? It seems like pwgen would do that fairly well...
This is the question I ask every single time I read about anything in security. It feels like there's just SO MANY THINGS wrong about every damn thing now the only way I can figure out what I have to really worry about or focus on is anything with a PRACTICAL attack that's easily automated and remotely exploitable.
Cryptographic attacks become better, some of them become practical. RC4 attacks were not considered practical until recently, and now everyone runs with their heads on fire replacing it.
The best answer is to listen to what security people say. When they have a practical attack on something it is already too late.
Security experts, by in large, only care about academics and care very little about usability, so I do not trust them unless they give me specific scenarios where I am in danger.
Just to clarify what I mean; we have to make decisions based on tradeoffs. Having the most secure password possible is not the only thing that matters. So "trust security experts" is not a good response; I need to know threat levels so I can make informed decisions. I'm not just going to do the same thing a security enthusiast does because I value different things, to different degrees.
Looks like you didn't understand the sadness of the issue I was reporting. The author of the software constructed his own random number generator from two primitives: Salsa20 stream generator and Math.random. The last part is what makes this PRNG theoretically insecure: because Math.random is not guaranteed to give cryptographically secure random numbers, thus, theoretically, the generated passwords can be guessed. (The fact that there are no current attacks on current implementations of Math.random in browsers doesn't mean that we won't get them in the future.) The secure alternative to author's PRNG is ~one line of code: window.crypto.getRandomBytes. There are no tradeoffs involved! On the contrary, the author's insecure construction is more difficult to write than the secure one.
(BTW, while we here argue about security experts, the author said "Thank you, I'll replace it of course.")
This is what I'm talking about. You, a security enthusiast, are only interested in the technical security details. You respond to a comment about tradeoffs with details on the bug.
I don't care about why the bug happened or how easy it is/isn't to fix. I care about whether the existence of the bug is something I should be so concerned about as to not use the software. In order to gauge that, I need a little more info about the threat level.
>I don't care about why the bug happened or how easy it is/isn't to fix. I care about whether the existence of the bug is something I should be so concerned about as to not use the software. In order to gauge that, I need a little more info about the threat level.
Threat level is 0%. No currently known attacks exist. This threat level immediately goes to 100% when a practical attack is discovered. There is no guarantee that a practical attack exists that hasn't been brought to academic or mainstream attention (e.g some cracker has a practical attack that they're keeping under wraps). By the time the threat level hits 100% the cracker may have already broken into your account(s) before you even hear about the attack.
Therefore when something is shown that "attacking it is possible" you can make one of two assumptions
1) No practical attack exists and you'll be safe until it exists
2) A practical attack already exists and it is only a matter of time until you get pwned
Rather than worry about whether or not a practical attack already or will one day exist, I'd use cryptography that hasn't been shown to be broken.
This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
This is why security people are so frustrating to talk to; you only talk in extremes.
> Rather than worry about whether or not a practical attack already or will one day exist, I'd use cryptography that hasn't been shown to be broken.
That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
>This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
I'm not a security expert, more of a hobbyist. So I'll let someone else quantify potential specifics. To my understanding, they would not require physical access and would be able to guess any passwords generated (once an attack has been found/created).
>That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
The chances of 0 becoming 1 are not quantifiable because it requires knowing unknowns. It is, however, non-zero. For a small list of unknowns:
1) Who knows about the attack
2) How practical is the attack?
3) What software/websites/people are they choosing to attack
4) Are you even using any of the software/websites that are being attacked?
5) Are they going to accept cracking <10%~ accounts if they can do so in <24 hours or is their goal to crack >50%~ accounts? Many crackers only care to scrape the bottom of a barrel. What are the chances you were in the part of the barrel they scraped?
I assume the worst because being compromised is a zero-sum game. I've been compromised or I haven't. Therefore my variables are:
Everyone. Extremely. Only things I use. Of course. Doesn't matter, I'm in the targeted group.
I wouldn't make any bets on security through obscurity.
Getting my reddit account hacked is not the end of my life. Hell, getting my bank account hacked is not the end of my life. I don't want those things to happen, I will take precautions to prevent it.
But too often security people talk as though it's the only thing I should care about. And it's not, I care about other things too, to varying degrees.
So, to make an informed decision, I need to know more than just that Math.random() is insecure. Knowing that an attack wouldn't require physical access is the type of information I'm interested in. So thank you for that.
I understand completely. I feel most people's threat models stop even before 'threat has physical access'. The chances of both your computer being stolen and the person who stole it being tech-savvy enough [0] to break into things may as well be 0 for anyone who isn't the target of a state actor or working in a security field. At that point the only people who care are the people who care about security or slim chances like that occurring. :)
[0] Or the thief selling it to someone who is tech savvy enough. Still practically 0 for most everyone.
It's (relatively) easy to verify a software against a strict security definition and decide if it meets the definition or not.
It's incredibly difficult (I'd say "impossible", but I'm being pedantic for now) to check a flaw against such strict definition and check it against all possible use cases and all possible inputs and decide if one of them will lead to bad consequences.
Thus, if there's any practical attack? How the hell would I or anybody else know. We can only know a resounding "yes" after you get owned, nobody can ever tell you a honest "no" to this question.
I feel like your conclusion is the opposite of proper.
Proper would be: don't roll your own crypto, use what professionals created, and only in the way they document it to be used. When in doubt, email tptacek or another professional he would point out.
I don't know of any published attacks on XorShift128+, which is used in most browsers for Math.random. What I know is that it's not a cryptographically secure PRNG, though, so all you have to do is sit and wait for one ;-)
> The RandomSource.getRandomValues() method lets you get cryptographically random values. The array given as the parameter is filled with random numbers (random in its cryptographic meaning).
> To guarantee enough performance, implementations are not using a truly random number generator, but they are using a pseudo-random number generator seeded with a value with enough entropy. The PRNG used differs from one implementation to the other but is suitable for cryptographic usages. Implementations are also required to use a seed with enough entropy, like a system-level entropy source.
https://github.com/antelle/kdbxweb/blob/906e927d3e3384db4dd3...
https://github.com/antelle/keeweb/blob/master/app/scripts/ut...
(in meme form: https://imgur.com/FcZNflQ)
Filed issue: https://github.com/antelle/kdbxweb/issues/5
(embarrassing/funny: it was me who wrote Salsa20 "user-space" generator used here (https://github.com/antelle/kdbxweb/blob/906e927d3e3384db4dd3...), but it should be properly seeded from secure random number source to be secure. Added this note to the gist where the author found it: https://gist.github.com/dchest/4582374#file-salsa20-js-L1-L1...)