How secure are the password files used by Password Safe and Password Gorilla?

Question

Password Safe and Password Gorilla are both programs to manage passwords. Both store a list of user passwords in a file, which is encrypted using a master password. They use the same file format, so you can alternate between the two, using the same file, as Joel Spolsky recommended.

Password Safe was created by Bruce Schneier, who said the following about it:

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES.

Although I respect Schneier, the "fast" encryption part gives me pause. I want it to be very difficult to brute force my password file, so I want the decryption be relatively slow.

I think that Password Safe now supports something like the work factor of bcrypt, but if I'm going to use the Spolsky method of sharing my file between computers with Dropbox, I want to be very sure that, if it fell into the wrong hands, nobody would be able to brute force it.

Assuming I've chosen a complex password, how secure is the encryption on these files?

Answer 1

By fast, they mean once you've set up a decryption key (e.g., entered your passphrase), you can decrypt a large or small file very quickly. The time necessary to check a single passphrase of twofish and DES are both similar (see time/cycles to set up key and IV - initialization vector):

http://www.cryptopp.com/benchmarks.html

(these are benchmarks for encryption; but should be similar).

Wikipedia lists some progress on attacks of twofish, but concludes by quotes the first author of the a decades old published partial attack:

"But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published in 2000".

However, you mention you have a complex password. You probably should be using a passphrase. Eight random characters (upper/lowercase + numbers) ~ 2⁴⁷ ~ 10¹⁴? The quoted benchmark may take ~10 microseconds (10^-5 s) to try one password; so you could try 10^14 passwords in a 10⁹ s ~ 100 years of CPU time; which is in the realm of feasibility for say gov't to eventually break. If you had say a 6 word diceware passphrase (77 bits of entropy) it would take 100 billion years of today's CPU time to break.

Answer 2

When doing encryption while using a password as key, there are two phases:

1. The password is transformed into a key suitable for the symmetric encryption algorithm which is to be used.
2. The encryption algorithm is applied to whatever data is to be encrypted.

Salts and configurable slowness, the two mantras of good password processing, are to be applied on step 1, not step 2. If the encryption was inherently slow, then it would be very slow for you, because encryption time is proportional to the size of the data to encrypt or decrypt. On the other hand, the attacker only has to decrypt the first block or so to quickly rule out wrong passwords.

In other words, if the encryption itself was slow, you would not be able to make it as sow as you would wish, and the attacker would not be much thwarted. When doing the slowness in the password hashing step, on the other hand, you can make things more equal between you and the attacker. I have not looked what Password Safe employs for that step, but usual recommendations are bcrypt and PBKDF2.

In practice, the encryption speed is not important. 3DES is "slow" which means that decrypting all your stored password would take 500 microseconds instead of 50 with a faster algorithm -- but you would not see the difference anyway. Scheneier's banter about speed of Twofish is just an old piece of commercial advertisement which made sense 15 years ago when Twofish was involved in the AES competition (but, ultimately, Rijndael won and became "the AES").

Answer 3

Here is some additional information, not meant to detract from the previous excellent answers.

One analysis of the Password Safe file format can be found in the paper, "On The Security of Password Manager Database Formats," by Gasti and Rasmussen. At the time of this writing, it is available online at https://www.cs.ox.ac.uk/files/6487/pwvault.pdf, but I don't know how long that link will be live. There is a longer paper by the same authors that delves into the actual mathematical analysis of that file format; I have only found it on academic sites that charge for downloading a paper, so I haven't read it yet. It is referenced in the above paper, if anyone wants to have a go at it.

The paper reviewed 9 different password database formats:

• Google Chrome
• Firefox
• Microsoft Internet Explorer
• 1Password
• KDB (aka KeePass 1.x)
• KDBX4 (aka KeePass 2.x)
• PINs
• PasswordSafe v3
• Roboform

Of these, the PasswordSafe format was by far the strongest, and the only one resilient against all of the writer's proposed attacks.

Answer 4

I don't know of any independent assessment of Password Safe and its security. However the fact that the program's source code is open is of some comfort when it comes to hidden backdoors, "calling home" behavior etc.

Until a comprehensive and independent analysis is available, I would keep my Password Safe file wrapped inside a TrueCrypt file container. That way, potential vulnerabilities in the Password Safe implementation should be a lesser problem.

Answer 5

Most attacks discussed in other answers are brute force attacks which guess the password. That aside, it has been verified:

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

But are you using Password Safe or a port, like this one for Mac? If you are, then here's the bad news from Schneier from Counterpane

Various third-party ports, clones, and readers are also available. I haven't looked at any of these programs, and can't vouch for their compatibility or their security.

So the answer is "very."