I'm thinking of using DPAPI to protect configuration file information in my program. After doing some reading on it, it looks like it uses the user's Windows password as part of the encryption process. Now, I've heard that there are tools (like Hieren's boot disk) that can crack Windows passwords "easily". Can DPAPI be counted on for any kind of security in the event that an attacker has physical access to the hard disk and the Windows password is decently complex? (Uppercase, lowercase, number, symbol 8+ length)
-
Warning: there is a *huge* difference between (a) a truly random 8-character password (i.e., where each character is chosen independently and uniformly at random from the list you provided) vs (b) a complex 8-character password that contains at least one uppercase letter, at least one lowercase letter, and at least one number. If you ask a user to generate one of the latter type, the result will usually be much weaker than a truly random 8-character password. Users sometimes interpret "random" to mean "arbitrary", or use passwords derived from words or phrases or names or birthdates, etc. – D.W. Sep 18 '12 at 05:36
-
That's why DPAPI uses PBKDF1 to slow down attacks on the password. If the password was cryptographically random, this wouldn't be necessary. But as you mentioned, no user picks a random password. – John Sep 18 '12 at 16:30
-
This question seems to be more about Windows password security than DPAPI security, DPAPI was just the motivation for the question. So the currently accepted answer has me confused as to what the question is actually asking since it only addresses DPAPI. – B-Con Sep 18 '12 at 16:38
-
@John, yup, I know that's why DPAPI uses PBKDF1! But just because it uses PBKDF1 does not mean that it is safe in practice. For instance, Thomas Pornin's calculations are for case (a) [truly-random passwords]. If you actually fall into case (b) [human-chosen passwords], you might be a lot less secure than you think. I would guess that case (b) is much more prevalent in practice, hence DPAPI might be at greater risk than one might naively expect based upon the mathematical calculations. Your question does not clearly specify whether you are asking about case (a) or case (b). – D.W. Sep 18 '12 at 20:57
-
(b), but that is a given. I was wondering, basically, if the Windows password system was secure, or just a "Do Not Disturb" sign. After researching the matter further, those password crackers are just brute forcing some kind of hash, so it is possible to have a secure Windows password and, therefore, securely protect data at rest with DPAPI. – John Sep 18 '12 at 21:16
-
1No need. Just use it directly: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment – SDsolar Sep 07 '17 at 02:52
-
@SDsolar That is truly scary. I had no idea NTLM was so broken like that. I wonder why they haven't changed the implementation so that the password hashes aren't enough for authentication... It kind of baffles me, unless I'm not understanding it right. – John Sep 07 '17 at 16:22
1 Answers
According to this book, the user password is expanded into an encryption key (for DPAPI) using the PBKDF1 key derivation function, configured to use SHA-1 with 4000 iterations by default. PBKDF1 is described in RFC 2898 (section 5.1). An attacker with a few big GPU could compute, perhaps, four billions SHA-1 per second, hence try about one million potential passwords per second. If your password has 8 random characters from an alphabet of size 64 (uppercase and lowercase letters, digits, and two symbols), then it has entropy 48 bits (because 648 = 248), and the attacker will need to try, on average, about 247 passwords before finding the right one. At one million passwords per second, this will take him about four years.
Beware that Windows has a habit of ignoring case in many places -- you should check whether uppercase and lowercase are indeed distinct as far as password verification is concerned.
(The book says "by default" which may imply that the "4000" parameter is configurable -- but I do not know how.)
- 320,799
- 57
- 780
- 949