Backing up your password manager is a good idea in case your house burns down, but where do you store the password to the off-site backup?

Remembering the master password is easy, but re-using the master password directly for my off-site backup is a bad idea. But what if I used a key derivation function to generate a password for the backup site from my master password using a predictable salt?

Let's say that I documented publicly, for example in this very post, that I would use PBKDF2-HMAC-SHA256 with one million iterations, using the backup service domain name and an iteration number as the salt, to generate the exact number of bits for a 64-character Base64 encoding, which would then be the password (the iteration number is necessary in case the backup service doesn't accept the first password generated, e.g. missing numbers or special characters).

Questions:

  1. Would this scheme be secure assuming the derived password is compromised, but the master password remains secret?
  2. The master password needs to be strong, so how many bits of entropy does it need to protect against a brute-force attack by all but a nation-state attacker?
Fax

  • Instead of PBKDF2 I would go for Argon2 as it does not only require CPU power but also a certain amount of RAM which can prevent massive parallelization of brute-force attacks. – Robert May 06 '22 at 11:35
  • @Robert Good suggestion, but I'm not sure what to do with the parameters (memory, parallelism, iterations). They don't seem to have very obvious values the same way PBKDF2 does on iterations (one million). I could put it in this post, but I'm not confident that I'll be able to find this post again 10 years from now. – Fax May 07 '22 at 00:09

1 Answer

  1. Would this scheme be secure assuming the derived password is compromised, but the master password remains secret?

Assuming the master password has enough entropy, and hasn't otherwise been compromised, yes. The entire point of PBKDF2 is to prevent a password digest from being reversed to recover the original password. Of course an attacker can bring whatever computing power (and intel they have on you) to the table in an attempt to reverse it.

  2. The master password needs to be strong, so how many bits of entropy does it need to protect against a brute-force attack by all but a nation-state attacker?

80 bits is probably safe, but not too far from the edge of practical cracking. If your threat model suggests a near-nation-state attacker is interested in your password, strive for 96 bits of entropy or more.

Mathematically speaking, 128 bits will not be broken by pure brute force. However, any patterns in the password, intelligence gathering, shoulder surfing, spyware, rubber hoses, etc., will render your defenses ineffective. No matter what length you choose, be sure to follow good password processes (OpSec).

John Deters
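
The derivation described in the question, written out as an added example that is not part of the original posts. The post fixes only PBKDF2-HMAC-SHA256, one million iterations and a 64-character Base64 output; the `domain:counter` salt encoding, the NFKC normalisation, the `meets_policy` rule and all names here are assumptions.

```python
import base64
import hashlib
import re
import unicodedata

ITERATIONS = 1_000_000  # value stated in the question
DK_LEN = 48             # 48 bytes = 384 bits = exactly 64 Base64 characters, no '=' padding


def meets_policy(password: str) -> bool:
    """Hypothetical site policy: lower case, upper case, a digit and '+' or '/'."""
    return all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[+/]"))


def derive_site_password(master: str, domain: str, policy=meets_policy,
                         iterations: int = ITERATIONS, max_tries: int = 16):
    """Return (password, counter) for the first counter whose output passes policy."""
    # Assumption: normalise the passphrase so that a different keyboard or OS
    # years later still yields the same bytes for the same typed characters.
    secret = unicodedata.normalize("NFKC", master).encode("utf-8")
    for counter in range(1, max_tries + 1):
        # Assumed salt encoding: lower-cased domain, ':' and the decimal counter.
        salt = f"{domain.lower()}:{counter}".encode("utf-8")
        dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, DK_LEN)
        password = base64.b64encode(dk).decode("ascii")
        if policy(password):
            return password, counter
    raise ValueError("no counter up to max_tries satisfied the policy")


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    pw, n = derive_site_password("constructed master passphrase", "backup.example")
    print(f"counter={n} password={pw}")
```

Because the salt is public and predictable, the only secret input is the master passphrase, so the scheme's resistance to offline guessing rests entirely on that passphrase's entropy and the iteration count.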