this post was submitted on 16 Jun 2023
22 points (100.0% liked)
Linux
157 readers
1 users here now
Everything about Linux
RULES
-
Be nice to each other.
-
No memes or pictures of Linux in the wild.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You still need synchronization, and any deterministic password manager that doesn't provide it will break eventually. Any time a site experiences a breach you'll be forced to change your password, so you need to synchronize a counter for that for each account. Also, different sites have different (and often mutually incompatible) composition and length rules (in blatant violation of NIST SP 800-63b recommendations), which need to be synchronized to ensure generated passwords actually work for the account.
True. However the need for synchronization is rather infrequent and can easily be done via sneakernet.
There is something else I would like to highlight, about the problem if a single password gets leaked: At least with PasswordMaker Pro I wouldn't only increase the counter for that one site, but rather change it (ideally to a new random number) globally, and change passwords everywhere. The way PasswordMaker Pro uses the counter is that it just gets appended to the input url before hashing. For the hash algorithms that aren't using HMAC this is equivalent to just prepending that counter to the master password, so, a bad actor could just brute-force the combination of increment and master password, and get access to all sites that used the same master password and increment.
So, yeah, that's another big downside. If one password gets leaked, you can either rely on the attacker never finding out that it's a deterministic one, or you can do the same "change every password" dance that you have to perform if your password manager's cloud service data gets leaked.
If your KeePassXC databate gets leaked and you had a secure master password (10+ Diceware words or similar), you can do nothing (it's encrypted).
Yeah, PasswordMaker Pro isn't built with protection against brute-forcing, sadly. That risk could be mitigated though, by choosing an algorithm that takes a few moments to compute a single password, instead of doing so in mere nanoseconds...
I'm half tempted to write such an app myself (would be a nice upgrade after doing the PasswordMaker Pro port for Sailfish OS), but I'm also in the middle of another spare time project, so, probably not anytime soon...