Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 8 May 2014 10:01:23 +1000
From: Michael Samuel <>
Subject: Re: cracking a OTP protected keypass db file?


> quite frankly I do not understand how a OTP token can be used to decrypt
> a keypass db file [1][2], but anyway I wanted to ask if this protects
> you from offline password bruteforcing or if john  has support for
> cracking such keepass protected db files as well?

>From looking at the source (fairly quickly), it seems to be encrypting the
"master" key for the database with a set of your next OTPs.  To be honest
I don't feel confident in it's methods, but don't have time right now to do
proper analysis.

Also the OTPs aren't really one-time anyway, unless you changed all the
passwords stored in your DB each time you opened it.  The OTP method is
basically like changing the password to the database each time.  For this
reason alone, I'd avoid the extra complexity this module unnecessarily adds.

> [1]

This page mentions two methods for storing your KeePass password on a
Yubikey token - the static password method and the OTP method.

The static password method would let you store an extremely strong password
on your Yubikey (eg. if you picked 26 base-32 characters (eg. lower-case letters
and numbers) you'd have > 128bit strength, with it typed every time you hit the
button.  I think this is the wise choice (Perhaps with a
prefix/postfix that you type


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.