Date: Thu, 8 May 2014 10:01:23 +1000 From: Michael Samuel <mik@...net.net> To: john-users@...ts.openwall.com Subject: Re: cracking a OTP protected keypass db file? Hi, > quite frankly I do not understand how a OTP token can be used to decrypt > a keypass db file , but anyway I wanted to ask if this protects > you from offline password bruteforcing or if john has support for > cracking such keepass protected db files as well? >From looking at the source (fairly quickly), it seems to be encrypting the "master" key for the database with a set of your next OTPs. To be honest I don't feel confident in it's methods, but don't have time right now to do proper analysis. Also the OTPs aren't really one-time anyway, unless you changed all the passwords stored in your DB each time you opened it. The OTP method is basically like changing the password to the database each time. For this reason alone, I'd avoid the extra complexity this module unnecessarily adds. >  http://keepass.info/help/kb/yubikey.html This page mentions two methods for storing your KeePass password on a Yubikey token - the static password method and the OTP method. The static password method would let you store an extremely strong password on your Yubikey (eg. if you picked 26 base-32 characters (eg. lower-case letters and numbers) you'd have > 128bit strength, with it typed every time you hit the button. I think this is the wise choice (Perhaps with a prefix/postfix that you type yourself). Regards, Michael
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.