Tao Effect Forums

Espionage => Espionage 3 => Topic started by: algospe on January 17, 2013, 04:39:22 AM

Title: How easy is to crack E3 Master Password?
Post by: algospe on January 17, 2013, 04:39:22 AM
Dear Espionage 3 Team,

Assuming someone managed to get inside my Mac, may I ask you how easy would be for this person to crack E3 Master Password therefore gaining direct access to the images I´ve created (assuming I am not using plausible deniability)?
Could it be possible for you to implement a feature that protects the Master Password say, after 3 failed login attempts there will be a delay of 10 minutes to allow access attempts again, if it fails again then it will double the time to attempt login up to 20 minutes, and so on?
Thanks for your advise.
Alberto.
Title: Re: How easy is to crack E3 Master Password?
Post by: zsolt on January 17, 2013, 12:54:29 PM
EDIT BY GREG (DEVELOPER): This comment is not entirely correct, the master password is very difficult to crack, and uses a different algorithm to protect it than the disk images use to encrypt the data. Comparing them is not easy because the amount of data encrypted is vastly different. Please see my reply (https://www.taoeffect.com/forum/index.php?topic=2323.msg5292#msg5292) lower down in this thread.

Hello Alberto,
I'm not an encryption expert but the images are protected with 256bit AES encryption, the same Apple uses for file vault (AFAIK) and the passphrase is very secure, this is one example X!EHU[r#CE7v;.'Lc'Xma3tjd1"ma7, as you see the passwords are random and therefore probably hard to crack.
I believe it would be easier to crack your master password and gain access to the database where the disk image passwords are stored.
Regarding your feature request i will submit it to the product management and they will decide if it will get a go at some point or not.
Thanks for your input.
Rgds
Zsolt
Title: Re: How easy is to crack E3 Master Password?
Post by: algospe on January 22, 2013, 04:00:50 AM
Thansk Zsolt,

I do appreciate any feedback on the status of this feature request, better if you could have a place in the blog showing status/progress of all E3 features already requested?

All the best,

Alberto.
Title: Re: How easy is to crack E3 Master Password?
Post by: zsolt on January 22, 2013, 01:24:10 PM
Hello Alberto, we do not publish such a list, it is internal only. But Espionage does check for updates automatically and if any detected then you will get details about problems fixed or features introduced in the release, so this might help.

rgds
Zsolt
Title: Re: How easy is to crack E3 Master Password?
Post by: usergnome on July 04, 2013, 02:23:10 AM
Quote from: zsolt on January 17, 2013, 12:54:29 PM
Hello Alberto,
I'm not an encryption expert but the images are protected with 256bit AES encryption, the same Apple uses for file vault (AFAIK) and the passphrase is very secure, this is one example X!EHU[r#CE7v;.'Lc'Xma3tjd1"ma7, as you see the passwords are random and therefore probably hard to crack.
I believe it would be easier to crack your master password and gain access to the database where the disk image passwords are stored.
Regarding your feature request i will submit it to the product management and they will decide if it will get a go at some point or not.
Thanks for your input.
Rgds
Zsolt

I'm not sure you noticed, but you never answered Alberto's question. He wanted to know how easy it would be to crack the master password not the image password. Is the master password also 256 bit encrypted? If the database containing the sparse image passwords is not encrypted as strongly as the sparse image, then the encryption level of the sparse image is meaningless. Are you saying the master password is easier to crack because it is generated by the user and may not be as random as the passphrase for the sparse image?
Title: Re: How easy is to crack E3 Master Password?
Post by: zsolt on July 05, 2013, 11:23:06 PM
EDIT BY GREG (DEVELOPER): This comment is not entirely correct, the master password is very difficult to crack, and uses a different algorithm to protect it than the disk images use to encrypt the data. Comparing them is not easy because the amount of data encrypted is vastly different. Please see my reply (https://www.taoeffect.com/forum/index.php?topic=2323.msg5292#msg5292) lower down in this thread.

QuoteAre you saying the master password is easier to crack because it is generated by the user and may not be as random as the passphrase for the sparse image?

Yes, this is what I'm saying. The disk image passwords are very strong, so the weakest link is probably your master password, as we do not tend to create such a complex 30 character passwords.

I hope this helps.

Zsolt
Title: Re: How easy is to crack E3 Master Password?
Post by: greg on July 06, 2013, 12:15:16 PM
As advertised on Espionage 3's homepage, Espionage uses SCRYPT:

https://www.tarsnap.com/scrypt.html
https://en.wikipedia.org/wiki/Scrypt

As far as I'm aware, at the moment scrypt is the most advanced and difficult to crack key derivation algorithm there is (it certainly seemed to be at the time I chose it).

From the website:

QuoteWe estimate that on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2.

Have a look at the scrypt site (https://www.tarsnap.com/scrypt.html) for more details. 1Password, for example, uses PBKDF2 instead of scrypt to protect its master password, so make sure your password is long and strong. Using a long string of unrelated words separated by spaces is a very good technique (https://xkcd.com/936/) to create a memorable, yet hard to crack master password:

(https://sslimgs.xkcd.com/comics/password_strength.png)

The master password encrypts all of the individual, long, random passwords for the encrypted disk images that Espionage uses. This is far less data to mess with than the data that the disk images end up encrypting themselves. I'm not entirely sure what the theoretical time is to crack an arbitrary AES-256 disk image image is, and it depends on a lot of factors, including Apple's specific implementation of it. In other words, it's not an easy comparison to make, so I don't have a good answer for you there (yet), but rest assured, we've made sure to protect your master password with the best encryption we could find.
Title: Re: How easy is to crack E3 Master Password?
Post by: algospe on July 08, 2013, 03:16:05 PM
Thanks to "usergnome" for capturing the essence of the question, and to TaoEffect Team to follow-up though you may be still missing the point... fact is that common people we are lazy to learn lengthy passwords ( or maybe it is only me?) so either we use "Password Gorilla" or similar to keep track of 100`s of passwords... my initial point is requesting a mechanism to deter the cracker from guessing "simple passwords" entered by "common people" (  similar to the mechanism implemented by Apple in iOS ) ... so say I define a Master Password which is 4 character long then such mechanism should deter people from cracking this password by delaying access to the application longer every time entered password fails... understand this puts pressure on the programmer to code this mechanism into E3 otherwise you are asking users to learn lengthy "easy to remember" passwords...  for sure these once encrypted by SCRYPT will take forever to crack... just trying TaoEffect Team to make life easier for "common people"... TaoEffect Team will you give it a try?
Title: Re: How easy is to crack E3 Master Password?
Post by: greg on July 08, 2013, 06:45:16 PM
Quote from: algospe on July 08, 2013, 03:16:05 PM
Thanks to "usergnome" for capturing the essence of the question, and to TaoEffect Team to follow-up though you may be still missing the point... fact is that common people we are lazy to learn lengthy passwords ( or maybe it is only me?) so either we use "Password Gorilla" or similar to keep track of 100`s of passwords... my initial point is requesting a mechanism to deter the cracker from guessing "simple passwords" entered by "common people" (  similar to the mechanism implemented by Apple in iOS ) ... so say I define a Master Password which is 4 character long then such mechanism should deter people from cracking this password by delaying access to the application longer every time entered password fails... understand this puts pressure on the programmer to code this mechanism into E3 otherwise you are asking users to learn lengthy "easy to remember" passwords...  for sure these once encrypted by SCRYPT will take forever to crack... just trying TaoEffect Team to make life easier for "common people"... TaoEffect Team will you give it a try?

If someone is using Espionage with the intent of only using it to protect/hide data from "common people" by using a four character password, then they shouldn't be using Espionage because clearly that data is not very important to them. Something like Cloak (http://www.taoeffect.com/blog/2009/05/cloak-manage-your-invisible-files/) should be used instead. Cloak is a free app I wrote that you can use to make files invisible. There are many similar apps to it that you can find on MacUpdate (http://www.macupdate.com).

Espionage 3 is designed to protect your data from organizations with billions of dollars at their disposal. Intentionally using a four character password for the sake of convenience just isn't the sort of scenario it's designed for.

If you really want, you can use Espionage 3 to protect both non-critical data and critical data by using its Folder Sets feature (see its preferences). You can create one Folder Set with a weak 4 character password (make sure to use at least one symbol), and use that Folder Set to protect your non-critical data. Trust me, a delay is not needed at all. For example, if you have a 4 character password consisting of letters (lowercase or uppercase), numbers, and/or symbols, then the number of possible combinations is approximately: (26+26+10+33)^4 = 81450625. If you allow for the possibility of foreign characters it becomes even larger. There is absolutely no reason in that scenario to worry about someone manually guessing a password, because even if they can enter one password per second into the interface, that's ~471 days (over a year) to have a 50% chance of guessing the password. They would die of starvation long before they'd guess it. If you limit yourself to only lowercase letters, that's 26^4 = 456976 possible passwords, or about 2.6 days of typing in a password every second to have a 50% chance of guessing it. Just make sure it's a random password generated by a computer, and not a word found in the dictionary or all numbers.
Title: Re: How easy is to crack E3 Master Password?
Post by: algospe on July 08, 2013, 10:31:52 PM
thanks again for your reply, some comments:
-Nowhere I said I want to "hide" files from anyone, hiding files is so simple, you don´t really need an app for that... and well, you hide files not for security reasons, maybe just to visually clean your desktop or maybe by not mistakenly delete an important file.
-I purchased E3 hoping it would help easy management of Vaults created to protect my data, after so many emails with Zsolt I realized E3 is so cumbersome and dangerous to use I decided to uninstall it, wish I could get a refund... good think there are options, so now I am happily using Macfort together wish Script-Timer.
-I am affraid at Tao Effects you do not like to listen to your customers, I was telling something to Zsolt then he thought I was saying something else, then I am telling something to Greg and he thinks I am saying something completely different... hope four months form now another TE developer looks at this post and gets the point: make things simple for common people to use ( I said common, not dumb...)
-Please learn to listen to your customers and stop believing you have a ´Great Application´ that "common people" does not deserve...
-Good luck.
Title: Re: How easy is to crack E3 Master Password?
Post by: greg on July 09, 2013, 10:09:16 AM
Quote from: algospe on July 08, 2013, 10:31:52 PM
thanks again for your reply, some comments:
-Nowhere I said I want to "hide" files from anyone, hiding files is so simple, you don´t really need an app for that... and well, you hide files not for security reasons, maybe just to visually clean your desktop or maybe by not mistakenly delete an important file.

Yes, I understand.

The reason I mentioned hiding your files instead of encrypting them is because from our perspective, if you decide to encrypt your data with a four character password, then it's almost as bad as not encrypting it at all, and suggests that the data isn't very important to you.

Quote-I am affraid at Tao Effects you do not like to listen to your customers, I was telling something to Zsolt then he thought I was saying something else, then I am telling something to Greg and he thinks I am saying something completely different... hope four months form now another TE developer looks at this post and gets the point: make things simple for common people to use ( I said common, not dumb...)

I'm sorry you feel that way, but I don't understand. Are you saying that Espionage is not "simple for common people" unless we make it take longer to re-enter your master password if you incorrectly type it?
Title: Re: How easy is to crack E3 Master Password?
Post by: algospe on July 09, 2013, 12:05:49 PM
Hello Greg, thanks for your reply.
Quoting Wikipedia:
"Passwords or passphrases created by humans are often short or predictable enough to allow password cracking."
http://en.wikipedia.org/wiki/Key_stretching
I do agree 100%,   common people do not want to remember too many different lengthy "easy to remember" passwords... this is the reason why applications such as "Password Gorilla" or "1Password" are so popular.
I am happy to hear  E3 is using a powerful encrypting engine to protect the Master Password ( SCRYPT) provided it is long and complex enough....., took time but my initial question is answered, thanks. ( You may want to make this fact visible in your marketing material?)
Now, my original request was to make things simpler for common people to choose the length or password they want ( read Wikipedia entry above) then having your E3 application protecting it by delaying access to E3 every time a wrong password is entered, just a simple feature request to enhance E3 ( btw implemented in iOS to protect "Restrictions"; TE blog does not allow to upload pics). Free (ex) E3 user feedback, thanks.
Title: Re: How easy is to crack E3 Master Password?
Post by: zsolt on July 09, 2013, 02:29:22 PM
Hello, I already submitted your feature request to the list of requested features.
I hope it will make it's way into one of the upcoming releases.

Rgds
Zsolt