Add Option to store no hashes on Java-Desktop-App

Cliff

01 Jan, 2015 11:14 PM

I would prefer to have no check of whether I've entered the Master Password correctly (in the Java desktop GUI).
Because in that case there would be no hashes at all that could be brute-forced by an attacker.
Yes, in that case I can log in with a generated password to see whether there is a typo or not. But an attacker can also only do this.
So I would like to have an option for this behavior.
Thanks in advance!

  1. Support Staff 1 Posted by Maarten Billemo... on 02 Jan, 2015 12:00 AM

    Hey Cliff,

    Two things:

    1. The hash is currently a SHA-256 of a 64-byte key, which means there are 6277101735386680763835789423207666416102355444464034512896 permutations to test. Even at a hypothetical speed of 5 billion USD worth of GPUs combined and devoted 100% to breaking your hash at a rate of 35,642,857,142,857,142 guesses per second, it would still take about 5725625218879999687704801695498240 years to search the space. This is unlikely to be the weakest link into your accounts.

    2. This option does already exist. Tick the "incognito" box on the bottom of the login frame.

    Cheers and let me know if you have any further thoughts,
    Maarten.

  2. Maarten Billemont closed this discussion on 02 Jan, 2015 12:00 AM.

  3. Cliff re-opened this discussion on 02 Jan, 2015 12:47 AM

  4. 2 Posted by Cliff on 02 Jan, 2015 12:47 AM

    Hi Maarten,
    thanks for your quick and clear answer.
    One addition to your second point: I recognized the Incognito mode, but then I have no access to my previous sites. I suggested an interim solution, so I can also access my saved site configurations (for usability) without a Key-ID in the .mpsites file.
    I agree with you that this isn't the weakest link to my accounts. But my suggested option adds a plausible-deniability feature, or am I wrong (I wrote that with the comic from your FAQ site in mind ;) )?
    (BTW: I just found a dirty workaround: to delete the Key-ID line after every use in the ~/.mpw.d/username.mpsites file)

    Thanks again and good evening,
    Cliff

  5. Support Staff 3 Posted by Maarten Billemo... on 02 Jan, 2015 03:40 PM

    Hey Cliff,

    That's right, you can remove the KeyID from the mpsites file. For the moment, the best recommendation I have to implement this functionality is to fork the repo on GitHub and modify it to not save the KeyID, by commenting out this line: https://github.com/Lyndir/MasterPassword/blob/master/MasterPassword...

    Since I don't really have any "user preferences" yet, I'm not yet able to add this. I'll keep it in the back of my mind, though, for as soon as the Java GUI is expanded with a preferences section to include this as a user option.

  6. Maarten Billemont closed this discussion on 02 Jan, 2015 03:40 PM.
