Password Safe

The 2014 year is, so far, disturbing for people who care about the security of their data. The deeper serious people dig into openssl, the weaker it seems, and corporations still consider than unsalted md5’s are the state of art for storing passwords in their customer databases.
So time as come for the password spring-cleaning, and it is now obvious that a tool is required for remember the distinct passphrases (15+ characters) required to maintain some security online.

Two tools are prevalent for this job, KeepAss and Password Safe. Even if KeepAss seems serious (it has received the first level of certification of the french IT securiy agency), it relies on the System.Security library provided by the .NET bulls^W framework and I prefer to stay away from the mono execution environment. Instead, Password Safe, which is now available as a native port for GNU/Linux (but still in beta), seems to be a better alternative (it was first designed and still recommended by B. Schneier).

Build on Gentoo

There is no Gentoo package available yet for Password Safe, but it can be built easily from source. Once the .tar.gz archive for source and its corresponding signature are downloaded, import the key used to sign the packages, and verify the archive :

$ gpg --keyserver pgp.mit.edu --recv-keys 5CCF8BB3
$ gpg --verify pwsafe-0.93BETA-src.tgz.sig

Then, install the packages required as dependencies :

# emerge -va x11-libs/wxGTK:2.8 dev-libs/xerces-c

Then build Password Safe without Yubikey support :

$ NO_YUBI=1 make release

Security

Password safe had a few vulnerabilities since its creation, especially in its key derivation function [1] [2].
A quick look at the current code will show the bases are serious : /dev/random is used as source of entropy, Twofish is used as encryption cipher and the difficulty for the password key derivation function can be adjusted (but I found a little bug – patch for V0.93 beta available here).

The latest doubt about Password Safe was related to a SHA-256 calculation speed increase for brute-force attacks [3].
Short explanation : FUD.
Long explanation : Password Safe processes the SHA-256 iterations directly using the last SHA-256 hash result as input. The SHA-256 hash calculation is done in a main loop and internal values can be kept between iterations, so pre-processing and final hash calculations can be avoided for the intermediate iterations in order  to increase hash speed [4]. No weakness here, only an implementation optimization, pushed last year into John the Ripper and which brings a speed increase of about 10% for a brute-force attack. Since then, Password Safe offers the possibility to increase the number of iterations for key derivation from 2048 (default) to 4194304, hardening this type of attacks.

But keep in mind that GPUs, ASIC hardware or even the next Intel microarchitecture [5] can process SHA-256 operations extremely fast, so the required number of iterations (a.k.a. “Unlock Difficulty” in the security options) must be increased and a strong passphrase must be used.
The maximum difficulty can also be adjusted to a higher value in src/core/PWSfile.h (patch here). A value of 2^25 requires about 30s for unlocking on my current laptop, but greatly decreases the efficacy of a brute-force attack.

Additionally, it could also be a good idea to add some compilation flags to the default Makefile, as provided in this patch.


[1] : http://cxsecurity.com/cveshow/CVE-2005-3801
[2] : http://sourceforge.net/p/passwordsafe/bugs/334/
[3] : http://www.ballastsecurity.net/2012/07/auditing-of-password-safe-continues.html
[4] : http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf (page 7)
[5] : http://en.wikipedia.org/wiki/Intel_SHA_extensions