aWallet master password recovery

8/17/2023

NOTE: This question is a subpart of the original question on aWallet Password Manager posted on Cryptography.StackExchange. As suggested by I'm posting it here since the topic of the question is better suited for InformationSecurity.StackExchange.

After reading a lot of articles on ramping up the security of my web accounts, I started using aWallet Password Manager for Android to back up my passwords.

- I'm able to have fairly good-entropy passwords: I'm able to throw in a mixup of lowercase & UPPERCASE alphabets, digits, special characters (including spaces) and have reasonably long passwords (10+ characters).
- Saving my passwords securely allows me to have distinct passwords for each web account which would otherwise be impossible. This would avert a cascading effect (giving away credentials of all accounts) that would be created if one of my accounts, whose login credentials I share with several accounts, gets compromised.

Needless to say, that 2nd point is debatable because having all credentials stored at a single place introduces a single-point of failure and poses an equal risk of the chain-reaction mentioned earlier.

Given my limited knowledge of cryptography and doubts around privacy (given recent incidents of online thefts), I want to testify the security of aWallet Password Manager before storing my Banking / Card details in it.

Here's what they claim on their Google PlayStore page:

- All data is encrypted, including Entry names, Category definitions.
- Encrypts data using AES and Blowfish algorithms with key sizes of 256, 192 and 128 bits.
- When the data file is decrypted, up to all combinations of algorithm, key size and cipher mode of operation (CBC, CFB, OFB and ECB) are tried with the Master password to unlock the data file. The app itself does not store any hint to the actual cipher, key size or cipher mode of operation.
- Uses a randomly generated 'salt' combined with the Master password. Salt helps to protect from off-line dictionary attacks.
- The key to open the data file is created by combining your master password with the 512-bit 'salt'. The result is hashed 1000 times by SHA-256. Repetitive hashing makes a brute force attack more difficult.

While none of these points make a lot of sense to me, the little bit that I know about Cryptography tells me that repeating an encryption technique multiple times doesn't Mathematically improve the security; it may only give one a false impression of added security.

And because of this inconsistency, I started doubting the validity of their other claims.

- Is there a tool / technique that I could use to attempt to decrypt the data.crypt file used by aWallet app so as to test its security?
- aWallet doesn't offer any cloud storage of their own and allows us to (optionally) back up the data.crypt file onto Google Drive or Dropbox. How safe would that be given that I use 2-Factor-Authentication for my Google account?
- In general, is it safe to store login credentials or banking details or both in a password manager?

Please note: This post actually answers the question(s) in the question and doesn't comment (much) on the security of aWallet. I suggest you visit the Crypto.SE version of this question for a review of the cryptographic details.

> Is there a tool / technique that I could use to attempt to decrypt the data.crypt file used by aWallet app so as to test its security?

A quick search turned up nothing, so I suppose that this password manager isn't big enough / hasn't seen enough research to have made somebody else write a tool to attack this password manager.

> aWallet doesn't offer any cloud storage of their own and allows us to (optionally) back up the data.crypt file onto Google Drive or Dropbox. How safe would that be given that I use 2-Factor-Authentication for my Google account?

Assuming aWallet's security measures are actually good and you use a strong password and / or a local key file, then uploading the encrypted password database to a cloud service doesn't hurt security, as your password and / or keyfile still protect the passwords. Of course the added authentication and access control of these cloud services means that chances are only you and the provider have access and it's usually in the provider's best interest to not leak user files.

> In general, is it safe to store login credentials or banking details or both in a password manager?

Yes, very much so, if the password manager is decent. Using a password manager allows you to easily have unique, strong passwords per website, meaning a compromise of your password database or your local client is required. As we have already established, a compromise of the backup is prevented by the strong password, so this leaves the client compromise as the vector to learn the password.