Thanks for clarifying that a bit. Going from 1 to 10000 is definitely a start in the right direction. However, it still seems low, unless I'm misunderstanding something. I know dedicated password managers such as LastPass, Bitwarden, etc., hash the master password 100K times on the client side and then another 100K times on the server side. Now that we are adding private encryption keys to the collection it is securing, that makes me a bit apprehensive.
On 8/26/2020 2:26 PM, Kai Engert wrote:
> On 26.08.20 21:19, Mark wrote:
>> Could you elaborate a bit more on the new and improved Master Password
>> security
>
> It's a "password based encryption" (PBE) mechanism.
>
> The password chosen by the user is used with a PBE algorithm to
> encrypt information (such as keys and individual passwords, and in our
> scenario the automatic passphrase that protects the OpenPGP secret keys).
>
> An attacker, or a "password recovery program", attempts to find the
> correct password using brute force, either trying all possible
> passwords, or trying words from a dictionary.
>
> The more time it takes to try one candidate password, the more time it
> takes for a brute force search approach to succeed.
>
> When performing PBE, one input is the password itself, and another
> variable is the "iteration count", which defines how often a
> calculation is repeated.
>
> The higher the iteration count, the more time it takes to encrypt or
> decrypt the data. The iteration count can be chosen at the time data
> is encrypted.
>
> Unfortunately, old versions of NSS/Firefox/Thunderbird always used an
> iteration count of one (1) for the Master Password.
>
> Consequently, a brute force attack could try many candidate passwords
> in a very short amount of time.
>
> With NSS 3.48 and newer, as used by Thunderbird 78, the iteration
> count has been changed to 10000.
>
> The longer the password chosen by the user, the more combinations need
> to be tried by an attacker to find it.
>
> Let's say the chosen password had a complexity that previously allowed
> it to be found in 1 hour by a fast computer.
>
> With the newer software (assuming you set/updated the password with
> the new software version), it would take 10000 hours to find the same
> password, or almost 14 months.
>
> Kai

_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
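To make Kai's point about the iteration count concrete, here is a small added example (my own illustration, not code from NSS, Thunderbird or Enigmail). It uses PBKDF2-HMAC-SHA256 as a stand-in for a generic PBE key derivation, which is an assumption; NSS's actual Master Password algorithm and parameters are not reproduced here. The salt, the candidate passwords and the one-million-candidate search space are constructed for the demonstration. It shows three things the mail describes: the iteration count is part of the derivation (the same password gives a different key at a different count, so the count has to be stored with the data), the cost of checking one candidate grows with the count, and a search that took 1 hour at 1 iteration takes 10000 hours at 10000 iterations, i.e. almost 14 months.

```python
import hashlib
import time

# Constructed values for this demonstration; they are not NSS/Thunderbird parameters.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte salt
KEY_LEN = 32            # bytes of derived key material
OLD_ITERATIONS = 1      # what old NSS used for the Master Password (per the mail)
NEW_ITERATIONS = 10000  # NSS 3.48+ / Thunderbird 78 (per the mail)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password-based key derivation. PBKDF2-HMAC-SHA256 stands in here for
    whatever PBE algorithm NSS actually uses (an assumption of this example).
    The iteration count is a real input: the same password and salt yield a
    different key for a different count, so the count must be stored next to
    the encrypted data to be able to decrypt it later."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, KEY_LEN)


def seconds_per_guess(iterations: int, trials: int = 10) -> float:
    """Average wall-clock cost of checking one candidate password at the given
    iteration count. A brute-force search multiplies this by the number of
    candidates, so raising it is the whole point of the NSS change."""
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"candidate-{i}", SALT, iterations)  # constructed candidates
    return (time.perf_counter() - start) / trials


def scaled_search_hours(hours_at_old: float, old_iterations: int,
                        new_iterations: int) -> float:
    """Expected search time scales linearly with the iteration count, all else
    (hardware, password complexity, search strategy) being equal."""
    return hours_at_old * new_iterations / old_iterations


def hours_to_months(hours: float) -> float:
    """Convert using the average Gregorian month (365.25 days / 12)."""
    return hours / (365.25 * 24 / 12)


def expected_search_seconds(candidates: int, secs_per_guess: float) -> float:
    """Worst-case time for an exhaustive search over `candidates` guesses."""
    return candidates * secs_per_guess


if __name__ == "__main__":
    old = seconds_per_guess(OLD_ITERATIONS)
    new = seconds_per_guess(NEW_ITERATIONS)
    print(f"cost per guess: {old * 1e6:.1f} us at {OLD_ITERATIONS} iteration(s), "
          f"{new * 1e3:.2f} ms at {NEW_ITERATIONS}")
    hours = scaled_search_hours(1.0, OLD_ITERATIONS, NEW_ITERATIONS)
    print(f"a 1-hour search becomes {hours:.0f} hours, "
          f"about {hours_to_months(hours):.1f} months")
    # A constructed search space of one million candidates, just for scale.
    print(f"1e6 candidates: {expected_search_seconds(10**6, old):.1f} s before, "
          f"{expected_search_seconds(10**6, new) / 3600:.1f} h after")
```

The measured per-guess cost depends on the machine it runs on, which is why the scaling functions take the old timing as an input rather than assuming one; the linear relationship is what carries over. Note also that the scaling only applies to data encrypted after the change, which is why Kai says the password has to be set or updated with the new software version.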