Florian Weimer of the Debian security team writes:
> I think the proper fix would be to encode the password in UTF-8 for
> new encryptions, and try both the old cp1252 method and the new one on
> decryption.
>
> I would add this information to the Launchpad bug, but for some
> reason, I get error
** Changed in: keepassx (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1214844
Title:
Non-CP1252 characters in passwords are insecure
To manage notifications
Ross, Felix, David, thanks for the feedback.
At least the key derivation function isn't as bad as I feared. It might
not be standardized but it isn't obviously bad.
An update to warn about a password that contains non-cp1252 characters
feels appropriate to me. (Refusing to use non-cp1252 characte
Rather than simply displaying a warning if non-CP1252 characters were
entered, I think it would be better if keepassx refused to allow
non-CP1252 characters to be used when setting a new password. There should
perhaps be a warning when entering them on opening a database, to change
your password A
Seth, I'll leave it to your judgement as part of the Ubuntu Security
Team on whether and how to escalate this. Personally I would err on the
side of removing the decision from the user as we've seen, time and
again, that ordinary users just do not have the ability to make rational
judgements over q
sorry s/less secure/less serious/
I am not sure why a program being intentionally insecure makes the
vulnerability any less secure?
This silently removes _all_ security from any user who uses a password
comprised solely of non-CP1252 characters, from a product designed to
improve security. How could this make anyone more vulnerab
The only mitigation that I think is viable would be to display a warning
when non-CP1252 password chars are used.
The key derivation function works like this:
The password is hashed with sha256, encrypted x-times with a random key, then
the result is concatenated with 16 random bytes and hashed again.
finalKey = sha256(seed || key(sha256(password), iterations, transformSeed))
key(password, 1) = aes256cbc(pa
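The following is an added example, not code from keepassx or from anyone in this thread. It models the encoding problem the bug describes and the fix Florian Weimer proposes above (UTF-8 for new encryptions, try both the old cp1252 path and UTF-8 on decryption), plus the "warn or refuse" check discussed earlier. Assumptions: the legacy path is modelled as a lossy cp1252 conversion that turns unrepresentable characters into '?' (the thread only says such characters are insecure, not what they become); the key derivation is a simplified stand-in for the one described in the comment above, keeping the sha256(password) and sha256(seed || ...) stages but omitting the iterated AES transform, which Python's standard library does not provide. All passwords and seeds are constructed test values.

```python
import hashlib


def legacy_password_bytes(password):
    """Model of the legacy path: characters outside cp1252 collapse to a
    single replacement byte. ASSUMPTION: the replacement is '?'."""
    return password.encode("cp1252", errors="replace")


def utf8_password_bytes(password):
    """Lossless encoding for newly created databases."""
    return password.encode("utf-8")


def non_cp1252_chars(password):
    """Return the characters that cp1252 cannot represent. An empty list means
    the password would survive the legacy path unchanged; a non-empty list is
    what a 'warn on open' or 'refuse on set' check would act on."""
    bad = []
    for ch in password:
        try:
            ch.encode("cp1252")
        except UnicodeEncodeError:
            bad.append(ch)
    return bad


def derive_key(password_bytes, seed):
    """Simplified stand-in for the KDF described in the thread (assumption):
    hash the password bytes, then hash the random seed together with that
    result. The iterated AES stage is omitted; the encoding defect happens
    before the first hash, so it is unaffected by that omission."""
    inner = hashlib.sha256(password_bytes).digest()
    return hashlib.sha256(seed + inner).digest()


def create_database(password, seed):
    """Key for a newly created database: always UTF-8, never the lossy path."""
    return derive_key(utf8_password_bytes(password), seed)


def open_database(password, seed, stored_key):
    """Try UTF-8 first, then the legacy cp1252 conversion, so that both new
    and old databases open. Returns the name of the encoding that matched,
    or None if neither key matches."""
    candidates = (
        ("utf-8", utf8_password_bytes),
        ("cp1252-legacy", legacy_password_bytes),
    )
    for name, encoder in candidates:
        if derive_key(encoder(password), seed) == stored_key:
            return name
    return None


if __name__ == "__main__":
    seed = bytes(range(16))                      # constructed 16-byte seed
    # Legacy database created from a Cyrillic-only password: the key is
    # really derived from b"??????", so any six non-cp1252 characters open it.
    legacy_key = derive_key(legacy_password_bytes("пароль"), seed)
    print(open_database("密码密码密码", seed, legacy_key))  # cp1252-legacy
    print(non_cp1252_chars("пароль"))                     # every character flagged
    # New-format database: the UTF-8 bytes are distinct per password.
    new_key = create_database("пароль", seed)
    print(open_database("密码密码密码", seed, new_key))     # None
```

The check in `non_cp1252_chars` is the same test whichever policy the project picks: refuse the password when it is being set, or warn when an existing database opens with one. Trying UTF-8 before the legacy conversion keeps old databases usable while ensuring that a password containing only characters outside cp1252 no longer collapses to a string of identical bytes on new databases.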
Ross, this is very interesting, nice work.
Because this is an intentional feature of the program, I'm choosing to
not ask for a CVE number, and I'm also just opening the bug report for
public view. This is likely a feature designed to ease inter-operation
with the Windows program of similar name,
** Information type changed from Private Security to Public Security