On 26.08.20 21:19, Mark wrote:
Could you elaborate a bit more on the new and improved Master Password security?

It's a "password based encryption" (PBE) mechanism.

The password chosen by the user is used with a PBE algorithm to encrypt information (such as keys and individual passwords, and in our scenario the automatic passphrase that protects the OpenPGP secret keys).

An attacker, or a "password recovery program" attempts to find the correct password using brute force, either trying all possible passwords, or trying words from a dictionary.

The more time it takes to try one candidate password, the more time it takes for a brute force search approach to succeed.

When performing PBE, one input is the password itself, and another variable is the "iteration count", which defines how often a calculation is repeated.

The higher the iteration count, the more time it takes to encrypt or decrypt the data. The iteration count can be chosen at the time data is encrypted.

Unfortunately, old versions of NSS/Firefox/Thunderbird always used an iteration count of one (1) for the Master Password.

Consequently, a brute force attack could try many candidate passwords in a very short amount of time.

With NSS 3.48 and newer, as used by Thunderbird 78, the iteration count has been changed to 10000.

The longer the password chosen by the user, the more combinations need to be tried by an attacker to find it.

Let's say the chosen password had a complexity that previously allowed it to be found in 1 hour by a fast computer.

With the newer software (assuming you set/updated the password with the new software version), it would take 10000 hours to find the same password, or almost 14 months.

Kai


_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
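The cost scaling Kai describes above, as an added worked example that is not part of the original thread and not NSS's or Thunderbird's own code. It stands in PBKDF2-HMAC-SHA256 from the Python standard library for the PBE step (NSS's actual Master Password algorithm is not named in the mail, so this is an assumption), adds a random salt as any sane PBE does, and exposes the one knob the mail is about: the iteration count. It also shows the defender-side check that matters in practice, flagging a record that was protected under the old count of 1 and therefore still needs the password to be re-set under the new software; the wordlist and password are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Iteration counts quoted in the mail: old NSS used 1, NSS 3.48+ (Thunderbird 78) uses 10000.
OLD_ITERATIONS = 1
NEW_ITERATIONS = 10000


@dataclass(frozen=True)
class PbeRecord:
    """What gets stored: salt, the iteration count it was made with, and the derived key.
    In real PBE the derived key would wrap the secret (e.g. the OpenPGP passphrase);
    here we keep only the key so verification can be demonstrated."""
    salt: bytes
    iterations: int
    key: bytes


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    # Stand-in PBE primitive (assumption: PBKDF2-HMAC-SHA256, not NSS's exact scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def protect(password: str, iterations: int) -> PbeRecord:
    # The iteration count is fixed at encryption time, as the mail notes.
    salt = secrets.token_bytes(16)
    return PbeRecord(salt, iterations, derive_key(password, salt, iterations))


def verify(password: str, record: PbeRecord) -> bool:
    # Re-derive with the stored parameters and compare in constant time.
    candidate = derive_key(password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.key)


def dictionary_search(record: PbeRecord, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Defender's cost model: every candidate costs one full derivation at the
    stored iteration count. Returns (match or None, candidates tried)."""
    tried = 0
    for word in wordlist:
        tried += 1
        if verify(word, record):
            return word, tried
    return None, tried


def is_weakly_protected(record: PbeRecord, minimum: int = NEW_ITERATIONS) -> bool:
    """Audit check: a record made under the old count stays weak until the password
    is re-set with the new software, which is exactly the caveat in the mail."""
    return record.iterations < minimum


def scaled_search_time(base_hours: float, old_iterations: int, new_iterations: int) -> float:
    # Brute-force time grows linearly with the per-candidate cost.
    return base_hours * new_iterations / old_iterations


def hours_to_months(hours: float) -> float:
    # Average month length of 365.25 / 12 days.
    return hours / (24 * 365.25 / 12)


def seconds_per_candidate(iterations: int, samples: int = 20) -> float:
    """Rough wall-clock cost of one derivation; for demonstration only (not asserted on)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed sample data.
WORDLIST = ["123456", "password", "letmein", "correct horse", "qwerty"]
SAMPLE_PASSWORD = "correct horse"


if __name__ == "__main__":
    old = protect(SAMPLE_PASSWORD, OLD_ITERATIONS)
    new = protect(SAMPLE_PASSWORD, NEW_ITERATIONS)
    for label, rec in (("old", old), ("new", new)):
        found, tried = dictionary_search(rec, WORDLIST)
        print(f"{label}: iterations={rec.iterations} tried={tried} weak={is_weakly_protected(rec)} "
              f"~{seconds_per_candidate(rec.iterations) * 1e3:.2f} ms/candidate")
    hours = scaled_search_time(1, OLD_ITERATIONS, NEW_ITERATIONS)
    print(f"1 hour under the old count becomes {hours:.0f} hours, about {hours_to_months(hours):.1f} months")
```

Running the script prints the per-candidate cost at both counts on your machine and reproduces the mail's arithmetic (1 hour becomes 10000 hours, roughly 13.7 months). The `is_weakly_protected` check is the piece an operator actually wants: it is the iteration count stored with the record, not the software version, that decides how much work an attacker faces.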
