One Password to Rule Them All: Breaking into 1Password, KeePass, LastPass and Dashlane

August 10th, 2017 by Oleg Afonin

We’ve just updated Elcomsoft Distributed Password Recovery with the ability to break master passwords protecting the encrypted vaults of four popular password keepers: 1Password, KeePass, LastPass and Dashlane. In this article, we’ll talk about the security of today’s password managers and explain what exactly we did and how encrypted vaults can be broken into.

Password managers are nothing new. They’ve been around for years, helping users store, organize, and use passwords. They are designed to solve the problem of password reuse, which gets more attention every year as the number of online accounts used by the average consumer grows. Various studies conducted in 2015 and 2016 suggest that, while the average consumer has 20 different online accounts, that same consumer uses only 7 different passwords, and even those 7 are based on as few as 3 truly unique passwords. The rest are variations of one or more strings such as “password”, “password1”, “password1959”, “Password1”, and so on.

20 online accounts. 7 different passwords. Only 3 of them are unique.

At least in theory, password managers can increase overall security by relieving users of the need to memorize a number of unique, strong passwords. This in turn lets users supply secure authentication credentials without reusing the same password on different resources. Most password managers keep authentication credentials (logins, passwords and other data) in an encrypted vault and use a single user-provided master password to encrypt those other passwords.

Obviously, if the master password is compromised, every other password stored in the vault is compromised as well. Back in 2012, we conducted a study of then-popular password keepers. The report indicated that very few of those products were significantly more secure than storing passwords in a plain-text file. In 2017, the picture is different, with quite a few secure options available, including 1Password, KeePass, LastPass and Dashlane.

Today, the overall security of password managers is debatable. On the one hand, using unique, secure passwords for different accounts is strongly recommended. On the other hand, if the one master password is compromised or can be recovered, the attacker gains access to the complete database containing all of the user’s passwords and authentication credentials.

Are password managers more secure than keeping a list of passwords in a single Excel spreadsheet? Not necessarily, but this lack of security is easily offset by the extra convenience offered by password managers compared to an Excel spreadsheet.

Elcomsoft Distributed Password Recovery 3.40 now supports four major password manager apps: 1Password, KeePass, LastPass and Dashlane. The tool allows experts to attack a single master password and gain access to the content of the encrypted vault, exposing any passwords, authentication credentials and other sensitive information (identity documents, credit card data, etc.).

The full list of password managers supported by Elcomsoft Distributed Password Recovery 3.40 includes:

1Password

1Password is one of the more secure password keepers. EDPR can attack master passwords protecting encrypted vaults in all versions of 1Password, including the Windows, macOS, iOS and Android apps. In addition, we support encrypted vaults backed up to Dropbox and iCloud Drive. In other words, 1Password vaults are fully supported regardless of source and platform.

LastPass

LastPass is one of the most popular cloud-based password managers. Unlike KeePass, its Android version properly uses the protected storage area, keeping its data in its own private sandbox (/data/data/com.lastpass.lpandroid); as a result, root access is required to extract the data.

EDPR supports LastPass plug-ins for desktop Web browsers running on Windows, macOS, and even Linux. The Android version is supported if you are able to extract the encrypted vault and metadata (root access is required).

Note: in order to extract the LastPass encrypted vault and metadata, you must use EDPR Disk Encryption Info, a supplemental utility shipped with EDPR. The tool makes it easier for experts to extract and de-obfuscate the password hash using this metadata.

KeePass

KeePass does not have built-in backup capabilities. It uses two distinctly different vault formats: .kdb (KeePass 1.x) and .kdbx (KeePass 2.x). EDPR supports both vault formats as created by the KeePass apps and most of their clones on all platforms.

Interestingly, when researching KeePass, we discovered that KeePassDroid, one of the popular Android apps, keeps its encrypted vault in public storage:

/storage/emulated/0/keepass/keepass.kdbx

This file is easily accessible and extractable. Why the developers decided not to protect the database by placing it in the app’s sandboxed storage is a mystery.

Dashlane

EDPR supports Windows and macOS versions of this password manager.

Benchmarks

Different password managers take different approaches to security. As an example, LastPass generates the encryption key by hashing the username and master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs even more rounds of hashing. This is designed to slow down brute-force attacks, and it almost works. Granted, these are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing.

Therefore, this is the benchmark. We’ve added RAR5 and Office 2016 to the chart for comparison’s sake. Higher numbers represent higher recovery speeds.
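As an added illustration of the key derivation described in this section (example code written for this page, not code from Elcomsoft, LastPass or 1Password), the block below writes out PBKDF2-HMAC-SHA256 step by step, derives a LastPass-style vault key from a constructed username and master password, verifies a candidate against a stored verifier, and measures how the single-core guess rate falls as the round count rises. The username-as-salt convention, the demo account values and the function names are assumptions of this example, and the calibration helper shows the defender's side of the same arithmetic: tuning rounds so one unlock costs about a second on the user's own machine.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, rounds: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-SHA256, written out step by step.

    Each output block T_i is the XOR of `rounds` chained HMAC values:
        U_1 = HMAC(password, salt || INT_32BE(i))
        U_j = HMAC(password, U_{j-1})
        T_i = U_1 xor U_2 xor ... xor U_rounds
    Every round is one HMAC that the legitimate client and a guessing
    attacker both pay for, which is why the round count is the knob
    that slows brute force down.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    hlen = hashlib.sha256().digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return bytes(out[:dklen])


def matches_stdlib(password: bytes, salt: bytes, rounds: int, dklen: int = 32) -> bool:
    """Cross-check the step-by-step version against hashlib's C implementation."""
    return pbkdf2_hmac_sha256(password, salt, rounds, dklen) == \
        hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen)


# Constructed demo values for this example; not real account data.
DEMO_USERNAME = "alice@example.com"
DEMO_MASTER_PASSWORD = "correct horse battery staple"
LASTPASS_STYLE_ROUNDS = 5000  # the round count the article quotes for LastPass


def derive_vault_key(username: str, master_password: str, rounds: int) -> bytes:
    """Derive a 256-bit vault key the way the article describes for LastPass:
    PBKDF2-SHA256 over the master password, salted with the username.
    Assumption of this example: the username is used verbatim as the salt and
    both strings are UTF-8 encoded; the real client's rules are not on the page."""
    return pbkdf2_hmac_sha256(master_password.encode("utf-8"),
                              username.encode("utf-8"), rounds, 32)


def make_verifier(username: str, master_password: str, rounds: int) -> str:
    """What a client can store to recognise the right master password later:
    a hash of the derived key, never the key or the password itself."""
    return hashlib.sha256(derive_vault_key(username, master_password, rounds)).hexdigest()


def check_master_password(username: str, candidate: str, rounds: int, verifier: str) -> bool:
    """Re-derive the key from a candidate and compare in constant time.
    Each check costs the full `rounds` HMACs, for the user and a guesser alike."""
    derived = hashlib.sha256(derive_vault_key(username, candidate, rounds)).hexdigest()
    return hmac.compare_digest(derived, verifier)


def guesses_per_second(rounds: int, samples: int = 5) -> float:
    """Single-core guess rate at a given round count, using hashlib's C code.
    Throughput falls linearly as rounds rise; a GPU cracker is the same
    calculation on far more cores, which is what the article benchmarks."""
    start = time.perf_counter()
    for n in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % n, b"salt", rounds, 32)
    return samples / (time.perf_counter() - start)


def calibrate_rounds(target_seconds: float, probe_rounds: int = 2000) -> int:
    """Choose a round count so one derivation takes about `target_seconds`
    on this machine (the idea behind KeePass's option to tune rounds to
    roughly one second). Assumes cost is linear in rounds, which PBKDF2 is."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"salt", probe_rounds, 32)
    elapsed = time.perf_counter() - start
    return max(1, int(probe_rounds * target_seconds / elapsed))


if __name__ == "__main__":
    verifier = make_verifier(DEMO_USERNAME, DEMO_MASTER_PASSWORD, LASTPASS_STYLE_ROUNDS)
    print("correct master password accepted:",
          check_master_password(DEMO_USERNAME, DEMO_MASTER_PASSWORD, LASTPASS_STYLE_ROUNDS, verifier))
    print("wrong master password rejected:",
          not check_master_password(DEMO_USERNAME, "password1", LASTPASS_STYLE_ROUNDS, verifier))
    for r in (LASTPASS_STYLE_ROUNDS, 100_000):
        print(f"{r:>7} rounds: {guesses_per_second(r):8.1f} guesses/s on one CPU core")
    print("rounds for ~1 s per derivation on this machine:", calibrate_rounds(1.0))
```

Run it directly to see guesses per second at 5,000 and 100,000 rounds; the ratio between the two is the whole story behind the benchmark chart. Every extra round is one more HMAC an attacker must compute per guess, and the vault owner pays the same cost once per unlock, which is why calibrating the round count to about a second on the user's own hardware is the usual compromise.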

Conclusion

Password managers are becoming increasingly common, and forensic support for them is essential. Our solution provides the industry’s fastest GPU-accelerated, distributed recovery of master passwords protecting password managers’ encrypted vaults, allowing experts to gain access to users’ most sensitive information. The current release of Elcomsoft Distributed Password Recovery supports encrypted vaults produced by the four popular password managers. With the exception of LastPass, which requires the supplied EDPR Disk Encryption Info tool to extract the encryption metadata, the additional formats can be attacked using exactly the same workflow as most other supported formats.

Additional Resources

We collected a short list of resources you may find useful.




17 Comments on "One Password to Rule Them All: Breaking into 1Password, KeePass, LastPass and Dashlane"

bob
Guest

Sales person trying to sound technical spotted! No news in this post, brute-forcing (which is your solution) would still not be a viable option for a reasonably good pwd…

Using Dashlane, and a master password of 8 Char (a-zA-Z0-9 and special chars), your cracking station would still need about 1650 years…
As anybody sane would use a longer password as a master pwd, the title of this post is misleading.

“fake news” as someone would say!

phoerious
Guest

It is also worth noting that the number of transformation rounds in KeePass can easily be customized (same for KeePassXC and KeePassX). There is even an option to automatically calibrate the number of rounds to require about 1 second per password attempt on your current machine.

Also the new KDBX4 format wasn’t mentioned at all, which uses Argon2 as its key derivation function. Argon2 was specifically designed to make brute-force attempts really hard and memory consuming (even on GPUs).

Retro
Guest

UTF-8 has +11000 codepoints. A doofus 5 character password renders 11000^5 combinations. Even if you can do 100 billion combinations per second, it would still be impossible to brute force.
Password rule nr1: Always use a ÇÒ|ı^ı||L∑xƒu©kingP∆∫∫wÒrD

Neel
Guest

I thought someone suddenly broke all this! but no everything is fine. Okay. You’re safe. Bye!

NotWorried
Guest

Well, ok. Let’s say your password is just 12 characters long and only contains letters. Let’s say an attacker tries to brute-force it with about 130000 attempts per minute – with a single device – and let’s say the said attacker has 1000 of those devices. Cracking the password this way would still take ≈20000 years. Or as WolframAlpha puts it: 5 × time since the last glacial maximum. No, I’m not worried.

wrkc
Guest

The article didn’t mention the use of two-factor authentication: master password and key file. It would make a brute-force attack and this recovery kit useless.

Anonymous Gerbil
Guest

I actually find it useful to have the keepass kdbx file in public storage in android, because then I can sync it with my desktop keepass. Admittedly, I have bumped up the number of encryption rounds so it takes about a second to decrypt even on desktop (and 2-3 seconds on android).

Thanks for the article! It’s nice to see real-world numbers on password attempts per second. (Somewhat reassuring, too.)

Dindu Nuffin
Guest

go ahead you dindus… i dare you to try!!

Jeffrey Goldberg
Guest

Hello, I am Jeffrey Goldberg from AgileBits, the makers of 1Password. I am perplexed by your results. In the latest version of 1Password, we use 100,000 rounds of PBKDF2-HMAC-SHA256 in our Key Derivation Function (KDF). Our immediately previous data format (OPVault) used at least (calibrated) 40,000 rounds of PBKDF2-HMAC-SHA512. Only early versions of our long deprecated Agile Keychain Format, which may have used as few as 10,000 rounds of PBKDF2-HMAC-SHA1, would make sense for the results that you report. Is that the data format you can recover? If you are going after the old Agile Keychain Format, then I… Read more »
Jeffrey Goldberg
Guest

It looks like I have to apologize. In 1Password for Windows 7, we have not been using as many PBKDF2 iterations as we thought. (How we made the mistake is not quite as dumb as that sounds; but we are not just going to get this addressed quickly, we’re addressing how we (me) let this get by.) What I would like to point out is that once you have a “sufficient” number of PBKDF2 iterations, you start running into diminishing returns on increasing the slowness of a slow hash. Remember that adding a single randomly chosen digit to your… Read more »
Someone who read the whole article
Guest

TL;DR version: we try to brute-force your passwords and you should not worry if they are unpredictable enough. But we used a threatening title just in case.

Sabri
Guest

Would you test Enpass, please?

Vladimir Katalov
Admin

Thanks all for your comments! We have published an update:

https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/
