Question: How safe is EssentialPIM encryption?


a8907433
Guru
Posts: 533
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 107 times

Re: Question: How safe is EssentialPIM encryption?

Post by a8907433 »

This is very interesting. I only understand the basics; I'm an interested user.
But, is an encryption algorithm not..... an encryption algorithm? Is it so very dependent on implementation, CAN it be implemented in software in so different ways? AES is AES, and it is known to be safe, can there be a safe AES and a less safe AES?

I think, with a good password, neither my neighbour nor a hobby programmer or nerd can decrypt my database..... don't you think?

Even the NSA- when a website says: brute force will take 6464646843589687567454 years to decrypt your password?

This is an important question, I don't have secrets that would be worth 100 000 000$, nor do I think the NSA is interested in me..... but from a "normal" criminal I want my data in EPIM to be safe!

I hope, there could be a satisfying answer!

TumbleDoor
Expert
Posts: 85
Joined: Tue Jun 21, 2016 7:19 am
Been thanked: 11 times

Re: Question: How safe is EssentialPIM encryption?

Post by TumbleDoor »

a8907433 wrote:
Tue Mar 17, 2020 7:28 pm
This is very interesting. I only understand the basics; I'm an interested user.
But, is an encryption algorithm not..... an encryption algorithm? Is it so very dependent on implementation, CAN it be implemented in software in so different ways? AES is AES, and it is known to be safe, can there be a safe AES and a less safe AES?
There are many ways to implement encryption; some are vastly safer from different types of attacks than others. How a program handles its encryption and other parts involved can be extremely important to how secure your data is in the long run.

Though of course the more secure the less convenient.

Example:
For best security from raw brute force [not to be confused with password dictionary attacks] you would keep your seed and salt information hidden in a different hard to find file on your system and not part of the database.

Which means you would need to backup a secret key file [or at least your seed and salt info] elsewhere so you didn't lose access to your database since now your password would no longer be enough to decrypt the database.


a8907433 wrote:
Tue Mar 17, 2020 7:28 pm
I think, with a good password, neither my neighbour nor a hobby programmer or nerd can decrypt my database..... don't you think?
As long as there is not an exploit going around for a given program, then a good password is all you need to protect yourself from the average passing-by neighbor or basic hobbyist. Though if you have an avid hobbyist then you need a great password, not a good one. [Great being something that can't be solved using advanced dictionary attacks, and something that can't be found nearby in plain text. I recommend creating your own crazy cipher for your physical passwords; it's a fun hobby.]

a8907433 wrote:
Tue Mar 17, 2020 7:28 pm
Even the NSA- when a website says: brute force will take 6464646843589687567454 years to decrypt your password?
All these estimates are to be taken with bags of salt. Not long ago we had now completely broken encryption standards that were once thought to be unbreakable in x thousands of years. New methods and new advances in technology are unknowns. Quantum computing, for example, has been taking massive strides the past few years and that could lead to today's AES becoming breakable a lot sooner than expected. It's all a very big unknown, though long before today's strongest AES becomes publicly breakable outside of guessing and spying on the password you'll probably get lots of warning and even better encryption will be standard by then.


Also a special note on sites like that:
Take this one: https://howsecureismypassword.net/
If you type in the password: 1997 Appl3 pIe!
It tells you "429 billion years"; this is a lie and only based on classical computer password brute force guessing.
An advanced dictionary attack using a common bitcoin mining rig could likely take that password out in a couple of years or even a couple of months because it uses a year date with real words, a dash of LEET and only one common symbol. In a few years a trained neural network approach will probably be able to take out passwords like that in hours.
a8907433 wrote:
Tue Mar 17, 2020 7:28 pm
This is an important question, I don't have secrets that would be worth 100 000 000$, nor do I think the NSA is interested in me..... but from a "normal" criminal I want my data in EPIM to be safe!
If you define a normal criminal as an average Joe who doesn't know Java from JavaScript, your data is likely safe but not always, since you always have the "no-to-low tech skills needed" methods. For example your neighbor or cable guy or ...etc could sneak into your house and install a cheap & easy physical keylogger they bought online or a wifi hidden camera and get a good and easy chunk of data that way... Which is where 2FA would bring a lot to the table. 2FA would render camera spying and a large chunk of key and screen loggers useless since no matter if the attacker had your database and your password they would also still need your 2FA device or a backup of its settings to make their own. [Which is why systems and EPIM show your password as *'s, so that way you need clipboard and/or keylogging and not just screen logging or a camera.]

Speaking of systems, just a note that Windows is Swiss cheese, so even if you have a strong account password don't think people can't get your files or install loggers if they have physical access to your computer. To have any physical security while using Windows you need to be using hardware encryption, otherwise nearly anyone who knows enough to use Google can get files from your system and install hidden malware with physical access without leaving noticeable traces.

Hardware encryption is built into almost all modern motherboards and hard drives too, so you probably don't need to actually buy anything, just spend time in your BIOS and do a little research along with training yourself to turn your computer off rather than put it to sleep.

This reply got a bit rambly and has some just interesting info in it not related to EPIM.
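As an added illustration (not from this thread or from EssentialPIM), the Python below models the two estimates TumbleDoor contrasts for "1997 Appl3 pIe!": the "classical" brute-force search space that sites like howsecureismypassword.net report, versus a pattern-aware estimate in which a year, a dictionary word with leet/case variation and a lone symbol are each guessed as cheap separate pieces. The wordlist size, year range and guess rate are assumed model constants, not measurements.

```python
import re

# Assumed model constants (not measurements): wordlist size a cracker might use,
# plausible 4-digit years, printable ASCII symbols, and a hypothetical guess rate.
WORDLIST = 100_000
YEARS = 150
SYMBOLS = 33
GUESSES_PER_SEC = 1e10
SEC_PER_YEAR = 365.25 * 24 * 3600

CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", SYMBOLS)]
TOKEN = re.compile(r"\d{4}(?!\d)|[A-Za-z0-9]+|\s+|[^A-Za-z0-9\s]")


def alphabet_size(s: str) -> int:
    """Size of the character set a naive brute-force estimate assumes for s."""
    return sum(n for pat, n in CLASSES if re.search(pat, s))


def brute_force_space(pw: str) -> int:
    """What 'classical' strength meters compute: alphabet ** length."""
    return alphabet_size(pw) ** len(pw)


def pattern_space(pw: str) -> int:
    """Guesses for an attacker who splits the password into human-style pieces.
    Each piece costs the cheaper of (wordlist x per-character case/leet toggles)
    or raw brute force; whitespace is assumed to be covered by a rule, so it is free."""
    total = 1
    for tok in TOKEN.findall(pw):
        if tok.isspace():
            continue
        if re.fullmatch(r"\d{4}", tok):
            total *= YEARS
        elif tok.isalnum():
            total *= min(WORDLIST * 2 ** len(tok), alphabet_size(tok) ** len(tok))
        else:
            total *= SYMBOLS
    return total


def years_to_exhaust(guesses: int, rate: float = GUESSES_PER_SEC) -> float:
    return guesses / rate / SEC_PER_YEAR


def compare(pw: str) -> dict:
    """Both estimates side by side, in guesses and in years at the assumed rate."""
    bf, pat = brute_force_space(pw), pattern_space(pw)
    return {"brute_force": bf, "pattern": pat,
            "brute_force_years": years_to_exhaust(bf), "pattern_years": years_to_exhaust(pat)}


if __name__ == "__main__":
    for pw in ("1997 Appl3 pIe!", r"vu{6*J}JpiYMN\T@4)D1+1997 Was the best year ever for apple pies!"):
        print(pw, compare(pw))
```

For the short password the brute-force figure is about 10^29 guesses while the pattern estimate is about 2×10^15, which at the assumed rate is a matter of days rather than ages; the long passphrase stays far out of reach under both models.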

Argenthos
Novice
Posts: 17
Joined: Sun Aug 26, 2018 8:47 pm
Has thanked: 19 times
Been thanked: 2 times

Re: Question: How safe is EssentialPIM encryption?

Post by Argenthos »

TumbleDoor wrote:
Wed Mar 18, 2020 12:51 am
This reply got a bit rambly and has some just interesting info in it not related to EPIM.
Not at all. People who aren't experts on the subject, like me, are definitely interested in this, especially now that everything is connected.

Please correct me if I am wrong, so if EPIM has the basic AES encryption which serves like a basic lock, with no salt or random seed, etc., the user can improve the security by simply increasing the size of the password, because even if it's a basic encryption and there are no extra "delay mechanisms" the time to break in is increased by the number of characters used.

This is what I always thought about the encryption of EPIM, a good lock, but nothing fancy, but with a good password it would be enough by today's standards to be more than enough to hold back most people.

TumbleDoor
Expert
Posts: 85
Joined: Tue Jun 21, 2016 7:19 am
Been thanked: 11 times

Re: Question: How safe is EssentialPIM encryption?

Post by TumbleDoor »

Argenthos wrote:
Wed Mar 18, 2020 5:40 am
TumbleDoor wrote:
Wed Mar 18, 2020 12:51 am
This reply got a bit rambly and has some just interesting info in it not related to EPIM.
Please correct me if I am wrong, so if EPIM has the basic AES encryption which serves like a basic lock, with no salt or random seed, etc., the user can improve the security by simply increasing the size of the password, because even if it's a basic encryption and there are no extra "delay mechanisms" the time to break in is increased by the number of characters used.

This is what I always thought about the encryption of EPIM, a good lock, but nothing fancy, but with a good password it would be enough by today's standards to be more than enough to hold back most people.
Kind of, by having a static seed and no salt you remove layers of extra protection from certain kinds of attacks, but as far as password attacks go then you can say that yes.

Now as for how you would make a password that did the same thing:

What seeds really do is they add that classical security in on top of your password.
Like the website that says it takes 100+ billion years for a computer to crack the password.
Dictionary attacks, are really attacking the human mind, which is why neural networks are a big deal for them.

So if you go back to the password "1997 Appl3 pIe!" it's really hard for a computer, but pretty easy for a "mind" because it uses a common US date, English words, and common password fidgeting to make it easier for a human mind to remember it. Most humans want to be able to remember their passwords. Thus the issue.

So if you wanted to make a good password that didn't rely on the seed protecting you from dictionary attacks you need to make sure that it is hard for a human and hard for a computer.

For example:

vu{6*J}JpiYMN\T@4)D1+1997 Was the best year ever for apple pies!

Is a great password since it is hard for both computers and minds.

Now of course this assumes there are no back doors or other bad practices in EPIM, which being closed source is impossible to know. For all we know EPIM does something really stupid like stores your password as an MD5 hash somewhere. No matter what your password is, if an attacker can find a weak hash for it, it's toast. That's how a lot of website accounts got hacked. The web devs store the passwords in an at-the-time impossible to break hash that becomes breakable, and since attackers already had the hash sheets stolen, once the hash was broken they had a treasure trove of passwords for accounts. [Which is another reason you should update passwords on important websites from time to time. Your old password could have been stolen as an unbreakable hash today, which means it's safe, but that hash could be broken in the near future.]
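As an added example (not EPIM's code, whose internals are closed and unknown to this thread), here is what the two situations discussed above look like side by side in Python: a fast unsalted MD5 of the password, versus a per-database random salt fed into a slow key derivation (PBKDF2-HMAC-SHA256) with a verifier tag instead of a stored key. The iteration count and the verifier construction are my assumptions; a fixed salt passed to `new_header` models the "static seed, no salt" case.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not EPIM's): PBKDF2-HMAC-SHA256, 16-byte salt, and an
# iteration count high enough that every password guess costs real CPU time.
ITERATIONS = 600_000
KEY_LEN = 32
VERIFIER_LABEL = b"example-db-verifier"   # constant MACed under the key, never the key itself


def unsalted_md5(password: str) -> str:
    """The 'really stupid' case from the post: one fast, unsalted hash.
    Identical passwords give identical digests in every database, so a single
    precomputed table or one cracked digest answers for all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted derivation of the key that would actually encrypt the database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def new_header(password: str, salt: Optional[bytes] = None) -> dict:
    """What a database would store: salt, work factor and a verifier tag (not the key).
    Default is a fresh random salt; pass a fixed salt to model a static seed."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(password: str, header: dict) -> Optional[bytes]:
    """Recompute the key from the stored salt; return it only if the verifier matches."""
    key = derive_key(password, header["salt"], header["iterations"])
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(tag, header["verifier"]) else None


def same_key(password: str, header_a: dict, header_b: dict) -> bool:
    """True when two databases share one key for this password (static seed, no salt):
    cracking or precomputing for one of them then covers the other too."""
    ka, kb = unlock(password, header_a), unlock(password, header_b)
    return ka is not None and ka == kb


if __name__ == "__main__":
    pw = "1997 Appl3 pIe!"
    static = b"\x00" * 16                        # models a hard-coded seed
    print(unsalted_md5(pw) == unsalted_md5(pw))  # True: same digest everywhere
    print(same_key(pw, new_header(pw, static), new_header(pw, static)))  # True
    print(same_key(pw, new_header(pw), new_header(pw)))                  # False
```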

a8907433
Guru
Posts: 533
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 107 times

Re: Question: How safe is EssentialPIM encryption?

Post by a8907433 »

Nobody else interested in the security of his private data in EPIM than three people? This is disappointing.......

lbw2112
Novice
Posts: 27
Joined: Thu Oct 23, 2014 6:47 pm

Re: Question: How safe is EssentialPIM encryption?

Post by lbw2112 »

a8907433 wrote:
Sat Mar 21, 2020 12:28 pm
Nobody else interested in the security of his private data in EPIM than three people? This is disappointing.......
At the time of writing this, there are 439 views on this thread which was just started one week ago. I'd say that's more than three people.

It's a very interesting thread, and I've learned a lot from the posts here, and it reminded me that I used to change my passwords every six months or so but I haven't done it in a few years. So it gave me a kick to do that again.

The few that posted here are WAY smarter than I am on this subject. So yes, I'm very interested in the security of this program but I just haven't had anything positive to contribute. I do enjoy reading it though.

Thanks,
Larry

Ernestton
Posts: 1
Joined: Wed Mar 25, 2020 12:52 pm
Been thanked: 1 time

Re: Question: How safe is EssentialPIM encryption?

Post by Ernestton »

I second what lbw2112 said. Just chipping in so you fellas know there's an interest in this topic. I just don't have anything smart to contribute at this point.
