Breaking Password Managers: How Easy Is It and What’s Inside?

We are using longer and more complex passwords to protect our accounts. Hence, keeping track of numerous password combinations has become a task on its own. That is why more and more people are turning to password managers. Be it a free open-source tool or a commercial security architecture, many of us are using them to store our sensitive data.

However, a password manager app, besides passwords, can contain additional data sources, emails, connections, online banking details, and even documents. This data is very appealing to computer forensics. Take a look at “The Potential Importance Of Information From Password Managers” article for further reference.

Passware has recently updated its Password Managers decryption option by adding the support for Mac version of Dashlane – The Best Password Manager for 2022, according to PC Mag. In general, Passware Kit supports five password managing applications: 1Password, KeePass, LastPass, Dashlane, and macOS Keychain.

For the master password to reside in the app’s vault, there should be at least one successful login to the password manager on the target computer. Given this, the vault can be exported and analyzed by Passware Kit. Broadly speaking, the software recovers the master password of the application using a brute-force method with GPU acceleration where possible and afterwards extracts the contained passwords and other records.

Let’s take a closer look into the password managers, their versions, and how difficult it is to break into them.


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

1Password

1Password is one of the most secure and widely used commercial password managers developed for all popular platforms: Windows, Linux, macOS, iOS, and Android. Passware Kit supports all versions of 1Password including v8 for all the platforms, with some limitations. Besides the GPU-accelerated brute-force recovery of a master password, Passware Kit is also capable of acquiring it from a live memory image for the standalone 1Password for Mac. In some cases, Passware Kit Mobile can decrypt a 1Password database instantly.

In December 2012, AgileBits introduced the OPVault format to replace the outdated Agile Keychain format. The OPVault is now the default format for syncing with iCloud and Dropbox. Passware Kit supports both OPVault and Agile Keychain vaults, as well as the Online database format used in the browser versions of 1Password.

The recovery speed on an AMD Radeon RX 6900 XT is 770,000 passwords per second for Agile Keychain and 30,000 passwords per second for OPVault.

A 1Password vault can contain multiple accounts with different encryption types, and Passware Kit is capable of handling them one by one.

If syncing with Dropbox or iCloud is enabled, 1Password stores its vaults inside the Dropbox and iTunes/iCloud backups correspondingly.

KeePass

KeePass Password Safe is a free and open-source password manager primarily for Windows. Being a handy freebie, it is widely used by small office and home users all over the world.

The location of a KeePass vault (*.KDB for v.1.x and *.KDBX for v.2.x) is specified by the user, so it might be helpful to use the “Find Encrypted Files” option in the Passware Kit to locate this file.

Passware Kit recovers master passwords for the vaults and subsequently extracts user credentials and passwords from them. The password recovery process is accelerated with NVIDIA and AMD GPU cards, as well as distributed computing. The recovery speed on an AMD Radeon RX 6900 XT is 267,000 passwords per second for v.1 and 435,000 passwords per second for v.2.

The only limitation is that ChaCha20 (256-bit) encryption algorithm and Argon2d/Argon2id key derivation functions are not supported.

LastPass

LastPass is a freemium password manager that stores encrypted passwords online. It is available as an extension to web browsers, including Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, Vivaldi, and Opera.

LastPass requires quite a strong master password to be set:

Provided that the average recovery speed for LastPass is 37,000 passwords per second on AMD, this password manager can be considered as one of the most secure ones.

Passware Kit saves the extracted credentials in a CSV file.

Dashlane

Dashlane states that it is “designed for a safer life online”. It is the PC Mag Editors’ Choice winner as the best password manager for 2022. It is supported on the main desktop and mobile platforms: Windows 10, MacOS, iOS, and Android, and all major browsers: Safari, Edge, Chrome, and Firefox.

Passware Kit supports both Desktop and Browser Extension versions of Dashlane. Depending on the encryption algorithm, it can utilize GPU to accelerate the password recovery. Passware Kit Mobile (starting from the upcoming version 2022 v4) is capable of extracting records from iOS and Android versions of Dashlane.

A Dashlane vault can contain multiple accounts with different encryption types. Passware Kit displays them all and offers to choose one for decryption.

Hardware acceleration is only supported for accounts without the Argon2d key derivation function.

As a result, Passware Kit recovers the master passwords and extracts the contained credentials. Additionally, it can save the unrecognized extracted data in .json files.

macOS Keychain

Keychain is the built-in password management database in macOS and iOS that securely stores account names, passwords, private keys, certificates, sensitive application data, payment data, and notes. These records are dynamically linked to users’ particular login passwords so that when they log on to a Mac device, all of their various accounts and passwords are made available to the operating system and select applications.

There are three types of Mac Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Passware Kit supports them all. Refer to our “A Deep Dive into Apple Keychain Decryption” article for more information.

The password recovery process for a Login Keychain can be accelerated by using GPU, reaching speeds of up to 1,200,000 passwords per second on an AMD 6900 XT.

Summary

Looking at the password recovery performance and the complexity of password settings required for each application, we can conclude that LastPass is the most secure password manager in terms of breaking its master password. In any case, using GPU clusters combined with distributed computing, increases the chances of breaking into the suspect’s password manager and extracting all his credentials, building a good source for further forensic research.

Learn more about breaking into the password managers on the Passware Knowledge Base.

2 thoughts on “Breaking Password Managers: How Easy Is It and What’s Inside?”

  1. No. The 2FA does not usually affect data extraction from a password manager if the master password has been recovered. If you are asking about some particular password manager, please specify it, and we will give it an extra testing.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...