iteration count
I love pwsafe, and use it on my iPad and iPhone. It's a wonderful application, but I have a request for a new feature, and also a question.
First, I'd like some control over the iteration count used. I'm willing to wait a few seconds to open the file on my iPhone, in exchange for a few bits more of security. I understand this only buys a little bit of extra security, but every little bit helps when you're putting your human ability to remember and type a complicated password up against Moore's law.
Second, I'm curious: in your password generation routine, where do you get your random numbers? How do you know they're any good?
Thanks,
--John
-
Admin Jorge Vasquez (Owner, pwSafe) commented
It appears I was mistaken: the number of iterations could be defined and is currently set to 2048 rounds of SHA-256.
We'll investigate increasing this number and even making it configurable.
Regards,
-
Admin Jorge Vasquez (Owner, pwSafe) commented
Thanks for your comments, John.
pwSafe's file format is the same one used by Password Safe, i.e. http://keybox.rubyforge.org/password-safe-db-format.html
We can't control the number of iterations to derive a key, because the file format does not allow for configuration of this parameter, which is fixed at a low 300. We will be working with Password Safe's developers to fix that and change to a more robust key derivation algorithm. Until then, we advise you to use very long passphrases.
We get random numbers from /dev/urandom, which, on iOS, is this: https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man4/urandom.4.html. It's up to the iOS Security Server to feed it with entropy.
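The iteration-count discussion above (300 fixed by the format, 2048 in pwSafe) comes down to iterated SHA-256 key stretching: every extra round costs the legitimate user once per open and costs an attacker once per guess. The following is an added illustration, not code from pwSafe or Password Safe; it assumes a simple "hash passphrase plus salt, then re-hash N times" construction (the real Password Safe V3 details may differ), and the function names `stretch_key`, `make_verifier`, `verify_passphrase`, `seconds_per_open` and `iterations_for_budget` are the example's own. The salt is drawn from the OS CSPRNG (`os.urandom`), the same source the admin reply points to.

```python
import hashlib
import hmac
import os
import time


def stretch_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Return a 32-byte stretched key from a passphrase and a salt.

    Assumed construction (illustrative, not the exact Password Safe one):
    the first hash binds the passphrase to the salt, and each further
    round re-hashes the previous digest. Work grows linearly with
    `iterations`, for the user and for every attacker guess alike.
    """
    if iterations < 0:
        raise ValueError("iterations must be non-negative")
    digest = hashlib.sha256(passphrase.encode("utf-8") + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_verifier(stretched_key: bytes) -> bytes:
    """Hash of the stretched key: safe to store in a file header so the
    passphrase can be checked without storing the key itself."""
    return hashlib.sha256(stretched_key).digest()


def verify_passphrase(passphrase: str, salt: bytes, iterations: int,
                      stored_verifier: bytes) -> bool:
    """Re-derive the verifier and compare in constant time."""
    candidate = make_verifier(stretch_key(passphrase, salt, iterations))
    return hmac.compare_digest(candidate, stored_verifier)


def seconds_per_open(passphrase: str, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation, i.e. one file open (or one guess)."""
    start = time.perf_counter()
    stretch_key(passphrase, salt, iterations)
    return time.perf_counter() - start


def iterations_for_budget(passphrase: str, salt: bytes,
                          target_seconds: float, probe: int = 2048) -> int:
    """Estimate how many rounds fit in `target_seconds` on this machine by
    timing a probe run and scaling linearly (cost is linear in rounds).
    Never returns fewer rounds than the probe itself."""
    elapsed = seconds_per_open(passphrase, salt, probe)
    if elapsed <= 0:
        return probe
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    # Constructed demo values; a real file stores its salt in the header.
    salt = os.urandom(32)
    passphrase = "correct horse battery staple"

    for rounds in (300, 2048, 100_000):
        ms = seconds_per_open(passphrase, salt, rounds) * 1000
        print(f"{rounds:>7} rounds: {ms:8.2f} ms per open")

    print("rounds fitting a 1 s budget here:",
          iterations_for_budget(passphrase, salt, 1.0))

    verifier = make_verifier(stretch_key(passphrase, salt, 2048))
    print("correct passphrase accepted:",
          verify_passphrase(passphrase, salt, 2048, verifier))
    print("wrong passphrase accepted:  ",
          verify_passphrase("wrong", salt, 2048, verifier))
```

Running it shows why the thread's numbers matter: the time per open scales linearly with the round count, so going from 300 to 2048 rounds multiplies an attacker's per-guess cost by the same factor while still opening the file in well under a second on a phone. Note that a verifier mismatch also results from a wrong iteration count, which is why the count has to be stored alongside the salt in any format that makes it configurable.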