3. January 2008, 10:45:14

thobi

opera tester, translator & believer

Posts: 493

wand insecure?

i just found a program called "Opera Password Recovery". it works very well to read the passwords out of the wand file IF YOU KNOW THE MASTERPW. well, i thought, no problem at all. then i tried to read the PW with a wrong MPW and after an error-msg confirming the wrong MPW even though the program read a couple of PW :(

is there a way to reencrypt the wand-files? is there a way to encrypt all the data and not just the data which is getting handled as PW by opera itself?
alpha, beta and weekly user :)
Opera11 on Win7x64 & OperaMobile10+OperaMini5 on Nokia5800@S60v5

3. January 2008, 12:11:11

F-V

Posts: 1602

What data did you manage to extract? Were they passwords stored by Opera before you enabled a master password?

3. January 2008, 12:19:59

thobi

opera tester, translator & believer

Posts: 493

hm, well, good question. i don't know since i use opera for a long time ;) but i don't think so.

3. January 2008, 18:58:27

operafan2006

Learning from helping

Posts: 4910

Originally posted by F_V:

What data did you manage to extract? Were they passwords stored by Opera before you enabled a master password?


Interestingly, that software seems to claim recovering lost master password! I don't use wand but anyone using it can give this so-called recovery tool a try to see if it's real.

3. January 2008, 20:02:55

F-V

Posts: 1602

Originally posted by operafan2006:

Interestingly, that software seems to claim recovering lost master password! I don't use wand but anyone using it can give this so-called recovery tool a try to see if it's real.


It should not be possible and it has been refuted in previous threads. Perhaps it tries brute force, in which case you have a problem if you have a very simple password.

Edit: yes, <http://www.passcape.com/opera_master_password_recovery_screenshots.htm>, it uses brute force and dictionary attacks.

3. January 2008, 20:23:29

thobi

opera tester, translator & believer

Posts: 493

yes, but as i told you that there seems to be leaks so pw are visible without trying to recover the masterpw.

4. January 2008, 01:27:44

Moderator

larskl

~ moderator ~

Posts: 22496

Originally posted by thobi:

yes, but as i told you that there seems to be leaks so pw are visible without trying to recover the masterpw.


URL, form target and username can be accessed without the need to enter masterpw, passwords however can't be read without providing the master password

4. January 2008, 08:35:55 (edited)

thobi

opera tester, translator & believer

Posts: 493

Originally posted by larskl:

passwords however can't be read without providing the master password


well, that's what i believed till these days... but it seems to be - anyhow - wrong.
did you try it with your wand file?

opr1.jpg
opr2.jpg

edit: just tried to kick the login-data and save it again. the pw is still shown. so it has nothing to do with the question if the MPW is activated the moment the data gets saved.

4. January 2008, 13:04:11

Moderator

larskl

~ moderator ~

Posts: 22496

as can be seen on your screenshot all passwords (the red entries) are not shown.

4. January 2008, 14:49:58

thobi

opera tester, translator & believer

Posts: 493

well, you are misinterpreting the screenshots. but just tell me if i can't make myself clear:
the screenshot shows, that the program can not find out ALL pw without a mpw BUT it can find out a couple of them. for sure i'm not going to show logins or pw to the www, so i erased them. but i thought the hint "not shown in trial version" would be enough to let you know, that it found out the correct pw there.

so, better now?

4. January 2008, 17:18:57

yngve

Senior Developer

Posts: 2970

Here is what I wrote about the "Unwand" utility: http://my.opera.com/community/forums/findpost.pl?id=1306440 . Most of the same considerations apply here.

"Unwand" is able to read the obfuscated entries in the wand, including the password entry, but only when the Master Security Password is NOT used.

Passcape claims to have found the algorithm used to convert the Security Password into the encryption key used to encrypt/decrypt the entries in the Wand, and that they have created a program that will find the Security Password by dictionary attacks and/or brute force testing.

Well, knowing that algorithm does not make it any less difficult to access the Wand's password data when the Wand is protected by a Security Password, since they still have to find the password to use in the algorithm.

The security of the Security Password has always been, and as long as we base ourselves on what the user enters, will always be, determined by how good the password selected by the user is. The only way to improve this is to use hardware tokens (smartcards) controlled by the user.

Based on the numbers Passcape has published, it will take a computer more than three weeks to scan through all combinations of 6 US-ASCII printable characters (95); increase the number to 9 characters and you are looking at years (to put it mildly). Add international characters from Unicode and the time will increase sharply.

If you have picked a Security Password that is easy to find, for example similar to a word in the dictionary, then you have a problem. If you are better at making passwords then you may be more secure, and the longer and the better you add a mix of odd characters and sequences, the better.

This type of software is only a problem if the security of your computer has been compromised, and in that case there are much more effective attacks that can be used to get the password, such as using a password sniffer.
Sincerely,
Yngve N. Pettersen

4. January 2008, 17:52:27

HaJotKE

Grumbling Hyper-Critical Cantankerous Curmudgeon!

Banned user

A paradigm of encryption theory is (in my own words):
If an encryption algorithm is known to its full extent (with all details) the strength of said algorithm is only depending on the password itself, which can then be chosen exactly to given and preset time limits for possible brute force attacks (with given hardware power, speed etc.), because its length and construction rules can be calculated on basis of said algorithm.

Wouldn't it be a smart idea then to include into 'Wand' a password generator, which determines the strength of the password on the fly, such as some web-sites already do?
OPERA V8.54 (Win NT4) & V9.27 & V9.52[b10108] & V9.62[b10467] & V10[b1413] standard on (Win 98 SE) / (Win NT4) / (Win 2000 pro)
◇◇ UserJavascript "zz-spoof-id"! ◇◇◇ [Thanks for Finally Considering this Petition!] Composing Emails in the HTML Format in Opera
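
As an added illustration (not code from this thread, from Opera or from Passcape), the figures in yngve's post and the strength-checker idea above can be combined into a small estimator. The guess rate is derived from the quoted "three weeks for 6 characters out of 95" figure; the wordlist, the function names and the weak/ok/strong thresholds are assumptions made for this example.

```python
PRINTABLE_ASCII = 95                    # alphabet size quoted in the thread
THREE_WEEKS_S = 21 * 24 * 3600          # quoted time to scan all 6-character passwords
# Guess rate implied by those two figures (the thread says "more than" three
# weeks, so the real rate was somewhat lower than this).
IMPLIED_RATE = PRINTABLE_ASCII ** 6 / THREE_WEEKS_S
YEAR_S = 365 * 24 * 3600

# Constructed sample wordlist (assumption); a real checker would load a large one.
SAMPLE_WORDLIST = {"password", "opera", "wand", "secret", "dragon"}


def alphabet_size(pw):
    """Size of the character set an exhaustive search must cover for pw."""
    size = 0
    if any("a" <= c <= "z" for c in pw):
        size += 26
    if any("A" <= c <= "Z" for c in pw):
        size += 26
    if any("0" <= c <= "9" for c in pw):
        size += 10
    # Everything else is counted as the 33 remaining printable ASCII characters,
    # which underestimates passwords that use non-ASCII (Unicode) characters.
    if any(not (c.isascii() and c.isalnum()) for c in pw):
        size += 33
    return size


def seconds_to_exhaust(length, alphabet=PRINTABLE_ASCII, rate=IMPLIED_RATE):
    """Worst-case time to try every password of exactly this length."""
    return alphabet ** length / rate


def looks_like_dictionary_word(pw, wordlist=SAMPLE_WORDLIST):
    """True for a listed word, ignoring case and trailing digits/punctuation."""
    return pw.lower().rstrip("0123456789!?.") in wordlist


def assess(pw):
    """Rate a candidate master password; the thresholds are assumptions."""
    if looks_like_dictionary_word(pw):
        return {"verdict": "weak", "reason": "dictionary word", "years": 0.0}
    years = seconds_to_exhaust(len(pw), alphabet_size(pw)) / YEAR_S
    verdict = "weak" if years < 1 else "ok" if years < 1000 else "strong"
    return {"verdict": verdict, "reason": "exhaustive search", "years": years}


if __name__ == "__main__":
    for candidate in ("Opera2008", "abc123", "kT7#qv9!Lm"):  # constructed samples
        print(candidate, assess(candidate))
```

At the implied rate, nine characters drawn from the 95-character set come out at roughly 49,000 years of exhaustive search, while a dictionary word with a year appended is flagged regardless of its length.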

4. January 2008, 18:38:07

operafan2006

Learning from helping

Posts: 4910

Originally posted by HaJotKE:

A paradigm of encryption theory is (in my own words):
If an encryption algorithm is known to its full extent (with all details) the strength of said algorithm is only depending on the password itself, which can then be chosen exactly to given and preset time limits for possible brute force attacks (with given hardware power, speed etc.), because its length and construction rules can be calculated on basis of said algorithm.

Wouldn't it be a smart idea then to include into 'Wand' a password generator, which determines the strength of the password on the fly, such as some web-sites already do?



Or at least restrict password selection to more than 8 characters with mix of characters and numbers. Also may require one upper case number. Simply something in that line. This way users will select a better password.

If opera does not want to interfere with users choice of password, then at least mention below the password selection box how one can choose a better password. Just state a recommendation that such and such may make a good one.

4. January 2008, 18:52:12

HaJotKE

Grumbling Hyper-Critical Cantankerous Curmudgeon!

Banned user

I may add - a Password Strength Checker based on the above rules would be enough... :D

4. January 2008, 21:15:06

F-V

Posts: 1602

Originally posted by operafan2006:

Or at least restrict password selection to more than 8 characters with mix of characters and numbers. Also may require one upper case number.


Here we go again. Make password managers more user unfriendly by forcing things and users will write the passwords down on sticky papers. Or use other browsers.

Nothing should be forced, ever. Some users simply do not need or appreciate an NSA level of securing their computers.

4. January 2008, 21:31:28

operafan2006

Learning from helping

Posts: 4910

Originally posted by F_V:

Originally posted by operafan2006:

Or at least restrict password selection to more than 8 characters with mix of characters and numbers. Also may require one upper case number.


Here we go again. Make password managers more user unfriendly by forcing things and users will write the passwords down on sticky papers. Or use other browsers.

Nothing should be forced, ever. Some users simply do not need or appreciate an NSA level of securing their computers.


Did you read last two lines of my post? I mentioned that exact thing. It is always a battle of convenience vs security.

4. January 2008, 21:43:39

F-V

Posts: 1602

Originally posted by operafan2006:

Did you read last two lines of my post?

Not necessary - I replied to the quoted ones which were flawed.

5. January 2008, 12:19:54

alf5000

Posts: 393

OperaWand is comfortable. We know that.
OperaWand is secure if you choose a secure password. We hope that.
OperaWand should tell the users very, very frankly that only the MasterPassword makes it secure.
I'm sure many users think Wand per se is secure and don't use a MasterPassword.
Win7Professional x64 (incl. latest updates) - Intel i5 - 4GB RAM - internal Intel HD Graphics

5. January 2008, 12:59:20

thobi

opera tester, translator & believer

Posts: 493

Originally posted by alf5000:

OperaWand is secure if you choose a secure password. We hope that.


well, that's what we'd like to believe. but as i have a good pw - with numbers and small and capital letters - but despite that some pw aren't encoded, i can't believe it anymore...
and as i use wand also with my notebook and notebooks can also get lost or stolen, i'd love to just know, that at least my pw are safe...

5. January 2008, 13:34:41

F-V

Posts: 1602

Originally posted by thobi:

and as i use wand also with my notebook and notebooks can also get lost or stolen

Would hard drive encryption be an option to enhance security? Seriously, when talking about unlimited access to somebody's stolen computer, a lot can already be found out and even master passwords can eventually be cracked.

Still, I don't see any indication of retrieved passwords in the screenshots above. The blanked areas look more like parameters or usernames to me.


5. January 2008, 13:55:46 (edited)

thobi

opera tester, translator & believer

Posts: 493

well, you get a new screenshot. even if it's unbelievable for me, that nobody can see it...

edit:
opr21.jpg
opr22.jpg
opr23.jpg
1opr1.jpg

5. January 2008, 14:21:36

F-V

Posts: 1602

The only thing the screenshots show is that the passwords are unavailable. I'm beginning to think this whole thread is a bit fictional.

5. January 2008, 14:35:12

HaJotKE

Grumbling Hyper-Critical Cantankerous Curmudgeon!

Banned user

Originally posted by F_V:

The only thing the screenshots show is that the passwords are unavailable

No, this is wrong, you didn't test it yourself, I assume.

What *thobi* is going to show is:
even if you don't give the correct master password, there are still some passwords deciphered, in the trial version they are shown only abbreviated to the first three letters anyway, and I believe *thobi* did even shorten these to one (1) letter, right?

I believe, these passwords have been stored before using a master password, which can be introduced any time later;
and that there is a BUG in OPERA as far as these passwords are not encrypted correctly later on, but that's only guesswork which I didn't verify! :D

5. January 2008, 14:39:41

thobi

opera tester, translator & believer

Posts: 493

Originally posted by HaJotKE:

and I believe *thobi* did even shorten these to one (1) letter, right?


right. thx to you i don't have to believe that i'm crazy...

5. January 2008, 15:03:09 (edited)

F-V

Posts: 1602

OK, if there's indeed (a part of) a password shown in that program, I'll try to reproduce it myself. If this is the case, I consider it an important flaw.

Edit: unfortunately I cannot reproduce. Password fields stay blank. This issue will have to get a clear way to reproduce before anything can be done with it.

18. January 2008, 10:39:52 (edited)

Badtz Maru

Posts: 26

I see all my passwords with this program, because I've activated the master password recently. Is there a way to fix this? or I have to delete wand and make a new one?

EDIT
ok, disregard that.

I forgot to select the "Master Pass works in wand or something" option. Nao my passes are encrypted.

18. January 2008, 06:51:51

thobi

opera tester, translator & believer

Posts: 493

have you entered the MPW correctly with the program or did you type in a wrong one?