Brute-force attack

Hi,

I’m wondering, is it possible that someone tries to guess my vault password using dictionary or brute-force attack software?
Will it lock out for a defined duration after a defined number of incorrect password attempts?
Some systems have a 5-second delay that one must wait before the next password attempt.

Any thoughts?

No, there’s no such function in Cryptomator.
To avoid the risk of successful brute-forcing, don’t use weak passwords. :smile:

But nevertheless, it’s of course a good idea to implement this function.

Regarding brute-force protection in Cryptomator: https://github.com/cryptomator/cryptomator/issues/320#issuecomment-239010414

Hi, thanks for the prompt reply.
God damn hackers, they’ll always find a way in.

The reason why brute-force protection is not possible for Cryptomator is that the encrypted content and the master key are not stored in some kind of Cryptomator cloud.
Usually brute-force protection works on the principle that you request information that is stored by a third party, for example Dropbox. Now Dropbox can decide whether to give you access to this information or not based on a set of rules. This is where they can implement rules such as “after five tries you will have to wait half an hour”.

Cryptomator could implement something like this if they stored your key on a server, as in the following architecture, but I am not sure if I would like that:
-> you ask Cryptomator: please give me the key to unlock my vault, I identify myself with my password
-> Cryptomator decides whether to send you your key based on a rule set that includes some brute-force protection

The downside of this type of architecture is that Cryptomator then has your encryption keys, meaning you have to trust them.

If you use a good password manager you can create long random passwords. If you use a 25-character fully random password with uppercase, lowercase, numbers and symbols, there is just no way a hacker can successfully brute-force it. Well, maybe with scary futuristic quantum computers, but that’s a different story.

1 Like
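The post above makes two points that are easy to check in code: an offline vault cannot count failed attempts, so the only per-guess cost an attacker pays is the key-derivation function, and a long random password pushes the expected search time beyond reach regardless. The following is an added example written for this thread, not Cryptomator’s own code. It assumes scrypt as the password-stretching KDF with parameters chosen for illustration, a constructed wordlist, and an assumed attacker guess rate; none of these are measured figures for Cryptomator or for any real attacker.

```python
"""Offline brute-force economics: entropy, expected search time and KDF cost.

Added example for the forum thread, not Cryptomator's code. The scrypt
parameters, the wordlist and the 1e12 guesses/second attacker rate are
assumptions for illustration only.
"""
import hashlib
import hmac
import math
import secrets
import string
import time

# Upper, lower, digits and punctuation: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, guesses_per_second: float,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """Expected time to hit a random password: on average half the keyspace."""
    expected_guesses = alphabet_size ** length / 2
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def derive_key(password: str, salt: bytes,
               n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Stretch a password with scrypt, a memory-hard KDF.

    Assumed parameters (n=2^14, r=8 -> 16 MiB per evaluation). A real vault
    format fixes its own parameters and stores them beside the salt.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=32)


def measure_guess_rate(n: int = 2 ** 14, r: int = 8, p: int = 1,
                       trials: int = 3) -> float:
    """scrypt guesses per second on one core of this machine.

    This is the only "rate limit" an offline attacker faces: nobody counts
    failed attempts on a copied vault file, so each guess costs exactly one
    KDF evaluation and nothing else.
    """
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess-{i}", salt, n, r, p)
    return trials / (time.perf_counter() - start)


def offline_dictionary_attack(target_key: bytes, salt: bytes, wordlist,
                              n: int = 2 ** 14, r: int = 8, p: int = 1):
    """What a thief does with a copied vault: derive a key per candidate and
    compare. Returns (recovered_password or None, guesses_made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(derive_key(candidate, salt, n, r, p), target_key):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample: a weak password protected by scrypt, attacked with a
    # tiny constructed wordlist. No lockout exists; only the KDF slows the loop.
    salt = secrets.token_bytes(16)
    weak_key = derive_key("Summer2016!", salt)
    wordlist = ["password", "letmein", "Summer2016!", "hunter2"]
    print("weak password recovered:", offline_dictionary_attack(weak_key, salt, wordlist))
    print("scrypt guesses/s on this core: %.1f" % measure_guess_rate())

    # Assumed attacker: 1e12 guesses/s (a cheap-hash GPU-cluster figure; scrypt
    # is orders of magnitude slower, so this is a pessimistic bound).
    for length in (8, 12, 25):
        print("length %2d: %6.1f bits, expected %.3g years at 1e12 guesses/s"
              % (length, entropy_bits(length), expected_crack_years(length, 1e12)))
```

The point the numbers make: an 8-character random password falls in under an hour at the assumed rate, while a 25-character one sits at roughly 10^29 years, so the missing lockout does not matter for the second case. Lowering scrypt’s `n` speeds up the attack loop proportionally, which is why the KDF cost and the password length, not an attempt counter, are the knobs that protect a file someone can copy.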

Is it possible to use a hardware security key like a YubiKey or Nitrokey to open the vault? A hacker has no 100% chance to unlock this.

First put the password and confirm with the hardware Key. This solution would be the best!

2 Likes

That’s not possible at the moment.