Chat support available. Click the chat icon on the bottom right corner to start chatting with us right away!

mSecure Support

Knowledge Base Forums Submit a ticket

PBKDF2 Hashing

I’ve seen with a couple major password managers, such as 1Password and Bitwarden, that they use many rounds of PBKDF2 hashing on the master password to help slow down brute-forcing. I can’t find anything in the mSecure docs on if it also has that built in. Can any details be provided on this?

Hi Drew,

Thank you for contacting us. At this time, we have not implemented rounds of PBKDF2 hashing for mSecure. I'm not sure how 1Password and Bitwarden's system is implemented, but one thing to mention for mSecure is that your data is not encrypted with your master password. If someone were to get hold of your data in any way, either from hacking our cloud system (if you're using mSecure Cloud syncing), or hacking your Dropbox account (if you're using Dropbox syncing), or in any other way, the data is encrypted with a very strong, completely random account key. Your password is used for the security of the system, but it's not what's used to actually encrypt your data.

You can read more on mSecure's security model here: mSecure’s Security Model - Secure by design

I believe 1Password has the same methodology of using a separate encryption key for encrypting the data, and they still use rounds of PBFDF2. I would assume there would still need to be some sort of storage (in hashed form) of the user’s master password so that the actual encryption key could be accessed in order to decrypt the vault contents. This recent article caught my attention. It shows how fast passwords can be cracked using modern GPU’s and how the speed of that has dropped over the last couple years. This is with passwords that are MD5 hashed. With clusters of GPU’s becoming more and more accessible via the cloud, it seems like there should be more mitigation against brute-forcing built into mSecure.

Hi Drew,

I think 1Password does do something similar with the separate encryption, which is what I think most password managers are doing once the data gets stored in their own cloud system. There has to be a way to keep the data safe when it's not stored locally, and this seems like the best way at least for now.

Thank you for the article link as well. I'm not able to go over it's contents now, but I will in the future. Support right now is out of control after the mSecure 6 launch, so I'm just trying to keep my head above water.

With regards to keeping the password in memory, mSecure purges the password after its entered by the user. The password is used one time to first decrypt the account key, then after that, it's no longer needed. Once the account key has done its job of decrypting and encrypting the information when the app is locked, it too is discarded from memory. To my knowledge, the user's master password is never stored in memory after it's entered to unlock mSecure.

Login or Signup to post a comment