Does two-factor authentication prevent access when encrypted database is stolen?

Hastibe

Distinguished
Feb 25, 2010
13
0
18,560
If you store your encrypted passwords on the cloud (e.g. as a file on Dropbox or on LastPass servers, etc.) does having two-factor authentication enabled (for Dropbox or your LastPass account, etc.) protect you if hackers steal your encrypted file of passwords from Dropbox or LastPass (etc.) and manage to decode your master password for the file (because, say, your password was a weak one, like "12345")?

Hastibe

Okay, I see--so, if the encrypted file is stolen and thieves have direct access to it, what do they need to do to decrypt the file? Is the next step just to try to guess the password for the file (which can be done via brute force or dictionary attack, if it's a weak password)? Is that what it comes down to?
 

Pinhedd

Distinguished
Moderator


No.

Two-Factor-Authentication is designed to enhance service security beyond the use of a simple and often reused password. An attacker wishing to gain access to a cloud storage account protected by TFA would have to enter the correct authentication details (username and password) without getting locked out and then also enter a secondary non-repeating number that is usually sent to a mobile device.

If the attacker gains fraudulent access to the cloud storage service, then he or she will have all the same capabilities as the legitimate owner including adding, removing, and copying files. If you have a password vault/keychain file stored on the cloud storage service then the attacker will have access to this file. This does not mean that the password vault file itself is useful to the attacker however, as most password vault/keychain applications block encrypt the file using strong symmetric encryption such as AES-256. As long as a completely unique and non-derivative password is used to protect this file the contents should be safe even if the file is obtained by an attacker. A password of length 15-20 characters would take all of the computers on the planet several generations to guess; you would be long dead by then.

Hastibe

Really helpful response, Pinhedd--thanks so much!


Okay, right--so, the follow-up question I have is: what makes a strong password? For instance, is this a strong password: "youaretheappleofmyeye"? Or does a password have to look random, like "TP$w08K90lAaw!R," to be strong?

I ask, because if I type in "youaretheappleofmyeye" to any of the password strength estimators that I've linked to below, they all say it's great, but the advice I get about making a strong password is to use numbers, symbols, upper and lower case, and no dictionary words. So, what's going on here/what am I not understanding?

  • https://howsecureismypassword.net/
  • https://passfault.appspot.com/password_strength.html
  • https://www.grc.com/haystack.htm
 

Pinhedd


http://xkcd.com/936/
 

Hastibe


Haha, okay, so it's just because there's more entropy with the longer phrase of dictionary words? But it also has to really be a random collection of dictionary words, if using a passphrase instead of a password is going to work, it sounds like: http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/

I also read in a comment (here: http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/) that:
"You can throw a spanner in the works by including dictionary words as tokens when brute-forcing... taking the famed CorrectHorseBatteryStaple from 25 characters to 4. Is FiveFourThreeTwoOne really that much stronger than 54321?"

...Know anything about this? Because if this is a case, such passphrases could actually provide terrible security, it seems.
 

Pinhedd

Distinguished
Moderator


Correct. There's nothing at all special about uppercase letters, lowercase letters, symbols, punctuation, etc... they're all just mappings to ASCII/UTF values. A short but complicated password that can't be remembered is no more secure than a long but obscure password that is easily remembered.

Almost all password breaches can be narrowed down to two causes:

1. Password reuse. A user uses the same password for his or her banking login as he or she does for some obscure gaming site that has little to no security policy. No amount of password entropy will stop this because the attacker just copies and pastes the actual password.

2. Common passwords. Passwords such as "Password", "P4ssw0rd", and "123456" are incredibly common and are among the first password combinations attempted by brute force attacks.

Brute force attacks will never, ever guess a long but easily remembered password such as "youaretheappleofmyeye" or a variation such as "You_Are-The_Apple-Of_My-Eye".
It's theoretically possible given enough time, but it's incredibly unlikely as any sane service provider will lock the account after a small number of failed access attempts. There are over 150,000 commonly used words in the English language. Even 4 of those that are marginally obscure still provides 150,000^4 permutations without any sort of variation in length, punctuation, or capitalization.
 
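A worked calculation I'm adding here (it is not from anyone in the thread) that puts numbers on Pinhedd's 150,000^4 figure and on the "dictionary words as tokens" objection quoted earlier: it scores a password under both attacker models (character by character, and whole dictionary words) and takes the weaker one, then turns that into time at an assumed online rate (lockouts apply) and an assumed offline rate against a stolen vault file (no lockout). The guess rates, the symbol count and the small "number words" list are my assumptions; only the 150,000-word figure comes from the thread.

```python
import math

# Constructed assumptions (mine, not figures from the thread, except the word count):
WORDLIST_SIZE = 150_000          # "over 150,000 commonly used words" (thread)
ONLINE_GUESSES_PER_SEC = 1.0     # assumed: a login endpoint that throttles / locks out
OFFLINE_GUESSES_PER_SEC = 1e9    # assumed: stolen vault blob, fast KDF, no lockout at all
SYMBOLS = 33                     # printable ASCII characters that are not letters or digits


def char_classes(pw: str) -> int:
    """Alphabet size an attacker must cover when guessing character by character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def char_entropy_bits(pw: str) -> float:
    """Search-space size in bits under the character-level model."""
    return len(pw) * math.log2(char_classes(pw))


def token_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Search-space size in bits if the attacker guesses whole dictionary words."""
    return num_words * math.log2(wordlist_size)


def weakest_model_bits(pw: str, num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """A defender should plan for whichever model is cheaper for the attacker."""
    return min(char_entropy_bits(pw), token_entropy_bits(num_words, wordlist_size))


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Years to try every candidate at the given rate (expected time is half of this)."""
    return 2 ** bits / guesses_per_sec / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # (password, number of word tokens, size of the list those tokens come from)
    samples = [("youaretheappleofmyeye", 6, WORDLIST_SIZE),
               ("CorrectHorseBatteryStaple", 4, WORDLIST_SIZE),
               ("TP$w08K90lAaw!R", 15, WORDLIST_SIZE),   # no word structure at all
               ("FiveFourThreeTwoOne", 5, 10),           # 5 tokens from a 10-word list
               ("54321", 5, 10)]
    for pw, words, wl in samples:
        bits = weakest_model_bits(pw, words, wl)
        print(f"{pw:28s} {bits:6.1f} bits  online {years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC):9.2e} y"
              f"  offline {years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC):9.2e} y")
```

The last two rows come out identical: spelled-out digits from a ten-word list are no stronger than the digits themselves once the attacker guesses in words, which is exactly the spanner in the works the quoted comment describes.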

Hastibe


So, in the case of LastPass, if your encrypted data blob of passwords is stolen from LastPass servers, is it the password to your LastPass account that the hackers need to crack to decrypt the data blob and get access to its contents (the passwords)? And, in this case, two-factor authentication doesn't factor in at all, I'm understanding, because it has to do with authentication, not encryption/decryption.

...Sorry that these questions are so basic--this can be surprisingly tricky to understand!

 

Pinhedd



These are more complicated questions than you realize!

The answer is that you'd have to ask LastPass how they store and encrypt the data. They may use a multi-layer encryption method in which your password is used to encrypt the blob once, and a separate key (or set of keys) retained by LastPass is used to encrypt the data a second time. In this case, the attacker would need to obtain the raw encrypted data, LastPass's key(s), and your password.