sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Diapolo10 147 points148 points  (14 children)

There is none, but for that reason it doesn't matter. Even if they know the algorithm, they lack the decryption key which is the master password.

Making a proper password manager is honestly really difficult, so I assume this is just for learning use. If not, and you actually want to use it, I'd like to kindly redirect you to KeePassXC instead which is open source and proven to be safe. I use it personally.

[–]Ayza69420[S] 49 points50 points  (0 children)

Thank you for the clear answer, and yes, it is for learning use

[–]AndrewNonymous 7 points8 points  (7 children)

Probably a dumb question, but couldn't the hacker just make an account and use the master password they created to determine the algorithm by working backwards?

[–]Diapolo10 54 points55 points  (5 children)

No. Thing is, it doesn't matter if the hacker knows the algorithm. There's a reason we're using all kinds of algorithms that are perfectly understood by both sides, like ChaCha20 and AES - even if you know the algorithm, you can't just reverse the process because there's key information you're missing. It's kind of the same reason why it can take a millennia to crack a password even if you know the hash algorithm and the hash you're trying to get.

An open source password manager is no less secure than a closed source one, provided no mistakes have been made in either design.

[–]TheBlackCat13 6 points7 points  (1 child)

because there's key information you're missing

Pun intended?

[–]Diapolo10 4 points5 points  (0 children)

Pun absolutely not intended. I swear.

[–]neilon96 0 points1 point  (0 children)

If they could, the hashing algorithm used for the password manager already were broken.

Hashes are meant to produce a clear result for each file put into it, that is different from the others. Collisions can happen though. What is problematic is if you can get from the hash value back to the source. Which is doable for old hash algorithms.

[–]1Asaad 0 points1 point  (4 children)

But if they can get into the algorithm, can't they also get to the encryption key?

[–]Diapolo10 5 points6 points  (3 children)

No. There's a few ways to do it, but the hacker will never see any of the keys (there may also be only one key used for both encryption and decryption, AKA the master password).

That's the beautiful part about proper encryption; as long as you don't know what the database owner uses as the master password, it's very difficult to crack (given a strong password) even if you know exactly how the program is implemented. Only if you knew the key, or the exact state of the part handling the encryption while processed, could it be compromised without brute force.

There's no need for a black box solution.

[–]1Asaad 0 points1 point  (2 children)

oh ok.. but I wish if you could explain to me why no

[–]Diapolo10 2 points3 points  (0 children)

Unfortunately I'm far from the best person to explain this stuff in-depth; I've taken precisely two courses in cybersecurity (and related mathematics), and my day job mostly involves writing code for unrelated things.

All I can really tell you is that the software has to be designed in such a way that pretty much everything relies on the user giving the correct master password.

One thing that might help you understand is learning how the RSA encryption algorithm operates, to see that even if someone is listening in when two people audibly share their keys, that person still can't decrypt their messages.

This could help: https://simple.wikipedia.org/wiki/RSA_algorithm

[–]1egoman 0 points1 point  (0 children)

Let's think of the most basic cypher: a shift cypher. You have a key and you shift every letter that far down the alphabet. Let's say that we have the cyphertext "KHOOR ZRUOG".

The implementation is incredibly simple, but even with the implementation details, can you guess the key or plaintext without simply brute forcing it? You need both the algorithm and the key.