Hacking My Password Manager

I keep all of my passwords in a password manager. My password manager of choice is Keepass. I use it because it’s open-source, free, and doesn’t lock me into a cloud-based server. If I need syncing across devices, I can use the Google Drive or iCloud services I’m already using.

This means the only password I need to remember is the master password for my database. To keep this secure I make it a long passphrase with quirks. Quirks are weird little rules I make up to make my passphrase more secure.

For example, I start with the passphrase “TheQuickBrownFoxDiedPainfully.” It’s memorable and very long, which makes it hard to crack. Then I add a couple of quirks, for example:

  • all lower case e’s are changed to 3
  • every second lower case o is turned into a 0
  • each third word has its case inverted

This means my final password is “Th3QuickbROWNF0xDi3dpAINULLY”. This is an even harder password to crack and still easy… relatively… to remember. You just need the phrase and to know the rules.

The Problem

This worked for me for the longest time, until it didn’t.

I change my password every few months, and since upgrading my MacBook Pro I started using the biometric scanner. In other words, I was no longer constantly typing in my password.

You can already guess what happened, right? I forgot which quirks I had assigned to my current password. Bummer. I still knew the passphrase and had a general idea of which quirks I had assigned, only I couldn’t remember exactly. This meant that I had a number of potential passwords that I needed to check.

First Approach

I tried educated guesses, but that was taking too much time. Then I decided to automate; after all, I’m a programmer, I’m too cool to be typing in a bunch of passwords by hand!

Let’s over-engineer this, shall we!

Over-Engineered Approach

I wrote a script to generate a list of potential passwords. It uses a simple template where the characters between [] are the alternatives for that position, e.g. p[aA]ssword generates “password” and “pAssword”. It worked a little too well, since it gave me around 5000 potential passwords.
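The post does not show the generator script, so here is an added example (my own code, not the author’s) that implements the template grammar described above: every [] group lists the single-character alternatives for one position, everything else is literal, and the Cartesian product of all positions is the candidate list. It also reports the candidate count before anything is written, because the count multiplies with every group and a template can easily produce far more than the 5000 lines mentioned above. The demo template and its output file name are constructed for illustration.

```python
import itertools
import math
from typing import Iterator, List

# Template grammar as described in the post: characters inside [] are the
# alternatives for that single position; everything else is literal.
# "p[aA]ssword" -> "password", "pAssword"


def parse_template(template: str) -> List[List[str]]:
    """Turn a template into one list of alternatives per output position."""
    parts: List[List[str]] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "[":
            end = template.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unclosed '[' at index {i}")
            alts = template[i + 1:end]
            if not alts:
                raise ValueError(f"empty [] at index {i}")
            # dict.fromkeys dedupes while preserving order, so "[aaA]"
            # does not inflate the list with duplicate candidates
            parts.append(list(dict.fromkeys(alts)))
            i = end + 1
        elif ch == "]":
            raise ValueError(f"unmatched ']' at index {i}")
        else:
            parts.append([ch])
            i += 1
    return parts


def candidate_count(template: str) -> int:
    """Number of candidates without materialising them (product of set sizes)."""
    return math.prod(len(p) for p in parse_template(template))


def expand(template: str) -> Iterator[str]:
    """Yield every candidate the template describes, in deterministic order."""
    for combo in itertools.product(*parse_template(template)):
        yield "".join(combo)


def write_wordlist(template: str, path: str) -> int:
    """Write one candidate per line (the -a 0 wordlist format); return the count."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for candidate in expand(template):
            fh.write(candidate + "\n")
            n += 1
    return n


if __name__ == "__main__":
    # Constructed demo template: unsure whether e->3 and o->0 were applied
    # at three positions, so 2 * 2 * 2 = 8 candidates.
    demo = "Th[e3]QuickBr[o0]wnF[o0]x"
    print(f"{demo!r} expands to {candidate_count(demo)} candidates:")
    for c in expand(demo):
        print("  ", c)
```

The grammar is deliberately tiny: a group can only hold single characters, so a quirk such as “this whole word may or may not be case-inverted” has to be spelled out one character at a time, and a literal [ or ] cannot appear in the template. Checking candidate_count() before calling write_wordlist() is the useful habit; the count grows by a factor of the group size for every group added.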

The first idea was to use something like pykeepass to try each password against the database. That would have worked, but it would take too long, and ain’t nobody got time for that.

The solution I ended up with was to extract the hashed master key and then check the generated passwords against it.

John Likes Cats

To extract the master key I used John the Ripper. PS: do not use the Python version, because it gets some values wrong.

./JohnTheRipper/run/keepass2john database.kdbx > database.hash

I had to remove the file name from the start of the hash file. Then, to check the passwords, I used Hashcat.

./hashcat -a 0 -m 13400 database.hash word_file.txt

After a few minutes, I had my password.

Not bad for an hour’s worth of work, right? I changed the password and made the quirks easier to remember. Next, I disabled Touch ID for Keepass, so now I’m typing in my password again, just so I don’t forget it again.