A refresh build for Password Corral 4.0 beta 2 is now available for download.
A user, after doing some testing, noted that if his master password was set to something like "00940094", he could enter only "0094" and successfully log into Password Corral.
Putting aside the fact that using such a password is inherently insecure, I delved deeper into the Blowfish encryption and discovered that keys are padded out to fill the 448 bit buffer. Thus password accounts that use keys with redundant characters like the above example could be opened by just using one of the redundant portions.
While this is really an issue of selecting a more secure master password, I decided to change how Password Corral 4.0 stores the master password to bypass this problem. Starting with this build and going forward, the master password will be stored using the MD5 Message-Digest Algorithm. This creates a one-way hash of the master password that cannot be decrypted back to the original password but will work around the above problem with passwords that use redundant characters in them (though you should still avoid using a password like that). Note that all data stored by the program will still be encrypted using Blowfish or Diamond2.
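The behavior reported above follows from how Blowfish's key schedule consumes its key: key bytes are read cyclically, wrapping to the start, until all eighteen 32-bit P-array words have been XORed with key material. The sketch below is an added example, not Password Corral's code; the function names are hypothetical. It reproduces that first step to show why "0094" and "00940094" are interchangeable as Blowfish keys while their MD5 digests are not.

```python
import hashlib

P_WORDS = 18  # Blowfish P-array: eighteen 32-bit subkeys (72 bytes)


def cycled_key_words(key: bytes) -> list[int]:
    """Return the 18 words Blowfish XORs into its initial P-array.

    The rest of the key schedule depends only on these words and on
    fixed constants, so equal words mean an identical schedule.
    """
    if not 4 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 32 to 448 bits long")
    stream = bytes(key[i % len(key)] for i in range(P_WORDS * 4))
    return [int.from_bytes(stream[i:i + 4], "big")
            for i in range(0, len(stream), 4)]


def same_key_schedule(a: bytes, b: bytes) -> bool:
    """True when two keys feed identical words into the key schedule."""
    return cycled_key_words(a) == cycled_key_words(b)


def shortest_equivalent(key: bytes) -> bytes:
    """Shortest valid prefix of key that yields the same key schedule."""
    for n in range(4, len(key) + 1):
        if same_key_schedule(key[:n], key):
            return key[:n]
    return key


def md5_verifier(password: bytes) -> str:
    """Digest compared at login instead of relying on the cipher key."""
    return hashlib.md5(password).hexdigest()


if __name__ == "__main__":
    full, part = b"00940094", b"0094"  # the passwords from the report
    print("same Blowfish schedule:", same_key_schedule(full, part))
    print("shortest equivalent   :", shortest_equivalent(full))
    print("MD5 digests match     :", md5_verifier(full) == md5_verifier(part))
```

The digest comparison rejects the shortened password because a hash covers the exact byte string entered. For a stored verifier, a salted and deliberately slow derivation such as PBKDF2 resists offline guessing far better than a single unsalted MD5.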
NOTE: When you first start this new beta 2 build it will update your password data file to re-encrypt your master password using MD5. All import and export features have been updated to work with this change, but any existing export files from a prior beta release must be updated. So if you're keeping a copy or copies of your password data in export files, make sure to create new ones as the old files will no longer import.
That said, you should make an export of your password data from a prior beta build and keep it in a safe place. While I've tested this new build and am confident there are no problems, most of the import and export routines had to be modified, so if a major bug is found, you'll be able to return to the prior build.
Please make sure to report any bugs or errors you find as it will continue to help make the program better. Next up will be beta 3 which should hopefully be feature complete!
Thanks to everyone for your continued support.