Summary
The gokey utility uses an inadequately low iteration count (4,096) for PBKDF2-HMAC-SHA256 when deriving the master encryption key for "seed files". This significantly weakens the cryptographic protection described in the documentation, allowing an attacker who obtains a user's seed file to perform high-speed offline brute-force attacks to recover the master password and all derived secrets.
Details
gokey is a vaultless password manager that can optionally use a "seed file" as an entropy source. According to the README.md, it is "reasonably safe to store/backup seed files to a third party location" because the data is encrypted with the user's master password.
The encryption key (masterkey) used to protect the seed file is derived in csprng.go using the passKey function:
func passKey(password, realm string) []byte {
	return pbkdf2.Key([]byte(password), []byte(realm), 4096, 32, sha256.New)
}
The iteration count is hardcoded to 4096. This value is drastically below modern security guidelines (e.g., OWASP recommends at least 600,000 iterations for PBKDF2-HMAC-SHA256). Since the 12-byte salt is stored as a plaintext prefix in the seed file, the salt adds no secrecy, and the low work factor makes the master password vulnerable to GPU-accelerated brute-forcing.