strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0

Unable to update master credentials, if the database uses empty password + keyfile as credentials #740

Closed hehongbo closed 9 months ago

hehongbo commented 10 months ago

Yes, I know it might not be a good idea if I'm too lazy to enter a password and unlock my database with just a key file, but here is the issue:

I came here from KeePassXC last year, where I imported both my KDBX database and my key file (also generated by KeePassXC), and started here without generating a new one in StrongBox. I haven't updated my unlock credentials since then. Today I've been trying to update it, and StrongBox tells me:

"Those credentials are incorrect and your database has now been locked for security reasons."

[Screenshot 2023-11-26 at 12 26 43]

Here are steps to reproduce it:

  1. Create a new database with the button in the bottom-right corner, and select KeePass 2 (Default)
  2. In the "Enter Master Credentials" interface, uncheck "Use a Password", and after getting the red prompt about "at least to use either 3", check "Show Advanced"
  3. Generate a key from the system's entropy device (dd if=/dev/random of=key bs=4096 count=1), and chuck this "key" into the file field under "Use a Key File"
  4. StrongBox prompts me to save a newly generated "Untitle.kdbx", save it, and then hit "Unlock" directly.
  5. Under the "Database" menu, click "Change Master Credentials"
  6. The dialog "Verify Master Credentials" appears, and already has "Accept Empty Password" checked and my key file selected.
  7. Hit "Unlock" directly and I will be kicked out with "Those credentials are incorrect and your database has now been locked for security reasons.", even if the credential "empty password + key" is the correct combination.
  8. Then I'm brought back to the unlock interface with the "Accept Empty Password" checked and key file selected, hit "Unlock" again and I can still enter my database, proving that this combination is correct, but not being accepted by the "Verify Master Credentials" dialog.

Looking into the console, I thought this one is relevant:

Error getting Decrypting KDBX4 binary: [Error Domain=com.markmcguill.strongbox. Code=-241 "Incorrect Passphrase/Key File (Composite Key)" UserInfo={NSLocalizedDescription=Incorrect Passphrase/Key File (Composite Key)}]

I'm running the current MAS version of StrongBox (1.58.33), and macOS version 14.1.1.
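Added example (my own code, not Strongbox's): the KeePass 2 composite-key derivation, showing that "empty password + key file" and "key file only" are two different credentials, which is the distinction the "Accept Empty Password" option in the dialogs above is there to make. The key-file rules follow the KeePass 2 format as I know it (the XML key-file form is left out), and the 4096-byte key-file contents are constructed to stand in for the dd-generated file from the report.

```python
import hashlib
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Derive the 32-byte key-file component as KeePass 2 does.

    Assumed KeePass 2 rules: a 32-byte file is used raw, a 64-character
    hex file is decoded, and anything else (such as the 4096-byte
    /dev/random file from the report) is hashed with SHA-256.
    The XML key-file form is not handled here.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text, fall through to hashing
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """KeePass 2 composite key: SHA-256 over the concatenated components.

    password=None means "Use a Password" is unchecked (no component at all);
    password="" means an empty password was accepted, which still
    contributes SHA-256("") and therefore changes the final key.
    """
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += key_file_key(keyfile)
    if not parts:
        raise ValueError("at least one credential component is required")
    return hashlib.sha256(parts).digest()


# Constructed stand-in for the 4096-byte key file (dd bs=4096 count=1).
KEYFILE = bytes(range(256)) * 16


def empty_and_absent_differ(keyfile: bytes = KEYFILE) -> bool:
    """True when 'empty password + key file' and 'key file only' derive
    different composite keys, i.e. only one of them can open a database."""
    return composite_key("", keyfile) != composite_key(None, keyfile)
```

A verify step that treats an accepted empty password as "no password" (or the reverse) would derive the wrong composite key and report the credentials as incorrect even though the unlock screen accepts them.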

strongbox-mark commented 10 months ago

That's quite the edge case I must have missed! Thanks @hehongbo - Will take a look into this shortly...

strongbox-mark commented 9 months ago

Hi @hehongbo - This should be fixed for you in 1.58.37, could you confirm and close?

hehongbo commented 9 months ago

> Hi @hehongbo - This should be fixed for you in 1.58.37, could you confirm and close?

Thanks @strongbox-mark

With StrongBox updated to 1.58.37, I can confirm this is fixed. On a testing database I tried updating the master credentials from just key file to keyfile+password combination and vice versa, both work without issue, and I updated the master credentials of my main database, for the first time after I migrated my KDBX file to StrongBox : )

Nice work!