VBA/Excel Password minder cracker wanted

Souleh · 21 Jan 2011 at 15:36

Hi all,

Got a wee script to mind passwords and wondering if anyones up for some cracking!

Worthwhile just leaving the file on here?

-Pete

RoyMi6 · 21 Jan 2011 at 16:37

Sounds a lot like KeePass - http://keepass.info/. You made it just for fun?

Host it and post and link and we can all have a spy.

Souleh · 22 Jan 2011 at 14:47

Alright heres the link

http://souleh.co.uk/excel/Password Minder Generic.xlsm

Normally the file is password protected but I have removed that for now.

Theres 3 passwords stored in the file

Craig321 · 22 Jan 2011 at 15:09

Souleh · 22 Jan 2011 at 15:20

Did you get the passwords though?

Use the get password method / button to retrieve the de-crypted version

slylittlefox · 22 Jan 2011 at 15:24

Code:

Sub load()

    UserForm1.Show
    
End Sub
Sub unlockSheet()

    Dim s As String
    
    s = InputBox("Enter Password")
    
    If s = UserForm1.pwtb Then
        Worksheets("pw").Visible = True
        Worksheets("pw").Select
    Else
        MsgBox "Incorrect password - Closing workbook."
        ActiveWorkbook.Close (True)
        Application.Quit
    End If
    
End Sub

Sub hideSheet()

    Worksheets("pw").Visible = xlVeryHidden
    
End Sub

slylittlefox · 22 Jan 2011 at 15:24

Bah beaten to it

Souleh · 22 Jan 2011 at 15:27

Neither of the 3 passwords have been posted on here. He has beaten the first stage of unlocking the encrypted codes

I wouldnt pin my security on VBA's ability to lock code.

This is why I felt it very good for people to beat it - excel is very hard to lock down

slylittlefox · 22 Jan 2011 at 15:56

Oh I see - carrying on then

tntcoder · 22 Jan 2011 at 16:03

You're using AES / Blowfish to encrypt the passwords, so excel doesnt really come into the equation

Is it worth us brute forcing the password? Or is it of too sensible quality to not bother.

slylittlefox · 22 Jan 2011 at 16:04

tntcoder said:
You're using AES / Blowfish to encrypt the passwords, so excel doesnt really come into the equation

Is it worth us brute forcing the password? Or is it of too sensible quality to not bother.

Was just about to post this - do you actually want us to show the decrypted passwords? Because then we're testing the security of the encryption algorithms rather than your program.

Souleh · 22 Jan 2011 at 16:10

Was simply asking if theres any gaping voids in implementation and creation of the tool.

I didnt set out to make any product of types but just a decent password holder for a lot of system passwords I keep that have a very short expiry date and refuse to allow anything similar to the previous 5-10 used.

If you guys think its secure enough then I wont ask you to waste time brute forcing it.
Out of curiosity though how would you be able to brute force this application?
Irrespective of the pass code being correct or incorrect it will return a password. Some sort of semi - intelligent gatherer whereby only logical (defined by coder) outcomes are kept?

Craig321 · 22 Jan 2011 at 16:14

We shouldn't have really been allowed to see the hashes in the first place

. But I guess VBA is difficult to protect properly.

Cannot decrypt the passwords, unless you give me some super computers and a few years.

Souleh said:
Was simply asking if theres any gaping voids in implementation and creation of the tool.

I didnt set out to make any product of types but just a decent password holder for a lot of system passwords I keep that have a very short expiry date and refuse to allow anything similar to the previous 5-10 used.

If you guys think its secure enough then I wont ask you to waste time brute forcing it.
Out of curiosity though how would you be able to brute force this application?
Irrespective of the pass code being correct or incorrect it will return a password. Some sort of semi - intelligent gatherer whereby only logical (defined by coder) outcomes are kept?

I can't see any implementation issues, providing you're not storing the key in plain text or something silly!

It's simple to brute force this application as we have a list of the password hashes, but because of the encryption technique used it's not really something I'd want to wait around for! I guess you mean brute force this application as in getting round the protection all together. I can't see that being possible because of the encryption.

You should see if you can protect the password hashes, seeing them is a step too close for comfort

tntcoder · 22 Jan 2011 at 16:18

Yer you could take the hashes and wrap a brute forcer around them and then you could do a complex search of things like dictionary words, custom word lists etc but once that fails you're out of luck.

Souleh · 22 Jan 2011 at 16:25

Craig321 said:
We shouldn't have really been allowed to see the hashes in the first place . But I guess VBA is difficult to protect properly.

Cannot decrypt the passwords, unless you give me some super computers and a few years.

I can't see any implementation issues, providing you're not storing the key in plain text or something silly!

It's simple to brute force this application as we have a list of the password hashes, but because of the encryption technique used it's not really something I'd want to wait around for! I guess you mean brute force this application as in getting round the protection all together. I can't see that being possible because of the encryption.

You should see if you can protect the password hashes, and seeing them is a step too close for comfort

Yes its a bit annoying but nothing can be completely hidden. Only thing I can think of is mis-direction or something equally annoying to put people off etc!

Im new to encryption so this is my first shot at it so its good to see I chose a decent enough standard.

FYI. (for those that didnt get it)
The password to unlock the GUI is "hehe" - No quotes.

The passcode to de-crypt is "kawasaki636" - Same, no quotes.

Thanks guys