[Cryptography] Norton Password Vault

Kevin W. Wall kevin.w.wall at gmail.com
Sun Nov 18 21:50:30 EST 2018

A friend of mine who is a financial advisor just had one of his
clients pass away. His client used Norton Anti-virus Password Vault
to manage all of his web passwords. (Not sure what version, if it
matters.) Unfortunately, he had not thought to share his master
password to Password Vault with his wife or daughter, and they have
not found anywhere that it is written down. The widow and the deceased
man's daughter have been trying some passwords that they think
he might have used, based on a few that they knew, but so far have
been unable to guess the Password Vault master password. Password
Vault makes you restart the program after N failed attempts (I think
N is 3), so automating some sort of dictionary attack is harder than
it ought to be.

I was wondering if anyone was aware of the details of the file format
of the Norton Anti-virus Password Vault file. I know that it is using
AES (I was told 256-bit), but don't know what cipher mode or padding
scheme it is using. It probably is using some sort of PBE, but I have
no idea what it is using for the password-based key derivation
function... whether it is PBKDFv2 or scrypt or bcrypt, etc., and even
if I knew that, I wouldn't know how to pull out any salt from the
vault file. (I don't have a copy of Norton Anti-virus Password Vault,
and even if I did, I don't have a copy of Microsoft Windows that I
could even run it on.)

Ideally, what I would like is some program that I could use to supply
the vault file itself as well as a file containing some passwords to
try, so we could try it with some common dictionary words, etc. (His
daughter is in IT, so she would at least know how to run such a
program, even from the command line, and I could give them guidance on how
to prepare a custom cracking dictionary they could try.) I know that
there used to be a program similar to what I am describing for Schneier's
original Password Safe file format, because I used it maybe 15 years or
so ago; ideally, I'd like something like that, but I'd settle for
enough technical specifications that would allow me or his daughter to
write such a program.

On the other hand, I told them their best bet would probably be to look at
IRS returns to see what accounts he had, and then contact those places
once they have settled the will and try to get them to reset the
passwords or otherwise get access to the accounts. (I figure if
they can guess the user name they may be able to use the "forgot
password" flow and discern answers to the security questions used to
reset passwords.) That is plan B right now, but may soon become plan A
if the above doesn't pan out.

Thanks to anyone who can provide any help. Googling really didn't
help at all, so I thought I'd ask here before I tell them it's completely
hopeless and wait until the estate is settled and go with plan B.

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.