Author Topic: Avast Passwords and Zero Knowledge?  (Read 2313 times)

Offline TheIndifferent

  • Newbie
  • *
  • Posts: 2
Avast Passwords and Zero Knowledge?
« on: April 13, 2019, 08:47:12 PM »
I've seen somewhere on this forum that Passwords is zero-knowledge storage, but I was not able to find any more technical info on the subject.

What I see is, when I install Passwords on a new device, the first step is to create a master password. I type a password that is different from my previous devices, then I turn on synchronization, it downloads my old passwords, and they are immediately seen. I thought that zero-knowledge is based on the master password being the same across all my devices and all my data being encrypted on the client, so synchronization with a different master password should not be possible. To be honest, that does not look like zero-knowledge.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Avast Passwords and Zero Knowledge?
« Reply #1 on: April 13, 2019, 09:10:54 PM »
> I've seen somewhere on this forum that Passwords is zero-knowledge storage, but I was not able to find any more technical info on the subject.
-> https://files.avast.com/files/passwords/security-whitepaper.pdf
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline TheIndifferent

Re: Avast Passwords and Zero Knowledge?
« Reply #2 on: April 13, 2019, 09:56:22 PM »
Thanks, I've seen this one, but it is very concentrated on the initial device. Consider the following:

0. I already have a vault synced to Avast servers, as described by point 5 in the whitepaper.
1. I install Passwords on a new device, and create a new Master Password. It creates a strong Local Key.
2. I log in with my Avast account and enable synchronization.
3. Vault Passwords and Vault Keys are downloaded from Avast servers to this device.
4. ?...
5. Vault Keys now can be unlocked with the key derived from my Local Key, which is unique for the device.

So what happens at step 4? I am clearly missing something here, some shared secret between devices, or the way to establish that shared secret.
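
The gap asked about in the post above, as an added example that is not part of the thread and not Avast's implementation: a vault key wrapped under a key derived from one device's master password cannot be unwrapped with a key derived from a different password, so the new device needs some secret shared with the old one. The pairing secret, all names, and the HMAC-based wrap (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, secrets

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Per-device key-encryption key (KEK) derived from the local master password.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(kek: bytes, secret: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(kek, nonce, len(secret))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    # Returns the wrapped secret, or None when the key is wrong or the blob was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def scenario():
    vault_key = secrets.token_bytes(32)               # encrypts the stored passwords
    kek_a = derive_key("master password on device A", secrets.token_bytes(16))
    kek_b = derive_key("different password on device B", secrets.token_bytes(16))
    synced_blob = wrap(kek_a, vault_key)              # all the server ever stores
    without_step4 = unwrap(kek_b, synced_blob)        # device B alone: fails
    # Hypothetical step 4: a pairing secret both devices hold, never sent to the server.
    pairing_secret = secrets.token_bytes(32)
    transfer_blob = wrap(pairing_secret, vault_key)   # A -> server -> B, opaque to the server
    received = unwrap(pairing_secret, transfer_blob)
    local_blob = wrap(kek_b, received)                # B re-wraps under its own KEK
    return without_step4, unwrap(kek_b, local_blob) == vault_key

if __name__ == "__main__":
    print(scenario())
```

If a new device can read the vault without any such secret from an existing device, the key material must have reached it in a form the server could also use, which is the concern the post raises.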

Offline Asyn

Re: Avast Passwords and Zero Knowledge?
« Reply #3 on: April 14, 2019, 01:43:29 PM »
That's all I know, but feel free to wait for one of the devs.