Password Managers / Password Vault

Rich RumbleSecurity Samurai
CERTIFIED EXPERT
OSCP certified, need I say more?
There are many Password Managers (PMs) out there to choose from. PMs can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PMs.

About Security and Password Managers

Security is a trade-off, typically between ease of use and how secure your data is. I have written extensively about passwords here on EE, as well as encryption; I encourage you to read those articles for more details regarding password security itself. Password managers (PMs) typically do as their name suggests. Like most vaults, one key (maybe two) is all that is needed to unlock it, and inside are many additional items of value.


PMs offer to store, as well as generate, strong, random and totally unguessable passwords for your accounts. You only have to remember one strong password yourself to get at all the other passwords inside the manager. Some PMs may be easier to use; some may leave certain exercises up to you (syncing, vault storage, etc.).


Password Manager/Vault Attack Vectors

As I have described before, once an encrypted volume is opened, you, the user, can easily read what is inside it. So if your host is compromised, the attacker (likely) has the same access as you do; again, that is after it has been unlocked by you. That vector exists in many encryption products: it is a natural consequence that when the key is in the door (in memory), anyone can open it. Below are attack vectors for both locked and unlocked PMs:


Memory/Clipboard

Keystroke logging is obviously another way an attacker can get your password manager's master password; again, this applies to many login/authentication methods. A mitigating factor some password managers use is to copy the password you select into memory (the clipboard) with your mouse rather than having you type it. The clipboard is a very good way to avoid keystroke loggers, but as you'd expect, if your host is infected/compromised, there are naturally ways to read the clipboard too.


Offline

Attacking a PM vault offline is about the only way you can get into it if you forget the password. Or, if you're an attacker, you can try this method to guess/brute-force your way into someone's PM. Most vaults use very slow key derivation, or a "high rounds" setting, to slow down the cracking process. Even attacks on simple/small passwords should go so slowly that it may take weeks to recover "123456" as a password. Still, use longer, stronger passwords. While 50-100 guesses per second may seem fast, let me assure you, it is not.
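To see why the rounds setting matters, here is an added example (not code from the article or from any password manager) that measures how many key derivations per second one CPU core can perform at a given round count and turns that into a worst-case time to exhaust a keyspace. It assumes PBKDF2-HMAC-SHA256 as an illustrative stand-in for the vault's own KDF and uses constructed throw-away candidates only; nothing is cracked.

```python
import hashlib
import os
import time


def derive_vault_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (stand-in vault KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def measure_guess_rate(rounds: int, salt: bytes, trials: int = 5) -> float:
    """Key derivations per second on this machine for the given round count.

    Every offline guess must pay one full derivation, so this is the ceiling
    on the attacker's guess rate per core. Candidates are constructed strings.
    """
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"candidate-{i}", salt, rounds)
    elapsed = time.perf_counter() - start
    return trials / elapsed


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case seconds to try every password of `length` symbols."""
    return (charset_size ** length) / guesses_per_second


if __name__ == "__main__":
    salt = os.urandom(16)  # a real vault stores its own salt in the file header
    for rounds in (1_000, 100_000, 600_000):
        rate = measure_guess_rate(rounds, salt)
        pin_hours = seconds_to_exhaust(10, 6, rate) / 3_600      # e.g. "123456"
        lower8_years = seconds_to_exhaust(26, 8, rate) / 31_557_600
        print(f"{rounds:>7} rounds: {rate:9.1f} guesses/s | "
              f"6 digits: {pin_hours:8.2f} h | 8 lowercase: {lower8_years:10.1f} y")
```

Raising the rounds multiplies every figure in the last two columns, which is exactly the trade-off the vault makes: a slightly slower unlock for you, a much slower search for anyone holding a copy of the file.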


Autofill

Some PM products also have the ability to fill in your details (name, address, phone number, etc.) if you configure them to. You visit a webpage and your PM detects a form that might be asking for your data, or you visit a webpage, open your PM, select the form data you want filled in, go back to the webpage and voila! The forms are filled in with your information. Again, this is a feature that was exploited in more than one manager; it has been fixed in those products, but more flaws like this could exist again or be as yet undiscovered. Examples are LastPass, 1Password and browsers as well, and don't think that it's just Windows users that are affected.


Credential / Login Sharing

Many password managers allow you to share a login/password with others. If your significant other needs to pay a bill for you, you can send them a page to log into and they can then see the username and password they need. If you send the "credentials" rather than the plain-text password, the person you're sharing with needs to have the app/software installed so the credentials can be decrypted and used. The person you're sharing the credentials with can't easily see the username/password, but that is not to say they can't find it out pretty easily: if they copy and paste into a webpage they control, or into Notepad, the details will be revealed. This is an ill-advised feature for someone you do not trust and/or for an account that is sensitive/important. PMs make a best effort to secure shared credentials, but no more than that.


Cloud

Many password managers have "Cloud" offerings, and a few also claim that the master password is never sent to the cloud. Instead, the app/client downloads the vault, and you enter the password on the device the vault resides on. The device stores the password in memory and can read the vault when you need a password or want to fill in a form.

Again, various cloud-based PMs have been exploited over the years, and more are sure to follow. Cloud offerings provide a level of convenience that most users love, and that many security professionals are skeptical of.


Principles of Security

Never forget that your security is only as strong as its weakest link. Over the years, with all the password and data dumps that have taken place, we have come to find that passwords can be a very weak link. But I have to say, they weren't the weakest link in most of these data dumps. There was another way into the network(s), and with it the ability to get the database of hashes or, in some cases, the plain-text passwords themselves. Having a password manager and super strong passwords does not negate other weak links in security. It only means that when/if your data is dumped, perhaps your password won't fall when the hackers and researchers try to crack it. Password managers do have the intention of helping in this situation! Not reusing a password is as important as using a strong one! Don't use the same password, or a similar password, anywhere else; use very diverse passwords. A PM can make that a very real and manageable possibility!




Alternatives (Personal)

What I've outlined above as far as attack vectors seems very gloomy. I personally would never use a cloud-based password manager; I am partial to "Password Safe". I am able to do the same thing a cloud-based PM does: securely copy a vault to a device I want to read the vault with. I can keep the vault on a share on the web, in a draft in my email, anywhere I can get to it securely. I do not actually EMAIL it, but keeping it as an attachment in draft form allows me to view/download it over HTTPS and keep it behind another username/password as well. I do not keep credit card or other information (address, phone...) in my manager, even if it were provably 100% secure; I can type in a 16-digit number when needed. That is a trade-off I make: convenience isn't what I'm trying to solve, it's the volume of passwords I have to know/remember. I know my information, I have my credit card with me at all times, and I don't allow my browser or PM to remember those things for me. Having to work a little bit harder to access that data keeps my guard up.


Spreadsheets used to be a common place to find passwords stored, and this was (and is) frowned upon. The security (encryption) that protected spreadsheets was laughable prior to Microsoft Office 2007 (SP2). Ever since then, however, I'd say using a password-protected (password to open) spreadsheet isn't half bad. Excel isn't as feature-rich as most PMs, but it can still serve as a viable "vault" for your login data. Office documents, however, leave many artifacts on the system, so consider them a good runner-up, or good in a pinch, for a PM :)


If you're interested in the Enterprise versions of PMs, have a look at my other article:

https://www.experts-exchange.com/articles/29099/Enterprise-Password-Managers.html 


P.S.

More compromises worth noting:

KeeThief (attacks KeePass)

https://github.com/HarmJ0y/KeeThief

LastPass flaws

https://www.theregister.co.uk/2017/03/27/lastpass_confirms_major_flaw/


-rich
