Password managers, something I'm not getting

drykid Posts: 1,510
Forum Member
OK so all this talk of Gameover Zeus or whatever it's called is finally convincing me that I need to bite the bullet and install a password manager. But not having used one before I'm struggling to understand what the best way to use one of these is in practice.

From reading online it seems that most password manager software stores passwords for a particular site and then whenever you visit that site the password manager will kick in and automatically log you in using the password it has stored (so really it's just like having the browser remember your password for you, except presumably more secure since the password is being stored by the password manager rather than within the browser.) But doesn't this mean that if someone somehow gains access to my PC - either physically or via some kind of remote access vulnerability - then they no longer even need to know my passwords, because they just need to visit ebay or paypal or whatever and hey presto the password manager will just let them in automatically?

My current method of just memorising passwords as best I can may not be perfect, but at least this way I type them in manually each time I visit a site and don't let the browser remember them. So in some ways this actually seems more secure than using a password manager that would just fill them in automatically.

Any thoughts? Am I missing something obvious? Is there software out there that simply acts as a password vault for storing and retrieving your passwords and nothing more? Because I think that might be more what I'm actually after.

Comments

  • TheTruth1983 Posts: 13,462
    Forum Member
    I would be wary of using any online service that stores all your passwords 'in the cloud'. The potential security implications with that are fairly obvious, as you are essentially trusting a third party with some very sensitive data.

    I use KeepassX which is entirely off line which means I keep control of all my passwords. Sure, it means I sacrifice convenience but that is not my priority when it comes to my passwords.
  • !!11oneone Posts: 4,098
    Forum Member
    Access to your machine is a vulnerability, but you can set a master password to log in each time. Also, they usually can't see your actual passwords, so they'd have to do everything in your browser! In reality, this vulnerability is much, much smaller than using an easy but less secure password everywhere.

    Also, your machine is usually safe with you. If you suspect a third party has access, you can reset the master password and lock them out.

    Cloud based services like lastpass work with mobile devices too (protected by the password or a code) and although they store on their servers, it's encrypted and only decrypted locally so a hack on their system won't expose your data.
  • ibatten Posts: 418
    Forum Member
    drykid wrote: »
    But doesn't this mean that if someone somehow gains access to my PC - either physically or via some kind of remote access vulnerability - then they no longer even need to know my passwords, because they just need to visit ebay or paypal or whatever and hey presto the password manager will just let them in automatically?

    You get to choose your level of risk. With Lastpass (and it's roughly the same with the others) the password manager locks after some period of time, after which you need to supply your master passphrase. The "lock" is fundamental, in that the evolved key derived from the passphrase is overwritten. You can also if you want set particular passwords to require the master password each time they're used, or with a shorter timeout.

    I'm a security researcher working in formal verification, and I use Lastpass. There are some aspects of it that worry me, but I think the advantages (16 or more character randomly generated passwords, different for each of my 200+ accounts) outweigh the weaknesses (an attacker who gets physical access to my unlocked machine has an advantage). I use a Yubikey as a second factor for access to Lastpass, so even if I give you my Lastpass passphrase you still need the Yubikey to obtain my encrypted passwords, and I use two-factor authentication for stuff that really matters.
  • noise747 Posts: 30,806
    Forum Member
    I have been using LastPass for months now, in fact it has got to be over 2 years, and I have never had a problem with it. I know it is a cloudy thing and yes, I am normally a bit worried about cloudy stuff, but I've got no worries about LastPass.

    What is good is that it works on Windows, Mac and Linux and on the main browsers; you can access it online from any device if need be, and being online, if your computer goes belly up, you do not lose the passwords.
    There are mobile apps, but they are part of the pro version and that is not free.
  • platelet Posts: 26,377
    Forum Member
    drykid wrote: »
    Is there software out there that simply acts as a password vault for storing and retrieving your passwords and nothing more? Because I think that might be more what I'm actually after.

    Yep Keepass
  • drykid Posts: 1,510
    Forum Member
    !!11oneone wrote: »
    Access to your machine is a vulnerability, but you can set a master password to log in each time. Also, they usually can't see your actual passwords, so they'd have to do everything in your browser! In reality, this vulnerability is much, much smaller than using an easy but less secure password everywhere.
    Yeah I guess you have to decide which vulnerability most bothers you. I suppose I'm just concerned about the idea that something that makes me safer in one respect might actually be making me less safe in another. I do agree though that the thing to be most concerned about is people trying to access a site as you but who have no access to your actual PC. So the additional risk via remote access is probably worth paying in return for having unique, complex passwords across all sites. But still, I think I'd rather have the best of both worlds.

    I do have a password for login to Windows itself obviously, but I'm concerned that if a virus was to install some kind of remote backdoor into the PC then this wouldn't necessarily help much.
    platelet wrote: »
    OK I'll check that out specifically then; thanks :)
  • !!11oneone Posts: 4,098
    Forum Member
    In which case, set up LastPass to use 2-factor authentication, either by getting a YubiKey or by using Google Authenticator on your phone (I use the latter). To log into LastPass in the first place, you need both the password and the authentication.

    Then, even if they do have your machine they would also need either your phone or your YubiKey. It's pretty unlikely that they would get hold of both and certainly rules out a remote access vulnerability.
  • [Deleted User] Posts: 1,750
    Forum Member
    I use 1Password on the Mac. It stores all of my passwords, all of them long, with random letters, numbers and characters, as well as credit card info, wireless router info etc.

    1Password stores a key on your computer. If you want to use it on iOS or another Mac you can sync the key file using Dropbox or iCloud syncing. It uses 256-bit encryption and also informs you of any weak passwords and passwords that haven't been changed recently. Extensions work with Safari, Chrome and Firefox. There is also 1Password Anywhere, which allows you to put your key on a USB stick which opens in the browser so you can access it from any other computer.

    It is quite expensive but one of the best apps you can buy for Mac.

    The only thing to remember is a strong Master password, because if people know that then you are screwed. 1Password gets round this by being stored locally. Services like LastPass are cloud based but they have 2 step authentication so there is an extra layer of security.

    If you haven't already then you should enable 2 step auth on everything you can including Google, Facebook, Twitter, LinkedIn, Evernote, PayPal, Dropbox, Microsoft, GitHub, Heroku, Blizzard, Steam, LastPass, TeamViewer, Apple and Tumblr just to name a few:
    www.twofactorauth.org
  • paulj48 Posts: 1,122
    Forum Member
    kyussmondo wrote: »
    The only thing to remember is a strong Master password, because if people know that then you are screwed

    I don't think you necessarily need a strong master password. I use 1Password on my devices (a MBP, iPhone and iPad), and for someone to steal my passwords they would first need physical access to my devices, then need to unlock them, and then guess the master password.
  • ibatten Posts: 418
    Forum Member
    !!11oneone wrote: »
    In which case, set up LastPass to use 2-factor authentication, either by getting a YubiKey or by using Google Authenticator on your phone (I use the latter). To log into LastPass in the first place, you need both the password and the authentication.

    That's what I do (with a Yubikey), but I'm not quite sure what the threat model it's defending against is. I'm not sufficiently motivated to analyse it in detail, but I think it's a bit confused.

    Lastpass/1Password/Keepass protect you against attackers who steal hashes from websites and brute-force reverse them. They protect you because (a) they reduce the risk of the brute-forcing succeeding, even if the hashing is unsalted and generally rubbish, because they allow you to use long random passwords, and (b) they mitigate the consequences of your password being stolen (perhaps because some website you used stored it in clear or mailed it to you in clear) because the password is used on precisely one website. But if the attacker can run malware on your machine, you're ****ed whichever one you're using.

    You can only authenticate a hardware one-time password system against a service which knows the secret embedded in the token. So it can give a "yes, that checks out" or "no, that doesn't check out" answer, but it can't of itself give the key for a decryption. So the 2-factor stuff in Lastpass can only protect data which the attacker doesn't have; it stops the attacker from downloading the encrypted bundle that contains all your passwords. But if the attacker does in fact have the encrypted bundle, then the two-factor provides no real help. It may be that Lastpass's supplied code insists on authenticating with the two factors before it uses the master password to decrypt the bundle, but an attacker can just NOP that out of the code and proceed anyway.

    So the two-factor guards against an attacker who has your master password but doesn't have your encrypted bundle: an attacker with a keylogger, or an attacker who has shoulder-surfed you while logging on. They can't sign on to Lastpass, use your password, and download and decrypt the bundle, as Lastpass's service won't release the bundle unless they use the second factor that they don't have. However, if they have access to your machine and can obtain the bundle, it doesn't help.

    This is why I don't think the people who believe 1Password/Keepass and other "local" systems are better are making a terribly strong case. An attacker who can run malware on your machine can get your passphrase and the encrypted bundle. The only extra risk Lastpass brings is that an attacker who has your passphrase but doesn't have the ability to run code on your machine might be able to obtain the bundle from the Lastpass server and decrypt it using the passphrase they know. Leaving aside that a lot of people store their 1Password/Keepass bundle on Dropbox, which takes them precisely back to the same situation as Lastpass.
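    The two mechanisms ibatten describes in this post and in the earlier one (the "lock" that overwrites the key derived from the master passphrase, and a second factor that can only answer yes/no rather than hand over a key) can be shown in a few dozen lines. The block below is an added illustration written for this thread, not code from LastPass, 1Password or KeePass. It assumes a toy layout: PBKDF2 stretches the passphrase into the vault key, entries are encrypted with an HMAC-based stream cipher plus an HMAC tag (standard-library only; a real product would use AES-GCM or similar), a stand-in "sync server" releases the encrypted blob only when an RFC 6238 TOTP code checks out, and the passphrase, salt, TOTP secret, timestamp and vault entry are all constructed values. The `scenarios()` function walks through the three parties from the thread: the owner, a keylogger attacker who has the passphrase but not the token, and a malware attacker who already holds the blob.

```python
import hashlib
import hmac
import os
import struct

# --- vault side: everything here depends on the passphrase only, never on the 2FA token ---

def derive_key(passphrase: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch the master passphrase into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one derived key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_entry(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream. Needs only the key and the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("vault blob tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Vault:
    """Holds the encrypted blob; the derived key is in memory only while unlocked."""
    def __init__(self, blob: bytes, salt: bytes):
        self.blob, self.salt, self._key = blob, salt, None
    def unlock(self, passphrase: bytes) -> None:
        self._key = bytearray(derive_key(passphrase, self.salt))
    def lock(self) -> None:
        # "Lock" means overwriting the derived key, as the post describes. This is best
        # effort in Python (the interpreter may hold copies); native code would zero the buffer.
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
            self._key = None
    def get_entry(self) -> bytes:
        if self._key is None:
            raise PermissionError("vault is locked; master passphrase required")
        return decrypt_entry(bytes(self._key), self.blob)

# --- service side: the second factor yields a yes/no answer, never a decryption key ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, so the demo needs no authenticator app or YubiKey."""
    h = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = (struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class SyncServer:
    """Stand-in for a hosted sync service: it stores the blob and the shared TOTP secret."""
    def __init__(self, blob: bytes, totp_secret: bytes):
        self.blob, self.totp_secret = blob, totp_secret
    def download_blob(self, code: str, unix_time: int):
        # All the second factor buys: the blob is released only when the code matches.
        if hmac.compare_digest(code, totp(self.totp_secret, unix_time)):
            return self.blob
        return None

def scenarios() -> dict:
    """Owner, keylogger attacker and malware attacker, as discussed in the thread."""
    passphrase, salt = b"correct horse battery staple", os.urandom(16)  # constructed
    totp_secret, now = b"12345678901234567890", 1_700_000_000            # constructed
    blob = encrypt_entry(derive_key(passphrase, salt), b"ebay: hunter2")  # constructed entry
    server = SyncServer(blob, totp_secret)
    results = {}

    # Owner: passes the second factor, unlocks, reads, locks; reading again now fails.
    vault = Vault(server.download_blob(totp(totp_secret, now), now), salt)
    vault.unlock(passphrase)
    results["owner_reads"] = vault.get_entry()
    vault.lock()
    try:
        vault.get_entry()
        results["owner_after_lock"] = "readable"
    except PermissionError:
        results["owner_after_lock"] = "locked"

    # Keylogger attacker: knows the passphrase but has no token, so the server withholds the blob.
    real = totp(totp_secret, now)
    wrong = real[:-1] + str((int(real[-1]) + 1) % 10)
    results["keylogger_gets_blob"] = server.download_blob(wrong, now) is not None

    # Malware attacker: already holds blob + passphrase from the victim's machine; the 2FA
    # check is never consulted, because decryption depends on the passphrase alone.
    results["malware_reads"] = decrypt_entry(derive_key(passphrase, salt), blob)
    return results

if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k}: {v!r}")
```

    Nothing in `decrypt_entry` or `Vault` ever calls `totp`: that is the whole point of the post. The server-side check gates the download of the blob, which helps against the keylogger scenario, but a party that already has the blob and the passphrase decrypts it without the server's involvement, and a client-side "must pass 2FA before decrypting" check would just be a branch in code the attacker controls.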
  • paulj48 Posts: 1,122
    Forum Member
    ibatten wrote: »
    This is why I don't think the people who believe 1Password/Keepass and other "local" systems are better are making a terribly strong case. An attacker who can run malware on your machine can get your passphrase and the encrypted bundle.

    Are there many malware threats that run on iOS or OS X?
  • ibatten Posts: 418
    Forum Member
    paulj48 wrote: »
    Are there many malware threats that run on iOS or OS X?

    There's no particular reason why OSX or iOS (both of which I use) should be substantially more or less permeable than other operating systems. Modern operating systems with full ASLR (i.e. OSX post 10.7, iOS post 5-ish) have a slight edge over Windows and Android (whose ASLR implementation is a bit weak), but it's going to be very marginal. Most of the mystique of Apple security is because the platforms have smaller user bases and are perceived therefore as less worthwhile to exploit, and because the Apple user base is slightly more likely to be running patched and current bits.

    Assuming a vaguely up to date copy of Windows/Android/etc being used by someone who's not a complete idiot, and a vaguely up to date Mac/iPhone/etc being used by someone who's also not a complete idiot, then a targeted attack on each will be of about the same complexity.
  • paulj48 Posts: 1,122
    Forum Member
    ibatten wrote: »
    There's no particular reason why OSX or iOS (both of which I use) should be substantially more or less permeable than other operating systems.

    What, apart from the fact that Gatekeeper stops any sort of program being installed on OSX without explicit consent from the user, Java is disabled by default, and iOS unless jailbroken can only install apps from the App Store and not 'side loaded' like Android?
  • henrywilliams58 Posts: 4,963
    Forum Member
    No issues with LastPass for me. I love it.
  • ibatten Posts: 418
    Forum Member
    paulj48 wrote: »
    What, apart from the fact that Gatekeeper stops any sort of program being installed on OSX without explicit consent from the user, Java is disabled by default, and iOS unless jailbroken can only install apps from the App Store and not 'side loaded' like Android?

    None of those protections will be effective against an exploit based around stack smashing. Gatekeeper doesn't do what you appear to think it does: you can drop a file into the filesystem, mark it executable and exec() it without encountering any Gatekeeper controls. Gatekeeper only provides origin control and codesigning for application bundles (directories with the .app extension), not for arbitrary Unix executables. The attackers aren't so fussy.
    $ cat > foo
    #!/bin/bash
    date
    $ chmod +x foo
    $ ./foo
    Wed 11 Jun 2014 23:08:35 BST
    $ uname -a
    Darwin xxx 13.2.0 Darwin Kernel Version 13.2.0: Thu Apr 17 23:03:13 PDT 2014; root:xnu-2422.100.13~1/RELEASE_X86_64 x86_64
    $ 

    That means that any exploit which is able to create a file with code in it will be able to execute that file. As Perl and Python are shipped with extensive libraries, this means that an attacker who can create a file has arbitrary capabilities.

    ASLR is very powerful against that sort of attack, but ASLR is hardly unique to OSX. The mechanism you neglected to list in your enthusiasm was the OSX sandbox mechanism, which is incredibly powerful against stack-smashing attacks. Unfortunately, sandbox only has 47 profiles, and in fact is now protecting fewer daemons than it used to (10.8 had a profile for ntpd, for example, which 10.9 doesn't).
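    The scope point in ibatten's post, that Gatekeeper's origin and signature checks cover .app bundles and not bare executables, is something a defender can turn into an inventory check: list the executable files on a volume that sit outside any bundle and say what kind of thing each one is. The block below is an added example written for this thread, not a tool from Apple or anyone in the discussion. It scans a directory tree that it constructs itself (a stub bundle whose binary starts with a Mach-O magic number, a `foo` script of the same shape as the one in the post, and a non-executable text file), skips anything under a `.app` directory, and classifies the remaining executables by shebang interpreter or Mach-O header. It does not inspect the `com.apple.quarantine` attribute, since Python's `os.getxattr` is Linux-only; on a Mac you would pair this listing with `xattr` and `codesign -dv` on each hit.

```python
import os
import stat
import tempfile

# On-disk magic numbers for Mach-O thin and fat binaries (both byte orders).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def classify_executable(path: str) -> str:
    """'script:<interpreter>' for shebang files, 'mach-o' for native binaries, else 'other'."""
    with open(path, "rb") as f:
        head = f.read(256)
    if head.startswith(b"#!"):
        parts = head[2:].split(b"\n", 1)[0].split()
        interp = parts[0].decode(errors="replace") if parts else "?"
        return f"script:{interp}"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return "other"

def find_loose_executables(root: str) -> dict:
    """Map relative path -> classification for executable regular files outside .app bundles."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune bundles: those are the directories Gatekeeper's checks actually apply to.
        dirnames[:] = [d for d in dirnames if not d.endswith(".app")]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not what we are after
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found[os.path.relpath(p, root)] = classify_executable(p)
    return found

def build_demo_tree(root: str) -> None:
    """Constructed sample tree: one bundle binary, one bare script, one plain text file."""
    bundle_bin = os.path.join(root, "Demo.app", "Contents", "MacOS")
    os.makedirs(bundle_bin)
    demo = os.path.join(bundle_bin, "Demo")
    with open(demo, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # stub Mach-O header, not a real binary
    os.chmod(demo, 0o755)
    script = os.path.join(root, "foo")
    with open(script, "wb") as f:
        f.write(b"#!/bin/bash\ndate\n")  # same shape as the post's foo
    os.chmod(script, 0o755)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"not executable\n")

def demo() -> dict:
    """Build the sample tree in a temp dir and return what the scan finds outside bundles."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_loose_executables(tmp)

if __name__ == "__main__":
    for path, kind in demo().items():
        print(f"{kind:18} {path}")
```

    Run against a real home directory the listing is the set of files that a bundle-only control never examined; the bundle binary in the sample tree is deliberately absent from the result, and the bare `foo` script is the only hit.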