

Ask HN: Are password managers secure? - JuDue

OK so I've come to like a certain password manager.

I'm sure the data itself is secure in its raw encrypted form.

But, if I were an evil hacker, I'd be aiming to target the User Interface somehow. Since once I enter my password, the app is unlocked and my passwords are all there to find through the GUI. I'd aim to siphon out data through the OS and windowing system somehow, after the user has unlocked.

How much of a threat is this, do you think?

Also, having a Chrome plugin just feels like an extra hackable interface?
======
trekkin
If your system is hacked, _using_ any password manager is insecure. Some
password managers also have poor encryption, so even read-only access to your
password database can be bad.

KeePass (KeePassX in Linux) is one of the best, but a simple keylogger can get
your "master password" when you enter it, and thus access to your password
database.

Nothing is absolutely secure, there are just degrees of relative safety.

~~~
JuDue
So I guess in that case, given even large software companies release products
with dangerous exploits in them, password managers are a bad idea... why give
a hacker a single point to access every one of your passwords?

------
xvolter
The idea of phishing out your data through the UI would be extremely difficult.
There would be three methods you could attempt to gain access through a UI.
The first and simplest to try is to check in memory; it's possible the
application stores some data in memory after loading it from your database.
This is a minimal risk with certain types of applications: Java based or Web
applications are protected through security layers which make any information
that is in memory useless. The second method is to use an injection; this
primarily only works on Windows, and it would be a virus that would try to get
a hook into your password manager to try and gain access programmatically to
variables and memory. This is a threat to desktop applications, but again, a
minimal risk to Java or Web based applications protected by the JVM or the
browser's locking of the JavaScript. The third is the most useless for a
hacker to attempt, since it is fickle and unlikely to work: it'd be for them
to automate mouse clicks and keyboard actions to either the OS or the
application in an effort to copy your data. This would be fickle since the UI
can change, it has to be very precise actions, probably hard coded X,Y coords
and therefore very likely to break - and if you are using the computer at the
time it tries this, you will notice things going on.

Chrome plugins are not easy to gain access to. Chrome is a very secure
browser, and they lock their V8 JavaScript engine so no two plugins can talk
to each other unless they set up special hooks. They also run the entire
application in a locked state, which both prevents plugins from accessing the
operating system and prevents other applications from easily accessing Chrome
without a special plugin.

Web-based password managers offer many benefits over desktop-based password
managers. The risks for desktop-based are that there are many things they have
to fight against, and they also have to maintain your database in a state that
is secure against extreme bruteforce hacking attempts.

Web-based are protected by their application and the browser; at the same time
3rd party plugins can pose a risk, but developers of these can easily protect
against interference of plugins, and users can do so easily as well by
disabling plugins on that site.

To both, keyloggers are a minimal risk: most password managers you use not to
record your password but to create new account entries, and you are likely to
generate a unique password for each site, therefore a keylogger would be
useless. A clipboard monitor may pose a risk, but applications like KeePass
avoid this by using their Auto Login feature, and web/Chrome extensions avoid
this by auto-filling or auto-logging in your login details.

The risk of a keylogger getting your master password is also a minimal risk for
most applications. Most tend to offer "access codes" or "pin numbers" in
addition to your password, allowing you to enter a small additional password
or your original password via an on-screen keyboard, which negates the risk of
keyloggers.

The idea that a password manager is a "single point of failure" is also wrong.
The primary point of failure will be the end user releasing their login to
their password manager, not the password manager being hacked. Because all
password managers worth using encrypt your data, bruteforcing would take
years per user. If any online manager were hacked, your data would be one of
thousands and would likely never be decrypted to begin with. If it's a desktop
application, those tend to encrypt with even stronger types of encryption
because they can waste the CPU on it, which means even more years to
bruteforce if your database is given out.

The risk is in the end user, if he/she leaks his/her password or gets a
virus/keylogger that gets his/her master password. In which case this is just
the same as using the same password across all sites.

I have heard of people using a single password and adding the website's domain
they are registering under with a SHA1. Therefore if my password is
"password" and I'm registering a facebook account, I'd go to a SHA1 site, enter
"facebook.compassword" and get "ca2e97dbded3dc7af83446a225471fc6a721a1f9" as
my password.

Modern bruteforcing works quite quickly, so longer passwords are higher
security than a short password with special characters. Most sites require a
min length of a password, usually 5 or 6 characters, therefore a password of
"f1v3r" would be easy to brute force: if I know the min length, I could get to
that in a matter of minutes, whereas a long password like
"thisisalamepasswordbutitslongsohahahaha" would take forever to try and
bruteforce, and no dictionary hack method would work against that.

People who use password managers still make the mistake of using an insecure
password with it, allowing people to simply bruteforce into their account,
which is just as bad as using a weak password on websites directly, making the
use of a password manager pointless.

Personally, and I have bias to this, I recommend Cyphrd.com - it's an online
password manager that is well above any other online password manager for
security, they are well protected and the weakest point is the end user, which
they do all they can to help you protect yourself. Additionally they do more
than just passwords, it's also a secure note taking service, stores credit
cards, files/documents, contact and profile information for people, anything -
since they encrypt all the data client-side and are open source with their
encryption and are also constantly checked for security holes and patched
before any are made into production, it's a great service.
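Two parts of the post above lend themselves to a worked example: the "SHA1 of domain + master password" trick for deriving a per-site password, and the claim that a short password such as "f1v3r" falls to brute force quickly while a long all-lowercase one does not. The following Python is an added example written for this page, not code from the post's author or from any password manager it names. It assumes a guess rate of one billion guesses per second (a constructed figure for the estimate, not a measurement) and the usual character-class sizes (26 lowercase, 26 uppercase, 10 digits, 32 punctuation); the worst-case search space it reports is for an attacker who already knows the password's length and alphabet.

```python
import hashlib
import string

# Assumed attacker throughput for the estimate below (constructed, not measured).
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Standard character classes and their sizes.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def derive_site_password(master: str, domain: str) -> str:
    """Per-site password exactly as the post describes it: SHA1 over domain + master.

    The output is deterministic: the same master and domain always yield the
    same 40-hex-character string, and a different domain yields a different one.
    """
    return hashlib.sha1((domain + master).encode("utf-8")).hexdigest()


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard classes that covers the password.

    Characters outside all four classes (spaces, non-ASCII) each add one symbol.
    """
    size = sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))
    extra = {c for c in password if not any(c in chars for chars, _ in CHARACTER_CLASSES)}
    return size + len(extra)


def search_space(password: str) -> int:
    """Worst-case number of candidates for an attacker who knows length and alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in the search space at the assumed rate."""
    return search_space(password) / rate


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(password, rate) / SECONDS_PER_YEAR


def compare(short: str, long_: str) -> dict:
    """Side-by-side report for the two passwords the post contrasts."""
    report = {}
    for label, pw in (("short", short), ("long", long_)):
        report[label] = {
            "password": pw,
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "search_space": search_space(pw),
            "years_to_exhaust": years_to_exhaust(pw),
        }
    return report


if __name__ == "__main__":
    # The post's own inputs, reproduced as sample data.
    print(derive_site_password("password", "facebook.com"))
    for label, row in compare("f1v3r", "thisisalamepasswordbutitslongsohahahaha").items():
        print(f"{label}: {row['length']} chars over {row['alphabet']} symbols "
              f"-> {row['search_space']:.3e} candidates, "
              f"{row['years_to_exhaust']:.3e} years at {GUESSES_PER_SECOND:,} guesses/s")
```

Running it shows "f1v3r" (five characters over a 36-symbol alphabet) exhausted in well under a second at the assumed rate, and the 39-character lowercase password taking on the order of 10^38 years, which is the point the post makes about length. The derivation function also makes one property of the SHA1 scheme visible: the per-site output is a fixed function of the single master string, so the estimate that matters for it is the one run on the master, not on the 40-character hash it produces.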

