
Flaws in deterministic password managers - bascule
https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers
======
libeclipse
I'm the creator of visionary[0], a deterministic password generator that the
article links to. When I thought of the idea (quite a while ago), I thought it
was a good idea, and I thought I was the first one there. I was wrong on both
accounts.

The points that the article makes are right, and people should use
conventional passwords over deterministic ones.

But I guess it appeals to a certain small subset of people. For some servers
and things that I own I find myself using it sometimes: it turns a relatively
strong password into a monster of a password.

Another useful use is that it's good at sharing passwords for things with
friends, and for that, it's surprisingly handy.

For the average person however, the disadvantages and the things that could go
wrong outweigh the advantages. Keepass is what you should be using.

[0] [https://libeclipse.me/visionary/](https://libeclipse.me/visionary/)

~~~
ogrisel
Funny, I also implemented mine a while ago (mostly un-maintained but I still
use it):
[https://pypi.python.org/pypi/virtualkeyring/](https://pypi.python.org/pypi/virtualkeyring/)

I also thought I was clever and the first to do it ;)

I have been thinking about adding support to keep some state info in a yaml
file to deal with revocation and specific varying password policies (e.g. in a
dropbox synced folder) but I was too lazy to implement it. If someone wants to
do it please feel free to send a PR.

The compromised master password issue is a real issue though.

~~~
Nomentatus
Use a photo as the master password. It can't be confused with text.

------
ceronman
Two extra advantages of vault based password managers:

1\. The manager can automatically change old passwords for you. LastPass
supports a big set of websites; when Dropbox was hacked this was very handy. I
like to change social media passwords every few months and this makes it very
easy.

2\. You can store passwords that you can remember if necessary. Sometimes I
need to access a password for a service or a site in an environment where I
don't have an easy access to my password manager, for example when I'm using a
friend's phone or when I SSHd into another machine. In those cases it is handy to
have some passwords that you remember, but are stored in the vault just in
case you forget them. I only do this for a few passwords, but it's a nice
feature to have.

------
clark800
I've been surprised by how negative the opinions of deterministic password
managers have been since I've been using one for over two years and it has
been a much better experience overall than using KeePass on Dropbox, and I
also think that it's more secure than cloud-based systems (see point 4).

My take on the points in the post:

1\. Out of the 100 or so sites that I use, only a few have password policies
that require tweaks, and it usually just requires disabling symbols and/or
adjusting the length. These tweaks are cached in my browser, so this hasn't
been much of an inconvenience.

2\. My passwords are rarely revoked, and when they are it is just a counter
bump. This is state, but again it is cached in the browser.

3\. It's true that they can't store existing secrets, but this can be viewed
as out of scope for a password manager.

4\. For the application I use, it's not true that exposing just the master
password exposes all of your site passwords. There is a 512-bit private key
that is synchronized once between devices using a QR code. An attacker would
need both the master password and the private key file to generate any
passwords. Because the private key only exists on devices I physically own,
this should be harder to obtain than an encrypted database that lives in the
cloud, so I view this system as more secure than KeePass on Dropbox, Lastpass,
or 1Password.

My experience over the past two years has been that the advantages are more
significant than the disadvantages.

~~~
pwinnski
If your browser is caching all of your passwords, I think you've got security
problems well outside the scope of your choice of password managers.

~~~
eikenberry
I'd guess he doesn't mean cached, but instead means that his web browser works
with this system keyring (or has its own) to save/use the passwords.

~~~
problems
Which is bad. I've reverse engineered script kiddie malware far too many times
to find them shipping "iStealer" and similar, which basically just dump
browser password stores and send them to a gmail or FTP account. Often these
pieces of malware include the SMTP credentials to the same gmail account or
FTP access to download the results.

And having seen their results, let me just say, these script kiddies can do
damn well with this tactic.

Do not use a browser/system keyring store under any circumstances unless you
can be 100% positive that you won't accidentally run that sketchy exe you came
across.

If you use Keepass, it presents another layer, they have to actually get your
keepass password too, or dump your database when it's logged in. Often
something like that won't be hit by script kiddies but certainly would in a
targeted attack. The best practice here is to run Keepass on a separate
machine to prevent an all-at-once dump. Even a separate machine on the same
network where you use Synergy or similar to sync the clipboards would probably
be sufficient.

Anything worth more than dirt should of course have 2FA, which is why I also
suggest a tiered password system (ie: junk password for common and worthless
sites, separate passwords for banking, etc) and 2FA as an alternative to a
real password manager.

~~~
tomrod
Neophyte to all this. What is a browser password store? Do you mean never
letting Chrome (or whatever) save a password?

~~~
problems
Yes. If you want to see how vulnerable you are to this sort of attack, Nirsoft
ships a good tool called WebBrowserPassView:

[http://www.nirsoft.net/utils/web_browser_password.html](http://www.nirsoft.net/utils/web_browser_password.html)

Be aware, this may be detected as malware or a "hacking tool" by your AV for
obvious reasons.

~~~
countingteeth
How is this supposed to show "how vulnerable you are to this sort of
attack"? This runs standalone.

1\. As a general rule, if you download and run an untrusted standalone
program, it could probably steal your passwords even if you use a password
vault (although that would certainly make it a little bit harder).

2\. You can just go into the Chrome password manager and click "show" to see
any stored password. No tool needed.

Chrome uses sandboxing and process isolation extensively. Using the default
browser password store certainly presents a ripe target if someone manages to
totally own the browser, but technically there's not a huge leap from owning
the browser to owning an external password store, and certainly not grabbing
any and all passwords entered into the browser via a password vault.

I'm not disagreeing that a standalone password vault encrypted with a master
password is effectively more secure than the built-in manager. I do think it
has been exaggerated both how much more so it is. Saving strong passwords with
the built-in password store is generally much less bad than, for instance,
using a common memorized password, or using very weak passwords. Both of which
are likely outcomes of "never use the password store."

~~~
problems
Yeah, this is not an attack itself, just one of the most common post
exploitation routes to easy profit. So common that if you have amateur people
who try to pirate things, cheat at games or click on the big flashing red
banner ad, they're almost certain to come across it and they're almost certain
to have common accounts stolen.

Using even a separate password manager, even an integrated one like LastPass
raises the bar beyond this extremely basic level and takes it from easy target
to medium target, eliminating every common stealer malware I've seen. This
definitely doesn't rule out targeted ones of course, like you say, on an
objective level there doesn't seem to be much of a difference. At a practical
level though based on what's in the wild for non targeted attacks, it's huge.

------
pwinnski
Today I learned that many people on Hacker News have really insecure web
security practices. :(

I don't understand the resistance to using a vault-based password manager. Is
it inertia? I mean, if you're using the same one or two passwords on every
site, then sure, it may not seem worthwhile to use 1Password. But then, enough
password hashes have been leaked this year alone to suggest that you need to
do something better.

~~~
Gruselbauer
For me it was a case of thinking I know better. As in, "no way I'm giving you
my passwords" and "who knows how tight their opsec is" ... never even tried
anything like LastPass or 1Password until six months ago.

Now I cannot imagine going back. My LastPass subscription is among the most
vital services I pay for and the sheer freedom of having to remember _one_
diceware-style master password instead of maintaining my own local database is
just too nice.

I'm using banking software with a HBCI card and have set reasonable limits on
all things like PayPal. So if you cracked my LastPass vault - good luck with
that, 2FA considered - you'd be well able to ruin my digital life. But you
would not get much out of it.

The attack surface I offer in total has shrunk a lot, too. Unique, maximum
allowed length passwords for every unimportant little account and no need to
memorise a single one.

It's to Web logins what pubkey auth is to ssh for me personally. Just such a
freaking blessing.

~~~
stouset
> For me it was a case of thinking I know better.

I'm deeply curious: _why_? When virtually every reputable security
practitioner on this site and others has echoed the advice to just use a
password manager for years, how do you come to the conclusion that you know
better than them?

If it sounds like I'm asking judgmentally, please don't interpret it that way.
Your experience mirrors that of many others, and if I can understand how this
line of thinking happens then maybe we can find ways to combat it.

This is just one battle amongst many where, despite endless warnings and
examples to the contrary, people seem to think they are qualified to go
against encouraged practice for password storage, password management,
encrypting data at rest, encrypting data over the wire, etc. And in almost all
cases, people come to the conclusion that they know better, when they
absolutely do not.

~~~
gabemart
> I'm deeply curious: why? When virtually every reputable security practitioner
> on this site and others has echoed the advice to just use a password manager
> for years

I think the disconnect is "perfect use" vs. "typical use".

With perfect use, generating a unique passphrase for each service and storing
it only in your head is more secure than using any kind of remotely-syncing
password manager. It's also more convenient - wherever you are, whatever you
have with you, so long as you have an internet connection you can identify and
verify yourself. You don't need your phone or an app or anything else.

With typical use, people use weak passphrases, reuse passphrases and forget
passphrases, so using a remotely-syncing password manager is more secure, even
if it's less convenient.

Some people (possibly wrongly) think they can achieve close enough to perfect
use that they're better off not using a manager. Security experts know that
virtually no one can achieve perfect use, so they recommend using a manager
(which is almost certainly the correct advice to give to a wide audience).

But your apparent absolute confidence in the superior security of password
managers, especially closed-source cloud-based password managers, seems to me
to be overplaying your hand a little. The failure mode of a closed-source
cloud-based password manager, even if very unlikely, is absolutely
catastrophic.

~~~
stouset
> But your apparent absolute confidence in the superior security of password
> managers, especially closed-source cloud-based password managers, seems to
> me to be overplaying your hand a little. The failure mode of a closed-source
> cloud-based password manager, even if very unlikely, is absolutely
> catastrophic.

In fact it's you that's overplayed your hand.

Open-source vs. closed-source is a red herring. Did you download compiled
binaries published by the authors of an open source project? Would you be able
to tell if they had published backdoored binaries that didn't match the
source? Would you be able to tell if they cleverly added backdoors to the
source code itself? You might argue that such deception would eventually be
discovered. Maybe, but by then the "catastrophic" scenario has already
unfolded.

Similarly, if you're downloading and running a third-party deterministic
password manager, open-source or not, you're giving the author of that project
the ability to run arbitrary code on your machine. Unless you're running it in
a container with no network access or access to storage, the failure case is
identical — regardless of what the software claims to do on the label, it may
do something wildly different (e.g., send all of your passwords to the
author).

------
Retr0spectrum
I have an irrational(?) fear of vault password managers. I see it as a single
point of failure.

Furthermore, the more "useful" they become, with browser extensions etc., the
greater the attack surface becomes.

Because of this fear, I generate random passwords and memorise them, which is
not ideal.

~~~
hackuser
> the more "useful" they become, with browser extensions etc., the greater the
> attack surface becomes

Also, the more popular the password manager becomes, the more valuable
cracking it becomes. One exploit can yield the email, banking, workplace,
confidential document, and other passwords for many millions of people. If you
are an attacker, it would be worth it to have the exploit on file,
proactively, for the next time you attack someone using that password manager.

~~~
Gee19
This is only true for cloud based password managers. I recommend using
1Password or KeePassX with Dropbox.

~~~
krick
Maybe I'm paranoid, but it still doesn't feel "safe" to me. Let's assume that
KeePassX is truly unbreakable at the moment. I still fear losing my kdbx file,
as if someday it will become vulnerable (maybe for technical reasons, or maybe
just because of master-password exposure) I'd lose much more than any single
of the accounts there: even if passwords there will be outdated already, it
will be exposed that all these accounts belong to one person with known
identity. All bank accounts, credit cards, email addresses, messengers,
accounts on some shady forums. And if passwords are not outdated — oh my God…

It may be unlikely, but it's still putting all eggs in one basket. Just one
failure, and you are truly fucked.

~~~
noir_lord
I guess you have to balance the probability of that kind of breach in Keepassx
against the probability of fucking up and forgetting a password or reusing
passwords (I still see this) across multiple services.

If you have an eidetic memory and can remember 20 digit random passwords for
every service after securely generating them then keepassx increases your
risk.

If however you behave like a 'normal' user and use the same one or three
passwords on everything I'd estimate keepassx improves your security.

~~~
krick
FWIW, I do use a password manager. But what you say is pure speculation. I
don't see any formula for how I should estimate risks here, and the common
narrative amongst security folks is "hooray password managers!". I'm often
giving that advice myself, but honestly, I'm doubting it more and more.

The truth is that I don't give a fuck about losing 90% of accounts I use (and
I guess I'm not the only one). Many of them I could even give you myself as a
birthday present. Using password manager as a rule of thumb would imply that
these accounts are as important as the most important ones. Which is nonsense.
Even if we discard all the disposable accounts, I still doubt that losing your
twitter would hit you nearly as hard as losing your main email account or bank
account.

However, exposing that all these trash accounts are _mine_ might make me feel
uncomfortable.

If that makes sense, then we must actually stop using the rule "password
managers FTW" and start using the rule "consider how important is every given
account to you, and treat it accordingly, choosing between several kdbx files".
Which is a much more complicated rule, obviously. I would even say it creates
much higher mental load than remembering several sufficiently complicated
passwords.

------
slaymaker1907
I thought I'd make an account to contribute on this issue as the author of a
(probably pretty bad) password manager
[https://slaymaker1907.github.io/password/](https://slaymaker1907.github.io/password/),
source code at [https://github.com/slaymaker1907/password-hasher](https://github.com/slaymaker1907/password-hasher).

There definitely is an issue with some websites having strange requirements,
but the way I get around it is keeping a drive sheet with all information
used to generate the password (except for the master password of course). This
does add some state, but I find that for common passwords I memorize the
method of generation very quickly.

There is a central point of failure if the master password is compromised.
However, this can be mitigated by first choosing and memorizing a very strong
master password as well as versioning passwords by storing the name of the
master password used with the rest of the info (though obviously not the
master password itself). Additionally, I find the threat model under which
such compromises to not be very convincing assuming you choose a strong master
password compared to the common case of simply needing to change a password
key on the site from linkedin1 to linkedin2 in case of a password database
breach.

One weakness of password vaults is that they don't have the advantage of
working without access to the vault. While my method can store state as
mentioned above, it is very easy to memorize this state, particularly for
common/important passwords and has actually saved my bacon before.

Finally, something that I think is a significant strength to a manager but a
weakness for managers is that I can and do use my manager for passwords that I
need to type out, most often using a feature that translates the password into
a password similar to a diceware password (I use a significantly shorter
dictionary since dictionary length does not affect the entropy density of a
password very much and it makes them easier to type/remember if only using
common words). Using this feature, I've been able to create separate passwords
for my desktop, laptop, and phone that are both easy to remember as well as
having good entropy (when I compute entropy I do assume that an attacker knows
the method of generation).

------
dvdkon
I don't agree with the author on many of his points. 1 and 2 are "merely"
convenience features. Sure, those things make a truly stateless password
manager harder to use and a very niche tool, but they're by no means fatal
flaws. 3 is a good argument, but storing existing secrets is by definition out
of scope for password generators. It is a usability problem, which makes using
a truly stateless password generator as the only password manager harder, but
still not a fatal flaw. The fourth one is in my opinion the only one which
could be called a fatal flaw. It's probably the thing that has to be
considered the most before using a master secret password generator. The
hyperbolical title annoys me, but what annoys me probably even more is that
the author then recommends (not directly, mentions as his personal choice, but
that counts as a "seal of approval" for me) a closed-source cloud password
manager, which could possibly be less secure than a password generator.

~~~
pavel_lishin
> _Sure, those things make a truly stateless password manager harder to use
> and a very niche tool, but they're by no means fatal flaws._

If the Deterministic Password Generator does not generate a valid password for
a given site, it's certainly a fatal flaw for that site, and a usability
nightmare - now I have to remember which sites aren't supported and keep a
vault anyway.

And I guess point 2 isn't a fatal flaw until you need to change a password for
whatever reason, but after that it becomes quite a problem.

~~~
dvdkon
We both seem to have a different view of what a "fatal flaw" is. For me
(especially when talking about a computer security tool), it means a very
serious security vulnerability and nothing less. You seem to have a more
relaxed view, accepting things that create a bad user experience as fatal
flaws, too.

~~~
bascule
Security isn't an end in and of itself, it's a means to an end. A tool which
delivers on security but isn't usable still fails to fulfill its purpose, in
the same way an unplugged computer is both secure and useless.

I know there's a group within the security community willing to tolerate poor
user experiences, or wear them as a badge of honor, "the price of security" or
so to speak. But often I find these are the same people scratching their heads
wondering why OpenPGP encrypted email hasn't seen more widespread adoption, or
why the Web of Trust failed (or perhaps they think it succeeded), while at the
same time bemoaning successful encrypted chat systems like WhatsApp and
Signal.

I would argue that user experience is just as important a consideration as the
security properties of a tool.

~~~
Gruselbauer
I couldn't agree more. Getting smart but non-nerd friends set up with OpenPGP
is truly an eye opener. The rate of adoption is terrible because of that and
nothing else.

Even with a GUI like Enigmail, I needed hour long explainathons to make it
work for these friends. Smart, borderline brilliant folk.

The same people now use WhatsApp with encryption and don't even know it.
That's what a good crypto UX looks like.

I'd love for a google-free, proprietary-free, facebook-free alternative to
exist but if the alternative is painful hours of setting up encrypted mail
only to have it cease working after two weeks because the user forgot their
passphrase, I'm gonna say I don't care too much.

------
minitech
I use a deterministic password generator so all I have to remember is my
master password and default password scheme to get access to all my critical
accounts (critical ones generally don’t have silly password requirements). If
I were using something that stored passwords and lost my database somehow, I’d
lose access to all of those.

~~~
macintux
"lost my database somehow"

I have mine in Dropbox and at least 3 devices. I'm really not concerned I'll
lose it.

~~~
minitech
If I were out of country and my laptop got stolen, for example, I’d lose it.
Sure, you can use a separate password for your Dropbox/email/etc. that you
remember, but that’s pretty much the same thing as generating based off a
master password.

(With the exception of your master password being brute-forceable based on any
password you generate, but you just use a master + KDF combo that’s
unbreakable to prevent that.)

------
bradvo
I agree with the author's opinion with the master password being compromised,
you're done. I have found an elegant solution for managing my passwords with
[http://masterpasswordapp.com/](http://masterpasswordapp.com/) the iOS app is
a breeze and I also use the export feature to backup my login names, hashed
passwords, custom passwords, and stored secrets. This app in particular solves
the author's third point. For the second point, I save the iteration X of a
password as a stored secret when I need to revoke a password. It doesn't
sacrifice the user experience in my opinion.

------
Scaevolus
Another flaw: deterministic password managers are inherently vulnerable to
brute forcing-- it's basically like sending your password database to every
site you log into. Ideally they use a very expensive KDF, but I've seen
implementations that use weak derivations like 10,000 round PBKDF2.
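
An added sketch, not part of any comment in this thread and not the algorithm of any tool named here, of the scheme discussed above: per-site state (counter and policy tweaks, as in clark800's points 1 and 2), an optional device-held key (his point 4), and the property Scaevolus describes, that one leaked site password lets a candidate master password be checked offline. `SiteState`, `derive`, `rotate`, `guess_confirms`, the work factor and the symbol set are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass, replace

ITERATIONS = 100_000          # assumed work factor for this sketch only
SYMBOLS = "!#$%&*+-=?@"       # assumed symbol set; real sites differ


@dataclass(frozen=True)
class SiteState:
    """Per-site state the 'stateless' scheme still has to keep somewhere."""
    site: str
    counter: int = 1          # bumped when a password must be revoked
    length: int = 20          # adjusted for sites with length limits
    symbols: bool = True      # disabled for sites that reject symbols


def derive(master: str, state: SiteState, device_key: bytes = b"") -> str:
    """Derive the site password from the master secret and the site state."""
    if not 1 <= state.length <= 40:
        raise ValueError("length must be 1..40 so 512 bits of output suffice")
    secret = master.encode("utf-8")
    if device_key:
        # Second secret held only on owned devices: master alone is not enough.
        secret = hmac.new(device_key, secret, hashlib.sha512).digest()
    salt = f"{state.site}\x00{state.counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=64)
    alphabet = string.ascii_letters + string.digits
    if state.symbols:
        alphabet += SYMBOLS
    # Treat the 512-bit output as one integer and peel off base-N digits;
    # with at most 40 characters the modulo bias is negligible.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(state.length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def rotate(state: SiteState) -> SiteState:
    """Revocation is a counter bump, which is new state to remember."""
    return replace(state, counter=state.counter + 1)


def guess_confirms(leaked: str, guess: str, state: SiteState,
                   device_key: bytes = b"") -> bool:
    """True if a candidate master reproduces a password leaked by one site."""
    candidate = derive(guess, state, device_key)
    return hmac.compare_digest(candidate.encode(), leaked.encode())
```

Without a device key, the only thing between a leaked site password and the master password is the master's entropy multiplied by the KDF cost per guess; with the key mixed in, a correct master guess no longer confirms.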

~~~
minitech
Use a master password that’s impossible to brute-force, then. (128 bits.)

------
m3rc
Do people really complain that size is an issue in syncing password data? The
author of this article's file was 512 KB, personally mine is 10 KB. That's
basically none.

------
kristianp
On a related topic, a number of Bitcoin wallets have moved to hierarchical
deterministic (HD) addresses and they market that as a positive.

------
ofek
This is a good one (from what I've heard)
[https://github.com/habnabit/passacre](https://github.com/habnabit/passacre)

------
BuuQu9hu
When will we stop using passwords?

------
ythn
The only deterministic password manager you need is your own mind. Come up
with a set of password rules that are generic enough to accommodate all these
issues. For example my deterministic password manager might be:

1\. random english wordx2 + first 4 letters of registered domain, all caps +
remaining lowercase + number of letters in domain (integer) + symbols
associated with digits of the integer digits

2\. If site doesn't allow special characters, remove them

3\. If site requires a shorter password than the generated one, trim the
minimum number of characters from the front of the password until the criteria
is met.

So, using my above rules my password for Ycombinator would be:

coppercopperYCOMbinator11!!

If the site restricts passwords to max 12 characters, it would become:

Mbinator11!!

~~~
IshKebab
> If the site restricts passwords to max 12 characters

The problem with this is that most sites are designed by idiots and don't
state their pointless password rules on the login page - only on the 'change
password' page. So you can be trying your coppercopperYCOMbinator11!! password
and thinking "why the hell doesn't this work?", then after 10 minutes you give
up and go to change it and see "Your password must be between 8 and 12
characters and contain a symbol." So infuriating.

~~~
ythn
That's very true. I forgot to mention that I also have a spreadsheet that has
site-specific password rules so that I can do a lookup and see how I need to
adapt my generated password.

Maybe what we really need instead of deterministic password generators is an
authoritative database that tracks the password rules of all the different
sites on the internet so we can easily look it up and/or publicly shame
companies with asinine password policies.

~~~
pavel_lishin
> _I forgot to mention that I also have a spreadsheet that has site-specific
> password rules so that I can do a lookup and see how I need to adapt my
> generated password._

So you do have a password manager.

> _Maybe what we really need instead of deterministic password generators is
> an authoritative database that tracks the password rules of all the
> different sites on the internet_

I'm glad to hear you volunteering to look up all of these policies, and keep
them up to date!

