Why Masked Passwords Are a Serious Security Hole - freejoe76
http://blog.passpack.com/2011/04/why-masked-passwords-are-a-serious-security-hole/

======
SwellJoe
It's hard to lose customers due to customer ignorance, but the alternative of
giving them what they want (despite it being bad for them) is probably worse.
At least, I don't know that I'd be comfortable doing so.

We run into it quite a bit, because our products are _extremely_ complex, have
numerous security-sensitive contact points in the system, and we've made some
choices that do not match those of our competitors, often due to security
concerns. Our refusal to treat chroot as a security tool is perhaps our most
common source of "why don't you support this?" questions, and despite years of
explaining our position, referencing numerous resources on the subject,
providing examples of the futility of it, etc., the question doesn't go
away.

I think the best you can do is try to educate whenever the question comes up.
It gets frustrating to answer the same question over and over again for years,
especially if it's answered in the FAQ or documentation, but you pretty much
just have to do it.

~~~
hvs
I think it's equally important in those situations to get at _why_ the user
wants to do that and come up with a solution to their problem in your
framework. One thing I've learned after years of supporting users is that they
often ask for something because "that's how they've always done it," but if
you find out what problem they are trying to solve, you can come to a
reasonable solution for both parties without having to implement whatever
"feature" it is that they are asking for.

------
giberson
Could someone detail the process of "sharing a masked password", or at least
how it would theoretically be implemented as a feature? I'm not quite sure I
get the scenario. Is the masked password to access passpack user account? Or
is it to access some site passpack is managing a password for?

~~~
code_duck
It seems to be some sort of utter nonsense imagined by someone who has no idea
how any of this works. Well written article, but I don't see why it's worth
taking the time to address this.

~~~
seabee
You overestimate people's understanding of security. Clearly Passpack have had
enough customers request the feature or complain about its absence to be worth
writing about it.

~~~
code_duck
The customers don't care about the particular method, they just know what they
want to accomplish and try to suggest how they think it may work. It's beside
the point and somewhat obtuse to go into detail explaining why a particular
way doesn't work.

A much better way to respond to this request would be 'Yes! Here's a one
time/time limited password generator that will do what you want'.

~~~
mc32
Passpack already provides the ability to generate one-time passwords.

~~~
code_duck
Great, what I'm saying is they should steer their customers towards the
solution and not bother refuting inanity.

------
jbwyme
Who shares masked passwords? I thought they were just there to keep someone
over your shoulder from reading it.

~~~
geuis
One use case might be if you have someone over at your house and they need to
use your wifi. You might want to be able to let them connect securely without
you having to tell them your password.

~~~
code_duck
My suggestion for that would be to change it, either before or after.

This entire idea of 'sharing a masked password' is completely ridiculous.

------
gmac
Um, OK. Or you could just go to Preferences > Security > Saved Passwords
(Firefox), or fire up Keychain Access (for Safari/Mac), or ... ?

~~~
joejohnson
Yes. This is a big vulnerability on Mac. If someone knows your password (say,
to let them in, in case of a screensaver when you're not there...) then they
can view any saved passwords in Keychain Access with this same password.

I know a lot of people who don't realize this.

~~~
jonknee
That's a feature, not a bug. I use it all the time. It's a password manager,
as the admin I should be able to view its data.

~~~
peterwwillis
None of my linux keychain passwords are the same as my user password. The
keychain password is much more difficult and I never re-enter it to get back
into my machine (unlike the screensaver password prompt).

~~~
jonknee
You can change your Keychain's password... "Edit > Change password for
Keychain "login"..."

~~~
peterwwillis
When I said 'my Linux keychains' I meant ssh-agent and Firefox's password
repository. Neither can have their passwords changed without putting in the
password again; the credentials are merely stored in memory.

(So if you could get past the screensaver you could in theory extract the
creds from memory, but I don't know of a tool to do this and doing it by hand
could be time consuming.)

~~~
jonknee
Sure, but I was speaking of OS X. Your Keychain password doesn't have to be
the same as your account password.

~~~
peterwwillis
Oh, I misunderstood; I thought you meant anyone could change the keychain
password once they logged into the box (which would be kind of dangerous).

------
rdl
Passpack is one of the more interesting security applications in the cloud --
they actually do client side encryption properly (I work out of the same
office as them and talked with their lead developer a few times).

------
brown9-2
If a third party is able to run arbitrary JavaScript in your browser / on a
login page, isn't it already game over?

~~~
SwellJoe
You've misunderstood the context. This is passwords that are handed over to a
third party (but in a "masked" form). It's not _your_ browser you're worried
about...it's the browser of the person you handed the password to, without
trusting them to actually know the password. Due to numerous methods of
figuring out the password anyway, some of which the author documented, this
would be an irreparably insecure feature.

------
nvictor
How about we don't install any bookmarklet? I don't have any, and I
aggressively hate toolbar extensions, being a refugee from the old IE monopoly
time.

Or how about browsers letting us know whether a bookmarklet is doing something
suspicious?