Ask HN: Are password managers secure?

[JuDue]

OK so I've come to like a certain password manager.

I'm sure the data itself is secure in its raw encrypted form.

But, if I were an evil hacker, I'd be aiming to target the User Interface somehow. Since once I enter my password, the app is unlocked and my passwords are all there to find through the GUI. I'd aim to siphon out data through the OS and windowing system somehow, after the user has unlocked.

How much of a threat is this, do you think?

Also having a Chrome plugin just feels like an extra hackable interface?

[trekkin]

If your system is hacked, _using_ any password manager is insecure. Some password managers also have poor encryption, so even read-only access to your password database can be bad.

KeePass (KeePassX in Linux) is one of the best, but a simple keylogger can get your "master password" when you enter it, and thus access to your password database.

Nothing is absolutely secure, there are just degrees of relative safety.

[JuDue]

So I guess in that case, given even large software companies release products with dangerous exploits in them, password managers are a bad idea... why give a hacker a single point to access every one of your passwords?

[xvolter]

The idea of phising out your data through the UI would be extremely difficult. There would be three methods you could attempt to gain access through a UI. The first and simplest to try is to check in memory, it's possible the application stores some data in memory after loading it from your database. This is a minimal risk with certain types of applications, Java based or Web applications are protected through security layers which make any information that is in memory useless. The second method is to use an injection, this primarily only works on Windows, and it would be a virus that would try to get a hook into your password manager to try and gain access programmatically to variables and memory. This is a threat to desktop applications, but again, a minimal risk to Java or Web based applications protected by the JVM or the browser's locking of the JavaScript. The third is the most useless for a hacker to attempt, since it is fickle and unlikely to work, it'd be for them to automate mouse clicks and keyboard actions to either the OS or the application in an effort to copy your data. This would be fickle since the UI can change, it has to be very precise actions, probably hard coded X,Y cords and therefore very likely to break - and if you are using the computer at the time it tries this, you will notice things going on.

Chrome plugins are not easy to gain access to. Chrome is a very secure browser, and they lock their V8 JavaScript engine so no two plugins can talk to each other unless they setup special hooks. They also run the entire application in a locked state, which both prevents plugins from accessing the operating system and from other applications from easily accessing Chrome without a special plugin.

Web-based password managers offer many benefits over desktop-based password managers. The risks for desktop based are there are many things they have to fight against and also maintain your database in a state that is secure against extreme bruteforce hacking attempts.

Web based are protected by their application and the browser, at the same time 3rd party plugins can pose risk, but developers of these can easily protect against interference of plugins and users can do so easily as well by disabling plugins on that site.

To both keyloggers are minimal risk, most password managers you use not to record your password but to create new account entries, and you are likely to generate a unique password for each site, therefore keylogger would be useless. Clipboard monitor may pose a risk, but applications like KeePass avoid this by using their Auto Login feature, and web/Chrome extensions avoid this by auto-filling or auto-logging in your login details.

The risk of a key logger getting your master password is also minimal risk for most applications. Most tend to offer "access codes" or "pin numbers" in addition to your password, allowing you to enter a small additional password or your original password via an on screen keyboard, which negates risk of keyloggers.

The idea that a password manager is a "single point of failure" is also wrong. The primary point of failure will be the end user releasing their login to their password manager, not the password manager being hacked. Because all passwords managers worth using encrypt your data, bruteforcing would take years per user. If any online manager were hacked, your data would be one of thousands and would likely never be decrypted to begin with. If it's a desktop application, those tend to encrypt with even stronger types of encryptions because they can waste the CPU on it; which means even more years to bruteforce if your database is given out.

The risk is in the end user, if he/she leaks her password or gets a virus/keylogger to get his/her master password. In which case this is just the same as using the same password across all sites.

I have heard of people using a single password and adding the website's domain they are registering under with an SHA1. Therefore if my password is "password" and I registering a facebook account, I'd go to an SHA1 site, enter "facebook.compassword" and get "ca2e97dbded3dc7af83446a225471fc6a721a1f9" as my password.

Modernly bruteforcing works quite quickly, so longers passwords are higher security than having a short-special character. Most sites require a min length of a password, usually 5 or 6 characters, therefore a password of "f1v3r" would be easy to brute force if I know the min length, I could get to that in a matter of minutes, whereas a long password like "thisisalamepasswordbutitslongsohahahaha" would take forever to try and bruteforce, and no dictionary hack method would work against that.

People who use password managers still make the mistake in using an insecure password with it, allowing people to simply bruteforce into their account, which is just as bad as using a weak password on websites directly, making the use of a password manager pointless.

Personally, and I have bias to this, I recommend Cyphrd.com - it's an online password manager that is well above any other online password manager for security, they are well protected and the weakest point is the end user, which they do all they can to help you protect yourself. Additionally they do more than just passwords, it's also a secure note taking service, stores credit cards, files/documents, contact and profile information for people, anything - since they encrypt all the data client-side and are open source with their encryption and are also constantly checked for security holes and patched before any are made into production, it's a great service.