Windows 7 Forums
Windows 7: Password Managers Vulnerabilities - Under Hood of Secrets Management

4 Weeks Ago   #1
Brink

64-bit Windows 10 Pro
 
 
Password Managers Vulnerabilities - Under Hood of Secrets Management

Quote:
Abstract:

Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4]. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.

Introduction:

First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management, and as Troy Hunt, an active security researcher once wrote, “Password managers don’t have to be perfect, they just have to be better than not having one” [5]. Aside from being an administrative tool to allow users to categorize and better manage their credentials, password managers guide users to avoid bad password practices such as using weak passwords, common passwords, generic passwords, and password reuse.

The tradeoff is that users’ credentials are then centrally stored and managed, typically protected by a single master password to unlock a password manager data store. With the rising popularity of password manager use it is safe to assume that adversarial activity will target the growing user base of these password managers. Table 1, below, outlines the number of individual users and business entities for each of the password managers we examine in this paper.


Read more: Password Managers: Under the Hood of Secrets Management - Independent Security Evaluators


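The abstract above faults the tested products for not scrubbing secrets from memory on lock. The following added example (Python, written for this thread; it is not code from the ISE paper or from any of the products it examines) shows the two halves of that practice: a check for whether a secret even lives in a container that can be overwritten in place, and a toy vault that zeroes its derived key when locked. The names `Vault`, `scrub`, `derive_key` and `supports_in_place_scrub`, and the sample master password, are assumptions made for the example.

```python
"""Added example: scrub secrets on lock, and audit whether an object is scrubbable.
Not taken from the ISE paper or any password manager; names are illustrative."""
import hashlib
import secrets


def supports_in_place_scrub(obj):
    """True only if obj exposes a writable buffer (e.g. bytearray).

    str and bytes are immutable: 'clearing' them only rebinds the name and leaves
    the old copy in the heap until the allocator happens to reuse it, which is the
    kind of residue the paper reports in locked password managers."""
    try:
        return not memoryview(obj).readonly
    except TypeError:
        return False


def scrub(buf):
    """Overwrite a mutable buffer in place.

    Equal-length slice assignment writes into the existing allocation instead of
    creating a new object, so the secret bytes leave that memory."""
    buf[:] = bytes(len(buf))


def is_zeroed(buf):
    """Helper for callers that want to verify a scrub actually happened."""
    return all(b == 0 for b in buf)


def derive_key(master, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 as a stand-in for a real vault KDF (an assumption).

    hashlib accepts any bytes-like object, so the bytearray is passed directly;
    wrapping it in bytes() would create an unscrubbable copy of the master password."""
    return bytearray(hashlib.pbkdf2_hmac("sha256", master, salt, iterations))


class Vault:
    """Holds the derived key only while unlocked and zeroes it on lock()."""

    def __init__(self, master, salt=None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.key = None
        self.locked = True
        self.unlock(master)

    def unlock(self, master):
        if not supports_in_place_scrub(master):
            raise TypeError("master password must be a bytearray so it can be scrubbed")
        self.key = derive_key(master, self.salt)
        scrub(master)          # the master password is needed only to derive the key
        self.locked = False

    def lock(self):
        scrub(self.key)        # zero the key buffer in place, then drop the reference
        self.key = None
        self.locked = True


if __name__ == "__main__":
    # Constructed sample input: a master password handed over as a bytearray.
    master = bytearray(b"correct horse battery staple")
    vault = Vault(master)
    key_alias = vault.key
    print("master scrubbed after unlock:", is_zeroed(master))
    print("str scrubbable:", supports_in_place_scrub("secret"))
    print("bytearray scrubbable:", supports_in_place_scrub(bytearray(b"secret")))
    vault.lock()
    print("key zeroed after lock:", is_zeroed(key_alias) and vault.key is None)
```

Two caveats apply when carrying this idea into a real product. First, the interpreter can still hold copies the code never sees (the `b"..."` literal used to build the sample is itself an immutable `bytes` object; real input should be read straight into a `bytearray`, for instance with `sys.stdin.buffer.readinto`), and pages holding the buffer can be swapped or hibernated to disk. Second, native implementations should use `explicit_bzero` or `SecureZeroMemory` rather than a plain `memset`, which the compiler may drop as a dead store; the in-place slice assignment above is the Python analogue of that call, not a replacement for it.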
4 Weeks Ago   #2
F22 Simpilot

Windows 7 Ultimate x64
 
 

So the tl;dr of it is that the most popular password managers all have flaws regarding secrets being stored in memory.

The one thing I do after I copy and use a password from my manager is to then copy a junk text document on my desktop. This is using KeePass. Not sure if that will work or not, but the passwords are all in a txt file that is stored in KeePass and not individual entries. So I'm now wondering what security factors there are in storing txt documents with secret data in a password manager? I also store backup 2FA codes as a text document in my manager as well.
4 Weeks Ago   #3
RoWin7

Win 7 Ultimate 64-bit
 
 

Quote: Originally Posted by F22 Simpilot
So the tl;dr of it is that the most popular password managers all have flaws regarding secrets being stored in memory.

The one thing I do after I copy and use a password from my manager is to then copy a junk text document on my desktop. This is using KeePass. Not sure if that will work or not, but the passwords are all in a txt file that is stored in KeePass and not individual entries. So I'm now wondering what security factors there are in storing txt documents with secret data in a password manager? I also store backup 2FA codes as a text document in my manager as well.

I think KeePass has a forum where you can ask. I've already asked mine, Sticky Password.

Brink--
This is only for Win10?

4 Weeks Ago   #4
Brink

64-bit Windows 10 Pro
 
 

It's targeting the W10 platform, but could have the same vulnerabilities for other Windows.
3 Weeks Ago   #5
ShadouFox

Windows-7 Ultimate 32bit
 
 

My password manager is, and shall remain, a notebook where I write them down. No data leakage that way, and there is nothing in any database whether it's local or online.
3 Weeks Ago   #6
RoWin7

Win 7 Ultimate 64-bit
 
 

I had that years ago, but copying a 14-character line of gibberish led to too many errors. I admire your ability to copy them all correctly.
3 Weeks Ago   #7
F22 Simpilot

Windows 7 Ultimate x64
 
 

Tell me about it. Just reentering passwords in a new phone was tedious.
3 Weeks Ago   #8
ShadouFox

Windows-7 Ultimate 32bit
 
 

Quote: Originally Posted by RoWin7
I had that years ago, but copying a 14-character line of gibberish led to too many errors. I admire your ability to copy them all correctly.
Not a big deal. I wrote a Python script to generate passwords:

Code:
#!/usr/bin/env python

#  Generate random passwords of length up to 16. Use upper and
#  lower case letters, digits, and punctuation marks. May run
#  interactively or with command line options.

import sys
import getopt
from random import SystemRandom

#  SystemRandom reads the operating system's CSPRNG (os.urandom).
#  random.randint is a Mersenne Twister whose output is predictable,
#  so it must not be used to generate passwords.
randint = SystemRandom().randint

#  Python 3 renamed raw_input to input; keep the script runnable on both.
try :
    raw_input
except NameError :
    raw_input = input

VERSION = "1.0.0"

HELP = ["-l [length] (1-16) -- The length of password generated",
        "-p [--punct] -- Use punctuation",
        "-h [--help] -- show the command line help; exit",
        "-v [--version] -- show the version of app; exit"]

LENGTH_ERR = ["Password must be between 1 and 16 characters in length",
              "Entering interactive mode..."]

#                            Functions

def WriteOut(Msg) :
    '''Prints out multi-line messages'''

    for Line in Msg :
        print("\n{0}".format(Line))

################################################################################

def Options(argv) :
    '''Parse command line options, return values as needed'''

    Length = 0
    PMark = "n"

#  Put this in a try...except block since getopt barfs on bad command lines;
#  catch and discard the exception. Send back 0 as a result, set up for
#  interactive session

    try :
        Opts, Args = getopt.getopt(argv, "l:phv", ["length=", "punct", "help", "version"])
    except getopt.GetoptError :
        return Length, PMark

    for opts, args in Opts :
        if opts in ("-l", "--length") :
            try :
                Length = int(args)
            except ValueError :        # non-numeric length: fall back to interactive mode
                Length = 0
        elif opts in ("-p", "--punct") : PMark = "y"
        elif opts in ("-h", "--help") :
            WriteOut(HELP)
            sys.exit(0)
        elif opts in ("-v", "--version") :
            print("Version: {0}".format(VERSION))
            sys.exit(0)

    return Length, PMark

################################################################################

def Password(Length, PMark) :
    '''Generate random passwords'''

#  Key= 1: Upper case letter
#  Key= 2: Lower case letter
#  Key= 3: Digit
#  Key= 4: Punc. mark

    RetVal = ""
    Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    letters = "abcdefghijklmnopqrstuvwxyz"
    Digits = "0123456789"
    Punct = "~@#$&%*_"

    i = 1

    while i <= Length :

        Key = randint(1, 4)

        if Key == 1 :
            RetVal += Letters[randint(0, 25)]
        elif Key == 2 :
            RetVal += letters[randint(0, 25)]
        elif Key == 3 :
            RetVal += Digits[randint(0, 9)]
        elif Key == 4 :
            if PMark != "y" : continue     # punctuation disabled: redraw this position
            RetVal += Punct[randint(0, 7)]

        i += 1

    return RetVal

################################################################################

def main() :
    '''The main program: run as stand-alone script'''

    Length, PMark = Options(sys.argv[1:])

    if Length <= 0 or Length > 16 :
        WriteOut(LENGTH_ERR)
        Length = 0

    if not Length :
        print("\nUsing interactive mode...")
        if PMark == "n" :
            PMark = raw_input("Use punctuation? y|n [ n ] ").strip().lower() or "n"

        while 1 :
            Len_str = raw_input("Enter length of password--> ")
            try :
                Length = int(Len_str)
            except ValueError :            # non-numeric input is treated as out of range
                Length = 0

            if Length > 0 and Length < 17 : break
            else : print("\nPassword must be between 1 and 16 characters in length")

    print("Here is your password: {0}\n".format(Password(Length, PMark)))
    sys.exit(0)

################################################################################

if __name__ == '__main__' : main()
You can run that in Linux as is after tagging it as executable, or use Cygwin with Windows, or install the Windows version of Python and run it from a terminal:

py passwordgen.py <options here>

That assumes you pasted it into a file named "passwordgen.py". Just copy what it gives you right off the screen. "py" invokes the Python interpreter in Windows, and just pass it the script file name and you're good to go. That way, you always get secure passwords, no need to think of them yourself, and it's easy to give every web site its own password in case one gets compromised.