Password Managers Vulnerabilities - Under Hood of Secrets Management

Brink

Administrator
Staff member
Local time
5:53 AM
Messages
74,922
Location
Oklahoma
Abstract:

Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4]. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.

Introduction:

First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management, and as Troy Hunt, an active security researcher once wrote, “Password managers don’t have to be perfect, they just have to be better than not having one” [5]. Aside from being an administrative tool to allow users to categorize and better manage their credentials, password managers guide users to avoid bad password practices such as using weak passwords, common passwords, generic passwords, and password reuse.

The tradeoff is that users’ credentials are then centrally stored and managed, typically protected by a single master password to unlock a password manager data store. With the rising popularity of password manager use it is safe to assume that adversarial activity will target the growing user base of these password managers. Table 1, below, outlines the number of individual users and business entities for each of the password managers we examine in this paper.


Read more: Password Managers: Under the Hood of Secrets Management - Independent Security Evaluators
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
So the tl;dl of it is, is that the most popular password managers all have flaws regarding secrets being stored in memory.

The one thing I do after I copy and use a password from my manager is to then copy a junk text document on my desktop. This is using Keepass. Not sure if that will work or not, but the passwords are all in a txt file that is stored in Keepass and not individual entries. So I'm now wondering what security factors there are in storing txt documents with secret data in a password manager is? I also store backup 2FA codes as a text document in my manager as well.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
So the tl;dl of it is, is that the most popular password managers all have flaws regarding secrets being stored in memory.

The one thing I do after I copy and use a password from my manager is to then copy a junk text document on my desktop. This is using Keepass. Not sure if that will work or not, but the passwords are all in a txt file that is stored in Keepass and not individual entries. So I'm now wondering what security factors there are in storing txt documents with secret data in a password manager is? I also store backup 2FA codes as a text document in my manager as well.


I think Keepass has a forum where you can ask. I've already asked mine, StickyPassWord.

Brink--
This is only for Win10?
 

My Computer My Computer

At a glance

Win 7 Ult 64-bitG620 2.6GHZ Pentium R6 GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP p6-2020t
OS
Win 7 Ult 64-bit
CPU
G620 2.6GHZ Pentium R
Memory
6 GB
Monitor(s) Displays
25" HPLV2311
Screen Resolution
1920 x 1200
Hard Drives
1 SATA, 1 exterior SATA
Case
HP
Cooling
PSU
Antivirus
Glasswire
Browser
Waterfox; Firefox; Chrome for work
Other Info
Firewall--Glasswire
Similar specs in Gateway DX4200
Verizon FIOS Wired network

1 other Win7 computer-- has SSD
It's targeting the W10 platform, but could have the same vulnerabilities for other Windows.
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
My password manager is, and shall remain, a notebook where I write them down. No data leakage that way, and there is nothing in any data base whether it's local or on-line.
 

My Computer My Computer

At a glance

Windows-7 Ultimate 32bitIntel Pentium IV HT
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Optiplex
OS
Windows-7 Ultimate 32bit
CPU
Intel Pentium IV HT
Antivirus
Avast
Browser
Palemoon
I had that years ago, but copying a 14-character line of gibberish led to too many errors. I admire your ability to copy them all correctly.
 

My Computer My Computer

At a glance

Win 7 Ult 64-bitG620 2.6GHZ Pentium R6 GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP p6-2020t
OS
Win 7 Ult 64-bit
CPU
G620 2.6GHZ Pentium R
Memory
6 GB
Monitor(s) Displays
25" HPLV2311
Screen Resolution
1920 x 1200
Hard Drives
1 SATA, 1 exterior SATA
Case
HP
Cooling
PSU
Antivirus
Glasswire
Browser
Waterfox; Firefox; Chrome for work
Other Info
Firewall--Glasswire
Similar specs in Gateway DX4200
Verizon FIOS Wired network

1 other Win7 computer-- has SSD
Tell me about it. Just reentering passwords in a new phone was tedious.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
I had that years ago, but copying a 14-character line of gibberish led to too many errors. I admire your ability to copy them all correctly.

Not a big deal. I wrote a Python script to generate passwords:

Code:
#!/usr/bin/env python

#  Generate random passwords of length up to 16. Use upper and
#  lower case letters, digits, and punctuation marks. May run
#  interactively or with command line options.

import sys
import getopt
from random import randint

VERSION= "1.0.0"

HELP= ["-l [length] (1-16) -- The length of password generated",
"-p [--punct] -- Use punctuation",
"-h [--help] -- show the command line help; exit",
"-v [--version] -- show the version of app; exit"]

LENGTH_ERR= ["Password must be between 1 and 16 characters in length",
"Entering interactive mode..."]

#                            Functions

def WriteOut(Msg) :
    '''Prints out multi-line messages'''

    for Line in Msg :
        print("\n{0}".format(Line))

    pass

################################################################################

def Options(argv) :
    '''Parse command line options, return values as needed'''

    Length= 0
    PMark=  "n"

#  Put this in a try...except block since getopt barfs on empty command lines
#  catch and discard the exception. Send back 0 as a result, set up for
#  interactive session

    try :
        Opts,Args= getopt.getopt(argv, "l:phv", ["length=", "punct", "help", "version"])
    except getopt.GetoptError as err : return Length,PMark

    for opts,args in Opts :
        if opts in ("-l", "--length") : Length= int(args)
        elif opts in ("-p", "--punct") : PMark= "y"
        elif opts in ("-h", "--help") :
            WriteOut(HELP)
            sys.exit(0)
        elif opts in ("-v", "--version") :
            print("Version: {0}".format(VERSION))
            sys.exit(0)
        pass

    return Length,PMark

################################################################################

def Password(Length, PMark) :
    '''Generate random passwords'''

#  Key= 1: Upper case letter
#  Key= 2: Lower case letter
#  Key= 3: Digit
#  Key= 4: Punc. mark

    RetVal= ""
    Letters= "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    letters= "abcdefghijklmnopqrstuvwxyz"
    Digits=  "0123456789"
    Punct=   "~@#$&%*_"

    i= 1

    while i <= Length :

        Key= randint(1, 4)

        if Key == 1 :
            Index= randint(0, 25)
            RetVal+= Letters[Index]
        elif Key == 2 :
            Index= randint(0, 25)
            RetVal+= letters[Index]
        elif Key == 3 :
            Index= randint(0, 9)
            RetVal+= Digits[Index]
        elif Key == 4 :
            if PMark != "y" : continue
            Index= randint(0, 7)
            RetVal+= Punct[Index]

        i+= 1
        pass

    return RetVal

################################################################################

def main() :
    '''The main program: run as stand-alone script'''

    Length,PMark= Options(sys.argv[1:])

    if Length <= 0 or Length > 16 :
        WriteOut(LENGTH_ERR)
        Length= 0

    if not Length :
        print("\nUsing interactive mode...")
        if PMark == "n" : PMark= raw_input("Use puncruation? y|n [ n ] ")

        while 1 :
            Len_str= raw_input("Enter length of password--> ")
            Length= int(Len_str)

            if Length > 0 and Length < 17 : break
            else : print("\nPassword must be between 1 and 16 characters in length")

            pass

    print("Here is your password: {0}\n".format(Password(Length, PMark)))
    sys.exit(0)

################################################################################

if __name__ == '__main__' : main()
You can run that in Linux as is after tagging it as executable, or use Cygwin with Windows, or install the Windows version of Python and run it from a terminal:

py passwordgen.py <options here>

If you do a copy pasta and name it "passwordgen.py". Just copy what it gives you right off the screen. "py" invokes the Python interpreter in Windows, and just pass it the script file name and you're good to go. That way, you always get secure passwords, no need to think of them yourself, and it's easy to give every web site its own password in case one gets compromised.
 

My Computer My Computer

At a glance

Windows-7 Ultimate 32bitIntel Pentium IV HT
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Optiplex
OS
Windows-7 Ultimate 32bit
CPU
Intel Pentium IV HT
Antivirus
Avast
Browser
Palemoon
Back
Top