Password Manager Vulnerabilities Exposed

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
19,985
What you want simply isn't possible. If given direct memory access, you don't have any secrets left. And in the majority of cases they can only read the password when you actively decrypt the password to use it.
True! But some of them decrypted the entire password list if you checked one password. I think they can do better; or Windows can do better as the article pointed out how Windows isn't doing these companies a favor.

Difference of opinion, and that's fine.
 

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
19,985
Did you read the article?
The issue brought up has nothing to do with the things not being encrypted well enough
But fundamentally at some point the password needs to be in a shape the recipients can understand them aka unencrypted
That not something the password manager kan change that a fundamental law of exchanging a password the recipines need to be able to understand it.

So when that exchange happens the password is decrypted (like expected) and can then be read by software on your computer.
This is again not an added risk. its the same as keylogger and you would have the same issue using a password manager or not.

You can have something encrypted forever at some point you need to decrypt it to be able to understand it.anything else defies the laws of logic here
because if it was understandable before it got decrypted. it would not be encrypted at all.


So trying to use this articles as an argument that using password manager are bad or they are not secure. is based in a false understanding of the issues found
in a "cold state" the password manager was perfect able to resist attack on it it,. aka if somebody gets you data base
Quote from the article: All password managers we examined sufficiently secured user secrets while in a ‘not running’ state.

its only on warm states there is an issue and only if you have running bad software running on you system
compared to not using a proper password manager you would be in the same situations as bad software running on your system simply logs you keystrokes to get you password aka a keylogger


So again bottom line. there is no added security issues form using a proper password manager but tons of benefits to do so,
there is nothing in this articles that warrant a negative reaction against using a password manager


exactly the same situation for ordinary user and spectre. There was no added security risc from havine the spectre flaw.
The attack vector remains the same
But yet ppl make a big deal out of things they don't understand because it does not "sound" good



or to put it short:
if you got bad software on your computer, then that itself is your security issue.
Yes, I read the article multiple times. I do not believe that a password manager should be storing the master password in memory in cleartext for over 24 hours. That seems like a bad design to me. What if a laptop is stolen while the user is logged in? Have you seen how ram can be read in a laboratory setting? Why not take that risk out by fixing the program?

Of course nobody is going to take average Joe's laptop to a lab, but they would if it belonged to the head of a company.

I think using a password manager is a great idea. I just wouldn't use one of these if I had billions of dollars at risk.
 

aaronspink

2[H]4U
Joined
Jun 7, 2004
Messages
2,122
True! But some of them decrypted the entire password list if you checked one password. I think they can do better; or Windows can do better as the article pointed out how Windows isn't doing these companies a favor.

Difference of opinion, and that's fine.
Well yeah. One issue that exists is the Windows secure entry form doesn't have a way to scrub at will. That's the primary issue with for instance 1Password4.

I do think its far beyond time for computer architecture to design security from the ground up, but retrofitting that into existing systems has significant issues.
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,168
Yes, I read the article multiple times. I do not believe that a password manager should be storing the master password in memory in cleartext for over 24 hours. That seems like a bad design to me. What if a laptop is stolen while the user is logged in? Have you seen how ram can be read in a laboratory setting? Why not take that risk out by fixing the program?

Of course nobody is going to take average Joe's laptop to a lab, but they would if it belonged to the head of a company.

I think using a password manager is a great idea. I just wouldn't use one of these if I had billions of dollars at risk.

We can agree on that. That would be nice if it didnt. but it does not make the password manager less secure than not using one.
Thats my point. and that informing the user that having bad software running on their system is going to break using a password manager. (Whatever it has the master password in cleatex or not) is still a technical sane "excuse"
If you have bad software running n your systme you are screwed. no matter what. nothing will protect you once this happens

Dont get my wrong the article itself is really good from a technical viewpoint. its the conclussion uneducated people are drawing from it that im worried about.


Bottom line is still that none of this introduce any insecurity compared to not using a password manager at all. Despite ppl trying to use this and an argument to not use password managers
 
Top