5 min read

Removing that single-point-of-failure Password Managers pose

Removing that single-point-of-failure Password Managers pose

You’ve heard that your password has already been compromised by LinkedIn, Yahoo, Vodafone, Sony, Minecraft, and Snapchat to name a few of the more then 200 breaches I know about, but do you know that the Password Managers you put trust in for all of your passwords are just as vulnerable?

With the revelations of security slip-ups in password managers we’re still told by security experts that everything’s fine now. Patch. Keep using them. Move along, but I say that’s not good enough and it’s time to get smarter and question whether our security experts are keeping up with the times and listening to their younger more in touch peers.

Password Managers are no more secure from hackers then any other product

If we take only 5 password managers that first come to mind today we can see a rich history

  • February 2011 LastPass XSS discovered
  • May 2011 LastPass announced possible breach
  • June 2012 KeePass remote attack exploit
  • June 2015 LastPass compromised servers
  • October 2015 1PasswordAnywhere exposed PPI & user reset password links
  • November 2015 KeePass vulnerable to KeeFarce hacking tool
  • June 2016 KeePass Automatic Update Vulnerability
  • July 2016 LastPass users plaintext passwords exposed
  • August 2016 KeePass Header Authentication
  • August 2016 OneLogin application cleartext logs exposed
  • August 2016 Dashlane Universal XSS
  • September 2016 1Password user passwords exposed to subdomains
  • February 2017 1Password encrypted data exposed via Cloudflare issue
  • March 2017 LastPass multiple security vulnerabilities in browser extensions
  • May 2017 OneLogin unauthorized full server side access security breach
  • May 2017 KeePass master passwords cracked with Hashcat tool

I spent less than an hour to come up with that timeline, this is not a research exercise so it is likely i uncovered only half the total list out there and its 90% more then you knew.

I read security experts publications and listen to security podcasts daily and I knew of only a handful in that list, you’re probably reading that to yourself on the train to work and passengers are thinking if they should call an ambulance for you before you pass out!

Where’s the mainstream media coverage on this?

Password managers are the single-point-of-failure when it comes to your passwords, they can expose all of your passwords to all of your programs, sites, secure notes, and encryption keys in just 1 breach, and I’ve just shown you 16 vulnerabilities for the leading 5 tools and you’re probably using one of these daily.

This should scare you

So my message is treat Password Managers as a convenience tool and not give them your passwords anymore.

Hang on, what? That defeats the purpose you might ask, well no it doesn’t. Password managers are still useful as convenience tools even if they don’t know your whole password but rather they just need to manage a portion of the password you can’t remember yourself.

Here’s the technique;

  • Tell the password manager to generate the long jumble of characters as usual, and store it for you for any particular program
  • Choose a PIN or password you will remember — DO NOT write it down anywhere, ever! So make it memorable (even if it is easy).
    For demonstration we’ll say it is 123456 (do not use 123456 yourself..)
  • Now combine the memorable password with the generated one your password manager keeps, prefix or suffix it’s your choice, but tell the program the password is the combination of your memorable one and the one generated and stored by the password manager.
    To demonstrate, your new password might be;
  • Never give the password manager your memorable PIN or password
  • Now when you use the program your password manager will fill in the password it has, it is incomplete and wont let you log into the program but all you have to do is add your memorable portion to the one pre-filled and you’re good to go.
  • [even better] instead of append or prepend (which might be intuative to an attacher) choose a location somewhere in the middle to place your PIN and do so for every password just like a prefix or suffix but rather it is somewhere in the middle. An attacker with both the PIN and the long random string password might try suffix and prefix but to crack this they would need to try the PIN shifting by 1 character. Now, what if you have 2 PINs in there! That is not just easy for you to type but it is far more difficault to guess and harder to code an algorithm to try all the variations.

Now if the password vault of the Password manager is compromised all the bad actor has is a collection of unusable parts of your passwords.

If they are aware you have a prefix or suffix PIN or password, and they have compromised another 3rd party application that you used the PIN or password combined with the generated portion they obtained from your password vault AND they are able to access the secret memorable portion as cleartext by somehow breaking the encryption used by the 3rd party application (or it was stored cleartext in the first place, which I might wonder how they earned your trust).

In this chain of low likelihood scenarios you arrive back at the current level of security you have with your chosen Password manager.

Now it might be obvious to some of you, but those that know that length is the only thing that really influences password strength would agree that adding a suffix or prefix can only make passwords stronger, not weaker.

By any standards, you have to admit that removing any single-point-of-failure to the access of all of your passwords in one breach can only be a good thing.

On the topic of keystroke capture risks to someone learning your memorable secret — this is the case where there is a running compromise on the computer you are using, i.e. the computer is already compromised.

Most, if not all, Password Manager’s openly state they cannot protect your passwords from an already compromised system. I’d suggest this includes systems that are operating a keystroke capture vulnerability where the Password Manager statement is less specific. Why? Because the Password Manager’s master passphrase can be compromised unlocking the password vault!

Where the keystroke capture might unlock the Password Manager vault as-well-as learn your memorable PIN or password, they’d have to also figure out that you use these in combination, trying the prefix or suffix techniques or any other technique you’ve chosen to use to combine them (I use my own secret technique) and that is a lot of assumptions, it’s not a simple hack or breach and its more likely that the bad actor will simply try one or 2 things and move onto a more vulnerable victim whereas if you just store whole passwords in your Password Manager you are that more vulnerable victim.

But of course, critique is expressly invited — bring the pain