Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

protagonist
Posts: 5435
Joined: Sun Dec 26, 2010 12:47 pm

Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by protagonist » Sun Nov 08, 2015 10:24 am

I probably have on the order of 50 username/password combinations, so I consider a password manager an extremely valuable tool.

But then there is this: http://arstechnica.com/security/2015/11 ... d-manager/

Scary.

Thoughts?

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by jchef » Sun Nov 08, 2015 10:52 am

In order for that tool to work it needs to be installed on your machine.

If someone has the ability to install software on your machine, you already have a huge problem. They could install a keylogger, change your browser to a modified browser that looks the same but actually records everything you do, or many other things.

So it's not really a big deal that there's a new tool that can do bad things if it gets installed onto your machine. There were already plenty of old tools that could do the same.

saltycaper
Posts: 2650
Joined: Thu Apr 24, 2014 8:47 pm
Location: The Tower

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by saltycaper » Sun Nov 08, 2015 11:28 am

I think this sums it up pretty well:
KeeFarce will no doubt rekindle the common criticism that when password managers fail, they offer a one-stop destination for hackers to obtain all of a target's passwords. There's no doubt that password managers represent a single point of failure that could be catastrophic. Still, on the whole, they provide more benefit than risk when used correctly. That's because password managers allow average people to generate and store virtually crack-proof passcodes that are unique for every site. Password managers also prevent a breach on one site—say, the recent compromise of 000Webhost—from contributing to account hijacks on other sites because the account holder used the same password.

But it's also important that people recognize that there are some threats that password managers do nothing to mitigate, and chief among them is password theft from an infected computer to begin with. Lest anyone forget, KeeFarce is here to remind them.

The single point of failure is the increased risk, but the program can also lower risk in other ways. It's a matter of weighing the chances of your personal machine being completely compromised versus any one financial account password--perhaps weaker without a password manager--being compromised.

Alternatively, you can also lower risk of your password being compromised without using a password manager by using long, hard-to-crack passwords, and never using the same one twice. This is partially a behavioral issue--not a technical one--albeit one that can be difficult to address.
Quod vitae sectabor iter?

daveatca
Posts: 627
Joined: Thu Feb 19, 2015 10:03 pm

Whatever

Post by daveatca » Sun Nov 08, 2015 11:32 am

"KeeFarce uses DLL injection to execute code" - https://github.com/denandz/KeeFarce

So, who cares. Mac OS X does not use DLLs.

telemark
Posts: 2318
Joined: Sat Aug 11, 2012 6:35 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by telemark » Sun Nov 08, 2015 12:35 pm

As others have said, if a bad guy is in a position to install new DLLs on your PC, you are already toast in so many ways that this one doesn't matter much.

One suggestion: if you are like me, most of those 50 or so passwords are what I call junk passwords. I bought a thingummy once on doodads.com and they insisted on opening an "account" for me, but I will probably never use the site again. Then there are the important passwords, like the one to my checking account. Consider using a separate database, with a different master password, for the important ones.

wintermute
Posts: 192
Joined: Mon Mar 15, 2010 10:36 pm

Re: Whatever

Post by wintermute » Sun Nov 08, 2015 5:37 pm

daveatca wrote:"KeeFarce uses DLL injection to execute code" - https://github.com/denandz/KeeFarce

So, who cares. Mac OS X does not use DLLs.

Just about all modern OSes use dynamically linked shared libraries, including OS X.

tech_arch
Posts: 253
Joined: Wed May 27, 2015 11:47 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by tech_arch » Sun Nov 08, 2015 5:42 pm

jchef wrote:In order for that tool to work it needs to be installed on your machine.

If someone has the ability to install software on your machine, you already have a huge problem. They could install a keylogger, change your browser to a modified browser that looks the same but actually records everything you do, or many other things.

So it's not really a big deal that there's a new tool that can do bad things if it gets installed onto your machine. There were already plenty of old tools that could do the same.

+1.

richardglm
Posts: 260
Joined: Sun Jan 04, 2015 9:42 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by richardglm » Sun Nov 08, 2015 6:44 pm

All security measures are going to be a trade-off between convenience and security level. Password managers which allow you to have a distinct long randomly generated password for each site give you a relatively high security level for a small amount of effort, but they do depend on you keeping your computer free of viruses and malware.

Of course, if you can't do that, then all passwords will be at risk as well, whether in a password manager or not.

patrick013
Posts: 2407
Joined: Mon Jul 13, 2015 7:49 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by patrick013 » Sun Nov 08, 2015 7:21 pm

I wonder if KeeFarce would affect Linux. I don't have any of those
files on my computer, which is a Linux box.
age in bonds, buy-and-hold, 10 year business cycle

BogleBoogie
Posts: 575
Joined: Tue May 13, 2014 11:15 am
Location: AK

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by BogleBoogie » Sun Nov 08, 2015 7:26 pm

protagonist wrote:I probably have on the order of 50 username/password combinations, so I consider a password manager an extremely valuable tool.

But then there is this: http://arstechnica.com/security/2015/11 ... d-manager/

Scary.

Thoughts?

Just do what I do and use your last name (use yours, not mine). This way you never forget!

IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by IPer » Sun Nov 08, 2015 7:47 pm

Yeah, I have been using a small Linux VM and a text file only accessible to root with a small
search script so I store everything in that text file, login through SSH (encrypted) and issue
a search command, similar to this:

g citi

returns Citi Bank information (not a real example).

I also have this VM backed up automatically to another VM though that does not prevent hacking.
There is a brute force detection firewall installed on both and the SSH ports are not standard so
those automatically SSH probes that happen every few hours on the 'net don't reach the VMs.

This does NOT prevent the event of a virus/hack to my workstation where they would sniff the
credentials used to the VMs and then be able to gain access, however, this is highly unlikely
as I am not using a widely known commercially available piece of software and the ports are
scrambled. So they would really need a reason to target my machine, because that is all they
would gain.

ps if anyone needs the search script or more info on how to setup/manage the VMs you can
PM me.
Read the Wiki Wiki !

IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Whatever

Post by IPer » Sun Nov 08, 2015 7:49 pm

daveatca wrote:"KeeFarce uses DLL injection to execute code" - https://github.com/denandz/KeeFarce

So, who cares. Mac OS X does not use DLLs.

Any commercially available software that stores keys on any operating system will be the eventual target
of these types of exploits. There is no way around that other than to not use one.
Read the Wiki Wiki !

Epsilon Delta
Posts: 7430
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by Epsilon Delta » Sun Nov 08, 2015 7:52 pm

patrick013 wrote:I wonder if KeeFarce would affect Linux. I don't have any of those
files on my computer, which is a Linux box.

The "released" KeeFarce only works on Windows. But this does not mean Linux or OS X are safe.

KeeFarce is simply an existence proof that a long predicted threat is not just a theory. That it doesn't work on OS X and Linux simply means the authors did not bother to publicly prove that those OSs are vulnerable; it doesn't mean they are not, and there are sound reasons to believe they are.

IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by IPer » Sun Nov 08, 2015 7:54 pm

telemark wrote:As others have said, if a bad guy is in a position to install new DLLs on your PC, you are already toast in so many ways that this one doesn't matter much.

One suggestion: if you are like me, most of those 50 or so passwords are what I call junk passwords. I bought a thingummy once on doodads.com and they insisted on opening an "account" for me, but I will probably never use the site again. Then there are the important passwords, like the one to my checking account. Consider using a separate database, with a different master password, for the important ones.

I always use machine generated passwords on any account I open, they are unique, close to impossible to guess and are
added to the text file on my VM(s). As for your statement about DLLs, viruses are out there and even some of the most
savvy users contract them from time to time, so just saying you are toast doesn't really add much.
Read the Wiki Wiki !

IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by IPer » Sun Nov 08, 2015 7:56 pm

Epsilon Delta wrote:
patrick013 wrote:I wonder if KeeFarce would affect Linux. I don't have any of those
files on my computer, which is a Linux box.
The "released" KeeFarce only works on Windows. But this does not mean Linux or OS X are safe.

KeeFarce is simply an existence proof that a long predicted threat is not just a theory. That it doesn't work on OS X and Linux simply means the authors did not bother to publicly prove that those OSs are vulnerable; it doesn't mean they are not, and there are sound reasons to believe they are.

Right, it is ridiculous to stand up and say XYZ OS is immune to all attacks, unless it is on a headless computer unattached to the internet, and
even then the kid next door will most likely foil you!
Read the Wiki Wiki !

tech_arch
Posts: 253
Joined: Wed May 27, 2015 11:47 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by tech_arch » Sun Nov 08, 2015 8:55 pm

IPer wrote:Yeah, I have been using a small Linux VM and a text file only accessible to root with a small
search script so I store everything in that text file, login through SSH (encrypted) and issue
a search command, similar to this:

g citi

returns Citi Bank information (not a real example).

I also have this VM backed up automatically to another VM though that does not prevent hacking.
There is a brute force detection firewall installed on both and the SSH ports are not standard so
those automatically SSH probes that happen every few hours on the 'net don't reach the VMs.

This does NOT prevent the event of a virus/hack to my workstation where they would sniff the
credentials used to the VMs and then be able to gain access, however, this is highly unlikely
as I am not using a widely known commercially available piece of software and the ports are
scrambled. So they would really need a reason to target my machine, because that is all they
would gain.

ps if anyone needs the search script or more info on how to setup/manage the VMs you can
PM me.

A simple keylogger on your workstation is all that's needed to steal the passwords, albeit one at a time.

IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by IPer » Mon Nov 09, 2015 1:29 am

tech_arch wrote:
IPer wrote:Yeah, I have been using a small Linux VM and a text file only accessible to root with a small
search script so I store everything in that text file, login through SSH (encrypted) and issue
a search command, similar to this:

g citi

returns Citi Bank information (not a real example).

I also have this VM backed up automatically to another VM though that does not prevent hacking.
There is a brute force detection firewall installed on both and the SSH ports are not standard so
those automatically SSH probes that happen every few hours on the 'net don't reach the VMs.

This does NOT prevent the event of a virus/hack to my workstation where they would sniff the
credentials used to the VMs and then be able to gain access, however, this is highly unlikely
as I am not using a widely known commercially available piece of software and the ports are
scrambled. So they would really need a reason to target my machine, because that is all they
would gain.

ps if anyone needs the search script or more info on how to setup/manage the VMs you can
PM me.
A simple keylogger on your workstation is all that's needed to steal the passwords, albeit one at a time.

Not so, they cannot log if you are using an SSH certificate. On the other hand a keylogger virus is a good place to start
for attackers...
Read the Wiki Wiki !
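The setup IPer describes (a credentials text file readable only by root on a small Linux VM, searched with a `g citi`-style command over SSH) and the follow-up claim that key-based SSH leaves a workstation keylogger nothing useful to capture both rest on configuration that can silently drift. The script below is an added example, not IPer's search script or any project's code: it checks that the file really has no group/other permission bits and the expected owner, checks that `sshd_config` refuses password logins, and only then runs the search. It assumes GNU/busybox `stat -c` (Linux) and no `Match` blocks in `sshd_config`; the file names and the `safe_search`, `check_secret_perms` and `sshd_password_auth_disabled` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not IPer's script). Audits two assumptions behind a
# "root-only text file reached over SSH" credential store:
#   1. the file is unreadable to anyone but its owner (root by default);
#   2. sshd refuses password logins, so a keylogger on the workstation
#      sees at most a key passphrase, never a reusable server password.
# Assumes GNU or busybox stat (Linux); helper names are illustrative.

# check_secret_perms FILE [UID]
# Succeeds only if FILE exists, is owned by UID (default 0 = root) and
# has no group/other permission bits (mode 600, 400, 700, ...).
check_secret_perms() {
    f="$1"
    want_uid="${2:-0}"
    [ -f "$f" ] || { echo "check_secret_perms: missing file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")    # octal permission bits, e.g. 600
    owner=$(stat -c '%u' "$f")   # numeric uid of the owner
    if [ "$owner" != "$want_uid" ]; then
        echo "check_secret_perms: $f owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # Leading 0 makes the shell parse the mode as octal; 077 masks group/other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "check_secret_perms: $f has mode $mode, group/other bits are set" >&2
        return 1
    fi
    return 0
}

# sshd_password_auth_disabled SSHD_CONFIG
# Succeeds if the first top-level PasswordAuthentication directive is "no".
# sshd uses the first occurrence of a keyword, and with no directive at all
# the default is "yes", which this function treats as a failure.
# Match blocks are not handled (assumption: none are used).
sshd_password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" \
        | grep -qx 'no'
}

# safe_search PATTERN FILE [UID]
# The equivalent of the thread's "g citi": a case-insensitive grep over the
# credentials file that refuses to run if the file's permissions or owner
# have drifted, so a misconfigured store is noticed before it is used.
safe_search() {
    check_secret_perms "$2" "${3:-0}" || return 1
    grep -i -- "$1" "$2"
}

# demo: exercise the checks on constructed sample data owned by the
# current user (pass "$(id -u)" so it also works when not run as root).
demo() {
    tmp=$(mktemp) || return 1
    # constructed sample entries, not real credentials
    printf 'citi example-user example-password\nmail other-user other-password\n' > "$tmp"
    chmod 600 "$tmp"
    echo "mode 600:"; safe_search citi "$tmp" "$(id -u)"
    chmod 644 "$tmp"
    echo "mode 644:"; safe_search citi "$tmp" "$(id -u)" || echo "refused: permissions drifted"
    rm -f "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Saved as, say, `audit.sh` (the name is an assumption), `sh audit.sh demo` shows the search succeeding on a 600 file and being refused once the mode is loosened; `sshd_password_auth_disabled /etc/ssh/sshd_config` is the check to run on the VM itself. The owner check defaults to root because that is what the thread describes, but it is a parameter so the script can be tested without privileges.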

protagonist
Posts: 5435
Joined: Sun Dec 26, 2010 12:47 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by protagonist » Mon Nov 09, 2015 10:39 am

My take upon reading these responses is that a Keepass attack is the cyber-equivalent of a nuclear attack. It is an extremely unlikely event, but the results would be potentially devastating. And insuring against it is futile- keeping all of your passwords and usernames in a locked safe in your home might be just as risky. It's all ultimately a house of cards I suppose, but one in which we choose to live because it is so nice.

Epsilon Delta
Posts: 7430
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by Epsilon Delta » Mon Nov 09, 2015 12:14 pm

protagonist wrote:My take upon reading these responses is that a Keepass attack is the cyber-equivalent of a nuclear attack.

I don't like the nuclear attack analogy. The reason a nuclear attack is uninsurable is that it takes out an entire city in one blow. The combined losses are too big to handle.

A Keepass attack could be devastating to you, but it isn't likely to take the whole house of cards down at once. Either it's an attack on a limited number of unlucky people or it's going to be noticed and institutions (and account holders) have a chance to notice and mitigate before it's a systemic issue.

So one way to deal with such threats is to harden the targets that could bring down the system in one blow, monitor (and react to) threats that could combine to bring down the system and insure individuals against losses that are devastating to them but trivial for the system as a whole. IMO this is what we actually do in an imperfect way, or maybe it really is just a house of cards.

protagonist
Posts: 5435
Joined: Sun Dec 26, 2010 12:47 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by protagonist » Mon Nov 09, 2015 12:54 pm

Epsilon Delta wrote:
protagonist wrote:My take upon reading these responses is that a Keepass attack is the cyber-equivalent of a nuclear attack.
I don't like the nuclear attack analogy. The reason a nuclear attack is uninsurable is that it takes out an entire city in one blow. The combined losses are too big to handle.

A Keepass attack could be devastating to you, but it isn't likely to take the whole house of cards down at once. Either it's an attack on a limited number of unlucky people or it's going to be noticed and institutions (and account holders) have a chance to notice and mitigate before it's a systemic issue.

So one way to deal with such threats is to harden the targets that could bring down the system in one blow, monitor (and react to) threats that could combine to bring down the system and insure individuals against losses that are devastating to them but trivial for the system as a whole. IMO this is what we actually do in an imperfect way, or maybe it really is just a house of cards.

I agree.

The reason that most of us have willingly sacrificed so much in terms of security and privacy as the cyberculture becomes more a part of our daily lives is because we (myself included) feel the benefits are worth the risks/gamble. In this sense, the nuclear risk analogy is appropriate, as it is a byproduct of all the wonders of 20th-21st century science and technology that we would never want to do without.

Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Whatever

Post by Ged » Mon Nov 09, 2015 1:02 pm

IPer wrote:
daveatca wrote:"KeeFarce uses DLL injection to execute code" - https://github.com/denandz/KeeFarce

So, who cares. Mac OS X does not use DLLs.
Any commercially available software that stores keys on any operating system will be the eventual target
of these types of exploits. There is no way around that other than to not use one.

Ultimately there is no way to be sure because the key store on the host can be compromised as well.

fishingmn
Posts: 59
Joined: Thu Mar 08, 2012 1:21 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by fishingmn » Mon Nov 09, 2015 4:14 pm

So let's play this out -

Someone steals my Vanguard login and password somehow.

Would Vanguard's safeguards stop them from stealing the money? Most importantly, who's liable if they do steal it?

LazyNihilist
Posts: 874
Joined: Sat Feb 19, 2011 9:56 pm
Location: 6.66% (xirr)

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by LazyNihilist » Mon Nov 09, 2015 6:31 pm

Security is a trade off most of the time.
KeePass is still one of the best Password managers around.
If an attacker has root/Admin access to the user's system, the system is compromised and it's time to reinstall the OS and reset all the passwords.
The strong do what they can and the weak suffer what they must -Thucydides

ThankYouJack
Posts: 2244
Joined: Wed Oct 08, 2014 7:27 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by ThankYouJack » Mon Nov 09, 2015 6:37 pm

1st step if you're concerned is to set up 2FA.

Second possible step is get a little creative in how you use the password manager.

Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by Ged » Mon Nov 09, 2015 6:45 pm

fishingmn wrote:So let's play this out -

Someone steals my Vanguard login and password somehow.

Would Vanguard's safeguards stop them from stealing the money? Most importantly, who's liable if they do steal it?

Vanguard User Agreement:

You are responsible for maintaining the confidentiality of any account information, user names, logins, passwords and security questions and answers that you use to access any page or feature on this Site, and for logging off of your account and any protected areas of the Site. Further, you are fully responsible for all activities occurring under your accounts, user names, logins, passwords and security questions and answers that result from your negligence, carelessness, misconduct or failure to use or maintain appropriate security measures. If you become aware of any suspicious or unauthorized conduct concerning your accounts, user names, logins, passwords or security questions and answers, you agree to contact Vanguard immediately. Vanguard will not be liable for any loss or damage arising from your failure to comply with this paragraph.

Mordoch
Posts: 350
Joined: Sat Mar 10, 2007 11:27 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by Mordoch » Mon Nov 09, 2015 7:11 pm

fishingmn wrote:So let's play this out -

Someone steals my Vanguard login and password somehow.

Would Vanguard's safeguards stop them from stealing the money? Most importantly, who's liable if they do steal it?

There are certainly several levels of safeguards. A basic major optional one would be two factor authentication (which actually makes merely having your password and login have little value on its own if you have it set to be used every time you log in.) Even if you opt for the less aggressive and more convenient "two factor authentication only if it detects it may be a new computer you are logging in from" this still makes for a major additional technical barrier where any hacker is going to have to fake out Vanguard to actually access your account.

Another practical significant protection is that as long as you have Vanguard set to notify you by email when you make changes or make a transaction request for your account and you check that email regularly, you should be able to note that something is up and get concerned once you check your Vanguard account (or are locked out of it in spite of putting in the right password which should also be a dead giveaway.) At this point you call up Vanguard and should be in position to have them block the move.

A key point here is that Vanguard has major protections which basically make it impossible for someone to promptly get a check mailed to their desired address or sent electronically to their bank account right after they hack your account, so you have time to discover and block this action. Even if enough time has passed that an electronic transfer has been initiated, Vanguard still has a bit more time where they can block it so it doesn't actually go through. Theoretically someone could hack your account along with a bunch of others to try to "pump and dump" a lightly traded stock, but this is very difficult to do with the protections Vanguard actually has and still would take time which would allow you to still block it before it happens. The only way you would have possibly less time is if you specifically configure your account in certain ways along with specifically having a margin account. (You certainly don't have this by default and fairly few of us on this board do have such an account.)

In terms of if the damage is still done and getting Vanguard to make you whole, you certainly should be ultimately ok as long as you have anti-virus software which gets periodic updates and otherwise keep your computer OS reasonably up to date in terms of security patches. The only other obvious issue is Vanguard might have problems if it turned out your master password was ridiculously weak. (Basically the Vanguard stipulations only apply if you actually act negligent and/or fail to notify Vanguard once you clearly know there is almost certainly an issue with your account being hacked.)

Now theoretically Vanguard could still make an issue of things or have someone object to you using a password manager for some reason, but in practice you could be confident they would eventually cave if you threaten to go public and start talking to the media with the circumstances of the case if they don't make you whole. (Among other issues the potential extreme negative publicity and hit to the investing public's trust in Vanguard would be much more serious business wise than making you whole unless you personally have a 200 million dollar account at Vanguard or something.)

fishingmn
Posts: 59
Joined: Thu Mar 08, 2012 1:21 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by fishingmn » Mon Nov 09, 2015 7:30 pm

Thanks Mordoch - this is helpful.

I already do all of these but I did just log in and set up to have text message alerts in addition to e-mail alerts to any activity on my account.

ThankYouJack
Posts: 2244
Joined: Wed Oct 08, 2014 7:27 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by ThankYouJack » Mon Nov 09, 2015 7:34 pm

fishingmn wrote:Thanks Mordoch - this is helpful.

I already do all of these but I did just log in and set up to have text message alerts in addition to e-mail alerts to any activity on my account.

You can do the same for most credit cards too. You can set it up so you receive a text for every purchase where the card is not physically present (like online) and for all purchases over a certain dollar amount. It works well for catching credit card fraud as soon as it happens.

wassabi
Posts: 422
Joined: Sun Feb 02, 2014 8:06 am

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by wassabi » Mon Nov 09, 2015 8:26 pm

Seems to me the discussion should be on how to detect if your system is "owned."

magellan
Posts: 3469
Joined: Fri Mar 09, 2007 4:12 pm

Re: Password managers (eg Keepass, Lastpass, 1Password etc)- security risk

Post by magellan » Tue Nov 10, 2015 9:35 am

The problem with using a password manager is that it lumps everything into a single tier of security. That's usually not an optimal approach. Good security balances costs, like complexity and inconvenience, with the likely benefit, eg money or headache saved from a thwarted attack. The level of security that you need with a site like Vanguard is probably multiple times the level you need with a site like Bogleheads. With that in mind, I use a 3-tiered security approach for accessing online accounts.

1) Non-financial sites with limited personal information (eg Bogleheads)

For these sites, I don't need multi-stage DoD level bio-metric security. Because I log into these sites multiple times per day, I prioritize convenience over rock solid security and for this tier I use my browser's password manager to store unique passwords for each site. This accounts for about 90% of the passwords I use. A good password manager would probably be a better solution for this tier, but I just haven't bothered.

2) Banking sites covered by the Electronic Funds Transfer Act Regulation E, and credit card sites

These are more important than 'just for fun' sites, but the financial cost of a compromise is still limited. For these sites I use strong passwords that I can remember in my head and enable two factor to my phone when possible. I do not use a password manager and don't let my browser remember login information. If asked, I tell the sites not to remember my computer.

3) Non-bank financial accounts that don't have statutory fraud protection (eg Vanguard, Fidelity)

I use memorizable strong passwords for these accounts along with two factor and only access the accounts using a dedicated computer. Since I only have a couple accounts in this tier that I only access a couple of times a month, the inconvenience of this near paranoid level of security is quite low. (One note: moving to this approach required me to close my Vanguard Advantage checking account to reduce the frequency of Vanguard logins)

If my laptop gets compromised, I assume the adversary will get all of my tier 1 passwords (even if using a password manager). The passwords on tier 2 sites will only be compromised on the sites I access between the time I'm compromised and the time I detect the compromise. The sites I access from my dedicated computer shouldn't be impacted.
