[Discuss] Password managers

[tmetro+blu at gmail.com (Tom Metro)]

> I use lastpass. It works on all platforms. Individual passwords are
> encrypted as is the master password.

Before giving advice on password managers its good to consider the type
of user and the level of security required. Someone mentioned using a
paper solution, and indeed that can be an acceptable upgrade for any
user who is currently using one or a few weak passwords on multiple sites.

Similarly, a cloud-based service with browser integration like Lastpass
can also be a perfectly acceptable solution for other users. You gain a
random password generator, and the convenience of passwords being
automatically or semi-automatically populated into logon forms, and
synchronized for you across all your devices.

I can see a security professional like Steve Gibson recommending such a
tool for use by typical users. But I'd consider it malpractice for a
security professional to recommend such a tool for use by other
professionals that have high-security needs.

Kent Borg has noted that having a password manager that can auto-fill
passwords into login forms carries a risk. Additionally a tool that runs
in the browser further increases the risk. Not only do you have to be
concerned about bugs in the password manager, but it also takes on all
the vulnerabilities that can be found in the millions of lines of code
that make up modern web browsers.

Then there is the NSA paranoia angle: any cloud-based solution, even if
the code executes on your local browser, is far more vulnerable to the
code being changed without your awareness. This could be by the vendor,
the vendor being forced by a government agency, or the vendor's systems
having been compromised by hackers. That code change could capture your
master password and send it off to any server. If your encrypted blob is
already in the cloud, then you've just given everything away and have no
idea that it happened.

So again, I don't think the vast majority of people need this level of
protection/paranoia, but perhaps many BLU members who are responsible
for corporate networks and client systems fall into the category of
needing something beyond the convenience tools.

Here are the characteristics I consider minimum acceptable for a
password manager:

-open source implementation; ideally with multiple independent
implementations and support for multiple platforms.

-code that only changes when I explicitly download and install a new
version; (My password manager doesn't auto-update on any of the
platforms where I use it. That does mean I take responsibility for
monitoring for updates.)

-good random password generator that can be customized to fit the silly
requirements of whatever site is being used.

-no browser integration. no direct connection between the browser and
the manager.

-no cloud storage. Less convenient, but not too hard for a tech
professional to set up their own machine-to-machine synch using open
source tools, and if cloud storage is still desired, the encrypted
password store can be put inside an outer encrypted container. (This is
what happens when an encrypted backup of your system is stored in the
cloud. You aren't relying only on your master pass phrase.)

Add to that: use 2FA or rather, 2SV (two-step verification) as Rich
clarifies, with any site that supports it. Avid using SMS or adding a
"recovery phone" to any accounts, if possible.

I use oathtool, a Linux command line tool for generating Google
Authenticator compatible codes. I can actually integrate it with my
password manager, which holds the seed in its encrypted storage,
creating an entry where the usual web site URL is replaced with:

cmd://bin/gui_oathtool --base32 "seed"

and "opening" that site generates the code. (gui_oathtool is a simple
wrapper that shows the generated code in a dialog box.)

Yes, this us a significant step below having a hardware key, or even
having separate device to run Google Authenticator, but on the other
hand it makes it practical to use 2FA codes on a far higher percentage
of sites I use. I still get the "over the wire" benefit. A MitM/phishing
site can't capture useful credentials.

I'm way more concerned with vulnerabilities that can happen on the
remote site or the link between, than I am with what happens on my own
secured machine. It's always about considering the threat model, and I'm
consciously choosing not to protect against the scenario where my local
machine has been compromised. Doing so is possible, but generally you
have far bigger problems if that happens, and likely far more determined
attackers. (Unless you are an average office worker clicking on random
email links. Thus Google's Yubikey policy.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/