We all must be aware of the risks of using passwords. Or are we?
We are constantly told, or tell (depending on our role), users what to do and not to do, things like:
- Use a separate password for each site
- Change them regularly (the advice we all give)
- Use something easy to remember but hard to guess; in fact it should be 'harder than hard' to guess
- Do not use dictionary words, and so on
Users then start to think of more secure passwords, but while doing so they write them down as they rearrange characters, recording them in diaries, calendars or those annoying post-it notes.
Some of the smarter ones (or so they think) use password managers. The question I am posing here is: should we trust them?
Over the years I have seen several 'password manager' sites and programs; I have even been handed a password management notebook somewhere along the line!
Password managers come in a variety of types; their main premise is to let users save their passwords for easy retrieval. Most are legitimate and have good security within their infrastructure, but security is only as strong as the weakest link.
The weakest link is generally the master password used to log into them. If an attacker obtains this password, or compromises the website or service behind it, they hold the keys to the kingdom: every stored credential at once.
Should we use them?
So should we use password manager applications or websites at all? Should we save our passwords in the browser for easier access later?
Although I have heard a number of security consultants and experts advise the use of password managers, I am very sceptical. I always wonder who is actually behind the password manager; after all, as the Latin saying goes, "Quis custodiet ipsos custodes?" (Anderson, 1982), translated as 'Who watches the watchmen?'. It is not as if they are vetted individuals or organisations; they are generally self-regulated.
What if they get hacked? What if we log into a password manager on an insecure system that has been infected with some form of keylogger? How secure is the site, and your connection to it? These are just some of the things users need to be aware of.
LastPass Browser Add-in Vulnerability
LastPass is a password management service that stores encrypted passwords in private accounts; it comes as a browser plug-in and as a web interface. The image below shows the Chrome browser add-in page.
Lastpass.com Chrome Browser Extension
A vulnerability in the LastPass browser extension was spotted by Tavis Ormandy which would allow any web page to proxy unauthenticated messages to the extension. Details can be viewed in the Project Zero tracker entry at https://bugs.chromium.org/p/project-zero/issues/detail?id=1209. Tavis states that the content script (websiteConnector.js) "will proxy unauthenticated window messages to the extension", meaning messages sent with window.postMessage are forwarded without verifying who sent them, and that there are hundreds of RPCs reachable this way, allowing things like copying and filling in passwords (Ormandy, 2017).
LastPass later released a blog post explaining the issue and stating that a fix has since been released. They add, however: "We have no indication that any of the reported vulnerabilities were exploited in the wild, but we're doing a thorough review at this time to confirm".
Will this be the last vulnerability found in a password manager? I highly suspect not.
The Use of Password Managers in General
Users have to be careful where they enter passwords, as well as about the strength and complexity of the password. They need to ensure they are not entering passwords into fake sites. This is where mutual authentication is great (the site proves its identity to you before you log in), and if users do use password managers (which I do not recommend) they need to be very careful with the account details and with where they log in to these from.
This includes browser log-ins and passwords saved via the browser. Those using Google who save their passwords in the browser should visit passwords.google.com, where you can log in and view the saved passwords. The following image shows the interface (clicking the eye shows the password in plain text!). Don't worry, it is a fictitious account being shown.
The same goes for applications: users have to validate that the application they are using is genuine.
I have previously created fake password checkers while working as a consultant. These were used to lure staff into entering their passwords, where it would check the strength and complexity of the password! (Don't worry, it was just a form that saved nothing, but the number of users and administrators who simply followed my instructions and were happy after getting that 'Secure' message, without wondering what else might be done with their account password, always amazed me.)
Here is an example of a page which does nothing, but could easily have been created to capture credential data, including passwords, if desired: http://www.ipa-sec.org/password-manager/
Coming soon: how to choose a good password!
Anderson, W. S. (1982). Essays on Roman Satire. Princeton University Press.
Ormandy, T. (2017). LastPass: websiteConnector.js content script allows proxying internal RPC commands. Project Zero issue 1209. Retrieved from https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
Main image retrieved from https://pixabay.com/en/lock-open-unlocked-decrypted-36018/
Google Passwords: https://passwords.google.com