Security slip-ups in 1Password and other password managers 'extremely worrying'

ZSn

Little blue book

Nothing beats writing them down and keeping them in a filing cabinet at home.

18
1
Silver badge

Re: Little blue book

The flaw there is that then they're not available for an online security breach.

4
0
Silver badge

Re: Little blue book

Especially if you die unexpectedly.

0
0
Silver badge

Re: Little blue book

Especially if you die unexpectedly.
I've always found entering passwords extremely difficult after I died.

38
0
Silver badge

Re: Little blue book

How about someone else entering them FOR YOU?

2
4

Re: Little blue book

“I've always found entering passwords extremely difficult after I died.”

Really? I’ve never tried.

8
0

Re: Little blue book

keeping them in a filing cabinet at home.

If you do, remember to add the "beware of the leopard" sign.

22
0
Silver badge

Re: Little blue book

"I've always found entering passwords extremely difficult after I died."

Ah, then you'll be interested in the iPhone 8 with its built in Ouija interface...

9
0
Silver badge

Re: Little blue book

I've always found entering passwords extremely difficult after I died.

Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud.

11
0
Silver badge

Re: Little blue book

"Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud."

I thought they were supposed to be "in the cloud" already?

12
0
Anonymous Coward

Re: Little blue book

"Nothing beats writing them down and keeping them in a filing cabinet at home."

Completely agree, the issue was accessing online. So I did similar using a sheet of paper with them all written down then pointed a cheap Asian webcam at them which I can access remotely. Whenever I need a password I fire up the webcam from a browser and type it in. Simples!

12
0
Silver badge

The Pearly Gates

"Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud."

I thought they were supposed to be "in the cloud" already?

You believed the glossy brochures and marketing!

4
0
Silver badge
Unhappy

Re: Little blue book

I've got some bad news for you: the Pearly Gates have been upgraded

Meh, there's nothing but a bunch of self-righteous, boring do-gooders up there anyway. Imagine having to spend the rest of eternity never committing a sin.

3
1
Bronze badge
FAIL

Re: Little blue book

"pointed a cheap Asian webcam at them"

I hope your camera isn't made by Xiongmai then as that would be even less secure!

https://www.theguardian.com/technology/2016/oct/24/chinese-webcam-maker-recalls-devices-cyberattack-ddos-internet-of-things-xiongmai

0
4
Silver badge

Re: Little blue book

Oh you guys... 8-) 8-) 8-)

2
0
Silver badge

Re: Little blue book

Mine is in a little blue book too!

I always feel if anyone has the guts to break into my home for them, then job well done.

Been waiting for the great password manager break in to happen for a while now. All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.

It will all end in tears I suspect. Lambs to the slaughter...

3
0
Silver badge

Re: Little blue book

All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.

Bruce Schneier is behind the software I use. Something about due diligence...

2
0

Re: Little blue book

What if your webcam is protected with a high-entropy password?

Do you look up its hard-coded SSH password/port on Shodan?

0
0
Bronze badge
Thumb Down

Re: Little blue book

BAH! No matter that vulnerabilities show up occasionally, because the way people used to use passwords was WAY MORE vulnerable than the occasional unpatched problem that shows up once in a while. If I gave up using managers, I'd be in much more serious condition than if I didn't use one. The little blue book is okay, if you are sure you do not have a keylogger in your phone - same for password manager - At least with the manager, if you change the master password, the attacker loses all advantage until the next breach.

I don't know about Android, but Windows has so many apps that keep keystrokes in memory or on the hard disk, that an attacker doesn't even need a keystroke logger to find all your passwords EVER used. The little blue book isn't too bad, but the more difficulty you put into password management the less likely the user will adopt the tactic. You are probably better off with a vulnerable password manager most of the time, than using practices that are even worse.

0
0
Silver badge

Once again, the open-source Keepass is being ignored

It just ain't fair - they'll need to add a bug to get noticed.

35
0
Silver badge

Re: Once again, the open-source Keepass is being ignored

So is Password Safe (wot I use)...

7
0

Re: Once again, the open-source Keepass is being ignored

I noticed that too. The factor that might have put them off is that Keepass itself isn't an Android app or even arguably a Linux one being that it needs mono to work. There are Android apps that can connect to a Keepass database such as Keepass2Android (the offline version of which I use) but I suppose they could be said not to be popular enough to feature compared to the online vaults that seem to get more mentions when password managers are covered in news reports.

3
0
Silver badge

Re: Once again, the open-source Keepass is being ignored

But the research only looked at Android:

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count.

and if we wander over to the Keepass download page we see various "Contributed/unofficial" ports for Android. Dunno which of those are present on the Google Play Store (don't have an Android device here).

0
0

Hey, Will here from AgileBits - makers of 1Password

We and our customers benefit greatly from the work that Team-SIK did in their excellent analysis of 1Password 6.3.3 for Android. The particular vulnerabilities that they reported to us at the beginning of September 2016 were addressed in our Beta versions (1Password 6.4.1-BETA-1 on September 13 and 6.4.1-BETA-2 on September 21) and in full release of 1Password for Android 6.4.1 on September 27.

Although the Team-SIK report is highly critical of the security offered by password managers on Android in general, we hope that readers of their overview will take the time to recognize that their general statements do not apply universally, and that the issues that were specific to 1Password on Android were promptly addressed.

If you have more questions about this, please do get in touch.

34
2
Silver badge

What sounds better in a press release:

"All password managers are broken"

Or

"Password managers have flaws of different severity"

12
0

Astounding

I for one am astounded at the security flaws listed specifically for 1P. I am a long-time user.

FWIW: AgileBits has informed users about the website icon shenanigans when the feature was first released, but that doesn't mean many/most users understood the implications or that a better, more secure way was possible. I sure did. Still not sure I trust AB over that "lapse", even though it's claimed to have been fixed.

1
3
Silver badge

Re: Astounding

@doggybreath let me guess, you are this fabled developer who never committed a bug?

1
2

Re: Astounding

Deflection will get you nowhere.

Are you suggesting the issues reported for 1P were unintentional, e.g. not motivated by making it easier for the customer or to reduce the number of customer support interactions?

The URL icon issue sure looked/looks intentional. I don't see how AgileBits can deny that.

As for the others, if not intentional, they look like tremendous lapses in thought by experts in the field.

1
0
Anonymous Coward

Portable password manager?

I could do with some crypto advice ...

I tend to generate my passwords from a concatenation of my username, the site in question, and my secret passphrase: "anonymouscoward elreg MyVerySecretPassword" which I then hash, convert to base64, make some substitutions to meet "you must use a special character" rules ...

~$ read text; echo -n "$text" | sha256sum | cut -c 1-64 | xxd -r -p | base64 | cut -c 1-24 | tr 'a-m' '!--'

I think that gives me a 24 char 144 bit password that is specific to any given account and is reasonably safe but that allows me to recreate it any time I have access to a shell (BTW, I use read text, to avoid getting the password in the .bash_history or similar) or a programming environment I can do SHA256, base64 etc.

I clear the terminal display and the clipboard after use. Accounts that require me to change passwords regularly just get yyyy-mm in there as well. Is this a terrible idea?

3
0
Bronze badge

Re: Portable password manager?

Well, it boils down to two things. How easily an attacker could guess the inputs and the security of the hashing algorithm. Everything else is second order beans, e.g. it would not take long to notice that you had a low frequency of a-m and a high one of !-- and reverse that.

The hash is pretty good, but only as good as its inputs: if an attacker can guess those, then the strength of the hash is moot.

So now we are down to: can an attacker guess your username, sites you might visit, and your passphrase? In many cases (perhaps not you personally) I would wager that the first two are easy to guess. How many John Smiths have a username of jsmith, johnsmith etc? (It's worse if your name is unusual, as you're more likely to grab the easy user names and not have to resort to some number after your ID. There's probably only one JanetOoberLuba in the bank's system, but John Smith is probably johnsmith03456). Sites are easy to watch too. Work in IT? British? Chances are you read El Reg. Right-wing, American? Look at Fox News, and maybe you bank with a bank in a red state. It's amazing what you can work out.

So then, at the end, we are down to this: is your passphrase any good?

4
0
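As an added example (my code, not the poster's, and in Python rather than the shell) this reproduces the pipeline in the post above and makes the two points of the reply concrete: the tr step leaves a recognisable shape in every password it produces, and once username and site are guessable the scheme is only as strong as the passphrase. The usernames, site names and candidate list are constructed for illustration.

```python
import base64
import hashlib
from typing import List, Optional

# Mirror of `tr 'a-m' '!--'`: the 13 letters a..m are replaced, in order, by the
# 13 punctuation characters from '!' (0x21) to '-' (0x2D).
_TR_SUBST = str.maketrans("abcdefghijklm", "".join(chr(c) for c in range(0x21, 0x2E)))

# Alphabets that can appear in the output: base64 minus a..m, plus the tr range.
_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
_PUNCT = {chr(c) for c in range(0x21, 0x2E)}


def derive_password(username: str, site: str, passphrase: str, length: int = 24) -> str:
    """Reproduce the pipeline: sha256 -> raw digest -> base64 -> first `length` chars -> tr."""
    text = f"{username} {site} {passphrase}"            # what `read text` captured
    digest = hashlib.sha256(text.encode()).digest()      # sha256sum | cut -c 1-64 | xxd -r -p
    b64 = base64.b64encode(digest).decode()              # 44 chars for a 32-byte digest
    return b64[:length].translate(_TR_SUBST)             # cut -c 1-24 | tr 'a-m' '!--'


def digest_bits_used(length: int = 24) -> int:
    """Each base64 character carries 6 bits of the digest and tr is one-to-one,
    so a 24-character output exposes 144 bits of the hash, as the poster says."""
    return 6 * length


def has_scheme_fingerprint(pw: str) -> bool:
    """The reply's first point: after tr, a..m never occur in the output, while
    every character is either base64 or one of '!'..'-'. A leaked password from
    this scheme always has that shape, which is easy to spot."""
    return (len(pw) == 24
            and not any("a" <= c <= "m" for c in pw)
            and all(c in _B64 or c in _PUNCT for c in pw))


def guesses_to_recover(leaked_pw: str, username: str, site: str,
                       candidates: List[str]) -> Optional[int]:
    """The reply's second point: with username and site known, the hash adds nothing
    and the scheme's strength is how far down a candidate list the passphrase sits.
    Returns the number of derivations tried, or None if the passphrase is absent."""
    for n, guess in enumerate(candidates, start=1):
        if derive_password(username, site, guess) == leaked_pw:
            return n
    return None


if __name__ == "__main__":
    # Constructed inputs, chosen to match the post's worked example.
    pw = derive_password("anonymouscoward", "elreg", "MyVerySecretPassword")
    print(pw, len(pw), digest_bits_used(), has_scheme_fingerprint(pw))
    print(guesses_to_recover(pw, "anonymouscoward", "elreg",
                             ["password", "letmein", "MyVerySecretPassword"]))
```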
Silver badge

Command-line password manager?

Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.

I generate random letter-number passwords and, when I have to, write them down. If a web site visit calls for another new password, I pause to decide if I really want to take the trouble.

2
0

Re: Portable password manager?

Is this a terrible idea?

Not at all. With that system you get insanely long and fairly secure (compared to my regular password 'passwÖrd') password.

2
0
Silver badge

Re: Portable password manager?

Your scheme is called a password hasher.

There have been a couple of articles on LWN about password storage/management. The latest article about password hashers is available here at: lwn.net.

1
0
Silver badge

Re: Command-line password manager?

The thing is, only after analysis of his passwords would the pattern be identified.

So, he is 100% safe from automated mass attacks, he is only in relative danger from targeted attacks.

And targeted attacks would, almost for sure, not go for his passwords in this way.. the normal route is targeted zero-day on banners in linkedin, etc, plus mails. Easier, and cheaper.

So while technically not safe, I would say it is completely safe.

5
0
Silver badge

Re: Command-line password manager?

Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.

Not really ... the advice not to use the same password on multiple sites is there to prevent someone who discovers your password from trying it on all/any other sites for which you have an account. Clearly, if someone discovers (say) that your password on El Reg is elreg!mysecret they're likely to try linkedin!mysecret to break into your LinkedIn account, and so on ... but only because this is a manual attack and the attacker can see at a glance what your method is.

If the passwords you use are actually hashes, you're not reusing the same password or any part of it for multiple sites in any obvious or discernible way -- just reusing some of the input data for a hash -- so the situation is quite different.

If someone discovers the hash you use as a password for El Reg, they are not going to be able to work out what that hash is a hash of (that's kind-of the point of using a hash) so they won't be able to substitute other service names in the same way. If the attacker is able to discover by some means what process you go through to compute the hash then all bets are off ... but given the ways most passwords become compromised that's not very likely, and the hashing method is pretty safe.

1
0

Re: Command-line password manager?

This is a variation of what I do, except it's simpler and done in my head.

To get my (for example) bank password they need to:

A) get my bank hash and guesstimate an apparently random 11+ digit password.

B)

1. get at least two other sets of hashes (they prob have my old Yahoo and LinkedIn)

2. guesstimate two different apparently random 11+ digit passwords,

3. take those two passwords and try and work out what my "internal algorithm" is

4. find my banking username and generate my bank password.

5. do this before my rolling password resets complete (about 2 years)

Remember: related but not the same is, as far as hashing is concerned, completely different.

The way I see it I trust NO-ONE with my hashes now and assume them all vulnerable to guesstimating.

So if A) is "secure enough" for me then the B step 2 x B step 2 difficulty is secure enough for me.

Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users.

(eg your password just needs to be hard enough to take too long to guesstimate, and as your banking password only needs to be twice as hard to crack just make it ONE digit longer)

0
0
Silver badge

Re: Command-line password manager?

"Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users."

Except the bear will still be hungry and will keep going. Ultimately, he'll reach you. Meanwhile, there's the discerning tiger who might recognize you as a tastier meal and single you out.

0
0


Bronze badge
Windows

Re: Totally Overrated / Fake Sense Of Security

I always thought these PMs were a bad idea.

Until someone figures out how to hack my brain, I'll keep my passwords in my head thanks.

6
14
Silver badge

Re: Totally Overrated / Fake Sense Of Security

A notebook on a desk isn't much bloody use when I'm not *at* my desk. And no-one enjoys typing in truly strong passwords, so if you don't use software which fills them in for you, you have a strong incentive to make your passwords not really very strong (but more convenient to type).

13
1
Silver badge

Re: Totally Overrated / Fake Sense Of Security

So, what you're saying is, you'll keep re-using the same password for multiple different sites, then? Since no-one can possibly remember several hundred or thousand different strong passwords, many of which you will only use quite infrequently. Of course, sharing passwords across sites is one of the single worst problems with password security in general. But no, by all means, go on doing it.

7
4
Bronze badge
WTF?

Re: Totally Overrated / Fake Sense Of Security

> "So, what you're saying is, you'll keep re-using the same password for multiple different sites, then?"

No.

4
3
Anonymous Coward

'notebook on a desk isn't much bloody use'

"when I'm not *at* my desk. And no-one enjoys strong passwords"

@AdamWill

Q1: What did you do before crutches like Password Managers? This is a tech website. Presumably as an IT pro you've been forced to systemically design complex passwords over the course of your career to secure many diverse systems...???

Q2: What happens next time Amazon-S3 is down, (the Cloud system your password manager website uses etc), and there's an outage at your workplace that requires urgent login to all the diverse systems you manage?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There isn't any need for notebooks and they're a vulnerability. Instead use a little imagination and come up with a system, your own unique take on 'Too Many Secrets'. Form a strong password by designing a password structure into 3 / 4 / 5 / 6 segments etc.

Crude example: 1. Information related to your reason for using a website or the purpose of such a system, 2. The approx date you signed up, 3. Personal info uniquely related solely to you but never ever made public, 4. Your job status in your own cynical pov, 5. A private life goal on a bucket list somewhere, 6. An index number that can have a simple math operation defined on it, but something not easily reverse engineered except by you.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Break a strong password up into sections. Have a few different templates for each layout. Then have a system for evolving or changing it periodically as necessary, but within limits / bounds so you don't pick anything too random to forget.

This isn't for everyone, but we're tech pros. We shouldn't trust password websites to nanny us. What have Snowden / Russian hackers taught us? All data is leaky / hackable / slurpable!

4
3
Alien

Re: Totally Overrated / Fake Sense Of Security

Wow!! You must be really amazing to be able to remember over 400 different passwords for a variety of different websites, apps, programs and such. What a hero! :-D

Personally I am older, much less of a superhero and need my crutch to be able to function, so I use a cloud based system that caches locally as well and for less important items I reuse the same passwords. Human I am, fallible I am, learned to work around my weaknesses I have. Yoda I seem to have become. <LOL>

14
3

Re: 'notebook on a desk isn't much bloody use'

@AC - Not sure if you've noticed but the number of sites with personalisation and login systems has grown phenomenally over the last decade or so. Before password managers, massive breaches were uncommon, and people didn't have 300 sites to access. (I think I've hit 700 sites stored in my PM at the moment).

A lot of people, before PMs, used a single password for various sites. That's why the big breaches were such a problem - it allowed the attackers access to a bunch of other sites too.

5
2
Anonymous Coward

'400 different passwords for a variety of different websites'

- Honestly, how many of the 400 websites get used outside of your home / how many do you really use everyday?

- To learn a musical instrument or a foreign language a person develops tricks & techniques. But we're not taught to think about passwords that way. We're taught to entrust security to someone else, from a web service to a local device... But past history has shown: users always get burned!

- Online / Local PM's will always be a magnet for hackers / cybercrims. System designers must protect against every possible intrusion, but hackers only need to get lucky once!

1
2
Pint

Re: Totally Overrated / Fake Sense Of Security

@Tom 64 - "Until someone figures out how to hack my brain."

See icon.

11
0

Re: Q2: What happens next time Amazon-S3 is down

I use a password manager, but not a password website. Specifically, KeePass. So passwords are stored locally on my PC. I use DropBox to back them up and replicate them to other devices. I can get at them from my phone without needing internet access.

6
1
Silver badge

Re: Totally Overrated / Fake Sense Of Security

There's always a trade off between security and usability, or to put it another way, you can have a completely secure system by keeping it turned off.

Password managers sit at a particular point on the line between security and usability: they're more secure than using the same password for every site, or using the password manager most browsers come with. However, they're not as secure as keeping your passwords written down in a book, or memorising them. Again though, a password manager is much more usable than trying to memorise many unique passwords, or keeping them in a book.

Just because a password manager is not the most secure method, does not mean they don't have a place, it's about balancing risk with ease of use.

8
1
Bronze badge

Re: '400 different passwords for a variety of different websites'

"Honestly, how many of the 400 websites get used outside of your home / how many do you really use everyday?"

IMHO how often and where you use the website and username/password is not the point. The point is how long the password is and whether the password is unique for each site.

The Sony hack showed that a significant proportion of users had the same password across multiple high-profile websites which were then immediately hacked as well.

It is generally accepted that any password less than 11 characters can be brute force attacked in a day. Anything with 12 or more characters will take significantly longer as long as the system allows non alpha-numeric characters.

I've got about 10 key websites for banking, email, shopping, appstore etc. that I use regularly. I'm not sure I could remember 10 completely different passwords for these that had no relation to each other and also included random non alpha-numeric characters.

At the end of the day everyone has to make their own judgement on ease of use vs. security. Personally I use a PM because I believe relative ease of use increases security. I remember one long >20 character passphrase and then all the sites I use have unique random passwords.

3
1
