Security slip-ups in 1Password and other password managers 'extremely worrying'

Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software. A group of security researchers called TeamSIK from the Fraunhofer …


  1. ZSn

    Little blue book

    Nothing beats writing them down and keeping them in a filing cabinet at home.

    1. Anonymous Coward

      Re: Little blue book

      The flaw there is that then they're not available for an online security breach.

    2. Mage Silver badge

      Re: Little blue book

      Especially if you die unexpectedly.

      1. Pompous Git Silver badge

        Re: Little blue book

        Especially if you die unexpectedly.
        I've always found entering passwords extremely difficult after I died.

        1. Charles 9

          Re: Little blue book

          How about someone else entering them FOR YOU?

        2. Mark Simon

          Re: Little blue book

          “I've always found entering passwords extremely difficult after I died.”

          Really? I’ve never tried.

        3. caffeine addict

          Re: Little blue book

          "I've always found entering passwords extremely difficult after I died."

          Ah, then you'll be interested in the iPhone 8 with its built in Ouija interface...

          1. Rich 11

            Re: Little blue book

            I've always found entering passwords extremely difficult after I died.

            Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud.

            1. Anonymous Blowhard

              Re: Little blue book

              "Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud."

              I thought they were supposed to be "in the cloud" already?

              1. Wensleydale Cheese

                The Pearly Gates

                "Then I've got some bad news for you: the Pearly Gates have been upgraded to 2FA and moved into the cloud."

                I thought they were supposed to be "in the cloud" already?

                You believed the glossy brochures and marketing!

              2. Anonymous Coward

                Re: Little blue book

                Oh you guys... 8-) 8-) 8-)

            2. AndrueC Silver badge
              Unhappy

              Re: Little blue book

              I've got some bad news for you: the Pearly Gates have been upgraded

              Meh, there's nothing but a bunch of self-righteous, boring do-gooders up there anyway. Imagine having to spend the rest of eternity never committing a sin.

    3. agatum

      Re: Little blue book

      keeping them in a filing cabinet at home.

      If you do, remember to add the "beware of the leopard" sign.

    4. Anonymous Coward

      Re: Little blue book

      "Nothing beats writing them down and keeping them in a filing cabinet at home."

      Completely agree, the issue was accessing online. So I did similar using a sheet of paper with them all written down then pointed a cheap Asian webcam at them which I can access remotely. Whenever I need a password I fire up the webcam from a browser and type it in. Simples!

      1. JamesPond
        FAIL

        Re: Little blue book

        "pointed a cheap Asian webcam at them"

        I hope your camera isn't made by Xiongmai then as that would be even less secure!

        https://www.theguardian.com/technology/2016/oct/24/chinese-webcam-maker-recalls-devices-cyberattack-ddos-internet-of-things-xiongmai

      2. Paul Renault

        Re: Little blue book

        What if your webcam is protected with a high-entropy password?

        Do you look up its hard-coded SSH password/port on Shodan?

    5. jason 7

      Re: Little blue book

      Mine is in a little blue book too!

      I always feel if anyone has the guts to break into my home for them, then job well done.

      Been waiting for the great password manager break in to happen for a while now. All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.

      It will all end in tears I suspect. Lambs to the slaughter...

      1. Pompous Git Silver badge

        Re: Little blue book

        All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.

        Bruce Schneier is behind the software I use. Something about due diligence...

    6. JCitizen
      Thumb Down

      Re: Little blue book

      BAH! No matter that vulnerabilities show up occasionally, because the way people used to use passwords was WAY MORE vulnerable than the occasional unpatched problem that shows up once in a while. If I gave up using managers, I'd be in much more serious condition than if I didn't use one. The little blue book is okay, if you are sure you do not have a keylogger in your phone - same for password manager - At least with the manager, if you change the master password, the attacker loses all advantage until the next breach.

      I don't know about Android, but Windows has so many apps that keep keystrokes in memory or on the hard disk, that an attacker doesn't even need a keystroke logger to find all your passwords EVER used. The little blue book isn't too bad, but the more difficulty you put into password management the less likely the user will adopt the tactic. You are probably better off with a vulnerable password manager most of the time, than using practices that are even worse.

      1. GIRZiM

        Re: if you change the master password, the attacker loses all advantage until the next breach.

        Assuming, of course, that it was a compromised password that let them in in the first place and not some other flaw (sigh).

  2. elDog

    Once again, the open-source Keepass is being ignored

    It just ain't fair - they'll need to add a bug to get noticed.

    1. Pompous Git Silver badge

      Re: Once again, the open-source Keepass is being ignored

      So is Password Safe (wot I use)...

    2. Novex

      Re: Once again, the open-source Keepass is being ignored

      I noticed that too. The factor that might have put them off is that Keepass itself isn't an Android app or even arguably a Linux one being that it needs mono to work. There are Android apps that can connect to a Keepass database such as Keepass2Android (the offline version of which I use) but I suppose they could be said not to be popular enough to feature compared to the online vaults that seem to get more mentions when password managers are covered in news reports.

    3. Wensleydale Cheese

      Re: Once again, the open-source Keepass is being ignored

      But the research only looked at Android:

      In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count.

      and if we wander over to the Keepass download page we see various "Contributed/unofficial" ports for Android. Dunno which of those are present on the Google Play Store (don't have an Android device here).

  3. clevercode

    Hey, Will here from AgileBits - makers of 1Password

    We and our customers benefit greatly from the work that Team-SIK did in their excellent analysis of 1Password 6.3.3 for Android. The particular vulnerabilities that they reported to us at the beginning of September 2016 were addressed in our Beta versions (1Password 6.4.1-BETA-1 on September 13 and 6.4.1-BETA-2 on September 21) and in full release of 1Password for Android 6.4.1 on September 27.

    Although the Team-SIK report is highly critical of the security offered by password managers on Android in general, we hope that readers of their overview will take the time to recognize that their general statements do not apply universally, and that the issues that were specific to 1Password on Android were promptly addressed.

    If you have more questions about this, please do get in touch.

    1. A Non e-mouse Silver badge

      What sounds better in a press release:

      "All password managers are broken"

      Or

      "Password managers have flaws of different severity"

    2. doggybreath

      Astounding

      I for one am astounded at the security flaws listed specifically for 1P. I am a long-time user.

      FWIW: AgileBits has informed users about the website icon shenanigans when the feature was first released, but that doesn't mean many/most users understood the implications or that a better, more secure way was possible. I sure did. Still not sure I trust AB over that "lapse", even though it's claimed to have been fixed.

      1. Bronek Kozicki

        Re: Astounding

        @doggybreath let me guess, you are this fabled developer who never committed a bug?

        1. doggybreath

          Re: Astounding

          Deflection will get you nowhere.

          Are you suggesting the issues reported for 1P were unintentional, e.g. not motivated by making it easier for the customer or to reduce the number of customer support interactions?

          The URL icon issue sure looked/looks intentional. I don't see how AgileBits can deny that.

          As for the others, if not intentional, they look like tremendous lapses in thought by experts in the field.

  4. Anonymous Coward

    Portable password manager?

    I could do with some crypto advice ...

    I tend to generate my passwords from a concatenation of my username, the site in question, and my secret passphrase: "anonymouscoward elreg MyVerySecretPassword" which I then hash, convert to base64, make some substitutions to meet "you must use a special character" rules ...

    ~$ read -r text; printf '%s' "$text" | sha256sum | cut -c 1-64 | xxd -r -p | base64 | cut -c 1-24 | tr 'a-m' '!--'

    I think that gives me a 24 char 144 bit password that is specific to any given account and is reasonably safe but that allows me to recreate it any time I have access to a shell (BTW, I use read text to avoid getting the password in the .bash_history or similar) or a programming environment where I can do SHA256, base64 etc.

    I clear the terminal display and the clipboard after use. Accounts that require me to change passwords regularly just get yyyy-mm in there as well. Is this a terrible idea?

    1. Anonymous Coward

      Re: Portable password manager?

      Well, it boils down to two things. How easily an attacker could guess the inputs and the security of the hashing algorithm. Everything else is second order beans, e.g. it would not take long to notice that you had a low frequency of a-m and a high one of !-- and reverse that.

      The hash is pretty good, but only as good as its inputs: if an attacker can guess those, then the strength of the hash is moot.

      So now we are down to: can an attacker guess your username, sites you might visit, and your passphrase? In many cases (perhaps not you personally) I would wager that the first two are easy to guess. How many John Smiths have a username of jsmith, johnsmith etc? (It's worse if your name is unusual, as you're more likely to grab the easy user names and not have to resort to some number after your ID. There's probably only one JanetOoberLuba in the bank's system, but John Smith is probably johnsmith03456). Sites are easy to watch too. Work in IT? British? Chances are you read El Reg. Right-wing, American? Look at Fox News, and maybe you bank with a bank in a red state. It's amazing what you can work out.

      So then, at the end, we are down to this: is your passphrase any good?
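As an added example (my code, not from the original poster or any project), the pipeline from the "Portable password manager?" post reproduced in Python, with the check the reply above describes: after the tr step, no derived password ever contains a-m while '!' to '-' appear often, which is the statistical fingerprint an observer could spot. The sample inputs are the post's own illustration values. The PBKDF2 variant at the end is my assumption of how one would slow down guessing of the passphrase; the thread itself does not propose it.

```python
import base64
import hashlib
from collections import Counter

# Constructed sample inputs, taken from the post's own illustration.
USERNAME = "anonymouscoward"
SITE = "elreg"
PASSPHRASE = "MyVerySecretPassword"


def tr_a_m_to_punct(s: str) -> str:
    """Emulate `tr 'a-m' '!--'`: map the 13 letters a..m onto the 13 ASCII
    characters '!' (33) .. '-' (45), leaving everything else untouched."""
    src = "abcdefghijklm"
    dst = "".join(chr(c) for c in range(ord("!"), ord("-") + 1))
    return s.translate(str.maketrans(src, dst))


def hasher_password(username: str, site: str, passphrase: str, length: int = 24) -> str:
    """Reproduce the posted shell pipeline:
    sha256sum -> xxd -r -p (hex back to 32 raw bytes) -> base64 -> cut -c 1-24 -> tr."""
    text = f"{username} {site} {passphrase}"
    digest = hashlib.sha256(text.encode()).digest()
    b64 = base64.b64encode(digest).decode()  # 44 chars for 32 bytes, so no '=' in the first 24
    return tr_a_m_to_punct(b64[:length])


def punctuation_skew(passwords):
    """Count characters in '!'..'-' versus 'a'..'m' across many derived passwords.
    The tr step guarantees the second count is zero, which is the fingerprint
    the reply says an observer would notice."""
    counts = Counter(ch for pw in passwords for ch in pw)
    punct = sum(counts[chr(c)] for c in range(ord("!"), ord("-") + 1))
    lower_am = sum(counts[ch] for ch in "abcdefghijklm")
    return punct, lower_am


def hardened_password(username: str, site: str, passphrase: str,
                      length: int = 24, iterations: int = 600_000) -> str:
    """Assumed variant, not from the thread: same inputs, but run through
    PBKDF2-HMAC-SHA256 so that every guess at the passphrase costs `iterations`
    hash computations instead of one. Username and site act as the salt.
    No tr step, so the base64 alphabet (including '+' and '/') stays uniform."""
    salt = f"{username} {site}".encode()
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)
    return base64.b64encode(key).decode()[:length]


if __name__ == "__main__":
    for site in ("elreg", "linkedin"):
        print(site, hasher_password(USERNAME, site, PASSPHRASE),
              hardened_password(USERNAME, site, PASSPHRASE))
    sample = [hasher_password(USERNAME, f"site{i}", PASSPHRASE) for i in range(50)]
    print("punctuation vs a-m counts over 50 sites:", punctuation_skew(sample))
```

Running it shows that the elreg and linkedin outputs share no visible structure (the preimage-resistance point made later in the thread), while punctuation_skew over a batch of derived passwords always reports zero a-m characters. Note that the hardened variant keeps the site-specific property but changes the password for every account, so it is a migration, not a drop-in replacement.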

    2. Robert Carnegie Silver badge

      Command-line password manager?

      Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.

      I generate random letter-number passwords and, when I have to, write them down. If a web site visit calls for another new password, I pause to decide if I really want to take the trouble.

      1. Aitor 1

        Re: Command-line password manager?

        The thing is, only after analysis of his passwords would the pattern be identified.

        So, he is 100% safe from automated mass attacks, he is only in relative danger from targeted attacks.

        And targeted attacks would, almost for sure, not go for his passwords in this way... the normal route is targeted zero-day on banners in LinkedIn, etc, plus mails. Easier, and cheaper.

        So while technically not safe, I would say it is completely safe.

        1. M man

          Re: Command-line password manager?

          This is a variation of what I do, except it's simpler and done in my head.

          To get my (for example) bank password they need to:

          A) get my bank hash and guesstimate an apparently random 11+ digit password.

          B)

          1. get at least two other sets of hashes (they prob have my old Yahoo and LinkedIn)

          2. guesstimate two different apparently random 11+ digit passwords,

          3. take those two passwords and try and work out what my "internal algorithm" is,

          4. find my banking username and generate my bank password,

          5. do this before my rolling password resets complete (about 2 years).

          Remember: related but not the same is, as far as hashing is concerned, completely different.

          The way I see it I trust NO-ONE with my hashes now and assume them all vulnerable to guesstimating.

          So if A) is "secure enough" for me then the B step 2 x B step 2 difficulty is secure enough for me.

          Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users.

          (e.g. your password just needs to be hard enough to take too long to guesstimate, and as your banking password only needs to be twice as hard to crack, just make it ONE digit longer)

          1. Charles 9

            Re: Command-line password manager?

            "Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users."

            Except the bear will still be hungry and will keep going. Ultimately, he'll reach you. Meanwhile, there's the discerning tiger who might recognize you as a tastier meal and single you out.

      2. dajames

        Re: Command-line password manager?

        Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.

        Not really ... the advice not to use the same password on multiple sites is there to prevent someone who discovers your password from trying it on all/any other sites for which you have an account. Clearly, if someone discovers (say) that your password on El Reg is elreg!mysecret they're likely to try linkedin!mysecret to break into your LinkedIn account, and so on ... but only because this is a manual attack and the attacker can see at a glance what your method is.

        If the passwords you use are actually hashes, you're not reusing the same password or any part of it for multiple sites in any obvious or discernible way -- just reusing some of the input data for a hash -- so the situation is quite different.

        If someone discovers the hash you use as a password for El Reg, they are not going to be able to work out what that hash is a hash of (that's kind-of the point of using a hash) so they won't be able to substitute other service names in the same way. If the attacker is able to discover by some means what process you go through to compute the hash then all bets are off ... but given the ways most passwords become compromised that's not very likely, and the hashing method is pretty safe.

    3. agatum

      Re: Portable password manager?

      Is this a terrible idea?

      Not at all. With that system you get insanely long and fairly secure (compared to my regular password 'passwÖrd') password.

    4. A Non e-mouse Silver badge

      Re: Portable password manager?

      Your scheme is called a password hasher.

      There have been a couple of articles on LWN about password storage/management. The latest article about password hashers is available here at: lwn.net.

  5. This post has been deleted by its author

    1. Tom 64
      Windows

      Re: Totally Overrated / Fake Sense Of Security

      I always thought these PMs were a bad idea.

      Until someone figures out how to hack my brain, I'll keep my passwords in my head thanks.

      1. AdamWill

        Re: Totally Overrated / Fake Sense Of Security

        So, what you're saying is, you'll keep re-using the same password for multiple different sites, then? Since no-one can possibly remember several hundred or thousand different strong passwords, many of which you will only use quite infrequently. Of course, sharing passwords across sites is one of the single worst problems with password security in general. But no, by all means, go on doing it.

        1. Tom 64
          WTF?

          Re: Totally Overrated / Fake Sense Of Security

          > "So, what you're saying is, you'll keep re-using the same password for multiple different sites, then?"

          No.

      2. Big_Boomer Silver badge
        Alien

        Re: Totally Overrated / Fake Sense Of Security

        Wow!! You must be really amazing to be able to remember over 400 different passwords for a variety of different websites, apps, programs and such. What a hero! :-D

        Personally I am older, much less of a superhero and need my crutch to be able to function, so I use a cloud based system that caches locally as well and for less important items I reuse the same passwords. Human I am, fallible I am, learned to work around my weaknesses I have. Yoda I seem to have become. <LOL>

        1. GIRZiM

          Re: Totally Overrated / Fake Sense Of Security

          Just use a core password with an extension that is unique to the site/service you're using at the time; the site/service itself reminds you of the extension - 'my Register forums password', for instance, is easily remembered by noting that you're logging into El Reg in order to comment on the forums. So it's almost a no-brainer once you've got the core password memorised.

      3. Don Dumb
        Pint

        Re: Totally Overrated / Fake Sense Of Security

        @Tom 64 - "Until someone figures out how to hack my brain."

        See icon.

        1. GIRZiM

          Re: Until someone figures out how to hack my brain

          Obligatory xkcd: https://www.xkcd.com/538

          Which is why I chose a password for my phone that I can blurt out safe in the knowledge that you'll never realise that's what I'm doing - you can seduce me, drug me, blackmail me, rubber hose me until you're in agony, never mind me, I can't give you a different one because I've been telling you the real one all along.

          It isn't "F*ck you and the horse you rode in on!" but you get the idea.

    2. AdamWill

      Re: Totally Overrated / Fake Sense Of Security

      A notebook on a desk isn't much bloody use when I'm not *at* my desk. And no-one enjoys typing in truly strong passwords, so if you don't use software which fills them in for you, you have a strong incentive to make your passwords not really very strong (but more convenient to type).

    3. Anonymous Coward

      'notebook on a desk isn't much bloody use'

      "when I'm not *at* my desk. And no-one enjoys strong passwords"

      @AdamWill

      Q1: What did you do before crutches like Password Managers? This is a tech website. Presumably as an IT pro you've been forced to systemically design complex passwords over the course of your career to secure many diverse systems...???

      Q2: What happens next time Amazon-S3 is down, (the Cloud system your password manager website uses etc), and there's an outage at your workplace that requires urgent login to all the diverse systems you manage?

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      There isn't any need for notebooks and they're a vulnerability. Instead use a little imagination and come up with a system, your own unique take on 'Too Many Secrets'. Form a strong password by designing a password structure into 3 / 4 / 5 / 6 segments etc.

      Crude example: 1. Information related to your reason for using a website or the purpose of such a system, 2. The approx date you signed up, 3. Personal info uniquely related solely to you but never ever made public, 4. Your job status in your own cynical pov, 5. A private life goal on a bucket list somewhere, 6. An index number that can have a simple math operation defined on it, but something not easily reverse engineered except by you.

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Break a strong password up into sections. Have a few different templates for each layout. Then have a system for evolving or changing it periodically as necessary, but within limits / bounds so you don't pick anything too random to forget.

      This isn't for everyone, but we're tech pros. We shouldn't trust password websites to nanny us. What have Snowden / Russian hackers taught us? All data is leaky / hackable / slurpable!

      1. localzuk Silver badge

        Re: 'notebook on a desk isn't much bloody use'

        @AC - Not sure if you've noticed but the number of sites with personalisation and login systems has grown phenomenally over the last decade or so. Before password managers, massive breaches were uncommon, and people didn't have 300 sites to access. (I think I've hit 700 sites stored in my PM at the moment).

        A lot of people, before PMs used a single password for various sites. That's why the big breaches were such a problem - it allowed the attackers access to a bunch of other sites too.

      2. Brangdon

        Re: Q2: What happens next time Amazon-S3 is down

        I use a password manager, but not a password website. Specifically, KeePass. So passwords are stored locally on my PC. I use Dropbox to back them up and replicate them to other devices. I can get at them from my phone without needing internet access.
