MSE guide discussion - 60 seconds on password managers
Don't be silly. Obviously, part of the reason I consider it secure is that I don't make it available to others via the internet.
And that, boys and girls, is why you shouldn't use password managers.
Even though Veracrypt (based on Truecrypt) has "masses" of encryption, you're still not quite comfortable to post it publicly to the Internet. I guess you don't fully trust the encryption & software code to keep you safe. Plus, malware on your PC (the same PC you use for both browsing/general work and storing the veracrypt volume) won't have any such compunction.
That discomfort you felt when you wrote that reply - that's the feeling that says things aren't quite as secure as one may wish.
^^ impeccable logic
Code, out of interest, what strategy do you use for your passwords?
You can see mine above and it works well for me.
I only need to remember 1 important password, nobody is going to guess it and I am a penetration tester amongst other things, so the password is designed to be the most awkward it can be for a PC to crack.
I have a simple password formula and some family now use this method for everything except banks, PayPal etc.
Take the first 3 letters of the website, make the 3rd a capital, insert a number, write the next 3 letters, ignore spaces.
So for this site moN123eys. Of course that is not quite what I use, but you can see the principle.
Code, out of interest, what strategy do you use for your passwords?
I tier my credentials (rather, the data they protect) pretty much as you've said, but with a slight difference.
Here's a long explanation, but it's a very simple summary. Unique passwords and 2 factor for critical stuff, a pot of passwords for less critical stuff, and a standard password or 2 for everything else I don't care about.
Top tier "critical"
Used for: high risk services, e.g.: online banking, or primary email (which accepts "password reset" mails), anything that could seriously damage life
Policy: unique username and password, especially where the username may be "guessable" (e.g.: gmail). If an email address is enforced, I use a different primary email to the second and third tiers. 2 factor authentication where supported. Password policy is similar to XKCD image to be sufficiently complex but also memorable. There aren't many of these, I can remember less than 10 combos easily.
Second tier "important"
Used for: med risk services, e.g.: LinkedIn or other reputational risks, major retailers I use regularly (Amazon), anything with Personally Identifiable Info in it that may enable ID theft or limited financial loss (e.g.: credit card fraud that's recoverable)
Policy: Most of these sites accept usernames based around an email address, gmail allows the "+" modifier to create "unlimited" aliases for 1 mailbox - if a credential database was hacked and leaked (a la LinkedIn), this simple change prevents the credentials being passed through an automated script to try them on popular services (attackers are very unlikely to manually go through the database and see that my email address is myname+thiswebsite@gmail.com and correct it). Password policy is similar to XKCD image, however I have a pot of passphrases that I select from & alter on the fly, based on a criteria I'm not going to disclose :-) . This means I only need to remember an additional small pot of passphrases to access these sites.
Third tier "I don't care"
Used for: everything else, no PII. If these were compromised, I'd be mildly annoyed then get on with my day.
Policy: I have a couple of passwords that comply with silly restrictions (must be 47 chars long, all with unicode unprintable characters etc). I just pick one and use it. I've just ended up remembering these because I've typed them so many times.
Therefore, with just a handful of passphrases that I can easily remember, I'm confident I've minimized my risk as far as practical without making my life impossible.
The reason my second tier appears more complex than my first is for one reason. If anything in my first tier was compromised, I'd be screwed and there was probably nothing I could have done anyway (AndyPix - as you rightly said in your earlier message). But there are only a limited number of these.
There are proportionately more in the second tier, which is the one that wouldn't be world-ending if compromised but would still put a serious dent in my day (LinkedIn profile changed to something unprofessional, or having to get credit cards cancelled and reissued). So, by taking an extra couple of steps (small pot of passphrases, avoid using the same email address), I'm minimizing my risk whilst still not making life difficult or requiring me to write anything down.
A quick note on that myname+thiswebsite@gmail.com thing, for those who don't know. If you have a gmail address, you can add "+<anything>" to it. Mail will be delivered to your one single main Gmail address. However, if an attacker manages to download a database of credentials (like the LinkedIn hack), they will often run the data through an automatic script that tries to use the same user/pass combo on common services (Facebook, Gmail, etc). Because these databases are tens of thousands of entries large, it has to be done by script and not by hand. Therefore, using my approach, the script would try and log into Facebook with "myname+linkedin@gmail.com", when my actual username is "myname+facebook@gmail.com". A human would spot that in a second, but a script shouldn't. So this buys me some extra time to go and change the passwords once the breach is publicized.
Remember, when being chased by a dinosaur, you only have to run faster than the slowest person in the group, so nobody please copy my approach or I'll have to come up with a new one ;-)
To add, it's about taking a risk based approach and understanding how things can be compromised. An attacker who grabs the entire LinkedIn database won't use it in the same way as someone who shoulder-surfs my password.
For web platforms, some of my inherent risks might be:
1. Someone I know stealing my credentials and using them (shoulder surfing)
2. Malware stealing my credentials
3. A website database being hacked, which includes my credentials
4. A service being hacked & my "stuff" is stolen (money from bank account etc)
My controls to mitigate them are:
1. I don't write the credentials down, and they are different for each of my critical services, and I look over my shoulder when I write them in (like you do with chip & pin)
2. See #1 ("don't write down" = don't use an encrypted file/password manager). I also have strong anti-malware controls
3. I use different credentials on tier 1, and modified credentials on tier 2
4. I have no control for this
Therefore my residual risks are:
1. A mind-reader can steal 1 set of credentials - low likelihood
2. Zero day malware could possibly key log a set of credentials if I type them in - low likelihood
3. Possible compromise of similar Tier 2 credentials, compromise of tier 3 credentials
4. Risk remains
I am comfortable that risk 1, 2 and 3 can now be accepted, based on the impact. And risk 4 has to be tolerated, because the mitigation is to (for example) not use any online banking, which is impractical.
In future I might decide that residual risk 1 cannot be tolerated, and I'll make myself a foil hat. You get the point...!
If you approach it in this way, rather than picking and choosing which bits to dive into, you will be in a more informed and more secure position.
I've made this all really formal to try and explain, but you can basically decide it in about 5 mins.
Password managers are a disaster waiting to happen if you do not force them to sign out when you shut the browser or lock the machine or after X minutes of non-use.
IITYYHTBMAD
And that, boys and girls, is why you shouldn't use password managers.
Err... I don't use a password manager. :cool:
Even though Veracrypt (based on Truecrypt) has "masses" of encryption, you're still not quite comfortable to post it publicly to the Internet. I guess you don't fully trust the encryption & software code to keep you safe. Plus, malware on your PC (the same PC you use for both browsing/general work and storing the veracrypt volume) won't have any such compunction.
You're suggesting that malware might upload my VeraCrypt volume to a Dropbox account...? Unlikely!
And I wonder how adept malware might be at extracting passwords from a freeform text document that doesn't follow any particular conventions. I doubt it would be possible without human intervention. And I don't think I'm that much of a target.
That discomfort you felt when you wrote that reply - that's the feeling that says things aren't quite as secure as one may wish.
That wasn't discomfort; it was utter bafflement as to why you are so interested in my perfectly adequate system for storing passwords. Especially when you don't have a good system yourself.
Do I really need to explain why sharing passwords (even in an encrypted form) isn't a good idea?
What you need to understand is that no system is ever "as secure as one may wish". Ideally, all systems would be unbreakable, but that's not how things work in the real world. There's always a trade-off between security and practicality. So long as you consider all possible attack vectors, you can put systems in place to make attacks unlikely and less feasible.
You also need to consider the "worst-case scenario" to assess the importance of protecting your passwords. For example, if your password list contains logins for financial institutions, then you will probably want to protect these details with better security than if you just had forum logins.
And don't forget, every time you use a password, you risk revealing it to the world. Malware is much more likely to intercept a password you've typed into a website than once stored in an encrypted volume.
Do you feel a sense of discomfort every time you enter a password, knowing that malware on your PC could be transmitting it to parties unknown...?
Biometric based password/security...
Built in iris& fingerprint scanner on every device!!
Problem solved…
You can change your password, but changing your fingerprint is somewhat harder.
Most account passwords are stolen through phishing emails and/or fake websites.
Most of my passwords get stored to Firefox, except for important passwords like online banking and PayPal. I tend to remember these, but also have them in a .txt file in an encrypted format (of my own design).
"I may not agree with you, but I will defend to the death your right to make an a** of yourself."
Unsupervised biometrics are almost impossible to make secure. The idea that you can get any meaningful security from a fingerprint or iris scan offered to a device you physically control, connected to a network you physically control, with the scan done in a private room where you are the only witness, is fanciful, to put it mildly. It requires all the devices involved to be tamper resistant up to an attacker who has access to a large number of samples and is able to work in private, and that is extremely difficult, again, to put it mildly. Even leaving aside the issue of being unable to change identities, the implications for witness protection etc. and a range of other problems with storing biometrics, if you can construct a scheme which is safe against an attacker who can dismantle the scanner and access the software running on it and any associated key material, knock yourself out. Extra points if you can do it without requiring exotic hardware fabrication techniques. Pay special attention to device enrolment and personal enrolment. Claim your PhD at the door with anything even remotely plausible.
(For fingerprints, you copy the fingerprint onto rubber. For iris and facial, a picture will do. If you can't be bothered to do that, you just modify the device to record a scan and then replay the scan itself (i.e., the bit the sensor got from the camera/surface/etc.) into the device. If you can't be bothered to do that, you modify the firmware to store the sensor data.)