Author Topic: How safe are password managers?  (Read 2584 times)

0 Members and 1 Guest are viewing this topic.

Offline F1n

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 3
    • View Profile
How safe are password managers?
« on: June 08, 2015, 10:31:52 pm »

All the major products (1Password, LastPass, KeePass, etc.) encrypt each stored password with some AES/PBKDF2 combo using a master password as a key, then store the data locally or on some server (usually iCloud or Dropbox). Most claim that the master key is never stored, so I guess that means the user needs to enter it anytime they need to use one of these apps, which also perform autofill on most sites via a browser plug-in and can create custom passwords as well. Other than brute forcing the master password or keylogging the phone, I would assume the best/only way to access the manager app would be an exploit in one of these plug-ins, but I don't know if that could get you into the entire app or just the password to a specific website.

Just wondering if anyone's taken a good look at these apps or messed around with them. Please note I'm not asking anyone to do anything, just wondering if an attack on one of these is plausible. Might do a write-up for a class. The amount of information people put on these things is staggering considering it's all behind a single password.

Also, I thought I hastily posted this earlier today on my way out the door, but I may not have gotten it up after all. If I did and someone took it down for whatever reason, my bad.
« Last Edit: June 08, 2015, 10:32:53 pm by F1n »

Offline horusffs

  • NULL
  • Posts: 4
  • Cookies: -2
    • View Profile
Re: How safe are password managers?
« Reply #1 on: June 20, 2015, 10:45:28 pm »
Well, in my opinion they are all safe.
The only thing that they do is open the document where your passwords are stored. It's like a "hidden" file.
Have you ever tried to RAT someone on computer?

Enviado do meu GT-I9301I através de Tapatalk


Offline Trogdor

  • Peasant
  • *
  • Posts: 63
  • Cookies: -12
    • View Profile
Re: How safe are password managers?
« Reply #2 on: June 24, 2015, 04:18:00 am »
I would only trust a password manager that stores the master password encrypted on the device. I think mostly the security is dependent on whether the data is stored locally or remotely. I would never knowingly store my passwords with some 'cloud' service. Keepass is definitely my favorite manager

Offline xor

  • Peasant
  • *
  • Posts: 59
  • Cookies: 32
    • View Profile
Re: How safe are password managers?
« Reply #3 on: June 24, 2015, 05:27:44 am »
Some password managers are open source.


I modified KeePass and recompiled in our IT department to include a module that automatically e-mails me when someone unlocks the database and copies and pastes an entry.


If someone hosted this on a LAN, or you got access to their personal installation of KeePass, you wouldn't need to know their master password or key, you could just play the waiting game and get notifications of their user/password combinations.


It's not hard to exfiltrate data if you want to.


-- xor
« Last Edit: June 24, 2015, 05:28:17 am by xor »

Offline Trogdor

  • Peasant
  • *
  • Posts: 63
  • Cookies: -12
    • View Profile
Re: How safe are password managers?
« Reply #4 on: June 24, 2015, 06:06:12 am »
Haha is it all company data or is there any personal info?

Offline xor

  • Peasant
  • *
  • Posts: 59
  • Cookies: 32
    • View Profile
Re: How safe are password managers?
« Reply #5 on: June 24, 2015, 06:07:18 am »
This stuff on our network is all corporate information.

Offline Trogdor

  • Peasant
  • *
  • Posts: 63
  • Cookies: -12
    • View Profile
Re: How safe are password managers?
« Reply #6 on: June 24, 2015, 06:09:45 am »
Ok because that could be fun  :)