I have so many examples of people who think they know how a Password Manager works and warn against the use of Password Managers — as they think alternative solutions are more secure. In some special cases it might be true — but in most cases they are wrong. Many people also think that passwords are just about to be replaced by other and better technologies — this is also a wrong understanding in my view.
I’m the developer of Password Crypt (https://pcrypt.com) and have direct knowledge about how a Password Manager works. At least I know how Password Crypt works — but I think that others more or less follow the same principles.
Security is not a simple beast and there is not a simple answer about what to do in every situation. It’s been said many times that using a Password Manager is like putting all your eggs in one basket — a hacker who compromises it has been handed the keys to your online world. This may seem like a deal breaker.
The actual risk of compromising a Password Manager is far less than if you reuse a password across multiple sites. In this case you are relying on many different sites to keep your data safe. If one of them suffers a breach — all the others are compromised as a result. And to remember more than one password you have to use very simple and short passwords.
In this article, I will give inside details about the security of Password Crypt and also some hints about security in general. It may get a bit technical at times, but I hope that most people will be able to follow.
Security or hacker attacks can be separated into these categories:
- Attacks against the user interface over the internet or the user interface of a client program.
- Attacks against a copy of the password database. In some cases it might be possible for a hacker to get access to the raw encrypted data stored.
- Attacks with a key logger or some other sort of Trojan horse installed on a system.
- Man in the middle attacks. A hacker can intercept and maybe manipulate the traffic that goes from the user to the back-end system and vice versa.
- Social attacks. Lure the passwords out of people.
- Plus many others
I will cover the first 3 possibilities here and maybe reserve the rest to a follow-up article in the future.
The first possible attack vector is just to try a lot of different combinations for the master password. This can be made smarter by using a list of the most used passwords first. People tend to use the same passwords. This is a so-called brute force attack.
This is not so smart against the normal user interface, as it is very easy to implement protection against this — just limit the number of tries based on time. If the hacker gets a copy of the database it can be made a lot more efficient, as it is possible to work as fast as the system allows.
So the big question is whether local or online Password Managers are the most secure. Where is it easiest to get access to the database with the passwords? That is not a simple question to answer.
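One way to limit tries based on time is a per-account exponential backoff. This is an added example, not Password Crypt's code; the class name, the thresholds and the account name "alice" are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-account exponential backoff after failed master-password attempts."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # seconds; doubles per extra failure
        self.max_delay = max_delay          # upper bound on a single lockout
        self.clock = clock                  # injectable so the policy is testable
        self._state = {}                    # account -> (failures, locked_until)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record(self, account, success):
        """Update the state after an attempt that was allowed to run."""
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        extra = failures - self.free_attempts
        delay = 0.0
        if extra > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (extra - 1))
        self._state[account] = (failures, self.clock() + delay)


def seconds_to_try(guesses):
    """Simulated time for `guesses` wrong passwords against one account."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(guesses):
        now[0] += throttle.retry_after("alice")  # each lockout must be waited out
        throttle.record("alice", success=False)
    return now[0]
```

With these settings ten wrong guesses already cost 126 seconds, and every further guess costs more until the one-hour cap is reached. None of this applies once the database has been copied, which is why the key expansion matters.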
A Password Manager that keeps your passwords “in the cloud” gives you the convenience of accessing your passwords from any device, anywhere, at any time — but it also means that the actual database is not under your direct control.
As long as your passwords are locally encrypted and protected by a good master password — then your passwords are safe even when stored online. In order to compromise this, an attacker would first have to compromise the system, then crack the encryption protecting your password data. It is no more risky than if the password data were stored locally — it is the encryption algorithm and where encryption is done that is important.
The master password you enter in a Password Manager is not used directly, but is subjected to a so-called “key expansion”. Typically this is a lot of hash rounds, which makes a brute force attack hard. For each password you try, you must perform 10000 or more operations (which takes time).
Along with the master password there is also a long, random, computer-generated value per user. This is a so-called salt value. Salt is mostly used to ensure that the same password cannot be applied to other accounts that use the same password, but it also increases key entropy if the database has not been captured. Password Crypt also uses a random salt value for each account.
From the master password, salt etc., 2 very different keys can be derived. One is used to encrypt/decrypt the passwords and one is used as a key to store and retrieve the password data. It is impossible to get to the other key if you get knowledge of a single key in some way.
Typically, the key used to encrypt/decrypt is not sent to the database at all, but is only used locally on the client you are working on. So if a hacker gets access to the database data, it is impossible to find the crypt key or the master password just by doing MD5/SHA hash operations or similar.
Password Crypt is implemented with the SRP6a protocol, so the key used to log on to the back-end database is never sent to the database server (a form of public/private key validation). The login key is, as previously described, also not the same key as the one used to encrypt/decrypt.
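The key expansion, salt and two-key split described above can be sketched as follows. This is an added example, not Password Crypt's implementation: the page does not name its algorithms, so PBKDF2-HMAC-SHA256 and the HMAC labels are assumptions, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ROUNDS = 10_000  # the "10000 or more operations" each guess has to pay for


def new_salt():
    """Random per-user salt, generated once and stored next to the account."""
    return secrets.token_bytes(16)


def stretch(master_password, salt, rounds=ROUNDS):
    """Key expansion: many hash rounds over the master password and salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def derive_keys(master_password, salt, rounds=ROUNDS):
    """Return (encryption_key, login_key) derived from one stretched root.

    Each key is an HMAC of a different label under the secret root, so
    learning one key reveals neither the root nor the other key.
    """
    root = stretch(master_password, salt, rounds)
    encryption_key = hmac.new(root, b"encrypt-v1", hashlib.sha256).digest()
    login_key = hmac.new(root, b"login-v1", hashlib.sha256).digest()
    return encryption_key, login_key


def server_record(master_password, salt):
    """What the back end holds: the salt and the login key, nothing else."""
    _encryption_key, login_key = derive_keys(master_password, salt)
    return {"salt": salt, "login_key": login_key}


def verify_login(record, presented_login_key):
    """Constant-time comparison of the presented login key with the stored one."""
    return hmac.compare_digest(record["login_key"], presented_login_key)
```

The encryption key exists only on the client; a copy of `server_record` gives an attacker nothing to decrypt with, and every master-password guess against it costs the full number of rounds.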
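The SRP-6a exchange can be followed in a few lines. This is an added example, not Password Crypt's code: it runs both sides in one function, uses a toy 127-bit modulus for readability (real deployments use the much larger groups from RFC 5054), and its hashing details and names are assumptions.

```python
import hashlib
import secrets

# Toy group for readability only: 2**127 - 1 is prime but far too small for real use.
N = 2**127 - 1
g = 3


def H(*parts):
    """Hash length-prefixed parts to an integer (this encoding is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        data = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def register(login_secret, salt):
    """Sign-up on the client: only (salt, verifier) is ever given to the server."""
    x = H(salt, login_secret)
    return pow(g, x, N)


def srp_login(login_secret, salt, verifier):
    """One login exchange; returns (wire_messages, client_key, server_key)."""
    a = secrets.randbelow(N - 2) + 1          # client's ephemeral secret
    A = pow(g, a, N)                          # client -> server
    if A % N == 0:
        raise ValueError("server must reject A = 0 mod N")
    b = secrets.randbelow(N - 2) + 1          # server's ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N     # server -> client
    if B % N == 0:
        raise ValueError("client must reject B = 0 mod N")
    u = H(A, B)                               # both sides compute this
    # Client side: needs the login secret, never transmits it.
    x = H(salt, login_secret)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier.
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    wire = {"salt": salt, "A": A, "B": B}     # everything that crossed the network
    return wire, H(s_client), H(s_server)
```

Both sides arrive at the same session key only when the client knows the secret behind the verifier; in the full protocol each side then proves possession of that key with a hash, so a wrong guess is rejected without the secret ever being sent.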
Many people also state that a key logger or Trojan horse makes the master password easy to get for a hacker, but this is also the case if you can memorize all your passwords in your brain. Likewise, this will over time give access to all systems that are in use. So the existence of key loggers is not a good reason not to use a Password Manager.
The existence of key loggers is the main reason to use 2-factor authentication (2FA). This will prevent data disclosure, unless the hacker has access to the raw database data. Similarly, systems that advise the user about all access attempts are also helpful in this respect.
The truth is that you need a Password Manager, and it’s worth taking the time to set one up. Auto filling of passwords, as some systems including Password Crypt can do, is a security risk as this can be targeted by a hacker in different ways. But simple use of a Password Manager, whether local or online, is something most people need.
We do not think that within reasonable time, technological changes will make passwords redundant. Possibly the strength of this need will change, but it will not disappear.
To use a secret, there must be an interface to the system. At the moment it is primarily keyboard and mouse. A mobile phone can also be used — but it can be stolen just like a paper note with passwords on it.
Passwords will exist for many years to come, as it is the only access protection that cannot easily be forced out of us and which can be transported easily and secretly. Other biometric methods such as fingerprints and, in part, iris scanning are perceived by experts primarily as second-factor authentication that can function in conjunction with passwords.
For example, one can force you to give fingerprints at the U.S. border to open a mobile phone. Fingerprints can also be relatively easily taken from items that have been touched and copied.
Another option is third party login systems like Google and Facebook login, which are getting more publicity. These systems have a privacy issue, sharing information about time and access with a third-party system. No respectable business will allow this.
For example, who wants to let Facebook control and know the access to the company’s online banking solution?
There are systems that allow third party login without big privacy issues — such as OpenID. These systems have been on the market for a long time without marked adoption as they are difficult to implement and cumbersome for the user to use and understand.
Hardware storage, is that not better? It depends very much on the situation — if we assume that the codes shall be used on the Internet, a hardware solution does not secure you against a key logger that collects your passwords over time. Paper in the wallet is not secure, as it requires you to constantly ensure that the paper passwords are safe (the wallet is never left unattended). My wallet has been stolen a number of times. The software solution is for sure more user friendly if you have many unique codes.
In general we would get better security with greater diversity of implementations and solutions. At the moment, it is a form of “one size fits all”. Everyone uses the same tools, programs and operating systems.
Once you have made a tool or system to break in somewhere, the system can be recycled in a lot of other places.
In practice, it is difficult to achieve greater diversity. Firstly, it requires that the individual implementations to some extent follow “best practices”, and very few people, unfortunately, have the knowledge and skills to make such different and secure solutions.
Hope the above gives you some insight and makes you start using a Password Manager. If not, I have done a lousy job with this article ;-)
Benny Ejholm Nissen — CEO and Back-End developer for Password Crypt