Password manager security papers

Discussion in 'other security issues & news' started by MrBrian, Jul 5, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "Password Managers: Risks, Pitfalls, and Improvements" (2014)

    I'm not sure if this paper has been released yet, but slides are available at
    Code:
    hxxp://forum.stanford.edu/events/2014slides/security/Suman%20pwdmgr.pdf
    --------------------

    "Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers" (2013)

    Code:
    hxxp://www.cs.uccs.edu/~cyue/papers/ASEScience13.pdf
    --------------------

    "Automated Password Extraction Attack on Modern Password Managers" (2013)

    Code:
    hxxp://arxiv.org/pdf/1309.1416
    --------------------

    "Protecting Users Against XSS-based Password Manager Abuse" (2014)

    Code:
    hxxps://ben-stock.de/wp-content/uploads/asiacss2014.pdf
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage" (2013)

    Code:
    hxxp://www.doc.ic.ac.uk/~maffeis/papers/post13.pdf
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "On The Security of Password Manager Database Formats" (2012)

    Code:
    hxxp://www.6nelweb.com/bio/papers/pwvault-ESORICS12-ext.pdf
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Web-based Attacks on Host-Proof Encrypted Storage (2012):
     
    Last edited: Jul 6, 2014
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Very interesting. Thanks for sharing. Have you posted those links in the LastPass forum? It would be interesting to know their thoughts.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yeah thanks, it's interesting indeed. :)

    Perhaps auto-fill is not a good idea, at least not on all sites.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @dogbite and @Rasheed187: You're welcome :).

    I haven't posted these links in the LastPass forum. If anyone wants to, go ahead.
     
  8. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Aside from the security implications, it can also be a problem with certain places on the site, like the page to change your password (which often requires that you enter old and new passwords) or sites which have multiple passwords (like a router interface, which needs an admin password and a wi-fi password).
     
  9. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I have submitted the link to LastPass directly, let's see how they reply.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Which paper(s)?
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    This one.


    Anyway, they got back to me and said that their development team is going to look at that. Actually, I invited them to read the whole thread here and eventually give us their thoughts.
     
  12. tlu

    tlu Guest

    Already done nearly one week ago. So far no response :cautious:
     
  13. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    237
    Location:
    Neo Tokyo
    You need to bump that thread, tlu. No one would notice it on the 3rd page, and if it doesn't get a reply soon it will most probably end up in obscurity.
     
  14. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Good point. Bump it.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for posting :).

    The paper referenced there is "The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers" (2014)

    Code:
    hxxp://devd.me/papers/pwdmgr-usenix14.pdf
     
  17. bazinga

    bazinga Registered Member

    Joined:
    Aug 16, 2014
    Posts:
    9
    So for the users of password managers, are you going to stop using them based on this info? I think updates have been made, but this will always be a potential problem. I've been considering using one, but frankly I'm scared to death of putting all my passwords in one place. Although I'm also losing my mind trying to keep my logins/passwords straight... which also leads to duplicate logins/passwords, which is almost as bad, if not worse.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Password Managers: Attacks and Defenses (2014):
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I haven't read enough to decide yet, but I doubt I will stop using them.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Same over here, need to do some more reading. But I have to admit that I'm getting tired of having to manually fill in usernames/passwords stored in KeePass. I'm looking for a simple password manager (not cloud based) that can integrate into Opera v11 and 12, but I guess I'm out of luck. :)
     
    Last edited: Aug 25, 2014
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Last edited: Sep 6, 2014
  22. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    That link is not working. Did they remove your thread?
     
  23. tlu

    tlu Guest

    It's here now. Got one response, but not from LastPass.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    The response, even if not coming from LastPass, seems interesting and practically trashes the supposed vulnerability... :)
     
  25. tlu

    tlu Guest

    Perhaps, but what about the other vulnerabilities presented in those papers found by MrBrian?
     