Password Managers: Under the Hood of Secrets Management – Independent Security Evaluators
A new report from Independent Security Evaluators (ISE) — Password Managers: Under the Hood of Secrets Management — reveals and details various vulnerabilities in several leading password managers which can enable the theft of user credentials. According to the report, “We found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.”
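The finding quoted above comes down to memory hygiene: a "locked" vault that only flips a state flag still holds its key material in process memory, where a memory dump or debugger can recover it. The following C program is an added illustration written for this page, not code from ISE's report or from any of the password managers it examined. It builds a toy vault (the struct, key pattern and function names are all constructed for the example), locks it two ways, and then scans the vault's own bytes for the key, which is essentially what a memory-forensics tool does over a full process dump.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed example: a tiny "vault" holding a derived master key in process
 * memory, with two ways of "locking" it. Not code from any password manager. */

#define KEY_LEN 32

struct vault {
    unsigned char key[KEY_LEN];   /* secret material kept while unlocked */
    bool locked;
};

/* Naive lock: flips the flag but leaves the key bytes in place. */
void vault_lock_naive(struct vault *v) {
    v->locked = true;
}

/* Overwrite through a volatile pointer so the compiler cannot treat the
 * stores as dead and drop them (explicit_bzero / SecureZeroMemory do the
 * same job where available). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Scrubbing lock: erase the key before marking the vault locked. */
void vault_lock_scrub(struct vault *v) {
    secure_zero(v->key, sizeof v->key);
    v->locked = true;
}

/* Scan a memory region for a known byte pattern, mirroring what a forensic
 * tool does over a process dump. */
bool region_contains(const unsigned char *region, size_t region_len,
                     const unsigned char *needle, size_t needle_len) {
    if (needle_len == 0 || needle_len > region_len) return false;
    for (size_t i = 0; i + needle_len <= region_len; i++) {
        if (memcmp(region + i, needle, needle_len) == 0) return true;
    }
    return false;
}

/* Returns true if the key is still recoverable from the vault's memory after
 * locking with the given lock function. */
bool key_survives_lock(void (*lock)(struct vault *)) {
    struct vault v;
    unsigned char expected[KEY_LEN];
    /* Constructed key material, standing in for the output of a KDF. */
    for (int i = 0; i < KEY_LEN; i++) {
        v.key[i] = (unsigned char)(0xA0 + i);
        expected[i] = v.key[i];
    }
    v.locked = false;
    lock(&v);
    return region_contains((const unsigned char *)&v, sizeof v,
                           expected, KEY_LEN);
}

int main(void) {
    printf("naive lock : key still in memory = %s\n",
           key_survives_lock(vault_lock_naive) ? "yes" : "no");
    printf("scrub lock : key still in memory = %s\n",
           key_survives_lock(vault_lock_scrub) ? "yes" : "no");
    return 0;
}
```

The scan here covers only the vault struct; in a real process the same pattern would also have to be scrubbed from every temporary copy (string objects, KDF working buffers, UI widgets), which is why the report's authors found material surviving even in products that did clear their primary key buffer.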
Colin Little, Sr. Threat Intelligence Analyst at Centripetal Networks, offered insights into these revelations, saying, “There’s no ‘magic wand,’ and there’s no exception to be found for password vault software. Password ‘vaults’ sound ultra-secure and are great tools to manage the multitude of ever-changing passwords, and they also have the added and convenient benefit of password generation tools to create longer and more secure passwords without the need to remember them, but the software itself is much like any other software: vulnerable to attack. When we read stories about how our ‘vault’ is not so vault-like, it can scare us. The truth of the matter is, passwords by themselves aren’t very secure anyway; passwords as part of a larger security posture are much more effective.”
According to Little, there are many options, ranging from simple and conventional to absolutely Draconian, such as:
- Have a security stack with conventional and advanced security equipment between your endpoints and the Internet. The bad guys have to get in, and then get the passwords out. There are emerging technologies that automatically detect both the invading infrastructure and the exfiltration infrastructure.
- Define minimum age, length, and complexity requirements. Define different sets of requirements for standard endpoints and critical systems and users.
- Don’t use the same password in two spots.
- Create a password blacklist to eliminate the most simple passwords.
- Use two-factor authentication to complement your password architecture. A password is useless without the second code, the correct cryptographies, or the correct biometrics. There are other more conventional options as well.
- Make critical systems ad-hoc when possible, meaning physical access to the system is required to use the password. This is a very severe measure but adds immeasurable security for critical systems.
- Use two-person authentication for ad-hoc critical systems; this is common in the military.
Executives from STEALTHbits Technologies also weighed in on the report. Martin Cannard, VP, Privileged Access Management Product Strategy, said, “Everything in life comes with a level of risk, it’s more a question of weighing the options. You have only a few choices: you can use easy to remember passwords for your (likely) hundreds of websites and run the risk of brute force / credential stuffing attacks, you can create a spreadsheet to track the different credentials for each site yourself but then how do you secure it, or you can use a password manager and keep good control of the systems you use it from. I know what my choice would be. In spite of the recent vulnerabilities, which vendors are in the process of addressing, password managers are still the only viable choice in my opinion. Remember, if someone has compromised the device you are logging in from, you have bigger problems to worry about.”
Cannard’s colleague, Adam Laub, Senior VP, Product Marketing, observed, “The commentary provided by each vendor in response to ISE’s findings actually contains the most important information about what’s really at the root of this problem. Dashlane’s spokesperson hit the nail on the head in that this vulnerability really applies to ‘any software or in fact any device that stores digital information.’ If an attacker has wholly compromised a system, pretty much all bets are off. LastPass CTO Sandor Palfy said, ‘In order to read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer.’ Unfortunately, this is all too common, as the users the attackers have compromised often have excessive levels of rights to their systems, which they rarely need, especially in enterprise environments. This makes it extremely trivial for attackers to exploit vulnerabilities, as they need not do much more than phish an unsuspecting user in order to obtain full control over their systems. It’d be great to say there’s some real hacking going on here, but it’s about as simple as opening a door.”