Password Managers

Bit of Background on Password Managers

The key benefit of password managers is to allow humans to use passwords that it’s hard for machines (controlled by humans, normally) to crack.

It means we can use unique, long, non-memorable passwords across the various online accounts we use.

That reduces 2 of the key security risks for password-based authentication:

  • password re-use - it’s easy to use the same password in many accounts - less to remember - so many people do it. The trouble is, if any of those accounts are compromised, all of the accounts are potentially pwned (check your accounts on haveIbeenpwned.com).
  • simple passwords - vulnerable to brute-force and dictionary attacks - the simpler the password, the easier to remember, but the more trivial it is for a machine to break

The more online accounts we have, the harder it is to maintain strong unique passwords as a human, so we need a hand from the machines in the form of a password manager (hardware keys are another option for some accounts).

Shopping Around

After LastPass changed their Policies and have a bit more tracking than seems appropriate (trackers can be a potential way for malware to enter an app as well as the creepy factor of tracking).

Pass

Hollie mentioned the CLI tool Pass that Mesar introduced her to, which sounds awesome for desktop use.

PassBolt

I’ve been considering self-hosting PassBolt - a pretty much fully-featured, multi-user password manager (obviously that means you need to keep it up to date for security, but it looks pretty good & covers all platforms).

BitWarden

For free password manager options with mobile apps, I’ve been leaning towards BitWarden - slightly restricted (no file storage or hardware key - e.g. YubiKey).

Buttercup

There’s also Buttercup - it uses several popular cloud storage providers as a backend (Google Drive, Dropbox etc.). An encrypted password vault is stored as a file in the cloud, and decrypted by mobile app or browser plugin. Not the best UI, but free, opensource & effectively multi-user, so it was my choice last year for a cheapskate option to allow several users to share a password vault.

Any suggestions and discussions would be very welcome!

Here is a little bit more info on pass if anyone is interested.

Advantages

  • pass entries are just files, so they are very flexible
  • can generate you long, complex passwords
  • passwords are encrypted using GPG and saved in a git repository (so you get version history, and can save the password store somewhere [possibly public] and share it with others)
  • simple command-line interface (all the details of git and GPG are hidden from the user)

Disadvantages

  • command line only
  • desktop only
  • storing your GPG key securely can be a pain

Example usage

$ pass # list stored passwords
$ pass insert my-new-password # prompts for the password on the terminal; --multiline reads a multi-line entry until EOF
$ pass generate test # generates a new entry, saving it in test
The generated password for test is:
2;AfD|L_o6@&XypCOq7*AC+jb
$ pass edit test # opens your default editor
$ # when editing / viewing passwords, you will be prompted for your GPG key passphrase, which acts as your "master password"
$ pass show test # print password to the console
2;AfD|L_o6@&XypCOq7*AC+jb_edited
$ pass show -c test # copy password to clipboard
Copied test to clipboard. Will clear in 45 seconds.

Conclusion

Great for desktop use, only annoyance is that there isn’t a mobile app (as far as I know).

2 Likes

Why shouldn’t I use the default password manager in my browser?

In my case, there are very few times that I’m required to enter a password outside of the browser (Firefox) so I’m happy to take a couple of seconds to open my saved passwords and copy them. There may be a few managers that make this process slicker but this is free.

I love the idea of pass but I’d only use it on my linux machines and I would need it everywhere including mobile.

It’s a good question! One reason might be that not all passwords are web passwords, as you note.

The thing about security choices is that you need to have a threat model - what it is that you’re worried about. Is it a flatmate using your unlocked laptop to prank you? Is it having border control extract all your phone contacts when you travel? Is it getting ransomware which locks you out of your computer? Or having your email password changed by persons unknown? Or a rogue bank transfer?

I’m very interested in computer security - and physical security - but my own practice is not very sophisticated. (I’d probably better not list all my failings here in public though.)

I do use my browser to store passwords, but not all passwords. And when I use different browsers in the course of the day, I sometimes find that not all my browsers have all my passwords.

Edit: browsers are of course used for all sorts of sites, with content coming from all sorts of sources including advertisers. If your browser can be compromised - and it probably can - then its password store might also be vulnerable. Qubes is an interesting experiment in partitioning computer use.

Edit: see also this post by Bruce Schneier, who offers his own password manager.

1 Like

Main Thoughts on Password Manager vs Browser Storage

Mainly, password managers give you:

  • Portability/availability across Apps and OSs.
  • As Ed says you can store varied content (SSH keys, secure notes, sometimes files etc.)
  • It may provide an additional layer of security vs browser storage (see below) though many disagree given your whole machine is likely compromised if your browser password store is compromised…

Additional features (depending on app):

  • Password audits and cross checking with password dumps built in too
  • Better password generation options
  • Temporary password sharing
  • Support for automating password changes from the app

Note: I believe Google Accounts & Mozilla’s Password manager (built into Chrome and Firefox respectively) also do password audits.

Generally browsers store using OS facilities to encrypt locally but…

Storage

AFAIK major browsers store locally with OS encryption (see threats below), sync to the cloud for portability & are unlockable via a cloud account.

Most password managers encrypt locally using the master password, meaning there’s something else to get through if the machine is compromised. They sync to the cloud, but the passwords are only ever decrypted locally.

There’s caching & time-limited unlocking with most password managers, so you don’t have to constantly enter the long master password, meaning all passwords are not always locked away. I’m not sure how attackable that is, but it’s worth noting.

Threats

OS storage is not totally safe since, depending on the OS and how it’s set up, it may just need someone to access your machine while it’s unlocked. (see this Nirsoft tool for a Windows example)

There’s a sort of ambient threat from browser flaws as a route for malware from adverts or malicious/compromised sites.

Password data is a fairly general/saleable target that IMHO doesn’t need you to be high value to get caught in, so worth considering.

Note: if your browser itself gets compromised via that route, each time you log in somewhere it’s up for snooping - regardless of a password manager.

That doesn’t mean you will get caught out, or that password managers are invulnerable, but:

  • there’s likely to be more protection with them against the whole password stash getting stolen in one go (unless your master password is grabbed)
  • it’s not a lot of effort (until you get a bait & switch from LastPass)

2 Likes
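Added example, not from any post in this thread: a small audit that does the two things the thread keeps coming back to, the haveibeenpwned-style check (first post and the "password audits" bullet above) and the brute-force cost of a simple password vs a generated one like the pass example. The breach corpus is constructed here as a stand-in for the real k-anonymity range API, and the guess rate is an assumption.

```python
import hashlib
import math
import string

# Constructed stand-in for the breach service's "range" responses: maps a 5-char
# SHA-1 prefix to the (suffix, count) pairs the service would return for it.
# Built from a few well-known weak passwords; not real service data.
def _build_fake_ranges(known):
    ranges = {}
    for pw, count in known:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        ranges.setdefault(digest[:5], []).append((digest[5:], count))
    return ranges

FAKE_RANGES = _build_fake_ranges([("password", 3_000_000), ("123456", 9_000_000), ("letmein", 150_000)])

def range_lookup(prefix):
    """Stand-in for the range API: only the 5-char hash prefix ever leaves the client."""
    return FAKE_RANGES.get(prefix.upper(), [])

def pwned_count(password, lookup=range_lookup):
    """k-anonymity check: hash locally, send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in lookup(prefix):
        if cand_suffix == suffix:
            return count
    return 0

def entropy_bits(password):
    """Upper bound: assumes uniform choice from the character classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def years_to_brute_force(password, guesses_per_second=1e10):
    """Expected years to search half the keyspace (assumed rate: 10 billion guesses/s offline)."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second / (365 * 24 * 3600)

def audit(password):
    return {"entropy_bits": round(entropy_bits(password), 1),
            "breach_count": pwned_count(password),
            "years_to_brute_force": years_to_brute_force(password)}

if __name__ == "__main__":
    for pw in ("letmein", "2;AfD|L_o6@&XypCOq7*AC+jb"):  # second one is the pass output above
        print(pw, audit(pw))
```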