Master Password risk!

Stephen H
2016-10-02
4 days ago
  • Stephen H

    Stephen H - 2016-10-02

    Thumbs up for Pwd Safe!
    But I'm still hesitant over the notion of a master pwd (with any pwd mgr), since if a hacker gets this, they've got all the pwds!
    So I've been researching into how to secure master pwd entry - and I would welcome further comments / advice:

    Obviously top of the security / protection tree here is Yubikey, but almost £40 (and curiosity!) makes me wonder...
    Alternatively, I might accept less safe but cheaper and more convenient options:
    1) Are virtual keyboards a waste of time here re hiding from key-loggers, or do they offer some protection against keybd / mouse / clipbd entries?
    2) What if I disconnect from internet while entering master pwd? - or would key-logger simply store log and send when reconnected?
    3) Doesn't firewall (Windows 10 OS's) protect enough against key-loggers anyway?
    4) How about manually disguise, like enter dummy chars within pwd > select with mouse > type correct chars?

     
  • Rony Shapiro

    Rony Shapiro - 2016-10-02

    Your underlying assumption is that if we protect the master password, then all is well.

    Problem is, if your adversary can install a keylogger, they can also install (with less effort) a modified version of PasswordSafe that, for example, encrypts with a fixed encryption key, regardless of the master password, and exfiltrates the password database to the attacker.

    My point is that PasswordSafe's value is in making it easy to create and manage different strong passwords for each site, while storing them securely. This protects against (a) having a single website breached, since your password on that site will be hard to crack, and cracking it won't help the attacker use that password elsewhere, and (b) losing your laptop, disk-on-key or otherwise inadvertently exposing your password file.

    PasswordSafe was not designed to protect against a compromised PC. We take reasonable effort and follow best practices, but if someone wants to target you, PasswordSafe cannot be assumed to protect you (as described above).

    I would take anyone's claim to provide more security than PasswordSafe does as a password manager with a grain of salt, as the real issue is the platform, not the application.

     
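    Point (a) above rests on two properties: each site's password is drawn at random from a large space, and no password is shared between sites. The following is an added illustration, not PasswordSafe code, using only the Python standard library: it generates a per-site password with the OS CSPRNG, estimates how long an offline attacker would need to guess it at an assumed guess rate, and flags any reuse across a constructed set of stored entries. The 10 billion guesses per second figure is an assumption for the calculation, not a measured number.

    ```python
    import math
    import secrets
    import string

    # Constructed alphabet: letters, digits and punctuation (94 symbols).
    ALPHABET = string.ascii_letters + string.digits + string.punctuation


    def generate_password(length=20, alphabet=ALPHABET):
        """Return a uniformly random password drawn with the OS CSPRNG.

        secrets.choice is unbiased, unlike random.choice, so every character
        position contributes the full log2(len(alphabet)) bits.
        """
        return "".join(secrets.choice(alphabet) for _ in range(length))


    def entropy_bits(length, alphabet_size):
        """Entropy of a uniformly random password of this length and alphabet."""
        return length * math.log2(alphabet_size)


    def expected_guesses(bits):
        """On average an attacker finds the password after half the keyspace."""
        return 2 ** (bits - 1)


    def years_to_crack(bits, guesses_per_second):
        """Expected offline cracking time in years at the given guess rate."""
        return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


    def reused_passwords(entries):
        """Map each password used by more than one site to the sites sharing it.

        entries: dict of site -> password. A site breach only exposes other
        accounts when this mapping is non-empty.
        """
        by_password = {}
        for site, password in entries.items():
            by_password.setdefault(password, []).append(site)
        return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


    if __name__ == "__main__":
        # Constructed sample vault: two sites reuse the same weak password.
        vault = {
            "shop.example": "Summer2016!",
            "mail.example": "Summer2016!",
            "bank.example": generate_password(),
        }
        assumed_rate = 1e10  # assumption: guesses per second for a fast offline attack
        for site, pw in vault.items():
            bits = entropy_bits(len(pw), len(ALPHABET))
            print(f"{site}: {len(pw)} chars, ~{bits:.0f} bits if random, "
                  f"~{years_to_crack(bits, assumed_rate):.2e} years to crack")
        print("reused:", reused_passwords(vault))
    ```

    The entropy estimate only holds for passwords that were actually generated at random; a human-chosen password of the same length sits in a far smaller effective space, which is the reason the manager, not the user, should produce per-site passwords.
    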
  • Ulrich Boche

    Ulrich Boche - 2016-10-02

    Excellent explanation. If somebody succeeded in putting malware on your PC, he owns everything you have on that PC.

     
  • Stephen H

    Stephen H - 2016-10-02

    So in other words:
    PWS (and other pwd mgrs) are more a convenience than a big protection, although it (they) do offer some extra security, but should not be relied upon to secure against an invaded / breached OS / PC?

    But surely having all our eggs in one basket protected only by one Master pwd is risky if the m pwd is entered manually via keybd. And so we should at least try to enter m pwd another safer way? Or are you saying I'm wasting my time trying to do this, and the only way to really protect the PWS (or other p mgr) database is 2-step authentication?

    Which brings us back to Yubikey - Is Yubikey the only 2-step auth'n available for use with PWS?

    Thanks Rony for responding promptly.

     
  • Rony Shapiro

    Rony Shapiro - 2016-10-02

    "more a convenience than a big protection" - That's not what I said.

    It would be more accurate to say that password managers offer good protection against the threats that people are most exposed to.

    As to "all your eggs in one basket": Nothing prevents you from creating as many passwordsafe databases as you like, each with a different master password. Of course, then you need to remember what password goes to which database...

    As to 2-factor, I believe that the iOS PasswordSafe clone works with the iPhone's fingerprint reader. Other than that and Yubikey, I'm unaware of any 2-factor authentication implementation.

     
  • Jeff Harris

    Jeff Harris - 2016-10-02

    PasswdSafe for Android can store the master password encrypted with a key tied to the fingerprint reader. It's not 2-factor authentication, but it can be used in conjunction with a Yubikey.

     
  • ninjasherpa

    ninjasherpa - 4 days ago

    The version of password safe I run on Windows shows a virtual keyboard on the login screen.

     
