Passphase visible in memory

David
2004-06-27
2012-09-17
  • David

    David - 2004-06-27

    As reported by someone in the bug report, the passphrase is visible in memory when running Password Safe.  An interesting article about this security issue can be found at:
    http://www.infosecwriters.com/text_resources/pdf/Discovering_Passwords_In_Memory.pdf

     
    • David

      David - 2004-06-30

      And another interesting article about this security issue:
      http://www.newscientist.com/news/news.jsp?id=ns99995064

       
    • Rony Shapiro

      Rony Shapiro - 2004-07-06

      FWIW, this will be addressed in 2.04.

      I'm a bit skeptic as to how much this will improve the security, though, since anyone who can sniff the memory while the application is running (*), can also (and probably with less effort) install a keyboard sniffer, in which case all bets are off.

      (*) PasswordSafe is very careful about wiping the passphrase clear upon exit, so the user doesn't have to worry about his swap file being searched after the application has exited.

       
    • Tom Paden

      Tom Paden - 2004-07-23

      "install a keyboard sniffer"

      I've always wondered about them. Does this mean that even if copy&paste is used, a keyboard sniffer grabs the info?

      What about Perform Auto Type?

       
      • Rony Shapiro

        Rony Shapiro - 2004-07-24

        Hi,

        A simple keyboard sniffer would not catch "copy & paste" data (I'm not sure about autotype, but I think that it would be caught).

        However, "enhancing" a keyboard sniffer so that it will record data passed to the clipboard is fairly straightforward - there is nothing in the clipboard API that affords any security to the data placed there.

        Not that I'd have any direct experience with these, but that's how I'd write one, if I had to.

        (I've also seen photos of keyboard sniffers that are just a small doohickey that the attacker slips in between the keyboard and the computer - this obviously can't intercept cut&paste and autotype, but that's small consolation, I think..)

         
    • Tom Paden

      Tom Paden - 2004-07-27

      I just did some tests using Perfect Keylogger Lite from
      http://www.blazingtools.com/bpk.html

      It does not catch "copy & paste" data, but it does log the autotype method used with PwS. I didn't try any of the many other loggers.

      Would it be worth modifying PwS to copy&paste the info for autotype? Is the problem that you're truly emulating keystrokes with autotype?

      Not that I'm paranoid, mind you, but I don't trust the management at work!

       
      • Rony Shapiro

        Rony Shapiro - 2004-07-27

        Well, this has nothing to do with the original topic - passphrase in memory (which has been addressed in 2.04).

        Autotype currently emulates keystrokes at a very low level (via the keybd_event function), in order to provide the tab-to-next-field and Enter functionality. I guess it would be possible to modify it to use the paste function as much as possible, but I'm certain that there are other tools out there that capture paste buffers as well.

        So, if you want to protect yourself against a "simple" keystroke logger, just don't use autotype. If you're worried about something more intrusive on your machine, then I'm not sure PasswordSafe can help you...

         
      • Anonymous - 2004-12-21

        Hello:

        If someone has a keylogger on your system, then won't they be able to get your master password for Password Safe? After they retrieve that, doesn't it make it moot whether or not they can retrieve the passwords that are within PS? That is, with the master password, the person would be able to access your other passwords.

        Rajiv Varma

         

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks