Hacking tool swipes encrypted credentials from password manager

.NET implementation is lacking; 2) the fundamental crypto design of the kdbx database (which is shared by all implementations, in any language) is lacking. All it creates is a file which says database is unlocked. The question here is not whether you trust Dropbox, but whether you trust KeePass. Neither of which would be relevant to an offline file format. I may not actually switch, as the Pass project some others have posted here looks very good as a cross-platform solution e. For example, 1P is now already at version 5. All of them can be used to bring down the time immensely.

What the ‘average’ user sets their password to:

A KeePass setting that might save your online identity

In the end, getting shit done is more important than open source. Unless you are RMS. JoachimS on June 17, User of 1password here too.

One thing I don't like with it is the cleartext metadata. And things like the URL to where the secret may be used. Given the type and link to 'hamsterporn. What do you think about pass [1]? This one looks really great. Properly following the UNIX philosophy, at last. Too bad the only way to use 1Password with Linux or a BSD is some jaxy browser extension. Windows version works perfectly well under Wine, though you won't get official browser extension to work for autofill.

Is that open source too or how would you know about their security? When you went looking for it, did you try Googling for [1password file format]? No, didn't know that looking just at the file format is sufficient. I'm no security specialist so excuse me any stupidity here ;) But couldn't the implementation of parts of the service be flawed? And how do you save and sync the passwords across various machines? However, if you're using 1Password with Dropbox, I'd say this combination doesn't feel any more secure than LastPass.

Other more secure options like WiFi sync aren't convenient enough. So, it appears there's no strong reason for me to consider switching from LastPass. With LastPass, your account password is your master password.

Its hash is stored on their servers, and they have an opportunity to intercept the plaintext whenever you log in. It only ever sees the encrypted vault, and doesn't have any opportunity to intercept any plaintext. If your password is strong enough, you could probably even get away with posting your vault on a public website. I use 2-step auth with LastPass. Although passwords are encrypted on client-side for LastPass too, I understand that if LastPass wants, they can get the master password or password for any specific site.

All they need to do is change their client. However, considering 1Password is closed-sourced, if they want, they can do so too. And if I think about "What is harder for hackers to get to: Anything very obviously wrong with this thinking?

You log in every day to LastPass, giving them a lot more opportunity to intercept your password without changing anything on the client side. LastPass also has a web interface where you can log in, and you often need to log in there in order to make changes to your account. This can act as an additional attack vector if they were compromised. If 1Password was compromised, on the other hand, they'd have to wait until you upgrade the client to the bugged version.

As far as I can tell, they don't even have a web interface for you to log in. Dropbox doesn't even come into the equation since it's just dumb storage. Someone who compromises Dropbox will only see a useless blob. The attacker would have to compromise both 1Password and Dropbox, as well as get you to install a compromised 1Password client, in order to get your encrypted passwords. There is no straightforward way for AgileBits to quietly steal credentials from a specific target (they'd have to publish an update that did that to their whole userbase, hope the target actually updates, and they would get caught).

With the 1Password syncing feature. I tend to use Dropbox. But there are a multitude of options available to users. As I understood it, only Password Safe provided both secrecy and data authenticity.

If only I had heard of this article earlier. I actually downloaded the source code to a bunch of these tools to see if they properly implemented their crypto. That said, even Password Safe has some issues. As the article points out, it computes an HMAC over the unencrypted contents instead of over the encrypted ones. To prove their point, Ferguson and Schneier describe an attack over an instance of IPsec in which the encrypt-then-MAC was not done properly. I think Ferguson and Schneier got this wrong.

Specialized AEAD modes are preferable. But if you're going to do generic composition, the best current practice is encrypt-then-MAC. Even if you encrypt-then-MAC, you can still forget to authenticate parameters (a good reason not to use generic composition).

But if you MAC and then encrypt, you concede to attackers the ability to target the cipher's decryption operation directly with chosen-ciphertext attacks.

Those attacks are powerful and have repeatedly broken TLS; they're also the most common form of attack on other cryptosystems (every padding oracle attack is a variant of them). I wrote a bunch about this here: I'm not saying Schneier is right.

More to illustrate his previous thoughts on this. Interesting, I'm using KeePassX and I've seen the corruption issue; some of the fields are duplicated to other fields in other password entries. It's a little disturbing that this is an issue but I've been using the same KDB file for the last 5? Also, I found a slightly better link, not directly to the PDF but to a page with the abstract and other info: According to [0], it does: NeatoJn on June 16, I suppose some of the results are obsolete.

For example, 1P is now already at version 5. Version 2 was about 5 years ago. Linux support seems to be BETA. Where did you get that information? McElroy on June 16, Password Safe seems interesting.

Too bad it's hosted on Source Forge. What about pass http: There are two things that bug me about pass: No confidentiality and no integrity guarantees for those.

This integrates well with gpg-agent but it means that you need to carry a gpg private-key file around with you instead of just remembering a passphrase. May I politely point out https: I think I'm gonna drop keepass for that.

Been using it for a month now, it's fantastic. Do you use any syncing mechanism, eg syncing to a repo on Github? The format should lend to using some remote git repo, but I'm still afraid of the implications of having my passwords in the wild, even encrypted with GPG.

I push it up to an encrypted disk on my VPS behind an ssh connection. The only way ssh access works without a key is from certain trusted networks.

I'm using pass, and like it. FractalNerve on June 16, That's what I've been using for a long time now. Just a general info: KeePassX can read and write the KeePass2 file format, but you have to check out the git repo manually. It works for me since at least one year. The problem is the current maintainer, it seems that he has no interest in releasing a new version: I've looked through the source of KeePassX and it doesn't look complicated, but it requires a crypto expert to say something valuable about its crypto.

Would someone qualified mind sparing some time? Well, the language isn't really in question here -- it's the crypto used for the database files themselves. KeePassX is the old database format and KeePass 2.

I don't know if the database format also resulted in any crypto changes. There are 2 problems here: 1) .NET implementation is lacking; 2) the fundamental crypto design of the kdbx database (which is shared by all implementations, in any language) is lacking. Yes, but since this isn't some networked service I'm not as concerned about the general quality of the code.

Offline attacks really have to focus on the encrypted password database. If an attacker has local access you're already owned -- they could just modify the application to do whatever they want. The safety of your database in a world where your KeePass database is leaked due to a Dropbox attack or something is what really matters here, IMO.

Did they screw up the crypto so offline attacks are easier? Locke on June 16, As you said, if they manage to access your Dropbox, they could theoretically sync an altered database back to you. If the application leaks some information while attempting to open the database or can be made to leak information, that would be bad.

Sync it in an encfs encrypted folder, and it should be fine! Yea, that's what I've been using for the past 2 or 3 years, I think.

This audit resulted in a "CSPN" certificate, which basically means that 35 days were spent by a competent auditor (Thales), and no important vulnerabilities were found in KeePass 2. To those who don't see a problem with leaking timing data: KeePass goes to great lengths to do in-memory encryption of data.

I'm not saying these attempts are properly done, but there is certainly no lack of trying. The only reason to even bother is assume that this memory can be accessed by an attacker. An attacker may be able to read the unencrypted swap space on disk. In this scenario it makes sense to encrypt passwords in memory and store the key in a locked page. Ok, your password database was affected by malicious modification.

How can it break the confidentiality of your data? By the way, what's wrong with the bytearray compare code snippet? I notice that the "change-password" function of yourbank. I just need to trick you into changing your password. I have access to your kdbx db ex.

I can alter the kdbx file to change your password so that it is no longer valid. KeePass doesn't complain at all. You say "this is far-fetched, non-realistic scenario". I say "this is poor crypto design". If you're able to inspect the network packets and the page is over HTTP, then KeePass doesn't even matter at that point.

It's game over right there. StavrosK on June 16, Wait, you just inserted an invalid password in my database, how do I change my password? Hell, the only way I'll even realize something's wrong is by trying to log in in the first place, and, if you can see my connection, why would you have me enter a wrong password, rather than the right one? Oh, you mean the account recovery page, not one that requires the old password to change to a new one.

AjithAntony on June 16, I think he's suggesting that you happen to actually know the right password, and will attempt to enter it after the failed keepass attempt? But then, if you know the right password, you could also visually inspect the keepass data to know it was wrong.

Guvante on June 16, How are you generating a kdbx file that has the record where they think it is? The entire file is encrypted en masse except the header. You can certainly make a kdbx file that KeePass will open, but it is impossible to make one that will fool the user without more than enough information to just compromise the database.

I have a private server in a datacenter that I put together myself. What is the attack vector there? You die and the Executor of your Estate tries to access the Lawyer's website, only to be met with "invalid password". It turns out that the kdbx on your private server got silently corrupted ex.

However, your Dropbox backups only have 30 days of previous kdbx versions. Can your Executor handle the disappointment? I believe this issue is grave enough.

With fail2ban in place, and it's on a random port. TheDong on June 17, That answer does not inspire confidence. 1) Get a real firewall 2) Fail2ban is not a real firewall 3) Keys only, no passwords.

Tomte on June 16, It's literally the textbook example of a timing sidechannel. Though I won't speculate if it's a real problem here, since I have no idea what data is being compared. I must admit, I can't immediately see the problem with leaking timing data. The client that decrypts the password database runs on your local computer, and typically places clear-text-passwords into the clipboard during normal use. So if your local computer is compromised you have way bigger problems than timing attacks.

Guvante on June 17, It does have a mode that allows you to avoid clipboard sniffers if the program you are targeting supports it. However most attack vectors on the local machine can usually get a hold of both keyboard and clipboard data making it impossible to prevent sniffing, but that does assume a sophisticated sniffer.

UnoriginalGuy on June 17, The vast majority of modern malware no longer monitors either the clipboard OR keyboard. It hooks right into the browser or sometimes network stack. So when you submit a form the malware records what was in the form and just as important where that form was submitted to i. Without context (the where) the information (the what) is near worthless.

Aside from toy malware nobody actually logs keys anymore, the term "keylogger" is just a word, it isn't literal. I have looked at the leaked source of commercial (in the black market) malware.

A core part of this malware is automation for resale, nobody is going to read through hundreds of pages of someone's clipboard and keystrokes to figure out what page they're on, and it is by far a more difficult route than just breaking into the browser, hooking Win32 functions, or hooking into the network stack before encryption occurs.

Do you care about that kind of side channel for an offline vault? If your adversaries are on your box while you operate your vault, then you have already lost because they will also have keyloggers, strace, etc.

Nogwater on June 16, What if they hack your dropbox account and get a copy of the vault that way? They're not on your box, but now they can try to break into your vault. Well, the decryption code is open source. And they have the ciphertext. So what does a timing attack give the attacker? If KeePass removes the possible timing attack, the attacker could just add it back in and use their own client, if they have a copy of your database.

Then a timing side channel is not relevant, because they won't be watching you operate the vault. The problem is that it's usually not true that you can have confidentiality without integrity, because of chosen ciphertext attacks. Confidentiality isn't your only concern. You should also be worried about integrity and availability. Unfortunately, [KDBX4] introduces new vulnerabilities. As such, is it susceptible to modifications. This modification is not detectable by the password manager. This attack highlights a remarkable design flaw.

Such corruption is unlikely to be immediately detected by users, who may subsequently add new entries.

Over time, the database will be composed of both correct and corrupted entries, making it difficult to reconstruct the damaged records from a backup. Which reminds me - I need to migrate back to Password Safe as soon as possible. Confidentiality is my only concern in the case of malicious modification. Remember, that availability and integrity of your database can be broken without an attacker, just due to a hardware problem, for example. So it is up to you to have a cold backup for such a critical asset.

May I emphasize this sentence? I don't know enough about cryptography to be able to say whether it's possible to break a particular cryptographic protocol by blindly altering the ciphertext, but I do know plenty about human nature and backups. My own personal backup retention limit is on the order of 30 days, and that's with careful planning. Silent, on-going data corruption happening to a password database seems like a very reasonable thing to concern oneself with, especially if one's expectation was that the password manager would throw some kind of data integrity error whenever said database was accessed.

How will you do that? It looks tricky to say the least: It looks like you can clear out all the comments and other stuff in the db and export to Keepass v1 CSV and you should be able to import from that. Hey, thanks a ton for the clue! This isn't true anymore. I haven't checked other implementations. I broke into your e-mail and need to get you to force a password reset on some other account, so I maliciously modify to give you an invalid stored password.

If the attacker already has control of the email address, they can reset the account without going to such lengths--just visit the site and request a password reset. Could you please provide more details on suggested attack? KeePass from version 1.

TimWolla on June 16, Apparently someone reported this thread to the author. You might want to follow the SourceForge issue: Much like 4th page retractions on stories in newspapers, headlines will always win out in terms of the influence on the readers.

That said, the author of KeePass responded to all the discussions here over on the project forum at SourceForge. Since a lot of people aren't willing to even visit SF anymore, his notable responses were: The header validation was fixed as of 2. He has fixed this anyhow as the performance impact was minimal as of 2. They have no concerns about SF doing anything to their project. It would be nice if someone like CodesInChaos ie. NET expertise were to casually audit the KeePass 2.

It would be nice to create a kdbx 3. Additional evidence of inadequate. Clearly, the "process memory compromise" threat vector is taken very seriously by the authors. Here's a KeePass function that generates a key: The reason for introducing a delay is to slow down a brute force attack to the point it is unfeasible in this lifetime.

A brute force attack starts by trying every character (A-Z, a-z, 0-9, symbols), then every two character combination (aa, ab, ac…), then every three character combination (aaa, aab, aac), and so on. A related approach, called a dictionary attack, loops through a dictionary and tries all words and various combinations of words with different delimiters.

Eventually these approaches will find the master password. If your password is sufficiently strong, say 30 random characters including A-Z, a-z, 0-9, and 10 different possible symbols, that is 72 characters to draw from.

Only an attacker with a huge number of CPUs or a huge amount of time would be able to check all combinations. I doubt this little technique would deter high level national security organizations with billions of dollars in funding. However, I have a strong sense that a high N would deter script kiddies and cracking programs.

As CPUs get faster, N needs to increase to offset the time it takes to attempt a single crack at the master password. I plan to increase the value every time I get a new machine. Even worse, bugs such as Heartbleed (thankfully not too common) can be used to exploit almost any website. As Lifehacker pointed out, KeePass would have helped you keep relatively safe in case of websites getting their user info stolen.

I don't care whether you use KeePass, which I discuss here, as long as you use some password manager e. LastPass is excellent too. First off, why even bother with password managers? You should use KeePass (or similar password management software), because: This is not a guide to how to use the KeePass software itself (see here or official site for that), but practical steps to take when starting to use it on Windows.

All you need is KeePass, which is free, Dropbox and a tiny flash drive to have permanent access to your secure passwords. KeePass is software that can open. All your passwords are stored in this one database file, which sits like any other file on your computer.

You need to open the file with KeePass, and enter a password to gain access to the database. So to access all your passwords at any time, you need: The beginning is a bit boring, because you have to enter all your accounts.
