Ask HN: Are password managers secure?
OK so I've come to like a certain password manager.
I'm sure the data itself is secure in its raw encrypted form.
But, if I were an evil hacker, I'd be aiming to target the User Interface somehow. Since once I enter my password, the app is unlocked and my passwords are all there to find through the GUI. I'd aim to siphon out data through the OS and windowing system somehow, after the user has unlocked.
How much of a threat is this, do you think?
Also having a Chrome plugin just feels like an extra hackable interface?
3 comments
[ 3.3 ms ] story [ 14.4 ms ] threadKeePass (KeePassX in Linux) is one of the best, but a simple keylogger can get your "master password" when you enter it, and thus access to your password database.
Nothing is absolutely secure, there are just degrees of relative safety.
Chrome plugins are not easy to gain access to. Chrome is a very secure browser, and they lock their V8 JavaScript engine so no two plugins can talk to each other unless they setup special hooks. They also run the entire application in a locked state, which both prevents plugins from accessing the operating system and from other applications from easily accessing Chrome without a special plugin.
Web-based password managers offer many benefits over desktop-based password managers. The risks for desktop based are there are many things they have to fight against and also maintain your database in a state that is secure against extreme bruteforce hacking attempts.
Web based are protected by their application and the browser, at the same time 3rd party plugins can pose risk, but developers of these can easily protect against interference of plugins and users can do so easily as well by disabling plugins on that site.
To both keyloggers are minimal risk, most password managers you use not to record your password but to create new account entries, and you are likely to generate a unique password for each site, therefore keylogger would be useless. Clipboard monitor may pose a risk, but applications like KeePass avoid this by using their Auto Login feature, and web/Chrome extensions avoid this by auto-filling or auto-logging in your login details.
The risk of a key logger getting your master password is also minimal risk for most applications. Most tend to offer "access codes" or "pin numbers" in addition to your password, allowing you to enter a small additional password or your original password via an on screen keyboard, which negates risk of keyloggers.
The idea that a password manager is a "single point of failure" is also wrong. The primary point of failure will be the end user releasing their login to their password manager, not the password manager being hacked. Because all passwords managers worth using encrypt your data, bruteforcing would take years per user. If any online manager were hacked, your data would be one of thousands and would likely never be decrypted to begin with. If it's a desktop application, those tend to encrypt with even stronger types of encryptions because they can waste the CPU on it; which means even more years to bruteforce if your database is given out.
The risk is in the end user, if he/she leaks her password or gets a virus/keylogger to get his/her master password. In which case this is just the same as using the same password across all sites.
I have heard of people using a single password and adding the website's domain they are registering under with an SHA1. Therefore if my password is "password" and I registering a facebook account, I'd go to an SHA...