
A Periodic Table of password managers


Posted Nov 10, 2011 10:45 UTC (Thu) by Cato (subscriber, #7643)
In reply to: A Periodic Table of password managers by danielpf
Parent article: A Periodic Table of password managers

That's just security by obscurity - finding encrypted files is not that hard by scanning for high entropy data, at which point your unique password manager had better be as good as the well known ones.

If you still want obscurity, how about modifying the source of one of these tools to replace common strings with something random, including filenames used? It won't do much good but you could then have more assurance that this obscure one is still more secure against brute forcing.

Attacks using GPUs and FPGAs for brute forcing are getting very cheap indeed (hundreds to thousands of dollars) so it is worth using proper salting and stretching (iterated hashing) of passwords to protect against brute forcing.

I think the biggest vulnerability for Linux desktop users is (a) any copies of the password manager's encrypted DB file on non-"Linux classic" OSs, particularly Windows or Android, and (b) web app passwords being stolen via SQL injection and other web server attacks. I would protect against the former by mandating two-factor authentication on all platforms (LastPass using Yubikey or Google Authenticator is one example) and against the latter by using a password manager.
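Salting and stretching as described in the post above, as an added example (not code from this thread or from any of the password managers it names): PBKDF2-HMAC-SHA256 is assumed as the iterated hash, with a random 16-byte salt and the iteration count stored beside the derived key, and the `cost_ratio` helper shows that raising the count multiplies the time of every brute-force guess by the same factor.

```python
import hashlib
import hmac
import os
import time

# Parameters assumed for this example (not taken from the thread).
HASH_NAME = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, stretched derivation: PBKDF2-HMAC run for `iterations` rounds."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Keep salt and iteration count next to the key so the cost can be raised later."""
    salt = os.urandom(SALT_BYTES)  # unique per record: identical passwords hash differently
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def cost_ratio(password: str, low: int, high: int) -> float:
    """How much longer `high` iterations take than `low` on this machine.
    A brute-force attacker pays the same multiplier on every guess."""
    salt = b"constructed-salt"  # constructed fixed salt: only the timing matters here
    t0 = time.perf_counter()
    derive_key(password, salt, low)
    t1 = time.perf_counter()
    derive_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("correct password verifies:", verify("correct horse battery staple", rec))
    print("wrong password verifies:", verify("correct horse battery stable", rec))
    print("cost ratio 100k vs 1k iterations: %.0fx" % cost_ratio("x", 1_000, 100_000))
```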



A Periodic Table of password managers

Posted Nov 10, 2011 11:36 UTC (Thu) by danielpf (subscriber, #4723) [Link]

> That's just security by obscurity - finding encrypted files is not that hard by scanning for high entropy data, at which point your unique password manager had better be as good as the well known ones.

No, the best protection is not storing the whole information on the same computer. It is not obscurity, it is a physical barrier.
One part of information can stay in the brain (say "add the name of your cat after each stored password"), or on a portable device (a sheet in wallet, a cell phone), and the combination of the distinct pieces of information can follow a simple algorithm easy to remember (all cap letters are actually small, etc.).

But such methods as well as password managers do not hold against keyloggers.

A Periodic Table of password managers

Posted Nov 10, 2011 17:25 UTC (Thu) by drag (subscriber, #31333) [Link]

>But such methods as well as password managers do not hold against keyloggers.

If an attacker is present on your machine and can access your account there really is no method that is really useful. Any password you use is a password they can get.

A Periodic Table of password managers

Posted Nov 10, 2011 19:40 UTC (Thu) by danielpf (subscriber, #4723) [Link]

Yes, but there are other cases.

A keylogger can be a device hidden on the keyboard cable and broadcasting every single key.
A keylogger can be a hidden program injected by some means (say a downloaded package).

Such situations do not need an attacker present on the machine.

A Periodic Table of password managers

Posted Nov 10, 2011 20:44 UTC (Thu) by felixfix (subscriber, #242) [Link]

That's quibbling. In those cases, the attacker is the keylogger, not the person who installed it, and it is on your machine, as was the installer when they installed the keylogger.

Use two-factor

Posted Nov 11, 2011 13:01 UTC (Fri) by Cato (subscriber, #7643) [Link]

The main defence against simple keyloggers is a second factor - if the authentication process calls your phone (like Google Authenticator or Duo Security), you will know some hacker has got your passwords and is trying them out. Since most keyloggers are installed en masse, this is quite a useful defence.

LastPass is a good password manager (free as in beer for desktop OSs, paid-for on mobiles) which now includes Google Authenticator support and has some other two-factor options (grids, biometrics, and Yubikey). See http://lastpass.com/

Although LastPass has the weakness of a cloud-based point of attack, the two-factor options make it more secure against keyloggers than the password managers listed here. It's still vulnerable to a targeted attack against the LastPass client plugin, but that's true of almost any authentication technique.

Use two-factor

Posted Nov 12, 2011 0:21 UTC (Sat) by drag (subscriber, #31333) [Link]

Yes. Against simple loggers then 2 factor auth is a good thing.

The main danger then changes from password stealing to session hijacking.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds