exile360

Password Managers - Very secure, right?


As with many critical services, most password managers rely heavily on additional validation of your credentials to make sure that you are you, to avoid giving access to all of your passwords to anyone who should not have them.  This generally includes some form of two-factor authentication (2FA); however, 2FA isn't always quite as secure as it may seem.  Aside from the fact that phones themselves are vulnerable, 2FA has additional issues of its own even when a cell phone is not the method used for one of the 2 factors for validation of your identity, not to mention the fact that Password Managers themselves have their own downsides.  Social engineering, brute force attacks, phone number hijacking (which requires no physical access to your phone; just the right info about you to convince your phone carrier that they are you so that they can port your number to the device of their choice that they possess), and of course the usual backdoors/hacks/exploits and Trojans can all render even the tightest, most stringent security absolutely useless.  With data breaches on the rise, including at least one breach of one of the top password managers, users need to be more proactive than ever in how they handle their passwords, their devices, and especially their data.

PRO TIP: Don't go blabbing on your Facebook profile what your mother's maiden name is, what high school you went to, where you met your partner, or anything else you might have once used or might use in the future as an answer to one of those so-called 'security questions' that you're asked as a method of additional authentication for many online services, banks and other services.  In fact, if you want to be truly secure, don't use any real answers for any of those security questions; instead, make your answers random strings of words/things that don't make any possible sense so these questions/answers simply become like additional passwords that only YOU will know the answers to so that even someone who has intimate knowledge of your life would find it impossible to provide the correct responses, and just as with actual passwords, never use the same nonsense answers across multiple sites/services in case there is any sort of data breach to prevent incidentally compromising other sites/services.  Just make sure you don't forget them or they won't do you any good!

Now to be clear, my name isn't Chicken Little and I am NOT saying that the sky is falling; I'm just recommending that maybe we should get our heads out of our devices and look up every once in a while to see what is going on around us, because being aware of the potential dangers and risk factors can go a long way in helping you to avoid becoming a victim of bad actors with evil intent.  So no, the sky is not falling, but it has been known to rain from time to time, lightning does strike (even in the same place twice, contrary to the popular saying/belief), and even the occasional baseball sized meteor does actually make landfall on occasion and all it takes is being in the wrong place at the wrong time in the crosshairs of the right attacker or threat.

It's a jungle out there, so stay frosty Malwarenauts!

Oh, and don't forget your umbrella, you know, just in case ;) 


Edited by exile360


Ha.  I like that Pro Tip - Don't go blabbing on your Facebook profile what your mother's maiden name is, what high school you went to, where you met your partner, or anything else you might have once used or might use in the future as an answer to one of those so-called 'security questions' that you're asked as a method of additional authentication for many online services, banks and other services.

When we all know that those are the exact questions that FB repeatedly hounds you to answer in order to 'complete' your profile.  And, yes, I mean they hound you - ad nauseam.

Thankfully, I've made the move to using physical keys where I can, and KeePass for PW and critical file storage (my KP database stores PWs, my PGP sigs, even a couple of license files for programs that I might need at any given time).  You need a PW and the key file to access it and they are not shared by the same cloud service.  Oh, and for those sites that support 2FA but only through an 'app' (to generate TOTPs), KeePass manages those for me as well - no more separate app on my phone to look up the code.

Once I can figure out a way to use the Titan keys for the KeePass database, I'll be really set - 3 factor authentication, one by physical key - you'll be hard pressed to get into my KP database.

I currently have the Google Titan Security key bundle (2 of them, because I kept the original one that had the issue with the BT key when they sent me my replacement set - they charged me $1 - worth it to have 2 NFC/USB keys to use).  The USB ones are in safes now.  But I recently read about this, and I'm stoked to get one ASAP - https://solokeys.com/

The coolest thing is that the firmware has had recent changes to it that make it work with Windows Hello - PWs and security codes, begone - no key, no Windows!

However, in spite of all of the above spiel - I'm not fooled.  Over at Calendar of Updates, we had numerous discussions on the subject of personal security over a decade ago - I stressed then, and still know this to be a fact today - if you want to be safe online, well, you can't be - there is no 100% method of staying safe online - except getting offline.

As I was fond of saying back then - if it is digital, it can be hacked.  Which really means that it's only a matter of time before it is hacked.

Edited by John L. Galt


Yeah, unfortunately many banks and other online services require you to set up such security questions, meaning if you happen to provide too much info on social media, you're ripe for the picking by criminals who do their homework.


Unless I read it wrong, he did not say to use on other sites. Without going back and reading again, I thought he said "do not" reuse. From day one when those showed up from my bank probably over a decade ago now I used fake information for them, and every single site gets its own unique fake information that I do store in KeePass.

The biggest take-away for me was to make sure you have a fall back plan if you forget your master password or other issues you might not have considered.


Right, that's what my tip was about.  You're much better off using fake information, and not providing duplicate answers across sites.

The bit about social media was in case you've already set up security questions and did use legit/accurate answers; you don't want those answers posted in public view for everyone to see and potentially use to infiltrate your accounts.

Edited by exile360


Almost makes you wonder.

The banks are being hacked left and right.  And yet they are asking for information that they know, as users of social media, is already asked numerous times over in social media user profiles.

If I was a conspiracy theorist, I'd say that banks and other financial institutions specifically set themselves up to be able to be hacked.  Which would then lead to all sorts of conundrums that led to more theories as I ran down the rabbit hole, seeing how far I got.

But I'm not.

The real question:  At this point, with the mounting evidence, should I be?

Edited by John L. Galt


Banks and the like have been using those kinds of security questions for a very long time, even pre-dating the internet (like for when you could access your accounts by phone etc.) so I don't think there's a connection, however it is disturbing that social media sites try to gather so much personal data about everyone and it's an issue I have a major problem with; the same reason I'm at odds with the likes of Microsoft and Google trying to harvest so much data from/about their users.


I was looking more at SoMed using questions that they specifically knew were used in security.  And also sharing your info without letting you know.  And also sharing your location without letting you know.



https://solokeys.com/blogs/news/insights-from-feedback-on-solo-and-our-plans-to-improve

https://fidoalliance.org/fido2/

What's wrong with https://www.yubico.com/ John? They seem to be one of the ones that pioneered this.

Loss or Theft of these keys, especially by someone that may have or know some things about you could be more dangerous. If they knew your bank, plug this key in, go to your bank site, press the button to log in. Maybe not that easy but sure seems to be the idea here. I don't have first hand experience with them as I've been using passwords for 30 years and it hasn't bothered me like it seems to bother others.


Yep, as I thought. Not safe at all for securing a Keepass database. Anyone in your household simply needs to plug in the device, hit the key and they're now into your Keepass database. No thanks.

https://keepass.info/help/kb/yubikey.html

Quote

When you lose your YubiKey or someone else gets access to it, your database isn't secure anymore. A YubiKey in static password mode can be seen as a sheet of paper with a password on it.

On 8/27/2019 at 12:20 AM, AdvancedSetup said:


https://solokeys.com/blogs/news/insights-from-feedback-on-solo-and-our-plans-to-improve

https://fidoalliance.org/fido2/

What's wrong with https://www.yubico.com/ John? They seem to be one of the ones that pioneered this.

Loss or Theft of these keys, especially by someone that may have or know some things about you could be more dangerous. If they knew your bank, plug this key in, go to your bank site, press the button to log in. Maybe not that easy but sure seems to be the idea here. I don't have first hand experience with them as I've been using passwords for 30 years and it hasn't bothered me like it seems to bother others.


On 8/27/2019 at 12:47 AM, AdvancedSetup said:

Yep, as I thought. Not safe at all for securing a Keepass database. Anyone in your household simply needs to plug in the device, hit the key and they're now into your Keepass database. No thanks.

https://keepass.info/help/kb/yubikey.html


Lol - yeah - hence why I didn't want to use a Yubikey. 

I had used, a very long time ago, a method to secure my Win2K desktop via a flash drive - had to have it inserted in order to allow Win2K to boot.  Alas, like a moron, I accidentally grabbed said key and formatted it when I was in dire need to transfer some data to another computer - and subsequently lost that install on the reboot.  It just works.

But with a true FIDO2 key, it's not a piece of paper with a password - it's an authenticated handshake that cannot simply be pulled from the key.

I'm in awe of the SoloKey simply because I can build it myself, if I have the gumption to do so - but I most likely would not do so, unless I were to become a reseller or something and mass produced them.  All that effort for a couple of keys is not worth it - but being able to trace down the components and verify them myself, as well as having the firmware actively developed (and to be able to be updated by me - or not updated, if I choose to skip any particular build) rather than relying on a 3rd party to do so is, IMO, a safer bet than just relying on the company.  I spent the money for the Titan Security keys, in part, because it was a pair of keys, with multiple functionality (the BT key also handles USB connections via the USB micro to USB A cable supplied with the bundle, and the NFC key also handles USB by directly inserting it into a USB type A slot).

If I had really done a bit more reading and seen that I had no way to verify the firmware on the devices, much less update them, I would have passed - because Google's Advanced Protection for Google Accounts requires dual keys in order to work.  Of course, the fact that they would make Pixel devices (at least Pixel 2 for sure, which I have) work as one of the keys since it has the Titan chipset in it (which they claim - for all I know it may be software emulation), also work with Advanced Protection was not known at the time I purchased my Titan keys.

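The contrast John draws above between a key in static-password mode (KeePass's "sheet of paper with a password") and a key that performs a challenge-response handshake, as an added example that is not code from this thread, from KeePass, or from any key vendor: a toy model of both designs with constructed secrets. It models the HMAC-SHA1 challenge-response mode that KeePass plugins support rather than the public-key signature a FIDO2 key performs, but the property shown is the same one: a recorded login replays in static mode and fails against challenge-response.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
# Constructed demo secrets; a real token keeps these in tamper-resistant storage.
STATIC_SECRET = "constructed-static-password-typed-by-the-key"
CR_SECRET = b"constructed-20-byte-hmac-key"


class StaticPasswordToken:
    """Key in static-password mode: every button press emits the same string,
    so the secret itself crosses the wire (KeePass's 'sheet of paper')."""
    def __init__(self, secret: str) -> None:
        self._secret = secret

    def press(self) -> str:
        return self._secret


class ChallengeResponseToken:
    """Key in HMAC-SHA1 challenge-response mode: the secret never leaves the
    token, only a MAC over the verifier's fresh challenge does."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def press(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class StaticVerifier:
    """Database/server side for static mode: compares the presented string."""
    def __init__(self, secret: str) -> None:
        self._secret = secret.encode()

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(self._secret, presented.encode())


class ChallengeVerifier:
    """Database/server side for challenge-response: hands out a single-use
    random challenge and accepts only the MAC over that exact challenge."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: bytes | None = None

    def issue_challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(32)
        return self._outstanding

    def login(self, challenge: bytes, response: bytes) -> bool:
        # A challenge may be answered once; anything else is stale or replayed.
        if self._outstanding is None or challenge != self._outstanding:
            return False
        self._outstanding = None
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def replay_attack_outcomes() -> dict[str, bool]:
    """Record one legitimate login per design as a keylogger or eavesdropper
    would see it, then replay the recording without the token present."""
    results: dict[str, bool] = {}
    token, verifier = StaticPasswordToken(STATIC_SECRET), StaticVerifier(STATIC_SECRET)
    captured = token.press()
    results["static_first_login"] = verifier.login(captured)
    results["static_replay"] = verifier.login(captured)  # the copy is as good as the key

    cr_token, cr_verifier = ChallengeResponseToken(CR_SECRET), ChallengeVerifier(CR_SECRET)
    challenge = cr_verifier.issue_challenge()
    captured_response = cr_token.press(challenge)
    results["cr_first_login"] = cr_verifier.login(challenge, captured_response)
    cr_verifier.issue_challenge()  # next login gets a fresh challenge...
    results["cr_replay"] = cr_verifier.login(challenge, captured_response)  # ...so the recording fails
    return results
```

Possession of the physical token still authenticates in either design, which is the concern raised earlier in the thread; what differs is that a static password is exposed every time it is typed, while a challenge-response transcript gives an observer nothing reusable.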

As always I suggest creating a password-encrypted (enhanced RSA and AES) Excel spreadsheet using high-bit encryption with a strong password.  For added security, that password-encrypted Excel spreadsheet can be stored within a password-protected ZIP file using a strong password, thus making the data enclosed within a double-wrapped secured container.

1 hour ago, AdvancedSetup said:

No, my concern is that anyone in my household can pick up that USB stick, insert it and login as me.

Oh.  I guess I could see that - but if I were to implement this for Windows, I most certainly wouldn't leave the device around to begin with 😛

1 hour ago, David H. Lipman said:

As always I suggest creating a password-encrypted (enhanced RSA and AES) Excel spreadsheet using high-bit encryption with a strong password.  For added security, that password-encrypted Excel spreadsheet can be stored within a password-protected ZIP file using a strong password, thus making the data enclosed within a double-wrapped secured container.

Ayup - one of the reasons I use KP in the first place.  And I refuse to store anything in Excel anymore as I use Microsoft Office 365 - the 'always on' aka always phoning home version.

On 9/3/2019 at 12:57 PM, John L. Galt said:

Oh.  I guess I could see that - but if I were to implement this for Windows, I most certainly wouldn't leave the device around to begin with 😛


Pretty difficult to keep any type of "device" on your person 24/7/365.
What about room mates that are just plain nosy. They see how you use it to login. You go to sleep with it in your pants pocket. They rummage through your pants, get your device and login to your computer. Obviously not a concern for myself, my point is that any device or method like that is less secure to me than a password only I know. Security is security and ignores the desires of ease of use. Unless I'm missing something I see these devices as a crutch for someone not wanting or willing to remember a password and type it in each time. Am I missing or overlooking something here?

6 hours ago, AdvancedSetup said:

Pretty difficult to keep any type of "device" on your person 24/7/365.
What about room mates that are just plain nosy. They see how you use it to login. You go to sleep with it in your pants pocket. They rummage through your pants, get your device and login to your computer. Obviously not a concern for myself, my point is that any device or method like that is less secure to me than a password only I know. Security is security and ignores the desires of ease of use. Unless I'm missing something I see these devices as a crutch for someone not wanting or willing to remember a password and type it in each time. Am I missing or overlooking something here?

All good points, however in my case I live alone and likely will for the remainder of my days on this Earth and no one has physical access to my system except me.  That said, I don't use such a device to secure my passwords and probably wouldn't just because knowing me, I'd be very likely to lose it :P.


My point is that regardless of our own personal situations, if someone can simply plug in a device like that and log onto your computer as you then that is terrible security.

1 hour ago, AdvancedSetup said:

My point is that regardless of our own personal situations, if someone can simply plug in a device like that and log onto your computer as you then that is terrible security.

Yep, true.  It's the same reason I don't and never have trusted 2-factor authentication, because people have their phones lost, stolen, hijacked or cloned all the time.  All it does is make it that much more of a pain to login to something, especially for those of us who don't use smart phones since many 2FA apps require them (though some still use normal text messages with confirmation codes; though of course this leaves them susceptible to SMS hijacking attacks).


Obviously - but that is also called situational awareness - if you live in a situation where someone could get access to your device, then you don't use said device.  Or, conversely, you implement additional layers of security - like a power on PW for the machine itself.

And your arguments apply just as much to a PW - if said roommates are willing and able to steal your physical key they're probably just as willing and able to record your PW / PIN / pattern, at which point you kinda have to wonder why you have them as roommates to begin with.  In a situation where you cannot control who you live with, you implement additional layers of security - whatever those may be.


Okay let me be a bit more clear. The room mate was just one of possibly dozens or more possibilities. Sorry but under NO circumstances that I can think of would the use of one of these keys be for security. They are for people too inconvenienced to use a password. I don't care if the police want access, they'll need to break encryption to obtain access. With this key fob they don't need to and yes there are other things one can do to protect their data - that's not my point. My point is that these are not for security but are advertised as being for security.

Again, if I'm wrong please explain how they are safer so that I too can possibly learn more

1 hour ago, John L. Galt said:

Obviously - but that is also called situational awareness - if you live in a situation where someone could get access to your device, then you don't use said device.  Or, conversely, you implement additional layers of security - like a power on PW for the machine itself.

That's not Situational Awareness.  That's the "Insider Threat".

An Insider Threat is someone inside the enclave that has physical access to the device, equipment and data and for various reasons can be a source of compromise of that device, equipment and/or data.  The objective is taking evasive and preventative action.

Situational Awareness is about keeping one's wits about them by understanding current threats, keeping their attention to their physical or virtual environment, by staying on guard and having reactionary plans at hand.  It's all about one's relationship to their environmental space and location in time.

Situational awareness could be as simple as not looking at a cell phone while walking down a street where their attention to their phone can leave them open to a slip and fall, being hit by a vehicle or even being the object of an assault or robbery.

It could also be not eating while driving or playing with their digital dashboard of the vehicle while in motion.

It could also be learning about the physical attributes of threats in the virtual world of the Internet and one's interaction in that environment.

While there are overlaps in all types of threats it is important to understand the distinction between them and the intricacies of each.


Edited by David H. Lipman

1 hour ago, David H. Lipman said:

That's not Situational Awareness.  That's the "Insider Threat".

An Insider Threat is someone inside the enclave that has physical access to the device, equipment and data and for various reasons can be a source of compromise of that device, equipment and/or data.  The objective is taking evasive and preventative action.

Situational Awareness is about keeping one's wits about them by understanding current threats, keeping their attention to their physical or virtual environment, by staying on guard and having reactionary plans at hand.  It's all about one's relationship to their environmental space and location in time.

Situational awareness could be as simple as not looking at a cell phone while walking down a street where their attention to their phone can leave them open to a slip and fall, being hit by a vehicle or even being the object of an assault or robbery.

It could also be not eating while driving or playing with their digital dashboard of the vehicle while in motion.

It could also be learning about the physical attributes of threats in the virtual world of the Internet and one's interaction in that environment.

While there are overlaps in all types of threats it is important to understand the distinction between them and the intricacies of each.


One could make the argument that he has 'situational awareness' with regards to the relevant threats within his environment, including the potential for the 'insider threat', but of course now we're just arguing semantics :P.

Sorry, couldn't help myself; please feel free to disregard my silliness.


I'm not going to argue the semantics - I simply meant you have to be aware of wtf is possible wrt your computer use, whether at home or outside of your home.

As for security keys:

I think there is a bit of misinformation here.

The keys are not used in lieu of PWs at sites - they are used for 2FA.  On Windows, since I don't have a key to verify, I think that they do replace the PWs (via Windows Hello, just as the PINs do, which Windows 10 encourages all users to create upon installing Windows - so that is on M$ to begin with), and that was the point of the comment I made early on "But I am not fooled". 

So, for your home computer, obviously you have to have situational awareness of any and all (including insider, not just external) threats if you implement the use of the key with Windows Hello - and a *LOT* of people are already at a compromisable state by using Windows Hello with a PIN (in lieu of a PW) when using a Micro$oft account to log into Windows 10 (and IIRC, this can *also* be set on local login accounts as well, but I haven't had a local account for a while, due to my continued testing of Insider Preview builds).  Yeah, not safe at all.  And I will not disagree with that - it really isn't safe - but it is also what is pushed by M$ as the 'alternative' to using PWs.

But for actual sites that you visit?  No, it's not a "plug in key and get access", it's enter username and PW, then get asked to plug in key to verify access.

PWs by themselves are better than the keys by themselves - but put both together as a part of a multi-factor system of authentication and things get better.

Of course, the argument can always be made that we need even more - but at what point are you going to stop?  3 layers?  5?  At this point, unless you're physically at your bank, you're probably using some sort of digital interface - and as we always remarked over at CoU - if it is digital, it can be hacked.


Thanks for clarification John. Yes, using it like 2FA is good. Using it to simply login to Windows (if it works that way) is not.

