
How safe are online password managers?

People who use online password managers have a lot riding on the application's integrity. What are the chances of others gaining access to the stored passwords?

Digital bad guys are as concerned about return on investment (ROI) as any big business. That’s why they attack credit-card processing centers rather than gather account information one credit card at a time. It’s also why they’re more interested in cracking online password managers than in stealing individual passwords.

Recently it has come to light that someone else (the U.S. government) is also interested in passwords, which has people who use online password managers asking an important question: who, other than the owner of the account, knows the master password? Or, more to the point, can anyone other than the account owner get at the passwords stored in an online password manager?

Cracking password managers

To be honest, I’ve wondered the same thing: how hard is it to get at the passwords protected by one of these applications? To find out, I chatted with Jacob Williams, a forensic scientist and penetration tester. If anyone can break into a password manager, Jake can.

I specifically asked Jake about the master and synchronization passwords, since obtaining those appears to be the simplest way (remember bad-guy ROI) to crack the applications:

“Even if the passwords are encrypted at rest, they must use reversible encryption. That means a hacker with access to the victim’s machine could potentially steal the database/backup files, and walk away with the passwords. Of course, with a master password that's less of an issue.

"Synchronization is another thing entirely. I looked at some FAQs and did not see any guarantee that synchronized passwords are encrypted. However, I'd bet they just synchronize the copy of the encrypted password database on each machine. It appears the master password is the key used to encrypt the data. Good for them in that regard. That's what they should do."

It sounds like there is a way in for bad guys, albeit a difficult one: get hold of the encrypted database, then recover or guess the master password that was used as the key.

What’s legal

I also wondered what can be legally requested by government agencies. To figure that out, I asked Tyler Pitchford, my attorney friend, for his opinion. Here is what he had to say:

“The general concept is the same as the classic lock/key debate. If the access password is written down, they can request a copy; if the access password is in your mind, they need an exception to the Fifth Amendment such as the foregone-conclusion doctrine.

"As for password manager programs, assuming there's probable cause or a subpoena right, the government can request the password database and attempt to break it; or as mentioned above, ask for a physical copy of the password if one exists or force disclosure if they have an exception handy.

"If the password database is stored on a remote server, it's probably subpoenable and if the users employ weak encryption or store the master, they may be out of luck.”

What the developers are saying

With the break-in and legal aspects covered, it’s time to see what the developers have to say about their products. Rather than have each vendor extol the virtues of its technology, it seemed better to ask each of them the question on users’ minds: “If the government orders you to turn over someone's passwords, is it possible?”

Agilebits

First up is Agilebits, whose online password manager is 1Password. I asked Jeff Goldberg, Agilebits’ Chief Defender Against the Dark Arts (great title), “The Question.” His response:

“We never have the opportunity to see either your data or your master password. In fact, we don’t even have the chance to see how or whether you even use 1Password. So the short answer to your question is, no, it is not possible for us to obtain your password database, nor is it possible for us to decrypt it even if we did manage to get hold of it.”

LastPass

Next up is LastPass, a popular online password manager. Erin Styles, Vice President of Marketing answered “The Question,” and included a comment from LastPass CEO Joe Siegrist:

“In Joe's words, ‘We can't give them what we don't have.’ So, to answer your question, there is nothing we could do to obtain someone's passwords. If ordered by the government, we would hand over a blob of encrypted data that they could attempt to brute force. As everyone knows, with a strong master password, brute force would be virtually impossible.”

mSeven

Moving on to mSeven, whose password manager is mSecure. Ray Marshall, CEO and president of mSeven, responded to “The Question” this way:

“It's a great question. We don't have access to any of our users’ data, and we can't decrypt it even if we did, since we don't have their password. mSecure stores all data locally and encrypts the data with the user's own password. Much to the chagrin of users, if they forget their mSecure password, even we can't get it back for them.”

Siber Systems

Last up is Siber Systems with their password manager, RoboForm. Vadim Maslov, CEO and founder of Siber Systems, answered “The Question”:

“We really cannot open users’ passcard (password database) without knowing the master password. Also, RoboForm has no backdoors. If you use long and random master passwords, your passcards will be hard (computationally) to crack. It does not mean the NSA will not be able to do it, as we heard that they may throw a lot of computational power at it.”

That last comment caught my attention, since I had just read this Wired article quoting Director of National Intelligence James Clapper: “[W]e are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.”

Even before this, there had been talk of a substantial NSA breakthrough in cryptanalytic capabilities. With that in mind, I asked Vadim a few more questions.

Kassner: Vadim, did any government agencies contact you?

Maslov: We never received any legal communication from NSA or FISA or anybody else requesting disclosure of user data.

Kassner: What if the government orders you to allow them to snoop the login exchange? Will that work?

Maslov: To answer your question, there is no snooping on the master password, as it never gets sent to a server. Only a hash of the RoboForm Everywhere password is sent, so it can be snooped on in principle. Then again, it is sent over SSL only, so this would have to be done somewhere on the server. Well, even Google and Yahoo had to release salts (hashes) of passwords to the NSA, if you believe the press.
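
To make concrete what Jake, LastPass and Vadim are each describing, here is a small model of an online password-manager vault. It is an added example, not code from any of the vendors above, and it makes its own assumptions: PBKDF2 with a demonstration iteration count, a stream cipher built from HMAC-SHA256 (chosen only so the example runs on Python's standard library; a real product would use AES-GCM or another authenticated cipher), and hypothetical `server_enroll`/`server_verify` functions standing in for whatever a vendor's server does. It shows that the synced blob is ciphertext plus public parameters, that anyone holding the blob is reduced to guessing master passwords offline, and that a login value sent to the server can be derived so that snooping it does not yield the key that unlocks the vault.

```python
"""Vault model for an online password manager, added here as an illustration
(not any vendor's code). Assumptions are marked; the cipher is HMAC-SHA256 run
in counter mode with an encrypt-then-MAC tag so that the example needs only the
standard library; real software should use AES-GCM or another AEAD."""
import hashlib
import hmac
import json
import os
from typing import List, Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo; products use more


def derive_root(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password. The salt and iteration count are public and
    travel with the blob; the master password itself is never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def subkey(root: bytes, purpose: bytes) -> bytes:
    """Domain-separated keys: the vault key, its MAC key and the server login
    token are all derived from the same root, but none can be computed from
    another, so a snooped login token does not unlock the vault."""
    return hmac.new(root, b"purpose:" + purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: dict, iterations: int = ITERATIONS) -> dict:
    """Produce the blob a client would store locally and synchronise.
    Everything in it except the ciphertext is a public parameter."""
    salt, nonce = os.urandom(16), os.urandom(16)
    root = derive_root(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(subkey(root, b"vault-enc"), nonce, len(plaintext)))
    tag = hmac.new(subkey(root, b"vault-mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"version": 1, "salt": salt.hex(), "iterations": iterations,
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the blob
    was tampered with. The tag is checked in constant time before decrypting."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    root = derive_root(master_password, salt, blob["iterations"])
    expected = hmac.new(subkey(root, b"vault-mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    plaintext = _xor(ciphertext, _keystream(subkey(root, b"vault-enc"), nonce, len(ciphertext)))
    return json.loads(plaintext)


def crack_blob(blob: dict, guesses: List[str]) -> Optional[str]:
    """What anyone holding only the synced blob can do: guess master passwords
    offline. Each guess costs a full PBKDF2 run, so the work factor and the
    strength of the master password are the only things standing in the way."""
    for guess in guesses:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


def login_token(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Value a client sends (over TLS) to prove knowledge of the master password
    without sending the password or the vault key."""
    return subkey(derive_root(master_password, salt, iterations), b"server-login")


def server_enroll(token: bytes) -> bytes:
    """Hypothetical server side: store only a hash of the token, so a dump of
    the server database does not yield tokens that could be replayed."""
    return hashlib.sha256(token).digest()


def server_verify(stored: bytes, presented: bytes) -> bool:
    return hmac.compare_digest(stored, hashlib.sha256(presented).digest())


if __name__ == "__main__":
    # Constructed sample vault; the master passwords and wordlist are made up.
    blob = encrypt_vault("letmein", {"bank": "x9!Qp2#kL", "mail": "hunter2"})
    wordlist = ["password", "123456", "letmein", "qwerty"]
    print("weak master password recovered:", crack_blob(blob, wordlist))
    strong = encrypt_vault("Vt7#mq9!Rz2&Lp4@", {"bank": "x9!Qp2#kL"})
    print("strong master password recovered:", crack_blob(strong, wordlist))
    salt = bytes.fromhex(blob["salt"])
    token = login_token("letmein", salt, blob["iterations"])
    print("login token equals vault key:",
          token == subkey(derive_root("letmein", salt, blob["iterations"]), b"vault-enc"))
    print("server accepts correct token:", server_verify(server_enroll(token), token))
```

Running the block recovers `letmein` from the four-word list and fails on the strong master password; that asymmetry is the whole of the "strong master password" argument the vendors make, and the iteration count is the only other lever a vendor controls once the blob is out of their hands. The login-token part is the point at issue in Vadim's answer: what matters is not only whether the value sent to the server is the master password, but whether it is the same value that decrypts the vault. Here it is deliberately not, so an attacker who reads it on the server still has to guess the master password.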

Final thoughts

As I worked through this piece, I realized I was raising more questions than providing answers. Using an online password manager apparently means trusting the app’s developer, hoping the ROI is not enough to interest the bad guys, and staying off government agencies’ lists.

There is good news: Jake, my break-in expert, has decided to take a hard look at online password managers, so stay tuned.



52 comments
MaxPeters

Better yet, create a password that is hard to hack! I made mine with www.passwordturtle.com , a password generator that creates secure passwords that are easy to remember from common english phrases. I highly recommend it to create a stronger password

paulmoore2014

"there is no snooping on the master password, as it never gets sent to a server"


That's wrong for a start.  It IS sent to the server.  I questioned them on this and they initially denied it.  After a couple of messages back and forth, they eventually admitted it.

paulmoore2014

"there is no snooping on the master password, as it never gets sent to a server"


That's wrong for a start.  It IS sent to the server, it's required to decrypt the data!  I questioned them on this and they initially denied it.  After a couple of messages back and forth, they eventually admitted it.

mikin

You should have asked Sticky Password - they are great and even let you keep your database offline if you do not trust being online.

garyj2010

I don't know why Intuitive Password is not on the list. I highly recommend Intuitive Password, because I have used it myself. Mobility and browser compatibility is fabulous. Also it is very easy to use. You technically have to remember zero passwords. Your passwords are securely stored on the enterprise-grade cloud servers.

You may check it out here https://www.intuitivepassword.com

JSpitzer1540

Those guys at Siber systems are pretty reassuring, as a general practice we use anywhere between 20-32 character master passwords with their enterprise product line. They've been doing password management for years.

joecascio

There are alternatives to using passwords. A digital signature based authentication scheme would not require accepting sites to store anything but a user's public key. I've proposed such a system in this blog post: http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/

Such a system decentralizes authentication, requiring an attacker to penetrate every individual user's machine rather than being able to access an entire database of credentials by penetrating one site.

Yamon

The weak link here is the 'master password'. Most people simply do NOT want to try and remember anything complicated. Therefore, in many ways online password managers merely shift the focus of where you start your hunting.

I have no data to back it up but I'm betting most people use 'weak' passwords as their master password.  

2FA should be a minimum standard for all of these services and support calls/emails should be fully vetted to ensure getting around the entire process is not a joke: cough Amazon, cough Apple.

RNR1995

your passwords are not protected
you are voluntarily sharing them with a 3rd party
this is the BS law they use to get the phone numbers you are dialing without a warrant
look it up

mrsmissus

In another life, I worked in telecommunications when landline telephones were the norm and cell phones were exclusively for the wealthy.  Our Federal Government had total and complete access to every phone call that was made.  That access meant they could 'listen in' as they chose and it was legally provisioned.  

Additionally, when GSM (wireless technology) was first introduced into the USA, our Federal Government mandated changes to the encryption procedures, since the  European standard was too difficult a code for our government to crack.  

No one objected since there were checks and balances provided by the FCC to be sure that only the good guys had access.  My how times have changed.

mikeh222

A big question here was not brought up. 

Assume that a password management company is compelled to turn over everything they have. Sure, they have a hashed copy of their customers' master password but that's only part of the story.

Do they have to also turn over the FORMAT of the hashed password? 

Suppose, for example, it is stored as a blob where the first few bytes represent a software version number and the next few bytes are a code for the cipher used. Then comes the hashed password. If the government agency getting this data does not know the format of the encrypted blob, they have no chance at all of decrypting it.

framefritti

Do you want a very simple solution? An odt document encrypted with AES + a good passphrase (not your pet's name!) saved on some network accessible repository (e.g., Dropbox, but also a disk of yours exported with NFS [or something more recent]). The file is never stored in clear on the disk, but decrypted/encrypted when read/updated, so the most that the storage provider can give to the agency is your encrypted file. If you choose your passphrase with care, maybe they will have quite a hard time recovering it.

wpbflguy2

It would seem to me that there would be reputable companies offering this type of program and possibly not so reputable ones.  I would think that if the company had a good reputation they would put out a reputable product.  I have used Norton for years to store my passwords and I am assuming their model is similar to the others mentioned here. 

I just don't understand though how some people have blind faith when downloading and installing a program from the internet.  If it were developed properly (maliciously) they could hijack all of your passwords it seems......

NeverSecureEnough

The question to developers was “If the government orders you to turn over someone's passwords, is it possible?” and, naturally, the answer is NOOOOO!!!!

But what if a court order to the same developers was to install some spy s/w in order to steal the user's master password or any other data?

Would any of these companies have the courage to shut down its business (as Lavabit did) in order not to have to comply?

BrianODoherty

Netsso.com also does not know users' Master Passwords, which are used to encrypt the users' database of private passwords for logging in to various websites.

Please note that users' Master Passwords are also used to encrypt users' databases of "encryption passwords", random, 40-character long passwords used to encrypt users' documents as they are uploaded, via Netsso.com, to users' SkyDrive or DropBox stores. Later, when a user accesses an encrypted SkyDrive/DropBox document via Netsso.com, the document will be delivered to him decrypted, onto any computer. But the password is remembered and the decryption is done on the user's local computer, not on the Netsso server.

paganiniy

Mr. Kassner, how safe is a password manager on my PC, e.g. KeePass?

Neon Samurai

You got Malware Jake? Sir, you don't skimp out when you look for expert comments.

Question or perhaps your follow-up article, what third parties have pentested these products?

I know Steve Gibson gives a good review of Lastpass. Have any other independents had a run at it to see if a local install can be compromised that way?

How do the other ones compare to Lastpass' additional features like the leaked password watch and the password strength challenge tool?

paulharryjennion

I'm a Dashlane user, I don't remember ever having my user account hacked.

Craig_B

It seems that data security comes down to a matter of trust which brings up the question, Who do you trust?

The developers, the vendors, the ISP's, the government, etc.  Also, assume you trust all the business aspects, what about malware, criminals, state sponsored organizations, etc. 

Sometimes it just seems like a big scary world out there.  It's funny, the more connected we become it seems the more fear is induced.  I guess the good news is it seems we also have more transparency, even if it comes indirectly at times.   Why can't we all just get along... 

mikin

@garyj2010  probably they are not "well known" like my software I use -Sticky Password http://www.stickypassword.com  Only the big boys are in this game :) 

mikin

@JSpitzer1540  I don't trust them, they are not nice to customers, they have forced everyone to their annually paid licensing without letting you have any option to switch to offline or whatever, and I don't trust them. What they say to the public may be totally misleading. Lastpass had an incident once and they dealt with it great. 

Neon Samurai

@RNR1995 How are your passwords not protected? What law are you referring to? Can you provide links or more detail?

Do you mean your passwords are not legally protected if authorities present you with a warrant? Latest from a couple of US lawyers that I heard was that this depends on where the password is:

- if you write it down on paper, courts can demand you hand over that paper

- if you memorize it, courts can not demand you divulge it due to self-incrimination potential

Do you mean your passwords are not physically protected if authorities present the service provider with a warrant? This depends on how your passwords are stored:

- a local password manager (keepass/keepassx) or a properly hosted service (lastpass) so that even they can't decrypt user's data should keep your passwords protected provided you choose a strong master password.

- a local password manager or any hosted service that does not encrypt user data or encrypts it on the server side (ie. can recover your lost password or data if you call them) is very much unprotected.


Based on lawyers' talks this summer, security expert review and my own experience: use Lastpass or another trusted password manager, or Keepass if you can't trust a third party service. Memorize your strong master password; never write it down. Keep all your other passwords encrypted away in it. Use the random generator so all your other passwords are max length/complexity, leaving the manager to remember and enter them for you.

- service provider can not expose you to risk because they can not decrypt your data even under threat of government

- legal system can not compel you to divulge your master password because it is something you know not written down; you can not be compelled to self-incriminate

- keyboard sniffers can not expose you to risk because a good manager like lastpass does not pass through the keyboard when auto-entering your credentials

- your passwords and other important information are not lost should your hard drive crash or home burn down since they are stored encrypted on an outside server. dead drive, dead usb, dead backup.. don't care.. safely stored off-site. (eg. PDF your insurance policy, store it in lastpass as an encrypted note with file attached.)


Now, the caveat.. which password managers are written in the US or other nations where the gov may compel them to compromise their products. (My only complaint with lastpass.. not open source developed so we must put some trust in the company).

Neon Samurai

@mrsmissus especially since GSM was cracked a while back by independent researchers (and, by statistical probability, others with malicious intent).

Neon Samurai

@mikeh222 isn't this threat negated by use of a strong password protecting strong encryption certs?

For a system to be truly secure, it must remain secure even when every detail about it is known except the secret key.

If knowing the hash, the cypher, and the salt makes it possible to easily crack the encryption then it was already broken to begin with. (salt protects against mass cracking more than individual cracking doesn't it?) Would knowing that I use PBKDF2 significantly decrease your effort in cracking 20+ character fully randomized passcodes?

Neon Samurai

@framefritti Just watch for temp files.. your decrypted odt may find its way onto your hard drive somewhere unless you have a document reader that only ever stores the decrypted file in ram and expunges it as soon as it's not needed.

an encrypted text would also work. I think there are fewer text editors that save a temp file while it's open. You could even do a quick little bash script to request password and display decrypted contents so you know it's never writing decrypted data to the drive.

Michael Kassner

@framefritti 

What you suggest is pretty much what online password managers do now, in fact several work with the various file-syncing apps to sync an encrypted password database. 

Neon Samurai

@wpbflguy2 Can Norton tech support help you recover your login password or help decrypt your data in case of local loss? If so, then they are not comparable to a reputable company and service which only ever touches encrypted data and can not recover your data if you lose your passwords.

Remember also that Norton is a nice giant US company. I can't imagine that they have not already been approached long ago with demands for complacency.


Michael Kassner

@wpbflguy2 

I wanted to add that it is a matter of trust. Most password managers are proprietary software that has been obfuscated to prevent researching the code. That is why getting Jake involved will be interesting.

Michael Kassner

@wpbflguy2 

I asked Symantec to comment, but have not yet received any response from them. I would agree, except that the government involvement adds a whole new perspective. 

JCitizen

@paganiniy I'm not familiar with KeePass but read good reviews of it. One thing to keep in mind is although Michael is right that crooks are not trying that hard to get your PC-stored master password, a keylogger could record it while you are logging into it. The only defense that is recognized as effective to that (so far) is blocking keyboard access at the kernel layer to the browser. Rapport from Trusteer tests out well with AKLT, and passes all tests from that utility; however Rapport does not claim to protect the password unless you are in an SSL session. I use Keyscrambler in an attempt to obfuscate any keylogger that may be getting past my defenses. QFX will flunk some of the AKLT tests because it can't block screen access or snapshot spying; but it is better than nothing.

Michael Kassner

@paganiniy 

I asked the people at KeePass for their comments to "The Question," but as of yet have not received a response. 

Michael Kassner

@csomole 

Interesting comment. There has been little if any in-depth studies, hence Jake's wanting to look into it. Any insight you could offer would be appreciated. 

Michael Kassner

@paulharryjennion

They say they authenticate you based on your machine, I am curious about that. So you still have to log into the app with a password? 

JCitizen

@Craig_B One thing about LastPass is their integrity went WAY UP with me after they detected someone moving blobs around inside their database, and they reported it to the public ASAP! This is bound to happen to any cloud service no matter what, but owning up to even a mild breach such as this put their credibility way high to me. Most breaches that have come to light from other companies revealed that they tried to hide it from their customer base and it also turned out they weren't doing their homework to harden customer data. Personally I'm sold on LastPass so far.

Michael Kassner

@Craig_B 

I'm not so sure your question can be answered, Craig.

Neon Samurai

@Michael Kassner 

"getting Jake involved".. oh.. oh.. oh.. is he gonna do it? Is he going to have a run at each of them to see how they stand up to abuse?

Neon Samurai

@Michael Kassner @csomole 

KeepassX is opensource. The tarball for version 0.4.3 is on the site. The bug reporting system is very visible on the home page.

The development model isn't a magic bullet but it does provide the opportunity for code audit and a look at how responsive the developer community is.

If your master password is strong or you use the certificate option then your encrypted database should be well protected from anything  looking at it on your local machine.

If you use the auto-type function then you negate the opportunity for most keypress sniffers (definitely physical sniffers). The built-in onscreen keyboard even protects the master password from sniffing.

My only complaint was syncing the database between locations. If an entry changes in two locations then you risk data loss when one version of the database overwrites the other. Something like Lastpass syncs data by entry immediately so you don't have the risk of collisions (if you open it in multiple locations of course).

Neon Samurai

@Michael Kassner 

Nice summary of the enterprise features and very much in line with Mr Gibson's summary after talking to them directly. I've actually been looking at that deciding if the additional features justify upgrading from premium.

I'll be very interested to hear what Mr Williams finds if he does get time to audit them.

Neon Samurai

@Michael Kassner 

Thank you Michael, 2010? How did I miss this.. I must have if I didn't comment on it one way or the other.
