Recently, it has come to our attention that someone else (the U.S. Government) seems to be interested in passwords. That has people who use online password managers asking an important question: who, other than the person owning the password manager account, knows the master password? Or, more to the point, is it possible for anyone other than the account owner to access passwords stored in online password managers?
Cracking password managers
To be honest, I’ve wondered the same thing: how hard is it to get at the passwords protected by one of these applications? To find out, I chatted with Jacob Williams, a forensic scientist and penetration tester. If anyone can break into a password manager, Jake can.
I specifically asked Jake about the master and synchronization passwords, as obtaining these passwords appears to be the simplest way (remember bad-guy ROI) to crack the applications:
“Even if the passwords are encrypted at rest, they must use reversible encryption. That means a hacker with access to the victim’s machine could potentially steal the database/backup files, and walk away with the passwords. Of course, with a master password that's less of an issue.
“Synchronization is another thing entirely. I looked at some FAQs and did not see any guarantee that synchronized passwords are encrypted. However, I'd bet they just synchronize the copy of the encrypted password database on each machine. It appears the master password is the key used to encrypt the data. Good for them in that regard. That's what they should do.”
It sounds like there may be a way in for bad guys, albeit difficult.
I also wondered what can be legally requested by government agencies. To figure that out, I asked Tyler Pitchford, my attorney friend, for his opinion. Here is what he had to say:
“The general concept is the same as the classic lock/key debate. If the access password is written down, they can request a copy; if the access password is in your mind, they need an exception to the Fifth Amendment such as the foregone-conclusion doctrine.
“As for password manager programs, assuming there's probable cause or a subpoena right, the government can request the password database and attempt to break it; or as mentioned above, ask for a physical copy of the password if one exists or force disclosure if they have an exception handy.
“If the password database is stored on a remote server, it's probably subpoenable and if the users employ weak encryption or store the master, they may be out of luck.”
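The design Jake describes, where the master password is the key and anyone holding the database can only attempt to break it, is sketched below as an added example; it is not code from any vendor mentioned here. The iteration count, the HMAC-based stand-in cipher, the sample vault contents and the guess rates are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not taken from any product

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keys(master_password: str, salt: bytes, iterations: int):
    # The master password is stretched on the client and never leaves it.
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return _prf(root, b"encrypt"), _prf(root, b"authenticate")

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so only the
    # standard library is needed; a real product would use AES.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Build the blob a sync server would store: no password, no key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master_password, salt, ITERATIONS)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    return {"salt": salt, "nonce": nonce, "iterations": ITERATIONS,
            "ciphertext": ciphertext, "tag": _prf(mac_key, nonce + ciphertext)}

def open_vault(master_password: str, blob: dict):
    """Return the plaintext, or None when the password is wrong."""
    enc_key, mac_key = _keys(master_password, blob["salt"], blob["iterations"])
    expected = _prf(mac_key, blob["nonce"] + blob["ciphertext"])
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ciphertext"])

def years_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of this shape at an assumed guess rate."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", b"bank: hunter2")  # constructed
    print(open_vault("correct horse battery staple", blob))
    print(open_vault("wrong guess", blob))
    print(years_to_exhaust(26, 6, 1e4), years_to_exhaust(94, 16, 1e12))
```

Everything in the blob except the password itself is available to whoever holds the database, so the only protection left is the size of the master password's search space multiplied by the cost of each key derivation.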
What the developers are saying
With the “breaking into and legal” aspects taken care of, it’s time to see what the developers have to say about their products. Rather than have each vendor extol the virtues of their technology, it seemed better to ask each of them the question on users’ minds, “If the government orders you to turn over someone's passwords, is it possible?”
First up is AgileBits, whose online password manager is 1Password. I asked Jeff Goldberg, AgileBits' Chief Defender Against the Dark Arts (great title), “The Question.” His response:
“We never have the opportunity to see either your data or your master password. In fact, we don’t even have the chance to see how or whether you even use 1Password. So the short answer to your question is, no, it is not possible for us to obtain your password database, nor is it possible for us to decrypt it even if we did manage to get hold of it.”
Next up is LastPass, a popular online password manager. Erin Styles, Vice President of Marketing, answered “The Question,” and included a comment from LastPass CEO Joe Siegrist:
“In Joe's words, ‘We can't give them what we don't have.’ So, to answer your question, there is nothing we could do to obtain someone's passwords. If ordered by the government, we would hand over a blob of encrypted data that they could attempt to brute force. As everyone knows, with a strong master password, brute force would be virtually impossible.”
Moving on to mSeven, whose password manager is mSecure. Ray Marshall, CEO and president of mSeven, responded to “The Question” this way:
“It's a great question. We don't have access to any of our users’ data, and we can't decrypt it even if we did, since we don't have their password. mSecure stores all data locally and encrypts the data with the user's own password. Much to the chagrin of users, if they forget their mSecure password, even we can't get it back for them.”
Last up is Siber Systems with their password manager, RoboForm. Vadim Maslov, CEO and founder of Siber Systems, answered “The Question”:
“We really cannot open users’ passcard (password database) without knowing the master password. Also, RoboForm has no backdoors. If you use long and random master passwords, your passcards will be hard (computationally) to crack. It does not mean the NSA will not be able to do it, as we heard that they may throw a lot of computational power at it.”
That last comment caught my attention, having just read this Wired article quoting Director of National Intelligence James Clapper: “[W]e are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.”
Even before this, there’s been talk about a substantial NSA breakthrough in cryptanalytic capabilities. With that in mind, I asked Vadim a few more questions.
Kassner: Vadim, did any government agencies contact you?
Maslov: We never received any legal communication from NSA or FISA or anybody else requesting disclosure of user data.
Kassner: What if the government orders you to allow them to snoop the login exchange? Will that work?
Maslov: To answer your question, there is no snooping on the master password, as it never gets sent to a server. Only a hash of the RoboForm Everywhere password is sent, so it can be snooped on in principle. Then again, it is sent over SSL only, so this would have to be done somewhere on the server. Well, even Google and Yahoo had to release salts (hashes) of passwords to the NSA, if you believe the press.
As I was working through this piece, I realized that I’m introducing more questions than providing answers. Using online password managers apparently means trusting the app’s developer, hoping the ROI is not enough to interest the bad guys, and staying off government agencies’ lists.
There is good news: Jake, my break-in expert, has decided to take a hard look at online password managers, so stay tuned.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.