Posted by Andrew Harrison 23 July 2014
Why you shouldn't trust password managers
Even in the seemingly care-free world that existed before June 2013, I can’t say I was enamoured by the idea of putting my personal files into someone else’s cloud. It was long known that most companies that offer to store your data online for your convenience are based in the United States, and that the country’s ill-conceived Patriot Act, rushed in post-9/11, effectively said ‘anything you store on our shores belongs to us’.
So when armed with a signed subpoena, everything you care to keep in DropBox or Microsoft OneDrive (SkyDrive) or Google Drive or similar service will be fair game to the US government and all its agencies.
The difference now on this post-Snowden planet Earth is we know the US government doesn’t always bother with warrants before it looks inside these, er, secure and encrypted online repositories. Oh and that this kind of disregard for personal and commercial privacy is also standard operating practice in this country too.
Even the most lobotomised of ‘nothing to hide, nothing to fear’ apologists for the continuous-surveillance horror that is the modern internet may draw the line somewhere. That line might simply be where their own money is involved. Such as their online banking credentials, access to savings accounts and pension plans. Would you give up your passwords to your online bank to a stranger in the street? How about any government official that casually asked?
Yet nowadays we’re increasingly being encouraged to store our most important online security asset in the cloud. I’m still talking about passwords.
One box to be hacked
One way you may be asked to put all your passwords in the cloud is with a password manager program for your PC or mobile device. The names may be familiar; maybe you already use one of them – LastPass, RoboForm, PasswordBox to name three.
Developers of these services may have started with the best of intentions: to allow you to use long, complex and secure but impossible-to-memorise passwords for any site or service that requires a password to log on. These passwords are then filled in on demand from an encrypted archive managed by the software.
That’s all fine and dandyish so long as the encrypted master vault is stored locally, on one PC. But all bets are off once you share that password vault with a third party, such as the password-manager developer or another such cloudy service.
The problems here, as I see them, are at least two-fold. First, allowing network access to privileged data means you have to secure every possible back door and side door in all the possible ways that a smart adversary could find a way in. That’s made all the easier when the developer’s implementation is full of security holes, as was discovered in a research project conducted by the University of California, Berkeley, and published last month in the paper ‘The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers’.
The team of four analysed five password managers that thoughtfully offer to manage your passwords across all your gadgets. The team’s damning findings were that all five were flawed in some way at the time of testing with ‘critical security vulnerabilities’, with various hidden defects that mean your bestest and most securest of passwords would be worth nought if trusted to these password managers. In four password managers, ‘an attacker could steal arbitrary credentials from a user’s account’.
As responsible researchers, they revealed the failings they’d found before publication, giving the software makers time to shore them up before blackhats could read all about it. But given some of the schoolboy errors demonstrated by the developers, who’s to say these people are qualified to be trusted with the crown jewels of your online security ever again?
My second fold – even if the software and its implementation were perfect, you’re still putting all of your eggs into one basket, then putting your wickerwork where any cunning fox could potentially liberate them. The archive may be encrypted but that can mean little when the new owner of your password basket puts their talents to cracking their way in.
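To make the ‘encrypted archive in someone else’s hands’ point concrete, here is an added example (my own illustration, not code from the article or from any of the password managers it names) of a minimal local vault whose key is stretched from a master password with PBKDF2, using only the Python standard library. The vault layout, the function names and the candidate password list are all constructed for this example; a real vault would also hold entries encrypted under the derived key with an authenticated cipher, which is left out here. The last function is the audit a defender would run: once a copy of the vault file has left your machine, the only thing standing between its new owner and your passwords is the master password and the key-derivation work factor.

```python
"""
Added example, not code from the article or from any password manager it
names: a minimal local "vault" whose key is derived from a master password
with PBKDF2-HMAC-SHA256 (hashlib's implementation), plus a check that shows
why a vault copy that leaves your machine is only as strong as the master
password and the key-derivation cost. Vault layout, names and the sample
candidate list are this example's own constructions.
"""
import hashlib
import hmac
import os

KEY_CHECK_LABEL = b"vault-key-check"   # fixed label MAC'd to verify a derived key


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               iterations, dklen=32)


def key_check(key: bytes) -> str:
    """HMAC over a constant label: lets the vault confirm a key without storing it."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).hexdigest()


def create_vault(master: str, iterations: int = 600_000) -> dict:
    """Return the vault header: random salt, work factor and the key check.

    Everything in this header is public once the file is copied; only the
    master password is secret. (Encrypted entries are omitted: assumption of
    this example.)
    """
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "check": key_check(key)}


def unlock(vault: dict, master: str) -> bool:
    """True if `master` reproduces the key the vault was created with."""
    key = derive_key(master, bytes.fromhex(vault["salt"]), vault["iterations"])
    return hmac.compare_digest(key_check(key), vault["check"])


def survives_offline_guessing(vault: dict, candidates: list) -> bool:
    """Defender's audit: whoever holds a copy of the vault can run unlock()
    against a list of common passwords at their leisure, with nothing to
    rate-limit them. Return False if any candidate opens the vault, i.e. the
    master password is too weak to protect anything encrypted under it."""
    return not any(unlock(vault, guess) for guess in candidates)


if __name__ == "__main__":
    # Constructed sample values for the demonstration (low iteration count so
    # it runs quickly; use the 600_000 default for a real vault).
    common = ["123456", "password", "password123", "letmein", "qwerty"]
    weak = create_vault("password123", iterations=20_000)
    strong = create_vault("correct horse battery staple", iterations=20_000)
    print("weak vault survives common list:", survives_offline_guessing(weak, common))      # False
    print("strong vault survives common list:", survives_offline_guessing(strong, common))  # True
```

The 600,000-iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256; the demo lowers it so it runs in a moment. The design point is the one the paragraph makes: the salt and iteration count do nothing to stop guessing, they only make each guess cost more, so a vault that has been shared with a third party is protected by the master password alone, while a vault that never leaves the PC first requires getting onto the PC.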
It’s not just careless new start-up companies with dollar signs in their eyes that want to sell you their online password management. In its efforts to simplify your online life – we’ll be charitable and attribute its efforts thus – Apple Inc now wants you to pour all your most sensitive passwords into its iCloud Keychain service.
When first setting up iCloud services on a new Mac, it’s difficult not to be led down this merry path. You’re opted in by default, and presented with a four-field dialog box that expects you to engage the service by tapping in a new PIN code. If you try to sidestep it by pressing Cancel, for instance, a somewhat scary warning tells you that ‘if you don’t create a security code, setting up iCloud Keychain on a new device will require your approval from a different device’. What?
Then the next attempt to sidestep the cloud keyring warns you that ‘you will not be able to use passwords stored in iCloud if you lose all your devices that use iCloud Keychain’.
Apple’s security is in many ways some of the best in the business, but I would not trust it with all my most valuable passwords. And shame on you, Apple, for leading users to think this is effectively mandatory and a Jolly Good Idea.
So what do you do if you want to keep yourself relatively secure with long and unique passwords for every site and service, but quite rightly are worried about trusting them all to unqualified strangers (aka, password managers and cloudy keychains)?
As the Berkeley researchers point out, and some people have found to their cost, it is too much of a cognitive load to keep them all in your own head. So instead try writing them down, and keep them to hand on a Post-it note stuck to your monitor.
That is of course the absolute antithesis of all traditional security advice given since the computing dark ages. But since practically all online security threats are remote attacks by definition, a pen-and-paper record is now the best, being entirely unreachable over IP. Just make sure there are no laptops across the room facing your monitor though, since practically every laptop today has an all-too-hackable webcam available to the resourceful hacker...