Dear Linkedin,

Jimmy Hess mysidia at gmail.com
Sat Jun 9 23:09:24 UTC 2012


On 6/9/12, Scott Howard <scott at doc.net.au> wrote:
[snip]
> Security is all about trade-offs.  In this case it's the trade-off between
> storing an encrypted password database on a 3rd party server, vs re-using
> passwords and having (potentially) weaker passwords as a result of not
[snip]
Yes.   Using an encrypted online password vault is a trade-off.

Risks that are unaffected:
   o   A randomly generated password might be more guessable than a
       human-created password, if generated by an insecure PRNG, for example,
       if the possible generation outcomes for given input parameters can be
       predicted through analysis.
   o   A password can easily be stolen by malware on a computer the
       password is typed on that logs keystrokes and mouse clicks (even a
       vault's master password).
   o   A password can easily be stolen if transmitted to a remote site
       unencrypted, by a computer on the local or remote LAN with a malware
       infection (even a switched LAN).
   o   If either endpoint's SSL certificate (or a CA) is compromised,
       a MITM attack can be used to learn the contents of encrypted
       communications.
   o   A password can be stolen by malware if stored temporarily at rest or
       temporarily in RAM in an unencrypted format.
   o   A password can be stolen if stored at rest in unencrypted format.
   o   A password can be stolen, even if encrypted, if the symmetric
       encryption key can also be stolen.

New risks increased in magnitude:
   o   If malware running on a computer is aware of the password vault
       application, it may be able to maliciously modify the executable code
       of the password vault application in memory, resulting in data
       compromise.
   o   Your password data is vulnerable to local compromise if your
       master pw is guessed or stolen.  (Use a vault with multi-factor
       authentication to mitigate.)
   o   If password vault data is stolen, the thief has a convenient
       list of accounts.  Risk can be reduced by using multiple vaults of
       different types for different security levels/use frequency.
   o   If the password vault software fails, the DB is corrupted, or the
       online password vault service goes offline, you can lose access to
       your accounts, because you don't remember the passwords.
   o   The password vault is an additional piece of software; if the
       software developers' systems are compromised, it might be possible
       for malicious code to be inserted in the password vault application.
   o   If the password vault software has a bug, the encryption doesn't
       work properly, or fails to maintain good security hygiene, all your
       passwords may be vulnerable.

For example, if you keep a GPG encrypted list of passwords, and you
create a "temporary plain text file" when re-encrypting to create a new
encrypted list, passwords are vulnerable to theft during this process,
and afterwards via latent disk analysis techniques.


Examples of risks mitigated by an online encrypted password vault VS
shared or similar passwords that are memorized:
    o   Reduced risk of loss of access to an account, resulting from
        forgetting which password was selected for a particular account,
        or adverse password changes enforced by "password setting" or
        "mandatory password change" policies.
    o   No need to use short/guessable passwords (less than 16 characters);
        high-entropy passwords can be chosen which can only be attacked
        by brute force, and which will take massive amounts of money or time
        to successfully attack.
    o   If the login password to one site is compromised, guessed, or
        accidentally disclosed by any means, many of your accounts are
        at increased risk.

Risks eliminated by a pw vault VS passwords written down on a slip of paper:
    o   No risk of losing the paper, resulting in account compromise
        and loss of access.
    o   No risk of a piece of paper being stolen.
    o   No need to use short passwords (less than 32 characters)
        that can easily be written down.


--
-JH
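As an added example, not part of Jimmy Hess's message or of the thread, the Python below puts numbers on two of the points made above: the entropy of a password drawn uniformly from a given alphabet at a given length (the 16- and 32-character thresholds mentioned), and why a password generator built on a seeded, deterministic PRNG yields a reproducible "random" password, whereas one drawing from the OS CSPRNG (`secrets`) does not. The alphabet, the assumed guess rate of 1e10 per second and the seed value are constructed for the illustration and are not from the message.

```python
"""
Added example (not from the mailing-list message), standard library only.

  1. "High-entropy passwords ... can only be attacked by brute force":
     a password of length L chosen uniformly from an alphabet of A symbols
     has L * log2(A) bits of entropy; an exhaustive search needs on average
     half the keyspace, i.e. about 2^(bits-1) guesses.

  2. "A randomly generated password might be more guessable ... if generated
     by an insecure PRNG": a generator whose state is a function of a small
     seed emits the same password every time, so the password is only as
     secret as the seed.  secrets.choice() uses the OS CSPRNG instead.
"""
import math
import random
import secrets
import string

# Constructed alphabet for the example: 52 letters, 10 digits, 14 symbols = 76.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly and independently
    from an alphabet of `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses for an exhaustive search: half the keyspace."""
    return 2 ** bits / 2


def search_years(bits: float, guesses_per_second: float) -> float:
    """Expected years of exhaustive search at an assumed guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """What a vault should do: draw each symbol from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def weak_generate_password(length: int, seed: int, alphabet: str = ALPHABET) -> str:
    """The anti-pattern the message warns about: a deterministic PRNG seeded
    with a small value.  Same seed, same 'random' password, every run."""
    rng = random.Random(seed)  # Mersenne Twister, fully determined by `seed`
    return "".join(rng.choice(alphabet) for _ in range(length))


def is_reproducible(length: int, seed: int) -> bool:
    """True when two independent runs of the weak generator agree, i.e. the
    output is a pure function of the seed rather than of fresh randomness."""
    return weak_generate_password(length, seed) == weak_generate_password(length, seed)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second (constructed)
    for length in (8, 16, 32):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length:2d} chars: {bits:6.1f} bits, "
              f"~{search_years(bits, rate):.3g} years at {rate:.0e} guesses/s")
    print("CSPRNG :", generate_password(16))
    print("seeded :", weak_generate_password(16, seed=1234),
          "(identical on every run:", is_reproducible(16, 1234), ")")
```

The entropy figure is only valid if the generator really is uniform over the alphabet; the seeded generator produces strings that look the same to an observer but, as `is_reproducible` shows, carry no more entropy than the seed that produced them.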




More information about the NANOG mailing list