3

I understand the purpose of password managers and the fact that there seem to be a trade-off to accept, but well, I find that trade-off to be unacceptable and I wonder if there's a way to avoid it. A password manager introduces a single point of failure, and that single point of failure is also pretty fragile: it's the user's machine. And we know that once the machine is compromised it can't be trusted anymore, and the damage can potentially affect all the data on that machine, so why should we accept to store all of our credentials on such a fragile single point of failure? I bet at the NSA they don't have password managers that allow access to thousands of passwords from one single computer, do they? There must be some alternative methods to manage passwords or to at least somehow mitigate the single point of failure they introduce.

Many people don't just need to store their own passwords, but also other people's passwords, like for example clients' passwords (for work), or some relatives' passwords (to provide support, etc). Some accounts are accessed daily, some only need to be accessed every once in a while, and there might be accounts in your password manager that you don't even remember having. So why should we accept to put all this at risk? It only takes one infection and hundreds of accounts could be compromised. Every account ever: not only your accounts, but other people's too. It's a recipe for a huge disaster.

You might think that once your machine is compromised you are screwed anyway, so avoiding the single point of failure isn't as important as it may seem, but think about it: for the sake of argument, let's consider the differences between storing all your passwords in a password manager on your computer and storing them on a piece of paper. Let's ignore the fact that the piece of paper introduces other threats, and just focus on the consequences if your computer gets infected. If your machine gets infected and you use a password manager that contains all your passwords, then the attacker can get all of them. But if your machine gets infected and you are just typing passwords from a piece of paper, what can the attacker steal? Only the passwords that you type between the time of the infection and the time you discover the infection. So only some of the passwords will likely be stolen, not all of them. Mitigating the problems related to this single point of failure therefore seems to be possible.

I tried to think of some solutions. I'm not sure if 2FA could really help in case the local machine is compromised, so I'm not sure if online password managers can help more than local ones in this respect. I'm afraid not. A possible solution could then be to use several databases in the password manager, with different passwords, so that even if one master password (and the corresponding database) is stolen, the passwords contained in the other databases will be safe. The different databases could group passwords based on frequency of use, or date of last use, or importance (PayPal account in a different database than StackExchange), or based on ownership (clients' accounts kept separate from mine). However it's not clear what the best way to group passwords is, and it soon gets pretty cumbersome, leading to several strong master passwords to be remembered. Another solution might involve some kind of obfuscation (custom made) added on top of the security by design already provided by the password manager, which I guess would work against most infections (non-targeted attacks). For example, combining obfuscation with multiple databases could be done by generating the password for each database with something like master_password_for_DB = hash(DB_name + supermaster_password), so you wouldn't have to remember a lot of master passwords. Of course this only works because of obscurity, that is, if nobody other than me knows the method. Yet another solution might be to store everything on a separate device set up specifically for password management (like a phone with disabled connectivity), but that too is going to introduce some pretty big problems: typing a strong master password every time on the portable device is harder, and there's no way to copy-paste from it to the computer, so you will probably have to read it (a security weakness) and type it (a hassle).

I seriously don't think I have other ideas at this point.

reed
  • 15,538
  • 6
  • 44
  • 65
  • 2
    Most business grade Password Managers have fine grained permissions. A user generally doesn’t login and have access to all of the passwords (which may be the thousands). They typically only have access to a handful of passwords they have been authorized to access. Additionally, many PW managers have extensive audit logs (who changed what, who saw what, etc). – myron-semack Dec 04 '18 at 01:19
  • Interesting read about this topic: https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/ – Kevin Jan 03 '19 at 14:11
  • Also, ``Let's ignore the fact that the piece of paper introduces other threats`` I don't think it is fair to ignore threats that writing it on a piece of paper comes with, while you do focus on a risk with password managers and then suggest writing it down is a good alternative. If you suggest alternatives, you have to take into account the risks of your alternative (losing the paper, always having to keep it on you, others can easily steal your piece of paper, etc.) – Kevin Jan 03 '19 at 14:12
  • Possible duplicate of [How safe are password managers like LastPass?](https://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass) – Kevin Jan 03 '19 at 14:16
  • 1
    @KevinVoorn, where did I suggest that writing passwords on paper is a good alternative? I'm not suggesting anything. In fact, I am *asking* for suggestions for a better way of managing passwords to avoid the problems I mentioned. – reed Jan 03 '19 at 14:29
  • I think your question could really gain in clarity by being more concise. – A. Hersean Jan 03 '19 at 17:19
  • @reed Let me clarify: I didn't mean you suggested writing it on paper to be a better alternative, but since you said ``But if your machine gets infected and you are just typing passwords from a piece of paper, what can the attacker steal? Only the passwords that you type between the time of the infection and the time you discover the infection. So only some of the passwords will likely be stolen, not all of them. Mitigating the problems related to this single point of failure therefore seems to be possible.`` you might say it solves the SPOF you suggested, but that is not a fair comparison. – Kevin Jan 03 '19 at 20:37
  • 1
    This is a great question, and one that I personally have not yet found a satisfying answer to (which includes the answers currently on this question). I'm favoring this question, maybe a satisfying answer will pop up in the future. – Heinzi Aug 04 '19 at 15:00
  • Maybe in 20 years we'll have seen many attacks take advantage of this at a large scale, and the conventional wisdom will be that using today's style of password manager is an unacceptable security risk. It's going to take a lot of creativity to come up with something better though. – Drew Nutter Oct 30 '22 at 05:32

4 Answers4

5

I do use a password manager, and the Single Point Of Failure is not the password manager nor its database. I am the SPOF. Let us look at the classical CIA point of view.

Confidentiality

  1. at rest

    In order to access the passwords, you must have the database which is only present in a limited number of devices and know the password. I only assume that if one of the devices holding the password database was compromised, I should notice it and act accordingly by considering all passwords in the database to be compromised and start the process of changing each website's password the next time I log in.

  2. at run time

    I trust the password manager to be correctly implemented. Of course if an evil guy manages to install a key logger on my machine to capture the master password, everything is lost. I just accept that risk.

Integrity

I have never experienced a change in the database. If it ever occurs, I just assume that the symptoms would be lost or bad passwords. In that case, I would just take a new copy from one of the other devices.

Availability

The passwords are available provided one of the devices holding the database is. That is enough for my requirements and can be easily adapted.

IMHO the lowest defense line is still a rubber hose attack targeted at me. That is the reason why I always think that I am the weakest element.

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84
  • 1
    I understand what you say but the problem is always the same: in point #2 in confidentiality, you say "if an evil guy managers... everything is lost". That is not acceptable, it can't be accepted, and that's the whole point of my question. The use of a typical password manager makes an infection a single point of failure. An infection or an attack is not like an asteroid or the aliens, the probability is definitely not negligible. I don't understand why everybody is ignoring this. Cryptolocker: the mitigation is... backups. Password-manager-stealer: the mitigation is? – reed Jan 03 '19 at 14:45
  • +1 good answer. I made an edit to clarify wording because I had to re-read it several times, hope that's ok. – Mike Ounsworth Jan 03 '19 at 15:17
  • @MikeOunsworth Thank you for the edit. I try hard to write correct English, but often mix French spelling inside English words... And it is indeed more clear that way. – Serge Ballesta Jan 03 '19 at 15:35
  • @reed: what I mean is that I think that the risk of a rubber hose attack is higher than a keylogger on my machine. And anyway, if the machine is compromised without me noticing it, all my passwords will soon be. I do not ignore that threat, I just accept it, because I could not find a better strategy. – Serge Ballesta Jan 03 '19 at 15:43
  • 1
    That's weird, I often hear of malware and infections, but I've never heard of rubber hose used in real life against someone I know. So I consider rubber hose an exceptional attack. By the way, in the meantime, I've actually come up with a possible solution to my problem, a way to manage passwords that does not have any single points of failure (even in case of infection). I still have to perfect it though, and sooner or later I might come back and answer my own question providing all the details of my method. – reed Jan 03 '19 at 16:07
  • I have been playing with computers for more than 30 years, and if I have seen a good number of various malwares, I have never seen one specifically targetted at a password manager. It needs to, because it must combine a hidden keylogger and the capacity to steal the database. It requires hard work to gain less than 100 passwords. I assume that bad guy are as lazy as I am: use what has the higher gain for the lowest cost. And I am pretty sure that attacking **my** password manager, the way it is configured really is not worth it... – Serge Ballesta Jan 03 '19 at 16:51
  • 1
    ... It is much simpler to send tons of phishing emails, and faking business or banking sites has a much higher possible gain. And for more that 40 years, I have lost much more because of physical theft than because of malwares. That is the reason why I feel more concerned by physical theft than malwares. Anyway I just try to follow *best practices* both in real life (lock my door) and IT world (strong passwords for remote accesses, up to date software (including anti malwares) on local machine). But I refuse paranoia in either world. – Serge Ballesta Jan 03 '19 at 16:59
4

Wrong threat - Password managers mitigate weak & reused passwords. The encryption provided on top of them again is to mitigate a different threat than what you are talking about here.

A complete compromise of a system at the root level without a user knowing yes is catastrophic but this isn't the threat the managers have been introduced to address. At that point yes piece of data and interaction of the system is gone.

Encryption of the key database means a low level account or accidental leak of the file isn't catastrophic.

Additionally most of these Password managers now work with MFA such as Yubikeys.

McMatty
  • 3,232
  • 1
  • 8
  • 16
  • The problem is different: the threat I'm talking about is actually introduced by password managers. Without password managers, that threat disappears. – reed Dec 03 '18 at 23:50
  • Its not a single point though - you should be storing the key db offline as well. Or are you talking about the machien being the single point of failure? – McMatty Dec 04 '18 at 00:26
  • The question explains that if the password manager is attacked (for example the machine is infected and malware grabs the DB and master password, which is not unlikely), then as a result complete failure can happen (all accounts are exposed). Without a password manager the damage would not be complete (only a few accounts would be exposed). – reed Dec 04 '18 at 00:39
  • Just added a yubikey reference in the original - so now your malware requires a master passphrase/password and a Yubikey. – McMatty Dec 04 '18 at 01:26
  • As far as I know, 2FA only prevents access by a remote attacker, but doesn't help much if the attacker uses your computer (with malware) to access what they need. – reed Dec 05 '18 at 20:55
1

You're correct, when using a password manager you do have a single point of failure for any passwords stored within it, and there are not many good ways around that. However, it's not as bleak as it seems, because of the following two points:

  1. A password manager doesn't need to be perfect, it just needs to be better than not using one at all.
  2. AviD's rule of usability: "security at the expense of usability, comes at the expense of security."

Using one is better than not using one

The easiest way to get the password for someone's account, is for them to tell it to you. Phishing is the easiest way to do this. You don't need to hack or compromise anything, all you need is a list of email addresses, a few gullible people owning some of those addresses, and access to a server (which can be your own, or one you've hacked, or one you've "rented" from someone else who hacked it). Password managers help guard against phishing attacks by refusing to auto-fill on the wrong site. If you're using a password manager, and it doesn't auto-fill a login page when you expect it to, you should get suspicious.

The next easiest way to get the password to someone's account, is to find or buy their password, using a previous data leak from another account. This only works if the user has the same password, or a password that follows the same pattern. Now be honest: can you really remember 150+ unique username/password combinations, which are completely unrelated with no pattern, no matter how obfuscated?

The vast majority of people who do not use a password manager will re-use passwords or use a common pattern (mY5n34kyp@55w0rd@google, mY5n34kyp@55w0rd@facebook, mY5n34kyp@55w0rd@linkedin, mY5n34kyp@55w0rd@stackoverflow). Sure, your password might look great...but if it's in the list of linkedin passwords your attacker just bought for $50 in bitcoin, it's easy enough to change "linkedin" to "stackoverflow" and start spamming bootleg drug links so that you lose all your imaginary Internet points.

The smart password-manager user, on the other hand, will have a truly unique, randomly generated password for each and every account. No amount of past data breach access or pattern searching or even phishing of unrelated accounts will ever give up even one additional account.

Another common attack uses a data breach from the website itself to figure out your password, hopefully before the site owner notices the breach. Defending against this relies on having a strong password. The more complicated the "uniquification" scheme, the more random extra characters or substitutions, the longer the password, the more special-case sites you need to account for because of conflicting password requirements: the less likely you'll remember, and the more likely you'll give up and just use something simple, compromising your security in another way. A password manager user, on the other hand, can set their password to be as long and strong as the site allows, and can almost certainly outlast the attacker until the site owner notices and resets their password.

Now, as you mention, an unlocked password manager on a malware-infected computer is Very Bad News. But, a malware-infected computer is Bad News all by itself. Any account you actually access before noticing the malware should be considered compromised. Since it is unlikely you'll be able to pinpoint the exact date your computer became infected, you should probably just treat any account you've ever accessed from that computer as compromised. The solution for both is the same: go and change all your passwords. Except in the case of a password manager, you have a convenient list of all the accounts you need to go visit for this task.

Usability

You rightly point out that keeping all your passwords on a sheet of paper or binder is not as vulnerable to a malware attack. But you yourself easily saw the downside: it's not very usable. Just as a person trying to memorize over 100 unique passwords, it's likely you'll eventually get fed up and start taking shortcuts. Things like saving your passwords in a browser, or starting to use weak easily-memorable passwords, or even just tiring of typing 20+ random characters one key at a time and shortening them to 10 lowercase characters, will give you strictly less secure passwords than just using a password manager (accepting the slightly elevated malware risk) would have given you.

And then there's the increased burden of making sure your notebook has secure backup copies in a safe location in case of coffee spills or fires or naughty dogs or whatever might destroy your primary copy.

A password notebook is a decent workaround for the malware issue. So is using multiple password databases as you point out. But if the burden of using these workarounds ever leads you to make security compromises, and for many people it will, remember that you'll get both a pretty decent level of security and a more convenient system just by using a password manager.

Ben
  • 3,896
  • 1
  • 10
  • 22
0

Fragile? This comes across as uninformed FUD or optimizing for unicorn requirements. I've used a known-good, open source, password manager whos db is versioned for several months, backed-up to multiple clouds and does a insane number of rounds of AES-256 with a decent PBKDF and ridiculously long passphrase for around 10 years. GFL breaking into that for less than $5 billion.

2FA is not required and not desirable in my use-case because if I lose everything, I need to be able to start from only what I know... not what I no longer have. YMMV.

It's only a SPOF if one doesn't have a plaintext export backup done every X days with say GPG, should the password manager suddenly spontaneously combust or stop working on the OS. This is doable as a cron if it can launch a window and grab the user's passphrase from them interactively. If someone were really worried, don't use a password manager and use GPG on plain text... just never lose the encrypted private key (ascii armored and saved somewhere safe).

I hope no one was trying to assert or rationalize storing passwords in the clear on systems because it's a far greater risk than the edge-case of millions of people's favorite password manager going tits up, as there's huge social pressure to not do that. Prioritizing relative risks is more vital to not get stuck going down a rabbit-hole who's cure is worse than a hypothetical virtual impossibility. Mitigate with durable redundancy, such as multiple cloud providers (say Tarsnap, AWS Glacier and BackBlaze).. and in multiple formats... pwmgr db and export CSV GPG'ed. If you can't encrypt, backup or read either of those, then you deserve a whack on the head.

dhchdhd
  • 142
  • 6
  • 1
    It doesn't matter how secure your crypto or your password is. Malicious code on your machine can access them all at once anyway, because it will have your database and also the master password that you regularly enter. The probability of ever having malicious code running on a machine is not negligible, therefore the typical password manager becomes a single point of failure. – reed Jan 03 '19 at 14:23
  • @reed "Nothing is perfectly secure so it doesn't matter" is a tiresome, chickenlittle refrain. An infected computer is your problem, not mine. Ephemeral interception on an infected computer (which has bigger problems) has absolutely nothing to do with at-rest confidentiality, durability and integrity of the pw db or the correct functionality of a pw mgr. The. End. – dhchdhd Jan 03 '19 at 14:30
  • 1
    I never even suggested what you claimed I said. An infected computer is a problem for a lot of people, even if you or me were less likely to be infected than the average Joe. My question asks about ways to mitigate the potentially enormous damages of an infection when a password manager is used on the infected machine – reed Jan 03 '19 at 14:56