
I was reading an infosec user's take on the LastPass data breach and noted something odd in his commentary on another password manager system (emphasis mine)

I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall [this password manager] is a solid product.

Why would garbage collection be a problem in a password manager?

schroeder
Machavity

1 Answer

I presume he means a language in which garbage collection happens automatically rather than the code explicitly managing the memory and clearing values at intentional times.

When you don't have direct control over items in memory, the chance of data persisting longer than intended and hence being present in a memory dump is greater.

You enter your password. It gets sent to my manager app. The code hashes it (and salts and peppers it or what have you) and stores it. What to do with that value in memory I just received? Ideally delete it instantly. Less ideally, wait for the interpreter to realize I don't need the value anymore and delete it. Meanwhile Johnny Crax is working hard to get my app to bleed or dump the contents of its memory.

Luke Sawczak
  • I read somewhere that such a line of thinking is fallacious and a fundamental misunderstanding of what problems password managers are supposed to solve. We should apply binary logic here: Either my computer is or is not compromised. If it is then not even deleting the password from memory instantly will save me - all my passwords should be considered compromised, period, full stop. If my computer is not compromised, then this issue doesn't matter in the slightest. – gaazkam Jan 03 '23 at 15:36
  • Password managers are supposed to solve a wholly different problem. They are supposed to protect me against ***the websites on which I have user accounts*** being compromised, rather than against my computer being compromised. Without a password manager I am forced to use the same password for every website, therefore if a single one gets hacked, attackers instantly gain access to all my accounts across the whole internet. With password managers I may use unique passwords, therefore data leaks from a single website do not hurt my other accounts. – gaazkam Jan 03 '23 at 15:39
  • Conversely, if I don't use a password manager (but instead, for example, store all my passwords in a paper notebook and manually type them every single time) but my computer is compromised then the malware will get access to my passwords as soon as I use them. So, inherently, the use of password managers does not weaken or strengthen my vulnerability to my computer being compromised in any way. – gaazkam Jan 03 '23 at 15:42
  • The end of story is the same in all cases: Any use of any password on a compromised computer also makes that password compromised, any use of any password (authenticating with it, putting it into a password manager or even storing it in a plaintext file) on a computer that is not compromised does not make that password compromised. – gaazkam Jan 03 '23 at 15:44
  • OTOH this reasoning may be flawed after all: https://security.stackexchange.com/questions/199435/why-are-passphrases-protecting-gpg-ssh-private-keys-needed – gaazkam Jan 03 '23 at 15:45
  • @gaazkam That's as may be, but I still suspect that this is what the author intended :) – Luke Sawczak Jan 03 '23 at 15:48
  • @gaazkam: The thought that a computer's security status is binary: either compromised completely for all time or not at all is elegant but inadequate. Consider when there's no active compromise, but a passive data disclosure at a future time. Just a few examples: swapfiles, hibernation files, backups, Heartbleed, Spectre. – Ben Voigt Jan 03 '23 at 15:55
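The answer's point, "ideally delete it instantly", is something a garbage-collected language lets you do only for secrets you keep in a mutable buffer. The following Python example is added here and is not code from the question, the answer, or any password manager: it keeps the master password in a `bytearray`, derives a salted PBKDF2 verifier from it, and overwrites the buffer in place the moment the derivation finishes (or fails), instead of waiting for the collector. The function and buffer names are this example's own.

```python
import hashlib
import secrets
from contextlib import contextmanager


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. A str or bytes object cannot be
    cleared like this: it is immutable and the plaintext stays in memory
    until the garbage collector frees it (and is never overwritten)."""
    for i in range(len(buf)):
        buf[i] = 0


def is_wiped(buf: bytearray) -> bool:
    """True when every byte of the buffer has been zeroed."""
    return all(b == 0 for b in buf)


@contextmanager
def secret(buf: bytearray):
    """Yield the buffer and wipe it on exit, even if the body raises."""
    try:
        yield buf
    finally:
        wipe(buf)


def derive_verifier(password: bytearray, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hash the password (PBKDF2-HMAC-SHA256, salted) and wipe the input right after.
    pbkdf2_hmac reads the bytearray through the buffer protocol, so no immutable
    copy is made here; any copy the hashing library makes internally, or that
    the OS swaps or hibernates to disk, is outside this code's control."""
    with secret(password) as pw:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)


if __name__ == "__main__":
    # Constructed sample input; a real app would read it from the UI into a bytearray.
    master = bytearray(b"correct horse battery staple")
    salt = secrets.token_bytes(16)
    verifier = derive_verifier(master, salt)
    print("verifier:", verifier.hex())
    print("password buffer wiped:", is_wiped(master))
```

The wipe only covers bytes you control: a `str` built from the same keystrokes, or a copy made inside a library, still lingers until collected, which is the tradeoff the quoted reviewer was pointing at.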