Interesting discussion today. Apparently some folks at the Blackhat conference are planning to release information about an "exploit" with LastPass, a browser-based password manager. I'll grant them that one of the primary weaknesses, and arguably the only one worth considering, with password managers is their inability to defend against weak master passwords or master passwords that have been compromised.
But that's not really the issue I take with this notion. My problem with this is that services like LastPass' premium (cloud-based) offering, and their browser extension in general, really run counter to the principles of isolation, or "siloing" your data. (This applies to Apple's iCloud offerings, too.)
In short: If you concede control, you've lost control.
My advice is two-fold. First, don't use cloud-based password services. It's convenient, certainly, because you can easily share all of your passwords among every device. But by sharing them, by conceding control to a third party, you no longer have control of your passwords. The act of storing your passwords on systems you do not control (like the cloud) increases your attack surface, and all it takes is the compromise (or theft) of a single connected device to lose all of your carefully stored passwords.
Don't do this.
Second, if you're security conscious, you really ought to avoid browser-based password storage extensions. Indeed, you should avoid storing passwords in your browser, period. Web browsers aren't like those we knew of 10-15 years ago, when they were relatively lightweight and did one thing. Modern web browsers are essentially a pseudo-operating system, complete with their own extensions (or apps). While substantial effort has been made to improve security, preventing extensions from reading information they're not authorized to read, the truth is that once you've installed and run third-party code you're already exposing your browser to a third party. It's inconvenient to have to load a separate application, copy that password, and paste it into a password field, but it's by far the most security-conscious option.
It could be argued that password storage in-browser isn't much different from using a specialized application, because if your system is stolen, both of these systems would be presented with the same risk of theft. That's true, but it ignores the extensibility of modern browsers and their greater attack surface. Purpose-built applications with no networking code (except, perhaps, for version-checking) that do one and only one thing are inherently more secure.
Of course, if you have a laptop that's stolen, you have to assume that all of your passwords are already compromised. Any existing sessions you have active on websites, email, etc., will also be compromised. I'd delve into more detail, but I think that's a subject for separate discussion, though it does highlight the importance of risk mitigation. At a very minimum, users of password managers should keep a backup copy of their password archive on a USB drive, external backup, or elsewhere. In many cases, your source archive will remain secure for a short while (if the password cannot easily be brute-forced), and will provide you with enough information to determine which sites you've accessed, stored credentials for, and which will require changes to your old (now-stolen) password(s). With a password manager, the idea isn't so much to eliminate the risk of theft as much as it is to merely delay the would-be thief long enough to change and thus invalidate your stolen credentials.
Obviously, password managers have limited countermeasures at their disposal when physical access is a concern. It's important to be aware of this when selecting one, creating a password repository, and selecting a master password. Strong passwords may make it essentially impossible to break into your password archive (provided there are no known attacks against the key mechanisms used), but I'm reluctant to say that they completely eliminate the possibility. Technology will always be improving, and future advances in areas like quantum cryptography may serve to weaken the overall key space of a given cipher algorithm. No matter how you store your passwords, I think it's important to plan ahead, and be prepared to reset your most important credentials should they be stolen.
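To put the "delay the thief" model from the last two paragraphs into numbers, here is an added example (mine, not the poster's, and not code from LastPass or any other product). It estimates the entropy of a master password, benchmarks a slow key-derivation function as a stand-in for whatever a given vault format actually uses (PBKDF2-HMAC-SHA256 is an assumption here; the post names no KDF), and converts an assumed offline guessing rate into the expected time an attacker with a stolen archive would need. The point is to see how the KDF work factor and the master password entropy together buy the time window in which stolen credentials must be rotated.

```python
import hashlib
import math
import os
import time


def entropy_bits_charset(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols
    drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a
    word list of `dictionary_size` entries (e.g. a 7776-word diceware list)."""
    return words * math.log2(dictionary_size)


def expected_seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Average-case offline brute force: the attacker tries half the key
    space before hitting the right master password on average."""
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def measure_kdf_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Benchmark one PBKDF2-HMAC-SHA256 derivation on this machine.
    PBKDF2 is an assumed stand-in KDF; the vault format under discussion is
    not specified on the page. The salt and password are constructed."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"constructed-master-password", salt, iterations)
    return (time.perf_counter() - start) / samples


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick read."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Assumed attacker: 1e9 raw hash evaluations/sec on GPUs. Each guess
    # costs `iterations` HMAC calls, so the effective guess rate is divided
    # by the KDF work factor. Numbers are illustrative assumptions.
    raw_hashes_per_second = 1e9
    for iterations in (5_000, 100_000, 600_000):
        per_guess_local = measure_kdf_seconds_per_guess(iterations)
        effective_rate = raw_hashes_per_second / iterations
        print(f"KDF iterations={iterations:>7}: local cost {per_guess_local*1000:.1f} ms/guess, "
              f"assumed attacker rate {effective_rate:,.0f} guesses/s")
        for label, bits in (
            ("8-char mixed (95 symbols)", entropy_bits_charset(8, 95)),
            ("12-char mixed (95 symbols)", entropy_bits_charset(12, 95)),
            ("6-word diceware (7776 words)", entropy_bits_passphrase(6, 7776)),
        ):
            t = expected_seconds_to_crack(bits, effective_rate)
            print(f"    {label:<30} {bits:5.1f} bits -> {human_duration(t)}")
```

The output makes the post's caveat concrete: an 8-character master password falls in hours to days even behind a heavy KDF, while a 6-word passphrase pushes the expected time far past any realistic rotation window. The KDF buys a constant factor; the master password entropy buys the exponent, which is why weak master passwords are the weakness worth worrying about.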
TL;DR: Don't use cloud password storage, shy away from browser extensions that do the same thing, don't store your passwords in the browser, period, and try to use a stand-alone application for password management. Also, keep backups, and plan ahead for contingencies in case your archives are compromised.

Statistics: Posted by Zancarius — Mon Sep 14, 2015 11:13 pm