
Researchers warn of serious password manager flaws

Discussion in 'Article Discussion' started by bit-tech, 20 Feb 2019.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
     
  2. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,130
    Likes Received:
    6,718
    As a data point, I use a Mooltipass Mini. From my understanding of the attacks in question, I'm pretty secure: like the software-based password managers, I can't be attacked in the not-running state ('cos it's physically disconnected from the PC and in my pocket); I can't be attacked in the running-but-locked or running-and-unlocked states (because the "master password" (actually a combination of an encryption key on a smartcard and a four-digit hexadecimal PIN) is entered on the device, not on the PC, and every single request for a password requires me to verify that request by physically interacting with the device).

    But it's entirely possible my passwords could be monitored by a keylogger (if I'm using it in the I'm-a-USB-keyboard-honest mode). They may also be accessible in memory when the app is transferring it to the browser, which is the main way I use it and not vulnerable to a keylogger, though I don't believe they hit the clipboard so that shouldn't be an attack vector.
     
  3. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,797
    Likes Received:
    5,588
    Are we at the point where it's now safer just to write passwords on a bit of paper, perhaps in a coded form, and keep them in a locked drawer?

    Probably less likely to get burgled than compromised online.

    You know, old skool.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,130
    Likes Received:
    6,718
    That is more secure than a software password safe, yes, and vulnerable only to physical attack (and keyloggers as you type 'em in, obviously, but so is just remembering the passwords.) Less convenient, but more secure.
     
  5. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,797
    Likes Received:
    5,588
    I guess that's pretty much the trade off with everything.
     
  6. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    Well, if you got something which can go through your RAM or keylog whatever you do, then you are screwed anyway.
     
  7. David

    David μoʍ ɼouმ qᴉq λon ƨbԍuq ϝʁλᴉuმ ϝo ʁԍɑq ϝμᴉƨ

    Joined:
    7 Apr 2009
    Posts:
    17,447
    Likes Received:
    5,851
    I did wonder if the mooltipass transferred the passwords as key presses rather than pasting it into the field.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,130
    Likes Received:
    6,718
    It has two modes of operation. The first is to act as a USB HID: you choose the account on the screen using the little scrollwheel thing, then it types out the username and password for you like it was a USB keyboard. You use that when you're logging in on a phone, tablet, games console, or A. N. Other device that doesn't have any software for it, and it's 100% compatible - but vulnerable to keyloggers.

    The second mode of operation is using the bundled software, which is a two-parter: Moolticute, the background app, and a Mooltipass browser extension. That lets the browser request credentials, so when you hit a login page the Mooltipass will automatically bring up the right account and wait for you to press the button to verify the login. It also lets you capture new passwords and save 'em to the Mooltipass. That mode is not vulnerable to a keylogger, because nothing is typed; it's also not vulnerable to clipboard capture, because the username and password never hit the clipboard. The username and password are, however, present in memory at the time they're used - obviously - which means it may still be possible to capture the password you're using. The downside of this mode is that you need to be on a system you can install the software on and using a browser for which there's an extension, and it doesn't help you much if you need to log in to a non-browser application - you'll need to either use the HID mode and have it type the credentials in for you (in which case you're vulnerable to keyloggers) or use Moolticute to copy and paste the password manually (in which case you're vulnerable to clipboard capture).

    There's also a third mode, which you can disable if you prefer: when the Mooltipass is connected to a USB charger or battery, rather than a real USB Host, choosing an account on the Mooltipass will print the username and password to the screen so you can manually type it in yourself - perfect for logging into systems with no available USB ports.
     
  9. jb0

    jb0 Minimodder

    Joined:
    8 Apr 2012
    Posts:
    555
    Likes Received:
    93
    I use a text file on my hard disk.
    I reckon if they gain access to my system's internal storage, I'm screwed either way.
    ...
    I suppose that is less true now than it was when I started this file.
     
  10. pbryanw

    pbryanw Minimodder

    Joined:
    22 Jul 2009
    Posts:
    192
    Likes Received:
    4
  11. The_Crapman

    The_Crapman World's worst stuntman. Lover of bit-tech

    Joined:
    5 Dec 2011
    Posts:
    7,669
    Likes Received:
    3,926
    Once a year I produce a leaflet with all my personal details on including all my login usernames and passwords, then hire a blimp and scatter them across the land. Shit's gonna get hacked, might as well get ahead of the game.
     
  12. fix-the-spade

    fix-the-spade Multimodder

    Joined:
    4 Jul 2011
    Posts:
    5,515
    Likes Received:
    1,304
    I have a little notebook with all the account names in, then the first and one or two other characters from the password in. If any bugger wants to break into my house, find the notebook, steal it and then spend time deciphering the passwords from the three letter clues, well they've earned their Google Drive of porn. Assuming I don't notice that the book's missing and change the passwords in the meantime.
     