1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Researchers warn of serious password manager flaws

Discussion in 'Article Discussion' started by bit-tech, 20 Feb 2019.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    1,881
    Likes Received:
    34
    Read more
     
  2. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,709
    Likes Received:
    1,441
    As a data point, I use a Mooltipass Mini. From my understanding of the attacks in question, I'm pretty secure: like the software-based password managers, I can't be attacked in the not-running state ('cos it's physically disconnected from the PC and in my pocket); I can't be attacked in the running-but-locked or running-and-unlocked states (because the "master password" (actually a combination of an encryption key on a smartcard and a four-digit hexadecimal PIN) is entered on the device, not on the PC, and every single request for a password requires me to verify that request by physically interacting with the device).

    But
    it's entirely possible my passwords could be monitored by a keylogger (if I'm using it in the I'm-a-USB-keyboard-honest mode). They may also be accessible in memory when the app is transferring it to the browser, which is the main way I use it and not vulnerable to a keylogger, though I don't believe they hit the clipboard so that shouldn't be an attack vector.
     
  3. adidan

    adidan Avatar now in stock for xmas 2019

    Joined:
    25 Mar 2009
    Posts:
    12,970
    Likes Received:
    1,185
    Are we at the point where it's now safer just to write passwords on a bit of paper, perhaps in a coded form, and keep them in a locked drawer?

    Probably less likely to get burgled than compromised online.

    You know, old skool.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,709
    Likes Received:
    1,441
    That is more secure than a software password safe, yes, and vulnerable only to physical attack (and keyloggers as you type 'em in, obviously, but so is just remembering the passwords.) Less convenient, but more secure.
     
  5. adidan

    adidan Avatar now in stock for xmas 2019

    Joined:
    25 Mar 2009
    Posts:
    12,970
    Likes Received:
    1,185
    I guess that's pretty much the trade off with everything.
     
  6. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,832
    Likes Received:
    245
    Well, if you got something which can go through your RAM or keylog whatever you do, then you are screwed anyway.
     
  7. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,935
    Likes Received:
    2,038
    I did wonder if the mooltipass transferred the passwords as key presses rather than pasting it into the field.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,709
    Likes Received:
    1,441
    It has two modes of operation. The first is to act as a USB HID: you choose the account on the screen using the little scrollwheel thing, then it types out the username and password for you like it was a USB keyboard. You use that when you're logging in on a phone, tablet, games console, or A. N. Other device that doesn't have any software for it, and it's 100% compatible - but vulnerable to keyloggers.

    The second mode of operation is using the bundled software, which is a two-parter: Moolticute, the background app, and a Mooltipass browser extension. That lets the browser request credentials, so when you hit a login page the Mooltipass will automatically bring up the right account and wait for you to press the button to verify the login. It also lets you capture new passwords and save 'em to the Mooltipass. That mode is not vulnerable to a keylogger, because nothing is typed; it's also not vulnerable to clipboard capture, because the username and password never hits the clipboard. The username and password are, however, present in memory at the time they're used - obviously - which means it may still be possible to capture the password you're using. The downside of this mode is that you need to be on a system you can install the software on and using a browser for which there's an extension, and it doesn't help you much if you need to log in to a non-browser application - you'll need to either use the HID mode and have it type the credentials in for you (in which case you're vulnerable to keyloggers) or use Moolticute to copy and paste the password manually (in which case you're vulnerable to clipboard capture.)

    There's also a third mode, which you can disable if you prefer: when the Mooltipass is connected to a USB charger or battery, rather than a real USB Host, choosing an account on the Mooltipass will print the username and password to the screen so you can manually type it in yourself - perfect for logging into systems with no available USB ports.
     
  9. jb0

    jb0 Active Member

    Joined:
    8 Apr 2012
    Posts:
    410
    Likes Received:
    43
    I use a text file on my hard disk.
    I reckon if they gain access to my system's internal storage, I'm screwed either way.
    ...
    I suppose that is less true now than it was when I started this file.
     
  10. pbryanw

    pbryanw Member

    Joined:
    22 Jul 2009
    Posts:
    186
    Likes Received:
    4
    edzieba likes this.
  11. The_Crapman

    The_Crapman Don't phone it's just for fun.

    Joined:
    5 Dec 2011
    Posts:
    3,836
    Likes Received:
    725
    Once a year I produce a leaflet with all my personal details on including all my login usernames and passwords, then hire a blimp and scatter them across the land. Shits gonna get hacked, might as well get ahead of the game.
     
    jb0 likes this.
  12. fix-the-spade

    fix-the-spade Well-Known Member

    Joined:
    4 Jul 2011
    Posts:
    3,392
    Likes Received:
    259
    I have a little notebook with all the account names in, then the first and one or two other characters from the password in. If any bugger wants to break into my house, find the notebook, steal it and then spend time deciphering the passwords from the three letter clues, well they've earned their Google Drive of porn. Assuming I don't notice that the book's missing and change the passwords in the meantime.
     
    adidan likes this.
Tags: Add Tags

Share This Page