Discussion in 'Article Discussion' started by bit-tech, 20 Feb 2019.
As a data point, I use a Mooltipass Mini. From my understanding of the attacks in question, I'm pretty secure: like the software-based password managers, I can't be attacked in the not-running state ('cos it's physically disconnected from the PC and in my pocket); I can't be attacked in the running-but-locked or running-and-unlocked states (because the "master password" (actually a combination of an encryption key on a smartcard and a four-digit hexadecimal PIN) is entered on the device, not on the PC, and every single request for a password requires me to verify that request by physically interacting with the device).
But it's entirely possible my passwords could be monitored by a keylogger (if I'm using it in the I'm-a-USB-keyboard-honest mode). They may also be accessible in memory when the app is transferring it to the browser, which is the main way I use it and not vulnerable to a keylogger, though I don't believe they hit the clipboard so that shouldn't be an attack vector.
Are we at the point where it's now safer just to write passwords on a bit of paper, perhaps in a coded form, and keep them in a locked drawer?
Probably less likely to get burgled than compromised online.
You know, old skool.
That is more secure than a software password safe, yes, and vulnerable only to physical attack (and keyloggers as you type 'em in, obviously, but so is just remembering the passwords.) Less convenient, but more secure.
I guess that's pretty much the trade off with everything.
Well, if you got something which can go through your RAM or keylog whatever you do, then you are screwed anyway.
I did wonder if the mooltipass transferred the passwords as key presses rather than pasting it into the field.
It has two modes of operation. The first is to act as a USB HID: you choose the account on the screen using the little scrollwheel thing, then it types out the username and password for you like it was a USB keyboard. You use that when you're logging in on a phone, tablet, games console, or A. N. Other device that doesn't have any software for it, and it's 100% compatible - but vulnerable to keyloggers.
The second mode of operation is using the bundled software, which is a two-parter: Moolticute, the background app, and a Mooltipass browser extension. That lets the browser request credentials, so when you hit a login page the Mooltipass will automatically bring up the right account and wait for you to press the button to verify the login. It also lets you capture new passwords and save 'em to the Mooltipass. That mode is not vulnerable to a keylogger, because nothing is typed; it's also not vulnerable to clipboard capture, because the username and password never hit the clipboard. The username and password are, however, present in memory at the time they're used - obviously - which means it may still be possible to capture the password you're using. The downside of this mode is that you need to be on a system you can install the software on and using a browser for which there's an extension, and it doesn't help you much if you need to log in to a non-browser application - you'll need to either use the HID mode and have it type the credentials in for you (in which case you're vulnerable to keyloggers) or use Moolticute to copy and paste the password manually (in which case you're vulnerable to clipboard capture.)
There's also a third mode, which you can disable if you prefer: when the Mooltipass is connected to a USB charger or battery, rather than a real USB Host, choosing an account on the Mooltipass will print the username and password to the screen so you can manually type it in yourself - perfect for logging into systems with no available USB ports.
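The post above notes that in the software mode the credential is unavoidably in memory while it is being used. An added example (not Mooltipass or Moolticute code) of the defensive pattern that limits that window: copy the secret into a fixed working buffer, hand it to the consumer, then zero the buffer with a wipe the optimizer cannot drop as a dead store. The credential string and the `record_len` consumer are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* A volatile function pointer to memset forces the call to be emitted,
 * so the compiler cannot discard the wipe as a "dead" store to a buffer
 * that is about to go out of scope. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n) {
    memset_ptr(p, 0, n);
}

/* Whatever consumes the credential (browser fill, HID typing, ...). */
typedef void (*use_fn)(const char *cred, void *ctx);

/* Copies the credential into a bounded working buffer, invokes the
 * consumer once, then wipes the buffer. Returns the number of bytes
 * still non-zero after the wipe, so 0 means nothing was left behind. */
size_t use_credential_then_wipe(const char *cred, use_fn use, void *ctx) {
    char work[64];
    size_t len = 0;
    while (len < sizeof work - 1 && cred[len] != '\0') len++;  /* bounded copy */
    memcpy(work, cred, len);
    work[len] = '\0';

    use(work, ctx);                 /* the window in which the secret is exposed */
    secure_wipe(work, sizeof work); /* close the window before returning */

    size_t leftover = 0;
    for (size_t i = 0; i < sizeof work; i++) leftover += (work[i] != 0);
    return leftover;
}

/* Constructed consumer: records the credential length it was handed. */
static void record_len(const char *cred, void *ctx) {
    *(size_t *)ctx = strlen(cred);
}

int main(void) {
    size_t n = 0;
    return use_credential_then_wipe("correct horse battery staple", record_len, &n) == 0 ? 0 : 1;
}
```

This only shrinks the lifetime of the working copy; the consumer's own copies (the browser's form field, the USB report buffer) are outside its control.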
I use a text file on my hard disk.
I reckon if they gain access to my system's internal storage, I'm screwed either way.
I suppose that is less true now than it was when I started this file.
For what it's worth, 1Password has responded to this on their forum:
Jpgoldberg - their head of security (I think) - responded to this in a lengthy post, explaining why it's so hard to fix these vulnerabilities in practice.
Once a year I produce a leaflet with all my personal details on including all my login usernames and passwords, then hire a blimp and scatter them across the land. Shit's gonna get hacked, might as well get ahead of the game.
I have a little notebook with all the account names in, then the first and one or two other characters from the password in. If any bugger wants to break into my house, find the notebook, steal it and then spend time deciphering the passwords from the three letter clues, well they've earned their Google Drive of porn. Assuming I don't notice that the book's missing and change the passwords in the meantime.