
News Trend Micro Password Manager hit by multiple flaws

Discussion in 'Article Discussion' started by Gareth Halfacree, 12 Jan 2016.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,135
    Likes Received:
    2,244
  2. DragunovHUN

    DragunovHUN I want to change my name but I also don't

    Joined:
    30 Oct 2008
    Posts:
    5,144
    Likes Received:
    181
    I don't use any password managers on principle and I'm amazed that they're as popular as they are. Even if they don't have massive flaws, they're still a huge honeypot that attackers would love to get into. I'd rather have one thing compromised at a time than everything I ever signed up for.
     
  3. fix-the-spade

    fix-the-spade Well-Known Member

    Joined:
    4 Jul 2011
    Posts:
    3,810
    Likes Received:
    371
    I have a notebook with all my passwords and user IDs in it. Totally insecure, but reading it would require entering my office, picking the correct notebook from dozens piled around and then knowing which half words and partially blocked-out letters corresponded to which account. Good luck to anyone wishing to try.

    Why you'd trust that kind of thing to software...
     
  4. Cerberus90

    Cerberus90 Car Spannerer

    Joined:
    23 Apr 2009
    Posts:
    7,550
    Likes Received:
    138
    +1 to that, you may as well just use one password for everything as use a password manager. I let Firefox remember my passwords, but I don't use any of its syncing stuff so it's all local; I also have a text file with all my passwords in it (I had started writing a little encryption app in C++ to encrypt it but got sidetracked by other stuff and it fell by the wayside).
     
  5. Pliqu3011

    Pliqu3011 all flowers in time bend towards the sun

    Joined:
    8 Aug 2009
    Posts:
    2,736
    Likes Received:
    255
    I also keep all of my passwords in a notebook. All of them are >15 characters, but I usually abbreviate them to 1 or 2 letters and a number so I know perfectly which password it is for each account, but someone who finds my notebook can't just type them in and have access to everything. Same for my email addresses and account names.
     
  6. Glix

    Glix Left Thumb Stick in the mud.

    Joined:
    11 May 2010
    Posts:
    318
    Likes Received:
    1
    Don't let Firefox remember your passwords; there is drive-by malware out in the wild able to fire off all your saved passwords, probably the same for the other browsers too.

    The problem with keeping a file of saved passwords is that it's either fiddly to retrieve your passwords or someone watching over your shoulder has just seen your password and where you keep them all.

    It sucks that there isn't an easy solution, everything has pitfalls. :(
     
  7. Cerberus90

    Cerberus90 Car Spannerer

    Joined:
    23 Apr 2009
    Posts:
    7,550
    Likes Received:
    138
    The only people who are going to see it are my parents and sister, so I don't need to worry about people seeing them, :D. Greater risk of malware getting its hands on it, but then I can't remember the last time I got a virus, :D
     
  8. greigaitken

    greigaitken Member

    Joined:
    26 Aug 2009
    Posts:
    409
    Likes Received:
    4
    "I can't remember the last time I got a virus, :D"

    It was working fine until it broke...
     
  9. Measter

    Measter New Member

    Joined:
    2 Feb 2008
    Posts:
    129
    Likes Received:
    4
    My database having a password + 4 megabyte key file is a little more secure than a single memorised password for everything. Bearing in mind that the password and key file need to go through over a million transformations first.

    And as far as I'm aware, AES and SHA-256 haven't been feasibly broken yet.
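
The "password + key file, then a million transformations" idea in the post above, as an added illustration written for this thread rather than KeePass's own code. KeePass's real key derivation differs (it runs AES-KDF or Argon2 over a composite key); the SHA-256 iteration here is a simplified stand-in, and the function names, the 4 MB key-file size and the timing probe are this example's own assumptions. What it shows is why the key file matters (neither secret alone rebuilds the composite) and why the round count matters (every guess at the password pays the full cost).

```python
import hashlib
import os
import time
from typing import Optional

# Added illustration (not KeePass's own code). A "password + key file" master key that is
# stretched through a large number of hash rounds. KeePass's real KDF (AES-KDF / Argon2)
# differs; the SHA-256 loop below is a simplified stand-in for explanation only.

DEFAULT_ROUNDS = 1_000_000  # "over a million transformations", per the post


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Combine the two secrets into one 32-byte composite.

    Each secret is hashed separately, then the concatenation is hashed again, so neither
    the password alone nor the key file alone reproduces the composite.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def stretch(key: bytes, rounds: int) -> bytes:
    """Iterate the hash `rounds` times so each guess costs `rounds` hash calls."""
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def derive_master_key(password: str, keyfile: Optional[bytes],
                      rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Full derivation: composite first, then the stretching rounds."""
    return stretch(composite_key(password, keyfile), rounds)


def make_keyfile(size: int = 4 * 1024 * 1024) -> bytes:
    """Generate a random key file (4 MB by default, matching the post's figure)."""
    return os.urandom(size)


def seconds_per_guess(rounds: int) -> float:
    """Time one derivation on this machine; an attacker's per-guess cost scales the same way."""
    start = time.perf_counter()
    derive_master_key("timing-probe", b"timing-probe", rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    keyfile = make_keyfile()
    key = derive_master_key("correct horse battery staple", keyfile)
    print("master key:", key.hex())
    print("one guess takes about %.3f s at %d rounds"
          % (seconds_per_guess(DEFAULT_ROUNDS), DEFAULT_ROUNDS))
```

Run it directly to see the per-guess cost on your own hardware; raising `rounds` until a single derivation takes around a second is the usual way to pick a value, since a legitimate user pays it once per unlock while a guesser pays it per candidate.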
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,135
    Likes Received:
    2,244
    The best and most properly secure system I've seen that simultaneously manages to avoid having the user memorise crap, carry a notebook, or stick a pen drive with an encrypted file on it into the system (and good luck logging into something from your smartphone if the latter is the case) is that used by PasswordMaker and similar: have a 'master password' which is hashed then XORed with the domain you're trying to log in to. All you need to remember is the one password, but every site you access gets a unique password. Revocation is an issue, though: if your master password is compromised (or you decide 12345 was a bad idea) then you're going to need to go to every website and change the resultant unique password manually to match your new master password's output. Awkward.

    'Course, if companies would hurry up and implement two-factor authentication none of this would be a problem. I could set up a user account on my server with the username "admin" and the password "password", tell you both of those facts plus the IP of the server, and you still wouldn't be able to log in unless you'd stolen my phone without me noticing. (Checks pocket...)
     
  11. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,169
    Likes Received:
    146
    Ah, it took me a minute but I get it. The benefit is there are no passwords stored anywhere. Only the algorithm.
     
  12. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    570
    Likes Received:
    40
    Are you sure that's how it works? Because it does not sound very secure - if an attacker can get a single generated password and domain pair then they can recover your master password hash and, as this is constant for all domains, they can generate those passwords. The only "protection" is that the attacker must know your password generation algorithm.

    Personally, not moving away from KeePass any time soon.
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,135
    Likes Received:
    2,244
    If t'were a simple XOR, yes, you could take two knowns to get the third unknown (i.e. unique password and domain to get the original master password), but it ain't. I was on my phone and simplifying the explanation.

    Here's how PasswordMaker describes the process:
    If you're using KeePass on Windows, you'd probably benefit from reading about KeeFarce, which allows your password list to be recovered unencrypted from memory...

    Security: it's a process, not a destination.
     
  14. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    3,009
    Likes Received:
    265
    Touch wood, if you use it correctly, Keepass still seems like the best compromise to me.

    Keefarce is just an example of the rule that if the system itself is compromised you're basically screwed anyway, whatever you use.
     
  15. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    12,055
    Likes Received:
    1,624
    If people want in badly enough they'll find a way, whatever discouragements you have in the way... as long as the discouragements are robust enough that all but the most committed of numpties go 'nope, not worth the effort', you'll be fine.
     
  16. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    570
    Likes Received:
    40
    So basically they are salting your password with the domain and then hashing? If that's the case, it still comes down to the user to have a strong master password, otherwise it's susceptible to table/brute-force attack.

    Nothing new, pretty much any software would be susceptible to such an attack, including PasswordMaker.
     
  17. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,135
    Likes Received:
    2,244
    Not feasible, because you can tailor the settings. Sure, if you run it at defaults you'll need a strong password (although you should have a strong password anyway) to prevent someone just downloading PasswordMaker themselves and guessing your password, but you can choose the length of the output, the character set, even whether or not it is run through varying types of filters. Something as simple as changing the default output length by one single character would throw off a brute-force approach.

    I get your meaning, but that's a very different attack: you can't pull every password out of PasswordMaker's memory, 'cos there aren't any passwords in PasswordMaker's memory.

    (Incidentally, I don't use PasswordMaker. These days I use LastPass for things I don't mind being a little insecure, and KeePassX for stuff like internet banking.)
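
The stateless "master password + domain" scheme described in the posts above (one password to remember, a unique output per site, settings such as length, character set and a l33t filter), as an added illustration written for this thread. It is not PasswordMaker's own algorithm: the HMAC-SHA256 construction, the character-set mapping, the small l33t table and all function names are this example's assumptions; the defaults follow the settings quoted in the thread (SHA-256, hexadecimal, 16 characters). It also carries the two points argued over: the revocation cost of changing the master password, and why the "hash then XOR with the domain" simplification would not be safe.

```python
import hashlib
import hmac

# Added illustration (not PasswordMaker's code). A stateless per-site password generator:
# nothing is stored; the same master password, domain and settings always give the same output.

CHARSETS = {
    "hex": "0123456789abcdef",
    "alnum": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
}

# Tiny substitution table standing in for a l33t "munging" filter (assumption, not the real table).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def site_password(master: str, domain: str, length: int = 16,
                  charset: str = "hex", leet: bool = False) -> str:
    """Derive one site's password from the master password and the domain.

    The domain plus the output settings form the salt; the master password is the HMAC key.
    The settings are folded into the salt on purpose, so changing even the length gives an
    unrelated string rather than a longer version of the previous one.
    """
    alphabet = CHARSETS[charset]
    # Reject bytes above the largest multiple of len(alphabet) to avoid modulo bias.
    limit = 256 - (256 % len(alphabet))
    out, counter = [], 0
    while len(out) < length:
        salt = f"{domain}\x00{charset}\x00{length}\x00{counter}".encode("utf-8")
        block = hmac.new(master.encode("utf-8"), salt, hashlib.sha256).digest()
        out.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        counter += 1
    password = "".join(out[:length])
    return password.translate(LEET) if leet else password


def rotate_master(old_master: str, new_master: str, domains, **settings) -> dict:
    """The revocation problem: after a master change every site's password changes and each
    must be updated by hand. Returns {domain: (old_password, new_password)}."""
    return {d: (site_password(old_master, d, **settings),
                site_password(new_master, d, **settings)) for d in domains}


def xor_variant(master: str, domain: str) -> bytes:
    """The 'hash, then XOR with the domain' simplification from the thread, kept only to show
    why a real scheme does not work this way."""
    digest = hashlib.sha256(master.encode("utf-8")).digest()
    pad = domain.encode("utf-8").ljust(32, b"\x00")[:32]
    return bytes(a ^ b for a, b in zip(digest, pad))


def master_hash_from_xor_pair(domain: str, site_pw: bytes) -> bytes:
    """XOR is its own inverse: one (domain, password) pair hands back the master hash, which
    under the XOR scheme is all that is needed for every other site. The HMAC scheme above
    has no such shortcut; an attacker is left guessing the master password itself."""
    pad = domain.encode("utf-8").ljust(32, b"\x00")[:32]
    return bytes(a ^ b for a, b in zip(site_pw, pad))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for d in ("example.com", "example.org"):
        print(d, site_password(master, d))
    print("alnum + l33t:", site_password(master, "example.com", charset="alnum", leet=True))
    for d, (old, new) in rotate_master(master, "new master phrase", ["example.com"]).items():
        print("after rotation,", d, "changes from", old, "to", new)
```

Note the design choice in `site_password`: because the settings are part of the salt, a one-character change to the length produces a completely different string, which is the property the post above relies on. Without that, a 17-character output would simply start with the 16-character one.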
     
  18. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    570
    Likes Received:
    40
    No, it's exactly the same, just in the case of PasswordMaker the attacker is trying to read not decrypted passwords, but their generation settings and your master password, which must still reside <somewhere> in memory. LastPass, KeePassX, etc. are also vulnerable to such an "attack".
    In either case, this is an overly complicated attack vector; a lot easier/more feasible attack would be replacing the installed X password manager with a modified version which would email the attacker all the passwords on its own.

    p.s. I just use mobile signature for stuff where I must provide my true ID :p.
     
  19. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,135
    Likes Received:
    2,244
    It's still a very different attack. KeeFarce will get you an output that looks something like this:

    Site1 URL
    Username: bob
    Password: 12345

    Site2 URL
    Username: bob
    Password: 67890

    So on and so forth throughout every site you have an account for stored in KeePass. Instant jackpot: using those, I immediately know where to go and how to get in.

    Same local attack against PasswordMaker:

    Master Password: 12345 (which is only stored in memory when you're actively using it)
    Hashing Algorithm: SHA-256
    L33t Munging: Yes
    Character Set: Hexadecimal
    Length: 16 characters

    That information will let me generate the same unique per-site passwords as you - but for what sites? I don't know where you go or what your username is. Sure, I can take a look at your internet history - but now I'm having to perform a second, unrelated attack before I can actually use the information I got.

    See the difference? In both cases, the software is cracked wide open - but the attack is far more devastating to the KeePass user than the PasswordMaker user.
     
  20. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    570
    Likes Received:
    40
    To be fair, if an attacker has sufficient access/privileges to pull off cross-application memory injection, then he has pretty much unlimited access to that machine. In such a case gathering your login names/sites you visit is trivial - just copy browsing history or run a keylogger.

    Password generators can be an option/time-savers, but they can also become a major pain in the a** very quickly, even if not directly compromised.

    Don't run password managers on systems you have no control of/don't run unknown software, especially with admin rights, and you should be fine (unless the manager itself has as many holes as a sieve, in which case you are f*****).

    In any case, we got a bit off-topic. I think RedFlames summed up this whole discussion the best.
     