In Learning Tree’s System and Network Security Introduction course we talk about the tradeoff between security and convenience. They’re usually at either end of the seesaw: If one is going to go up, the other has to go down.
For clear examples of this, see the password managers implemented as parts of web browsers and as browser plugins. You can store as many complicated passwords as you want in a password manager, satisfying password complexity rules, frustrating password cracking, and making brute-force attacks impractical, but the tradeoff is that those passwords are stored somewhere.
So of course you should also turn on a master password, so you have to type the one complex password you must remember to unlock the password storage.
Now you’re safe, right? Well, no…
Two studies of password security were presented at the 23rd USENIX Security Symposium in San Diego in late August: “Password Managers: Attacks and Defenses” and “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers”.
The short version is that we really aren’t secure with password managers built into or plugged into browsers. Chrome seems to be the least bad of the lot, but it has problems. The authors analyzed Firefox, Chrome, Internet Explorer, Safari, and password manager plugins including 1Password, LastPass, Keeper, KeePass, Norton IdentitySafe, RoboForm, My1login, PasswordBox, and NeedMyPassword.
Both papers come up with excellent ideas. Now if we could just get the developers on board…
Many web pages, about 17% of the Alexa Top 500 websites, serve a login page over HTTP and submit the password over HTTPS, leaving the site vulnerable even though the password itself travels encrypted. But even with well-designed web sites, the browsers and plugins leave the doors open.
All the browsers except Chrome are vulnerable to an attack based on one or more iframes within a hostile web page. If the password storage is already unlocked, when you load the hostile page the browser will invisibly fill in your username and password for as many sites as the attacker cares to request. The authors propose a rogue wireless router at a coffee shop, although I am always even more skeptical of hotel wireless networks.
Most of the browsers require user intervention to fill the login and password fields when there’s a mix of protocols, but some of the plugins inappropriately automate this process.
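To make the three failure modes above concrete (a login page served over HTTP, a form hidden in an iframe on someone else's page, and filling with no user action), here is an added example of a conservative autofill policy written as a pure function so it can be unit-tested without a browser. This is illustration code, not code from the post or from either USENIX paper, and not any browser's or plugin's actual logic; the shape of the `request` object and the sample vault entries are assumptions constructed for the example.

```javascript
// Added example: a conservative autofill policy as a pure function.
// Not taken from the post, the papers, or any real password manager.

const STORED = [
  // Constructed sample vault entries. Credentials are keyed by the exact
  // origin (scheme + host + port) on which they were saved.
  { origin: "https://bank.example", username: "alice", password: "constructed-sample-1" },
  { origin: "https://mail.example", username: "alice@mail.example", password: "constructed-sample-2" },
];

// Reduce a URL to its origin; `host` keeps a non-default port.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether a stored credential may be filled into a form.
// request (assumed shape for this example) = {
//   topUrl:      URL of the top-level document shown in the address bar
//   frameUrl:    URL of the document that actually contains the login form
//   formAction:  URL the form will submit to
//   userGesture: true only if the user clicked or typed in the form
// }
// Returns { fill: false, reason } or { fill: true, credential }.
function autofillDecision(request, vault = STORED) {
  const top = originOf(request.topUrl);
  const frame = originOf(request.frameUrl);
  const action = originOf(request.formAction);

  // 1. Refuse plaintext transport anywhere in the chain. An http:// login
  //    page (the "17% of the Alexa Top 500" case) or an http:// form action
  //    can be rewritten by anyone on the network path, such as a rogue
  //    access point, so an HTTPS submission alone is not enough.
  for (const [label, o] of [["top", top], ["frame", frame], ["action", action]]) {
    if (!o.startsWith("https://")) return { fill: false, reason: `${label} is not https` };
  }

  // 2. Only fill when the frame holding the form IS the page the user is
  //    looking at. This is what stops a hostile top-level page from
  //    collecting fills for other sites' login forms embedded in hidden frames.
  if (frame !== top) return { fill: false, reason: "form is in a cross-origin frame" };

  // 3. The form must submit back to the origin the credential was saved for.
  const credential = vault.find((c) => c.origin === top);
  if (!credential) return { fill: false, reason: "no credential for this origin" };
  if (action !== credential.origin) return { fill: false, reason: "form posts elsewhere" };

  // 4. Never fill silently: require a user gesture, so merely loading a page
  //    cannot hand over passwords.
  if (!request.userGesture) return { fill: false, reason: "no user gesture" };

  return { fill: true, credential };
}

// Stand-alone demonstration of the four outcomes.
const cases = {
  normalLogin: { topUrl: "https://bank.example/login", frameUrl: "https://bank.example/login",
                 formAction: "https://bank.example/session", userGesture: true },
  hiddenIframe: { topUrl: "https://evil.example/", frameUrl: "https://bank.example/login",
                  formAction: "https://bank.example/session", userGesture: true },
  httpLoginPage: { topUrl: "http://bank.example/login", frameUrl: "http://bank.example/login",
                   formAction: "https://bank.example/session", userGesture: true },
  silentFill: { topUrl: "https://bank.example/login", frameUrl: "https://bank.example/login",
                formAction: "https://bank.example/session", userGesture: false },
};
for (const [name, req] of Object.entries(cases)) {
  const d = autofillDecision(req);
  console.log(name, d.fill ? "FILL" : `refuse: ${d.reason}`);
}
```

The order of the checks matters less than their conjunction: each one closes a different door described above, and a plugin that skips any of them (most commonly the frame check or the user-gesture requirement) reintroduces the corresponding attack.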
They report that requests to fix these security problems have been listed as bugs for both Firefox and Chrome for some time. Maybe these papers will bring the attention and pressure that’s needed to fix this!
Meanwhile, the most cautious yet still practical solution seems to be a stand-alone password manager, from which you copy and paste your logins and passwords into browser fields. Don’t let the browser or its plugins remember any passwords, as they may give them away! Good choices include Password Safe, pwsafe, and Password Gorilla.