Evaluating a password manager
Evan Johnson
About Me
● CloudFlare Security Systems Engineer
● Previously an engineer at LastPass
● Wrote passgo (https://github.com/ejcx/passgo)
● On twitter @ejcx_
● Personal sites:
○ https://ejj.io
○ https://twiinsen.com
Trigger Warning: Talking about Password Managers
What is this talk?
● Define properties that all password managers should have
● Some basic technical details about individual pw managers
● Talk about what matters in a password manager for average people.
● Talk about some details about how technical analysis is done.
Which password managers
● 1Password
● LastPass
● Dashlane
● Keeper
● KeePass
● KeePassX
● PasswordBox (rest in peace)
● Pass
● Excel Spreadsheets
How do (most) password managers work?
Cloud Password Servers
● This component will be missing if the pw manager does not sync.
● Web service of some sort containing encrypted data.
● What other data should be encrypted? Password managers generally do not encrypt everything.
● Security measures, like 2FA, are usually enforced here.
Core Service, Background Service
● Consume the web service's APIs.
● Decrypt sites and keep a persistent process running after login.
● Update sites as they change.
● Update the API as new sites are created.
User Application + Background / Browser Integration
● Contains user interface.
● Contains bells and whistles that help users be secure.
● Auto fills passwords
What matters in a password manager!?
● Too much for one slide…
● “What features should all password managers have?”
● “Which features are security critical and need special evaluation?”
● “What are your personal needs in a password manager?”
What features should all password managers have?
● Password generator that can be used to generate different kinds of passwords.
● Duplicate password finder
● Weak password finder
● Good UX for mobile support
● Strong crypto
● Import / Export: you should be able to jump ship!
● Amazing mobile UX
The world is mobile now
● Password managers without a mobile component are useless to average folks.
The world is mobile now
The world is mobile now
https://github.com/AgileBits/onepassword-app-extension
The world is mobile now
The scary part of mobile password managers
● There are hundreds of mobile password managers with unknown quality. Who knows what they are doing.
What features need security evaluation
● Browser filling logic.
● Integration between browser extension and background extension.
● Password Generator.
● Crypto Primitives.
● HTTP Headers and Transport Security.
How to dive in and look under the hood
● Examine the API
● Examine the Crypto
● Examining the browser extension
● Examining the integration between browser extension and background
● Examining the auto-fill logic
Examining the API
1. chrome://extensions
2. Enable Developer Mode
3. Click “background.html”
Examining the crypto
Examining the browser extension
Examining the browser extension
Click on “{}” to unminify
What’s the point of all of this
● I am working on a “password manager scorecard”
Questions
● Any Questions?

Editor's Notes

  1. CloudFlare Security Systems Engineer: I wear a lot of different random hats. I’m the company’s appsec person. I hunt vulnerabilities and then come up with remediation plans, I write code to fix vulnerabilities, and I build security features and help make sure security products work and can’t simply be sidestepped, etc. I wrote all the account management and session stuff on our site. Previously an engineer at LastPass: that is where I got into this world of password managers, I guess. I would regularly look at how other people’s password managers worked when I was at LastPass, learning what was good, what was bad and what needed improvement. Wrote passgo (https://github.com/ejcx/passgo): it’s a command line password manager written in golang. It has modern crypto.
  2. Password managers are a really, really polarizing topic for people for some reason. This is one of the first things I learned when I was working at LastPass. Everyone on the internet is an expert and should be presenting at BSidesLV, but I’m sure the organizers just didn’t have enough speaker slots open. So many people loved LastPass and so many people hated it. Online discussions about anything password manager related generally break down into a bunch of crazy people arguing. I see the polarization with all of the password managers. Some people are “open source fanatics” and love KeePass and KeePassX. Some people love their home brew Excel spreadsheets. I really want this talk to be constructive, not like these forum arguments, and to help people make good security decisions. I feel like people just pick their password managers and then become online zealots without looking at the other possibilities. This talk is meant to be non-biased. I am not going to throw any bad password managers under the bus… YET!!! That is coming soon. We’ll see soon. It’s meant to be super high level and accessible.
  3. This talk is meant for average people. If you’re an at-risk journalist or political dissident you have bigger problems; that’s what offline discussion is for. Define properties that all password managers should have to help average folks be more secure, or at least point out the things you might care about. Point out some things that I think some password managers are doing that help average people a lot. Some technical details about individual pw managers: we will see some basic stuff, but nothing super, super deep.
  4. This talk is meant to cover pretty much all password management solutions that people use. Most people use one of these, probably. 1Password: Apple powerhouse, great for Apple products. LastPass: Windows and Linux people like it; different security model than 1Password. Dashlane: raised a TON of money; 52m is what Crunchbase says. Keeper: super popular on mobile. KeePass has a confusing ecosystem. KeePassX vs KeePass, is there a difference? Tons of people love KeePass, citing that it’s “open source” as the reason. PasswordBox (rest in peace): they have been end-of-lifed by Intel, who bought them, I think in 2014. Pass is a systems password manager, but some folks have built a pretty full featured ecosystem around it. It’s a command line password manager, but it also has a mobile component and is backed by git. Except spreadsheets and password journals. The funny story is what is down at the bottom of the list. I added Excel spreadsheets because I got into a Slack argument with this person who was saying they had such great security requirements and huge risks that he would never EVER put his passwords into someone else's software. People like him can’t really be helped. Passwords need to be managed, if not because you trust your current system then because you can’t trust sites not to lose it for you. If you are one of these Excel spreadsheet people, hopefully this talk will help you see all the stuff you’re missing out on.
  5. This is a fairly generic “design diagram” of how most full featured password managers work. You generally have four components: the server that stores the passwords; the application that consumes the password store and decrypts it all; the part of the application that has all the features (for example, browser autofill with some password managers is implemented as a browser extension that talks to a client over a websocket); and a fourth that is not part of the browser extension… not sure why I decided it belonged in my chart, but these passwords have to go somewhere. Some password managers might not have all four components, or some of the components might be very tightly coupled and there are only three.
  6. Okay, so first, quickly, the server storing your passwords.
  7. I call it a “cloud password server”. This might be a Dropbox server if you’re using 1Password, a LastPass server, or a GitHub server if you use my password manager. This component obviously won’t exist if the password manager does not sync. Passwords MUST be held encrypted here. This is something that just about all password managers provide, but not all password managers encrypt everything. What else should be encrypted here? I don’t think there’s a right answer. Two things happen here: lots of password managers don’t encrypt the “username”, and lots of password managers don’t encrypt URLs. Is that okay? Is it not okay? That’s not for me to answer. For password managers you log in to, you normally will have a large overlap between your login username / email address and the website username that you log in with. URLs, I’m not sure here as well. Does it really matter if someone knows that you have an account on a certain website? If you’re a journalist or a political dissident it might really, really matter. For regular people, probably not in the slightest. For evaluating a password manager, I came up with two tickboxes here that are important: encrypts passwords; encrypts all site data.
  8. Next is the core service of the password manager.
  9. This is fairly boring. All password managers pretty much do the same thing here, but in lots of different formats. The core service and background service is the persistent process that receives updates from the server, decrypts site information, etc. Sometimes the line between the application and the core integration is blurred. This is separate in some password managers in a much more obvious way: 1Password and Dashlane run a client on your desktop and communicate with it over a websocket. The crypto is all implemented here, and algorithm choices all matter here.
  10. Next is the integration with the background service that does all the core decryption.
  11. Basically, anything that modifies or uses the decrypted passwords: autofill, the password generation and save flow, detecting password reuse, etc.
  12. “What features should all password managers have?” “Which features are security critical and need special evaluation?” “What are your personal needs in a password manager?”
  13. These are probably the most important features that password managers provide. Password generator that can be used to generate different kinds of passwords. Duplicate password finder. Weak password finder. Good UX for mobile support. Strong crypto. Import / Export: you should be able to jump ship! Duplicate password finder: super important to know where you exposed a password when someone gets hacked. Yahoo is investigating a really big breach right now, some article I saw said. Weak password finder. Strong crypto: we will talk more about this.
  14. My favorite answer to this is mobile support. Strong mobile support. A huge percentage of the world is “mobile first” now. Mobile usability and being able to seamlessly use a password manager in a mobile app or a mobile browser is a huge win for security. More and more stuff is going to be mobile.
  15. I think it’s pretty obvious what happens on mobile at this point. Some people might argue that “Snapchat is not important”, but there are a ton of other apps like Uber/Lyft/Dropbox or whatever that I’m going to guess a ton of people only use on mobile. I think a good conference talk would be about researching password trends and whether or not passwords chosen on mobile are weaker than on bigger devices. It sucks to create accounts and log in on mobile. It SUCKS. In my opinion, mobile password managers make a bigger impact on usability and help with security. It’s so painful typing passwords. Even federated auth is no good, because federated in-app auth support kind of sucks.
  16. This shows off the AgileBits in-app integration for iOS (https://github.com/AgileBits/onepassword-app-extension). This is rarer for mobile password managers to implement. Keeper, LastPass and 1Password implement this. I’m not going to talk about the Android app integrations in this talk, but they exist too. On Android, the method for in-app fill is different. For example, LastPass has a bubble pop up to help you fill in, and a lot of other password managers have keyboard integrations to allow easy copy and paste, or fill.
  17. Browser integrations are a must-have on mobile as well. Pretty much everyone does mobile integrations of browsers. The important part about all the blabbering I’m doing about why passwords are a big deal on mobile is that it is the case that totally proves the guy I argued with in my Slack channel wrong. Arguing on the internet is important, you know. He hinted that the solution he had was not software based. That says to me he either has a notebook or an Excel sheet. The people with password journals that they keep at home in a safe cannot compete on mobile. It is so much more work.
  18. Mobile password managers are scary. Type “password manager” into the Apple App Store. See just how much junk there is. Average people don’t have the tools they need to make a secure and good choice.
  19. The answer to “what could have big security implications?”: browser filling logic. Since this is JavaScript, pretty much everyone has to add in their own crypto primitives. Tons of really big arrays of S-boxes or whatever else.
  20. There are a few usual suspects that people really care about and would like to hunt for bugs in. Look at JavaScript as much as you can for learning about the applications. This is really useful. With JavaScript, all code is open source =].
  21. Here is an example of examining the API for LastPass. For LastPass, PasswordBox, and other extensions that talk directly with the server, you can easily check out the “background page”. Go to chrome://extensions. Enable developer mode; it’s a radio button at the top. Click “background.html” or whatever the background page is called. Then you can watch all network transactions. Create a site and you can watch what happens. Apps whose extension does not talk with a server have a thick client that talks to the server, like Dashlane and 1Password. This makes things harder if you are into bug hunting. With 1Password it is obvious what is happening: you can see the data that is stored in Dropbox. Dashlane could be more interesting. Besides hunting using extensions, hunting using the website is helpful too. You can see what the server sends to you.
  22. For this I dug into 1Password, since it’s a little harder to dig into a binary. Pretty much the same crypto gets used across all password managers: AES-[128|256]-CBC mode and PBKDF2. In this space there’s a really, really big problem that is inherent in password managers: updating the crypto is hard. It is not easy to flip a switch and move everyone from unauthenticated ciphertexts in AES-CBC to something authenticated. Stick to reversing JavaScript. It’s a lot easier to reverse JavaScript than a huge client. For 1Password, they provide 1Password.html in case you have access to Dropbox.
  23. The autofill logic is a big deal now. I’m not sure why. It might have something to do with this guy.
  24. The autofill logic is in the content script of the browser extension. Open up dev tools on the page. Open up “Sources”. You can pop open the
  25. I’m working on a password manager scorecard. It isn’t ready yet, but it is a ton of checkboxes, just like the EFF scorecard for secure messengers. I’ll publish it probably in the middle of next week (best case). It should help average folks make good password management choices.
  26. Anyone have questions?