Evaluating a password manager

PasswordsCon, BSidesLV 2016. A talk about how to evaluate a password manager: what really matters, and what problems password managers face.

  1. Evaluating a password manager. Evan Johnson
  2. About Me ● CloudFlare Security Systems Engineer ● Previously an engineer at LastPass ● Wrote passgo ● On twitter @ejcx_ ● Personal sites:
  3. Trigger Warning: Talking about Password Managers
  4. What is this talk? ● Define properties that all password managers should have ● Some basic technical details about individual password managers ● Talk about what matters in a password manager for average people ● Talk about some details of how technical analysis is done
  5. Which password managers ● 1Password ● LastPass ● Dashlane ● Keeper ● KeePass ● KeePassX ● PasswordBox (rest in peace) ● Pass ● Excel spreadsheets
  6. How do (most) password managers work?
  7. Cloud password servers ● This component is missing if the password manager does not sync ● A web service of some sort holding the encrypted vault data ● What other data should be encrypted? Password managers generally do not encrypt everything ● Security measures like 2FA are usually enforced here (server-side, so they gate access to the encrypted data rather than the decryption key)
  8. Core service / background service ● Consumes the web service APIs ● Decrypts sites after login and keeps them in a persistent process ● Updates sites as they change ● Pushes new sites to the API as they are created
  9. User application + background / browser integration ● Contains the user interface ● Contains the bells and whistles that help users be secure ● Auto-fills passwords
  10. What matters in a password manager!? ● Too much for one slide… ● “What features should all password managers have?” ● “Which features are security critical and need special evaluation?” ● “What are your personal needs in a password manager?”
  11. What features should all password managers have? ● A password generator that can produce different kinds of passwords ● Duplicate password finder ● Weak password finder ● Good UX for mobile support ● Strong crypto ● Import / export: you should be able to jump ship! ● Amazing mobile UX
  12. The world is mobile now ● Password managers without a mobile component are useless to average folks.
  13-15. The world is mobile now (image slides)
  16. The scary part of mobile password managers ● There are hundreds of mobile password managers of unknown quality. Who knows what they are doing.
  17. What features need security evaluation ● Browser filling logic ● Integration between the browser extension and the background extension ● Password generator ● Crypto primitives ● HTTP headers and transport security
  18. How to dive in and look under the hood ● Examine the API ● Examine the crypto ● Examine the browser extension ● Examine the integration between the browser extension and the background ● Examine the auto-fill logic
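Slides 17 and 18 both single out the auto-fill logic for evaluation. The following is an added example, not code from the talk or from any product: the origin-matching decision a fill routine makes before it puts a saved credential into a page, shown once in the sloppy substring form that is worth looking for when reading an extension's fill code, and once in a strict form. The sample vault entries and the page URLs are constructed; the code uses the standard WHATWG URL class, which exists in both Node.js and browsers.

```javascript
// Added example, not from the talk: how the autofill origin check decides
// whether a saved credential belongs on the current page.
// Constructed sample vault entries; each records the origin it was saved on.
const savedCredentials = [
  { origin: 'https://bank.example.com', username: 'alice', password: 'hunter2' },
  { origin: 'http://legacy.example.net', username: 'bob', password: 'pw' },
];

// Sloppy: substring test on the hostname. Passes for
// 'bank.example.com.attacker.tld' and for 'evilbank.example.com'.
function sloppyMatch(pageUrl, entry) {
  const savedHost = new URL(entry.origin).hostname;
  return new URL(pageUrl).hostname.includes(savedHost);
}

// Strict: scheme and port must equal the saved origin's (so a credential
// captured over https is never filled into an http page), and the hostname
// must be exactly the saved host, or a subdomain of it only when the policy
// allows that. URL.hostname is already punycode, so lookalike IDNs compare
// as their ASCII form rather than by appearance.
function strictMatch(pageUrl, entry, { allowSubdomains = false } = {}) {
  const page = new URL(pageUrl);
  const saved = new URL(entry.origin);
  if (page.protocol !== saved.protocol || page.port !== saved.port) return false;
  if (page.hostname === saved.hostname) return true;
  return allowSubdomains && page.hostname.endsWith('.' + saved.hostname);
}

// What the fill logic would offer for a given page under a given matcher.
function credentialsFor(pageUrl, entries, matcher, options) {
  return entries.filter((e) => matcher(pageUrl, e, options)).map((e) => e.username);
}
```

The origin check is only the first gate; a complete review of fill logic also covers whether the extension fills into iframes whose origin differs from the top page, and whether it fills without a user gesture.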
  19. Examining the API 1. Open chrome://extensions 2. Enable Developer mode 3. Click “background.html” to open DevTools for the extension’s background page
  20. Examining the crypto
  21. Examining the browser extension
  22. Examining the browser extension ● Click on “{}” in the DevTools Sources panel to pretty-print (unminify) the script
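Slides 19 to 22 get you into the background page's DevTools with readable source. The following is an added example, not code from the talk or from any product: a fetch wrapper to paste into that console so the endpoints the extension calls, and whether vault data leaves the client in the clear, show up in one log. installFetchLogger takes the object that owns fetch (window in the background page; a stub in the test so it also runs in Node.js). The clear-text heuristic, the endpoint URLs and the sample request bodies are constructed for the illustration.

```javascript
// Added example, not from the talk: wrap fetch in the extension's background
// page so every API call is logged before it leaves the client.
function installFetchLogger(host, log = []) {
  const original = host.fetch;
  host.fetch = async function loggedFetch(input, init = {}) {
    const url = typeof input === 'string' ? input : input.url;
    const method = (init.method || 'GET').toUpperCase();
    const body = typeof init.body === 'string' ? init.body : '';
    // Record before the request goes out, so the log is complete even if it fails.
    log.push({
      method,
      url,
      bodyBytes: new TextEncoder().encode(body).length,
      clearTextSuspect: looksLikeClearText(body),
    });
    return original.call(host, input, init);
  };
  return log;
}

// Heuristic (assumed, not a product rule): a JSON body whose password-like keys
// hold a short readable string rather than an opaque base64-looking blob
// suggests vault data leaving the client unencrypted.
const SECRET_KEY = /pass(word)?|secret/i;
const OPAQUE_VALUE = /^[A-Za-z0-9+/=]{24,}$/;

function looksLikeClearText(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return false; }
  const scan = (node) => {
    if (node === null || typeof node !== 'object') return false;
    return Object.entries(node).some(([k, v]) =>
      typeof v === 'object' ? scan(v) : SECRET_KEY.test(k) && typeof v === 'string' && !OPAQUE_VALUE.test(v));
  };
  return scan(parsed);
}

// Per-endpoint summary of the log: call count, methods, and whether any
// request body to that endpoint looked like clear-text secrets.
function summarize(log) {
  const byUrl = new Map();
  for (const entry of log) {
    const cur = byUrl.get(entry.url) || { calls: 0, methods: new Set(), clearTextSuspect: false };
    cur.calls += 1;
    cur.methods.add(entry.method);
    cur.clearTextSuspect = cur.clearTextSuspect || entry.clearTextSuspect;
    byUrl.set(entry.url, cur);
  }
  return byUrl;
}
```

Extensions that use XMLHttpRequest instead of fetch need the same treatment on XMLHttpRequest.prototype.open and send; the summary is the starting point for the transport and header checks on slide 17, since it gives you the list of endpoints to inspect.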
  23. What’s the point of all of this ● I am working on a “password manager scorecard”
  24. Questions ● Any questions?