Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Evaluating a password manager

PasswordsCon BSidesLV 2016. A talk about how to evaluate a password manager. What is really important? What are problems that password managers face?

  • Be the first to comment

  • Be the first to like this

Evaluating a password manager

  1. 1. Evaluating a password manager Evan Johnson
  2. 2. About Me ● CloudFlare Security Systems Engineer ● Previously an engineer at LastPass ● Wrote passgo (https://github.com/ejcx/passgo) ● On twitter @ejcx_ ● Personal sites: ○ https://ejj.io ○ https://twiinsen.com
  3. 3. Trigger Warning: Talking about Password Managers
  4. 4. What is this talk? ● Define properties that all password managers should have ● Some basic technical details about individual pw managers ● Talk about what matters in a password manager for average people. ● Talk about some details about how technical analysis is done.
  5. 5. Which password managers ● 1Password ● LastPass ● Dashlane ● Keeper ● KeePass ● KeePassX ● PasswordBox (rest in peace) ● Pass ● Excel Spreadsheets
  6. 6. How do (most) password managers work?
  7. 7. Cloud Password Servers ● This component will be missing if the pw manager does not sync. ● Web service of some sort containing encrypted data. ● What other data should be encrypted? Password managers generally do not encrypt everything. ● Security measures, like 2FA usually enforced here.
  8. 8. Core Service, Background Service ● Consume the web services APIs. ● Decrypt sites and persist process after log in. ● Update sites as they change ● Update API as new sites are created
  9. 9. User Application + Background / Browser Integration ● Contains user interface. ● Contains bells and whistles that help users be secure. ● Auto fills passwords
  10. 10. What matters in a password manager!? ● Too much for one slide… ● “What features should all password managers have?” ● “Which features are security critical and need special evaluation?” ● “What are your personal needs in a password manager?”
  11. 11. What features should all password managers have? ● Password generator that can be used to generate different kinds of passwords. ● Duplicate password finder ● Weak password finder ● Good UX for mobile support ● Strong crypto ● Import / Export you should be able to jump ship! ● Amazing mobile UX
  12. 12. The world is mobile now ● Password managers without a mobile component are useless to average folks.
  13. 13. The world is mobile now
  14. 14. The world is mobile now https://github.com/AgileBits/onepassword-app-extension
  15. 15. The world is mobile now
  16. 16. The scary part of mobile password managers ● There are hundreds of mobile password managers with unknown quality. Who knows what they are doing.
  17. 17. What features need security evaluation ● Browser filling logic. ● Integration between browser extension and background extension. ● Password Generator. ● Crypto Primitives. ● HTTP Headers and Transport Security.
  18. 18. How to dive in and look under the hood ● Examine the API ● Examine the Crypto ● Examining the browser extension ● Examining the integration between browser extension and background ● Examining the auto-fill logic
  19. 19. Examining the API 1. chrome://extensions 2. Enable Developer Mode 3. Click “Background.hmt”
  20. 20. Examining the crypto
  21. 21. Examining the browser extension
  22. 22. Examining the browser extension Click on “{}” to unminify
  23. 23. What’s the point of all of this ● I am working on a “password manager scorecard”
  24. 24. Questions ● Any Questions?

×