undefined | Better HN

0 pointspeterwwillis6y ago0 comments

Evil maid. Cold boot. Memory parsing. Clipboard/key event hooking. Brute force. Dictionary. Autofill hijack.

You can use the first four against typed passwords, but you either need to have malware installed, or your time window has to be very short. All of these can be used against password managers even without malware, and the time window is much longer, often due to crappy password managers not properly protecting against side channels or even cleaning up old memory.

You have the same attacks as with entering a password, plus more you wouldn't have had.

0 comments

2 comments · 1 top-level

kranner6y ago· 1 in thread

My question was specifically about pass, so your point about crappy password managers that don't clean up the clipboard is not relevant.

We can also ignore the attacks that apply to manually entering a password, as my question was about ways in which password managers are less secure compared to manually entered passwords.

What's left?

Brute force: not quite possible with the default GPG key type.

Dictionary: you'd need to guess my complex passphrase to decrypt my secret key (assuming you have access to it), and I can assure you my password if I use pass would be as long and as complex as I can make it, so I'm not sure which dictionary would contain it.

Autofill hijack: I don't use autofill for passwords.

peterwwillisOP6y ago

> Brute force: not quite possible

> Dictionary: you'd need to guess my complex passphrase

Totally doable. You don't brute force the key, you brute force the passphrase that protects the key. Ask five eyes if password-protected GPG keys are impenetrable. A very large computer, smart algorithm, and good sigint can make short work of a "complex" passphrase. The difference between the password manager and memorized passwords is, if you crack the password manager, you have all the keys. If you memorize passwords, they have to intercept each key to compromise it. The most basic attack vector goes from "exfiltrate data one time" to "intercept all logins for a month".

Cold boot and evil maid also work better against someone who unlocks their gpg key for longer than a second, and extra code = extra possibility for bugs.

j / k navigate · click thread line to collapse