undefined | Better HN

0 pointsnecovek1y ago0 comments

Locking is not sufficient: it would need to overwrite the memory where passwords were decrypted to. With virtual memory, this becomes harder.

0 comments

compootr1y ago

What's sufficient depends on your threat model.

Normal dude in a secure office? An auto-locking password manager would suffice.

Someone that should be concerned with passwords in-memory is someone who believes another has full physical access to their computer (and can, say, freeze RAM in nitrogen to extract passwords

My largest concern would be an adversary snatching my phone while my password manager was actively opened

necovekOP1y ago

Locking a password manager and your computer is certainly good enough in many cases. But gaining access to memory might not need the sophistication of using nitrogen (see eg https://en.m.wikipedia.org/wiki/DMA_attack).

supertrope1y ago

https://keepass.info/help/base/security.html#secmemprot

necovekOP1y ago

> On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provide any effective memory protection method.

So only Windows seems to use secure memory protection.

supertrope1y ago

https://keepassxc.org/blog/2019-02-21-memory-security/

1 more reply

freeone30001y ago

But still not particularly hard. mmap has a MMAP_FIXED flag for this particular reason — overwrite the arena you’re decrypting to, and you should be set.

borski1y ago

https://1passwordstatic.com/files/security/1password-white-p...

j / k navigate · click thread line to collapse

0 comments

compootr1y ago

What's sufficient depends on your threat model.

Normal dude in a secure office? An auto-locking password manager would suffice.

Someone that should be concerned with passwords in-memory is someone who believes another has full physical access to their computer (and can, say, freeze RAM in nitrogen to extract passwords

My largest concern would be an adversary snatching my phone while my password manager was actively opened

necovekOP1y ago

supertrope1y ago

https://keepass.info/help/base/security.html#secmemprot

necovekOP1y ago

> On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provide any effective memory protection method.

So only Windows seems to use secure memory protection.

supertrope1y ago

https://keepassxc.org/blog/2019-02-21-memory-security/

1 more reply

freeone30001y ago

But still not particularly hard. mmap has a MMAP_FIXED flag for this particular reason — overwrite the arena you’re decrypting to, and you should be set.

borski1y ago

https://1passwordstatic.com/files/security/1password-white-p...

j / k navigate · click thread line to collapse