Vulnerability of web based password managers (NOT 1Password)
There is some interesting research (referred to in a Register article) which has highlighted vulnerabilities in a number of popular web-based password managers. Note 1Password is not affected but the link may be of interest generally.
Stephen
Comments
-
That doesn't sound too good for web-based p.managers. While the report is dated June 14, tests actually occurred Aug 2013 and were fixed (for one provider at least) in Sept 2013. Seems only one provider has made a comment ... and not until July this year. Other popular web-based managers seem to have not yet mentioned this problem. It's concerning how companies seem to like to stay quiet in such instances, leaving the customer base in the dark.
-
It's not surprising that they haven't mentioned it. Doing so earlier would have stolen this report's authors' thunder. I suspect that the authors made their discoveries available to the companies concerned ahead of time to allow them to fix the vulnerabilities on the proviso that they kept quiet about it until their paper was published.
-
Ah...
-
I saw it mentioned on the Tech Report: http://techreport.com/news/26777/web-based-password-managers-insecure-study-says
Here's the actual research paper: http://devd.me/papers/pwdmgr-usenix14.pdf
-
Just wanted to add a quick note here. @Stephen_C is absolutely correct. 1Password is not a web-based password manager and so does not face the kinds of threats discussed in that paper. Different security architectures face different threats.
It is excellent research, and it has led to some very fruitful discussions with the authors, but the kinds of threats discussed in the paper are difficult to defend against. This is one of the reasons why we picked a different security architecture.
I would also add that according to the paper 4 out of 5 of the vendors quickly fixed the particular flaws pointed out. It’s true that many of the flaws were enormous, but it is also true that vendors (well, all but one) responded appropriately and got those fixed before any damage was done. Both the vendors and the researchers should be commended for how they handled that.
One point in the paper is that bookmarklets live in a particularly hostile environment (more so than browser extensions do) and so need many layers of defense. This is one of the reasons why we stopped offering a bookmarklet feature back in 2011:
It’s time to say good-bye to a couple of features that won’t stand up to the anticipated threat environment. One feature, loved by many, is the Login Bookmarklet.
(via “Staying ahead with security” from December 1, 2011)
In 1Password 4, our browser extension does not store user credentials (encrypted or otherwise). Nor does our extension handle people’s 1Password Master Passwords. This way, user data and secrets are kept at a further distance from the hostile environment of a third-party web page.
-
@RichardPayne is absolutely correct that the developers did not draw attention to their fixes until after the researchers published.
As it happens, four out of the five vendors acted very quickly, but each would not have known when the others fixed things. So it is fully appropriate to wait until everyone has had sufficient opportunity to patch things before disclosing to the public.
I had known that the paper in question was forthcoming because its title had been listed for presentation at the USENIX Security conference, but I had no idea of how severe the bugs found were or which particular web-based password managers were looked at. When the paper was released at the end of last week, I and several other AgileBitters read it immediately. We were only getting a trickle of questions about it, and since it didn't affect 1Password directly, we didn't write about it. All of this changed yesterday (Monday) with the appearance of Dan Goodin's article in Ars Technica.
It is always difficult to judge what will gain public attention. Although the bugs reported (and quickly fixed) were severe, the actual process of researchers analyzing tools, finding problems, and vendors fixing things is a fairly routine process. Anyway, we will have some more to say about what this does (and really doesn't) mean for 1Password.
-
Dan Goodin is very aware of 1Password. I've been a little perplexed at his language in these recent articles.