Posted February 20, 2019 Is there a more, techy, explanation of this flaw? Rather than 'the master password occasionally sits in memory' DISCLAIMER Everything i say is my own opinion. So if you disagree with what I post, you are wrong. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 Author 2 minutes ago, wANKER said: Is there a more, techy, explanation of this flaw? Rather than 'the master password occasionally sits in memory' You can check out the original report by ISE here: https://www.securityevaluators.com/casestudies/password-manager-hacking/ Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 28 minutes ago, solonovamax said: yes, but the cpu does also need to access programs on my hard disk. These are read off the disk. I don't think it would be that hard to do something like that (on the other hand, I can't entirely say for sure, as I don't fully know how they work and/or are coded) It goes CPU > Registers (Like cache) > RAM > Drive. The processor fetches data from this hierarchy if I remember correctly. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 45 minutes ago, imreloadin said: Considering this has to do with having the application open in the background so your master password is stored actively in your RAM all you have to do is not use anything with a browser extension and just close out of the application when you're done. I use KeePass and it's not that hard to do, just launch it when I need to enter a password, copy/paste it into the website, and close out of KeePass. Seriously though this is just basic computer usage information, if I type something in it's obviously stored in the RAM of your computer while that application is open. It's not even the LastPass browser extension that's affected, it's the separate "LastPass for Applications" that you download and install on your PC, and is only available to premium users. This: [Out-of-date] Want to learn how to make your own custom Windows 10 image? Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 1 hour ago, SansVarnic said: All my passwords are on a secured word document kept in a thumbdrive. Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff. I dont care what kind of promise of security they offer. Call me "old school", but I have mine on tape along with other confidential documents. Then that is kept on my person or in a safe. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 At least the cited paper doesn't blow this story up to misleading point like the Forbes article or the OP. Fact 1: everything your computer does goes through RAM. EVERYTHING! There's no way around it. No matter what you type into it, it will at some point be stored in RAM. Fact 2: if someone has access to your unlocked system or gains physical access to your computer's internals, you're doomed and your security is done for good. Fact 3: using encryption doesn't mean you can take a dump at common sense. Accessing the memory addresses of another program requires a lot (!) of privileges, in fact this requires you basically root/admin privileges and in some cases that's not even enough (talking about Kernel-level access). If there's malware installed on your system that was able to run with root/admin privileges, then you screwed yourself over hard - shotgun level hard and afterwards pulling the trigger. The original paper states that attempts were made to sanitize memory entries after use. Some residues somehow stayed behind even after being freed. The question now is: how did this happen. This could have many reasons but to exploit these leaks an attacker needs to have already access to your system. At that point you're already done. You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever. This isn't as big as Forbes is trying to make it look like. Use the quote function when answering! Mark people directly if you want an answer from them! Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 This is mostly a hard Fake News/Clickbait. If you have READ access to the memory, you can easily just keylog someone's computer. This is interesting for the NSA/CIA/Pick your 3 letter agency, but there'll be some minor upgrades to a few programs to address a weakness. The fact KeePass showed up in their discussions means losing your passwords is the least of your problems. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 4 minutes ago, bowrilla said: You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever. It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways. Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 1 minute ago, WereCatf said: It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways. The issue are memory leaks that persist even after the program was terminated. There were attempts to prevent this but some leaks persist. This can be fixed. Whe your database is unlocked it is unlocked. Most password managers lock themselves after a certain period of time of inactivity. Use the quote function when answering! Mark people directly if you want an answer from them! Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 The claim that it's no more secure than a plain text file is very much false. All that was found in the research was that your passwords can sometimes exist in your computer's RAM, which would require administrator privileges for an attacker to extract. That is a valid attack case against a password manager, but that is not remotely the same as having a plaintext file that exists on the file system. The gold standard that the researchers are proposing is that a password is only loaded into memory when needed for autofilling, and it is immediately overwritten with bogus data once the fill is complete. According to the article, LastPass, and several of the other password managers, do attempt to do this, but miss some cases. 1 hour ago, SansVarnic said: All my passwords are on a secured word document kept in a thumbdrive. Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff. I dont care what kind of promise of security they offer. While not insecure, that is less secure against this particular attack than the password managers surveyed in this study, because all of your passwords will be present in memory for the duration that Word is open. I don't know about how Word handles it, but I suspect that the memory isn't scrubbed at all either, and it almost certainly uses fewer than 100,000 iterations of PBKDF2 to convert the password to an encryption key (100,000 iterations is a lot, but that is what LastPass and 1Password use). Moreover, to use your passwords, you will use the clipboard, and any process can read the clipboard and get your password. The point of my post is that while this is an issue that should be addressed, password managers are still significantly better than the alternatives, and many of those alternatives, such as using an encrypted word document, still offer a good level of security. A password manager is still several orders of magnitude better than using the same password or set of passwords everywhere. HTTP/2 203 Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with then that they might get my Last Pass master password! I rate this a 0.5/10 security threat. Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 4 hours ago, Sauron said: I'm sorry, but having a physical, unencrypted piece of paper with your passwords on it is the single worst and least secure way of remembering them. Using a proper, local password storage solution with adequate cryptography is both secure and convenient. The issue detailed in the article is most definitely not the same as having your passwords in a plain text file and the issue is non existent if you close the password manager when you're done with it - it never crossed my mind to leave it running in the background, and even then at the very least an attacker would require my user password and physical or remote access to my pc to abuse this vulnerability. Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days). In fact, the requirements for physical access to your computer and physical access to the password locker in both cases are then nearly identical. 25 minutes ago, Chett_Manly said: I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with then that they might get my Last Pass master password! I rate this a 0.5/10 security threat. It in and of itself it isn't an big issue, but recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system ram, even without administrative privileges makes it one. With that said. Just through this publicity forcing the companies to address the loophole is a good thing and benefits everyone. Just like most discovered vulnerabilities these days haven't been seen in the wild before they are identified as weaknesses (and hopefully patched as well before that point.) LINK-> Kurald Galain: The Night Eternal Top 5820k, 980ti SLI Build in the World* CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC // Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB Mass SSD: Crucial M500 960GB // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15" LINK-> Ainulindale: Music of the Ainur Prosumer DYI FreeNAS CPU: Xeon E3-1231v3 // Cooling: Noctua L9x65 // Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333 HDDs: 4x HGST Deskstar NAS 3TB // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 3 minutes ago, Curufinwe_wins said: Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days). Right, I suppose posting them on facebook is worse. The piece of paper won't be in a safe though, it will be in your pocket if you want to remember your passwords outside of your house. No, these programs aren't nearly as bad as that. In fact, I'd argue that they're perfectly safe, and this vulnerability is completely negated if you close the password manager when you're done with it. An easy fix is to just remove the background service function. A targeted attack is necessary to exploit it though; you need physical or remote access to the computer with your user account. 7 minutes ago, Curufinwe_wins said: recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system ram, even without administrative privileges makes it one. Speculative execution vulnerabilities make everything a vulnerability, if you get pwned by specter they could just as well keylog all your passwords (or dump your clipboard if you use that). Don't ask to ask, just ask... please sudo chmod -R 000 /* Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 Easy fix: dont be a dumb-ass and install/open anything without thinking, and use noscript and adblock* on your browser.... (* "But that is like stealing and yada yada yada...." I dont care, if ad companies wont return to reality with their practices [no flashing, moving, loud, etc ads] and fix their sh!t security ASAP they deserve to be blocked.) Link to comment Share on other sites More sharing options... Link to post Share on other sites More sharing options...
Posted February 20, 2019 5 hours ago, kuddlesworth9419 said: It's called paper and pencil. It's the most secure way or documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong. Lmao, do you put this paper in a safe? This is actually the worst possible way to record password. Magical Pineapples