Browser Extension Password Managers Exposing Passwords Everywhere (isecpartners.github.io)
111 points by beNjiox on Dec 20, 2013 | 87 comments



I use KeePass and I haven't integrated it into any of the web browsers I use. When I want to log into a site, I don't load it via my web browser's address bar; instead, I Alt-Tab to KeePass, Ctrl-F to find the site/account, Ctrl-C to copy my password, and Ctrl-U to open the site. This takes only a few seconds longer than using a browser extension like LastPass (which I've used to share credentials with family members).

In addition to this being potentially more secure, another benefit is that I can specify that KeePass open certain sites in a non-default web browser. I prefer not to log into some sites/accounts using my primary web browser, and KeePass helps me to avoid this. If I were to use a solution like LastPass for all my password management, I would need to pause and recall which browser I use to log into a site/account. But with KeePass, I just mindlessly Alt-Tab, Ctrl-F, Ctrl-C, and Ctrl-U.


... this doesn't sound easier, this sounds much more annoying. But each to his own.


I didn't assert that it was easier, just potentially more secure. Similarly, it's arguably annoying to only access financial accounts (and the email accounts that are associated with the financial accounts) using a dedicated banking computer, but I think that having a banking computer is worth it. Others will disagree.


[Disclosure: I work for AgileBits, makers of 1Password]

One way of characterizing the particular paper is "password managers with browser extensions don't always prevent you from submitting your data to the wrong place."

Systems that rely on the user to copy/paste offer no such protections whatsoever (and so, I suppose, can't fail at them.) So I'm curious about what you may mean by "potentially more secure" in this particular respect. Are you concerned that you might come to rely too heavily on the password manager's anti-phishing mechanisms?

[Note that I fully acknowledge that there may be other security reasons you may wish to keep your password manager out of browser. 1Password and KeePass have different security architectures, development processes, platform support, etc, with their own advantages and disadvantages. People need to figure out which works best for them.]


Not knowing the passwords, and keeping them in a locked database you copy/paste from creates plausible deniability if in a situation where one is beaten with a $5 wrench.

For some people, the risk of disclosure by violence is more a worry than the risk of disclosure by the clipboard.


KeePass also makes a global keyboard shortcut available (Ctrl+Alt+A by default) that will complete login fields based on the active window title. (The mechanics of the text entry and the window title matching are all configurable, though the defaults are usually fine.) Not as slick as auto-filling without user interaction, but better than manually searching for each entry every time.


I've been using this in Ubuntu (Ctrl-Alt-V in KeePassX). It covers most of the sites I use, and works with minimal extra effort.

I originally looked at LastPass, but it seemed 'too' easy. Decryption is done client side via JavaScript, but what happens if someone hacks into LastPass's server, and modifies the code to send the user's entered password to their server?



KeePass has browser extensions as well. They're quite good and only give the password to the site you want.

https://github.com/pfn/passifox


Yes, this. There's also one for Chrome. You can set it to have the KeePass application pop up a yes/no dialog for every requested password so you will be notified whenever the extension requests the password.


Is anyone aware of a smartphone app that allows your phone/tablet to act as a USB keyboard for a PC, and "type" passwords in for you?


Bluetooth remote control?


What about software HID loggers?


It loses one key benefit though - phishing sites. When Lastpass doesn't fill something in that I expected it to fill in I eyeball the site very carefully to see wtf is going on.


No, it is actually more secure than Lastpass because the site is opened by KeePass directly (in the browser he specifies).


Shameful plug... sorry..

I actually just released an account manager for Chrome, called Waltz. Waltz uses Clef (http://getclef.com) for multi-factor auth, and then submits using preconfigured login URLs - not heuristics like most other password managers.

After a semi-thorough read of the article, I don't believe Waltz falls into any of the security holes mentioned in the article.

http://getwaltz.com


Very cool extension. Is there any way to use Clef/Waltz to log in on a phone?


This title is hyperbolic linkbait and should probably be changed.

From skimming the paper, the only real flaw that seems broadly applicable is in autofill features which I'm not sure 1Password even has. Those intuitively seem like a bad idea and are easy to disable.


Lastpass does autofill, but only once a site is recognized. That to me is OK - unless there is a way to trick it of course.

EDIT: Never mind... you can configure either behaviour. Either fill in or fill & submit.


The paper is about how they tricked it. It's pretty bad, but only if you use AutoLogin. (Which they should really call AutoLockout anyway. "Password bad? Let's try 3 more times this millisecond and see if the results are different those times.")


It also mentions that auto filling is the default for two of them.


Right, and that default should probably be changed.

But that doesn't justify this clickbait title which is simply untrue as nowhere in the report does it say that passwords are shared "everywhere."


Also, not making the distinction between http/https allows retrieving most passwords if you can man-in-the-middle.


Looks like LastPass really screws up by auto filling forms within emails and submitting them. Which means that I can duplicate the Yahoo login page, send it to your Yahoo mail and LastPass would fill it up and submit because it's served under the Yahoo domain.

1Password seems to be just fine according to this paper. It did not fuck up like LastPass and the only live flaw is about subdomain matching, which I actually find useful.


I honestly think for security purposes in general you shouldn't auto fill in a form regardless of the domain and the extension builders should just not build that feature because it exposes issues like this.


What's the alternative? Generate randomized passwords and memorize them all? I have 250+ passwords for different websites, and not a great deal of choice about it. This is certainly way better than the actual likely alternative -- using the same password on all 250+ sites.


1Password's browser extension v4, in contrast, fills in the form only when you press a key combination (⌘-\ on OSX), and has you enter your master password into a dropdown from the OSX Menu Bar, and not inside the browser frame. Pretty snazzy all around.


Aha, I see the distinction now. Thanks. Enough to simply disable autofill in LastPass then? I'm loath to learn a new system because of such a seemingly small vulnerability.

LastPass has me enter the master password in a pop up window when I click on the icon from the extension (firefox/chrome), although I suppose that's maybe not as good as an independent application?


Exactly.

I can not only disable autofill in the LastPass configuration, but also set it to require a password reprompt for any of my credentials. I could also individually disable autofill for any credential.

People should first know how something works before criticizing.


Just because there's no autofill doesn't mean you don't have a password manager.


[Disclosure: I work for AgileBits, the makers of 1Password]

In 1Password 4, there is no auto-filling. People can use Ctrl-\ or Cmd-\ to tell 1Password to "fill this page". In versions prior to 4, auto-fill was an option. (I'm not sure which versions had what defaults.)


Oh I know. I use 1Password. I forgot to mention that your solution works better but I believe blazingice mentioned it above.


Everybody needs a few critical passwords that they should memorize and not use shortcuts with. My email and Paypal passwords are very strong; to break them you have to either keylog/shouldersurf/whatever, or else brute force an attack for quite a few characters. Nor will you find joy with alternate ways of getting in, such as security questions. If I used a password manager, its password would be another critical one, but even so I probably wouldn't use it for accessing my other crucial accounts.

A lot of my other accounts can be more easily hacked, but relatively little harm would be done if they were. I think one of my MMO accounts -- to a game I no longer play -- actually was.


Are you saying that Yahoo web mail lets senders create forms with submit actions? That's... horribly broken.

But Tumblr allows JavaScript redirects to phishing sites, so Yahoo standard I guess.


HTML email is an abomination, but...

If a form doesn't have a submit action, what's the point of the form?

If you have HTML and CSS, why not have forms?


Gmail does this too... It intercepts the action though, lets you choose if you really want to send.


Not sure it would be that easy. LastPass only auto fills known domains, so you would have to spoof that too.


Hence why they said:

"send it to your yahoo mail and LastPass would fill it up and submit because it's served under yahoo domain."


Then you disable autofill. Problem solved.


True... but now if I suggest LastPass to anyone I have to remember to opt out of this feature.

I am actually a LP user, but I would prefer it was more secure by default.


With LP, auto-fill is an opt-in, per-domain feature.


Wouldn't Yahoo be exactly the type of site that you would opt-in to autofill for?


Why not disable auto-fill and auto-submit in your global preference?


Bizarre. I literally submitted this just a few hours ago, about how to use not only a password vault, but also multifactor grid authentication in order to ensure that even if someone stole your password, it would be exceedingly difficult to access your vault.

https://news.ycombinator.com/item?id=6943837

Actual Link: https://helpdesk.lastpass.com/security-options/multifactor-a...


Non-browser-integrated password managers with 2-factor authentication are one of the best security solutions around right now. Every step away from that costs you security, but probably is still a good ways better than using passwords alone purely from memory.


I am curious, is there a way to do OTPs with offline databases?

I tried poking around with the add-in, but couldn't quite determine whether the implementation could properly protect from replay attacks, most notably whether a copy of the XML file used and the matching old OTP would be enough to unlock a newer database file.


It's impossible to use OTP as part of an encryption key without some sort of oracle that could do the decryption without the OTP.


I know you can always backdoor it with the root key, and I decided to give up on this line because of that.

In theory you could guarantee the OTP going forward, but it would be impossible to protect going backward, which kind of kills the whole point.


I bought a yubikey with the intention of doing exactly that, but then it occurred to me...

What the hell happens if I lose the yubikey? Or indeed anything else that substitutes as the 2nd factor?


Why non-browser-integrated? What's wrong with the one integrated in the browser?


Read the article - each attack it mentions only applies to browser-integrated ones.

If instead you mean "browser-integrated" as in the default "remember my password", well, those are not what this paper discusses and are generally better, though they are still not as desirable as a standalone less-privileged manager.

The idea that the password manager should be separate is practically common sense. Browsers provide more surface area for attack. Browsers are made to share content and work with network data. Ideally, your password manager should never touch the network ever. It has no need to.


The takeaway: Although imperfect, a properly used password manager can still have a large positive impact on an individual’s security.


[Disclosure: I work for AgileBits, the makers of 1Password]

We need to put the headline and some of the odd generalizations stated in the paper aside, and look at the specific security issues raised. When we do that, we find that 1Password matches or exceeds the "far more secure" built-in form fillers.

If we ignore the title and some odd generalizations, this paper actually spells out how well 1Password avoids various risks when you look at the details.

Readers need to go through section 2 of the paper carefully to see which studied systems do what. The most worrisome of the kinds of flaws that browser-based password managers face (filling things for https://foo.example into http://foo.example and filling for bar.example origin forms on foo.example pages) are things that 1Password handles correctly.

The things that we don't do "right" in their eyes are things that their recommended alternative (built-in browser form fillers) also don't do "right". I'm not sure that the authors have fully thought through what it would even mean to do those "right". But I encourage people to read the paper and decide for themselves whether we've made the correct choices in our handling of subdomains, and whether filling should be tied to a specific page on a site.

What of course does need to be considered are the risks of not using something in the browser. If you are copying and pasting from your password manager to your browser you are far more likely to be tricked by phishing, or cross origin forms than you would be with 1Password.

1Password tries to make it hard for you to fill in your credentials in the wrong place (you have to use copy/paste to manually do it where 1Password refuses to do it automatically), and to the extent that the concerns in the paper are legitimate, there are cases where browser-based fillers may fail to "make it hard" where they should.

Contrast that with the alternative of using copy/paste. Copy/paste offers no protections whatsoever against you filling in credentials to the wrong web form.

It would be foolish to claim that 1Password's phishing prevention mechanisms can't ever be defeated. But with respect to what was tested in this paper, they are the best out there.
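The two fill-policy checks this comment says a manager must get right (no https-to-http downgrade, no filling a form whose action is a different origin than the page), plus the subdomain question it leaves open, as an added example in Python. This is illustrative code written for this thread, not 1Password's, LastPass's or the paper's code; the `should_fill` function, its rule ordering and the `allow_subdomains` switch are assumptions made here.

```python
from urllib.parse import urljoin, urlparse


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, with default ports filled in."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("unsupported URL: " + url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname.lower(), port)


def host_matches(page_host, stored_host, allow_subdomains):
    """Exact host match, or (if enabled) a true subdomain of the stored host.

    Suffix matching on the dotted boundary is what keeps 'evilfoo.example'
    from matching a credential stored for 'foo.example'. A real manager
    would also consult the public suffix list so that 'co.uk' style hosts
    are never treated as a site of their own; that is omitted here.
    """
    if page_host == stored_host:
        return True
    return allow_subdomains and page_host.endswith("." + stored_host)


def should_fill(stored_url, page_url, form_action, allow_subdomains=False):
    """Decide whether a credential saved for stored_url may be filled into a
    form on page_url whose action resolves to form_action.

    Returns (decision, reason). Rules, in order:
      1. never downgrade: an https credential is not filled on an http page;
      2. the page host must be the stored site (or a subdomain, if allowed);
      3. the form must post to the same origin as the page it sits on.
    Note that a form whose action points back at the page's own origin passes
    rule 3, which is exactly why filling without a user gesture stays risky.
    """
    s_scheme, s_host, _ = origin(stored_url)
    page = origin(page_url)
    p_scheme, p_host, _ = page
    # Form actions are often relative; resolve them against the page URL.
    action = origin(urljoin(page_url, form_action))

    if s_scheme == "https" and p_scheme != "https":
        return False, "scheme downgrade: https credential on http page"
    if not host_matches(p_host, s_host, allow_subdomains):
        return False, "page host does not match stored site"
    if action != page:
        return False, "form action is cross-origin"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample cases mirroring the thread: a plain login, a
    # downgraded page, and a form injected into a page on the stored site
    # whose action points at a different origin.
    cases = [
        ("https://foo.example/login", "https://foo.example/login", "/session"),
        ("https://foo.example/login", "http://foo.example/login", "/session"),
        ("https://foo.example/login", "https://foo.example/mail/inbox", "https://bar.example/collect"),
        ("https://foo.example/login", "https://www.foo.example/login", "/session"),
    ]
    for stored, page, action in cases:
        print(page, action, "->", should_fill(stored, page, action))
```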


How bad is it for LastPass? I've used KeePass for a while, but the convenience of LastPass is such a killer feature :(


Basically you just need to turn off auto-login and auto-fill on all sites, no matter what your password manager is. All of the attacks depended on those two features, from what I could tell from a quick scan of the paper.


Can you do that globally?


I just did. (Using LastPass).


How can you set LastPass to globally disable auto-fill and auto-login? I checked again and I couldn't find any options in the extension or vault settings.


Using the Chrome extension, auto-fill is under Preferences > General, and auto-login is under Preferences > Advanced.


Thanks.



I wish iSEC Partners could have added My1Login (https://www.my1login.com) and DashLane (https://www.dashlane.com/) to their research paper so that we could have got deeper insights and comparison. My favorite is DashLane and I am very impressed with its data security mechanism. Reading the https://www.dashlane.com/security page gives DashLane's security model in a nutshell.


This just completely ruins LastPass as an enterprise product, which seems to be a major revenue stream for them. (Unless LP enterprise allows admins the option to globally disable these insecure "features".)


Interesting thought, I'll check it out.

Update: No, not able to set up a global policy - I'll contact them.


On an unrelated note: I am looking for a password manager that would allow me to assign a system wide shortcut. When the shortcut is pressed, a window would appear where I can search for the password I am looking for (think Alfred or Launchy). Searching for the password and hitting enter would type in the password into whatever field I previously had selected. Something open source would be perfect. I looked, but did not find anything like that. Something that works on OSX and Windows.


[Disclosure: I work for AgileBits, the makers of 1Password]

I didn't come here to engage in sales pitches, but when you specifically ask for a feature introduced in 1Password 4, it is hard for me not to mention it. 1Password Mini lives in the Menubar and does what you wish. There are also options for Alfred and LaunchBar integration.


I'd say KeePass, but that last bit (OSX and Windows) is what eventually made me turn to 1password, :/.


If you are on GNU/Linux you can use built-in tools with PGP (with a little help from bash scripts, and git if you want). I first saw it explained on this blog http://blog.sanctum.geek.nz/linux-crypto-passwords/ and it has worked really well for me. Feels more robust and secure than browser password stores, though probably not as convenient, but it's up to you, convenience or security.


Thanks for posting this.

The takeaway here is to turn off auto-fill and auto-login. You'll still get most of the convenience of the browser extension password manager: a repository of strong passwords that you don't have to remember and can access easily on multiple devices. This is why I use LastPass. I used to use KeePass and even donated to the project, but I wanted more convenience, support in the long run, and never liked the .NET dependency.


I never use password managers. The reason is simple: I don't want to rely on another piece of software. If I had to remember 20 passwords I would, and in fact I do carry around 10 different passwords in my head constantly.

I trust my own brain rather more. And if my brain is compromised, what else can you do with all the security we have on our desktop?


Password reuse is a bigger threat than password manager failure.

The old-school method is to use a GPG-encrypted flatfile with your passwords in it.

I generate unique, long, passwords for each site I visit. There are _very_ few of these I can remember. I'll run:

   gpg -d passwords.asc | grep siteurl
... (in a terminal) and enter my passphrase. There are other tools which can manage keychains and such, but this is simple, easy, reliable, and portable.


Because

1) Over the years it ends up being much more than 20 passwords. Bank accounts, credit cards, stock trading accounts, web servers, email accounts, IRA accounts, bitcoin passwords/keys, all kinds of work passwords, evernote, etc. I have more than 50 records in KeePass.

2) If you want secure passwords, they must be long (20 characters minimum) and random. Remembering something like that is nearly impossible for me. Once I started using KeePass, I feel way more secure than with my older scheme.


The issue is not about remembering passwords or how difficult the password is to guess; it is how responsible one is as a user.

Don't sign up for hundreds of accounts. I only have one bank so that's just one password.

Relying on other software to take care of security like this is not a good solution to me.


Isn't the solution obvious? Use the password manager to remember a unique password for each site but combine it with something you know. Prepend a password, mix your password in the middle, append it, etc. Problem solved?


I don't think the solution was "obvious" until you mentioned it. What you suggest might not be perfect (I'm not qualified to judge that) but it's certainly a very good idea.


It's so obvious when papers like this are released for publicity. "Instead of reporting small problems we find we should release a paper with a scary sounding title first"


Every example in this paper stems from the issue that these password managers do not respect same origin policy. Sounds like something that's easy to fix for the developers.


SOP does not apply to form fields, which is the exploit vector for the Y! mail attack.


Hrm. Seems like a better headline might be "Lastpass has some significant security flaws"? Doesn't really seem applicable to 1Password (not sure about KeePass).


I see it's not mentioning the open source KeePass.


Because it's not a browser extension, which auto-fills the login fields. And that's why I use KeePass.


There is a keepass extension, though. It's a pity they didn't review it.


Blah blah blah, inflammatory headline, blah blah blah, it doesn't do this one thing I think it should, blah blah blah.


Is there a good, ideally free password manager that works on Android, iPhone, and the web? Any recommendations?


I use Keepass for this. The android port (https://play.google.com/store/apps/details?id=com.android.ke...) works perfectly fine for me, and it looks like there are a few ports for iOS as well. Keepass itself has, of course, long established itself as a solid password manager. And the cost is $0.


Android has two versions of KeePass. Make sure you read the details before you choose which one you want to install. The difference between the two is how/where you store your key file, either on their server or on the local SD card.


MacPass makes the client tolerable on OSX too:

https://github.com/mstarke/MacPass

It's alpha but been stable for me for a month or two.

