Monday, July 21, 2014

Password Manager Security

A recent CSO Online article summarized the findings of a UC Berkeley research team, which found that five browser-based password managers contained security flaws that could lead to the compromise of the login credentials they were protecting.

The research team’s work outlines an evaluation of password managers against their primary directive of ensuring that stored passwords are only accessed by the authorized user and the website that the password is for. Unfortunately, their evaluation found all five password managers contained flaws in their implementation.

In order to evaluate the password managers, the research team looked at five main attack vectors.
  1. The password manager must maintain the integrity of the master account and password, making it impossible for an attacker to impersonate a valid user and retrieve credentials.
  2. The password manager must securely store the list of credentials. The storage mechanism must ensure confidentiality, integrity, and availability of the database. In particular, attackers should not be able to learn, modify, or delete credentials.
  3. If the password manager provides sharing of credentials between users, then appropriate safeguards must be taken to maintain collaborator security.
  4. The password manager must not operate in a way which allows user fingerprinting to happen. This would allow multiple, coordinated attacker websites to deduce identity information based on information passed between the websites by the password manager.

At Ohanae, we believe that password security is a key piece of our overall cloud privacy protection offering. Below we review some of the key vulnerabilities found and how they apply to Ohanae.

Each of the password managers surveyed provided a cloud-based implementation that exposed the password store. In some implementations, the cloud-based password store was not encrypted, or the data for the password store (usernames and passwords) was sent in the clear to the server in the cloud.

Ohanae does not store passwords in the cloud or on local devices. Other credential information (domain and username) is stored on the local device and passed through the cloud (for synchronization with other devices), but it is encrypted both during transmission and while stored.

Passwords are generated on demand, only on authorized devices, by a user who holds the master passphrase. This provides two-factor authentication on local devices and ensures that there is no static store which can be attacked and decrypted.

Finally, the master passphrase is only ever used locally and is never transmitted, even between devices of the same user — using Ohanae’s patent pending technology to ensure that sensitive passwords and passphrases are retained and used only on authorized end devices.
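To make the on-demand model above concrete (nothing but domain and username is kept as metadata; the password is recomputed whenever it is needed), here is an added Python example. It is not Ohanae's code and says nothing about their patent pending method; the PBKDF2 cost, the symbol alphabet and the per-site counter are constructed assumptions.

```python
import hashlib
import hmac
import string

# Constructed parameters for illustration. A real product would pin its
# KDF cost and alphabet for the lifetime of a user's account, since changing
# either silently changes every generated password.
KDF_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_key(master_passphrase: str, username: str, domain: str,
                    counter: int = 1) -> bytes:
    """Stretch the master passphrase with PBKDF2-HMAC-SHA256 and bind the
    result to (domain, username, counter), so each account gets an unrelated
    32-byte key and no password ever needs to be written to disk."""
    salt = f"{domain.lower()}|{username}|{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def key_to_password(key: bytes, length: int = 20) -> str:
    """Expand the site key with HMAC in counter mode and map bytes into the
    alphabet using rejection sampling, so every symbol is equally likely."""
    limit = (256 // len(ALPHABET)) * len(ALPHABET)  # largest unbiased bound
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


def generate_password(master_passphrase: str, username: str, domain: str,
                      counter: int = 1, length: int = 20) -> str:
    """The only record a device must keep (and sync) is the metadata
    (domain, username, counter); the password itself is recomputed on demand
    by whoever holds the master passphrase. Bumping the counter is how a
    password gets 'changed' without storing anything new."""
    key = derive_site_key(master_passphrase, username, domain, counter)
    return key_to_password(key, length)


if __name__ == "__main__":
    # Constructed sample metadata record, the kind of thing that would be synced.
    record = {"domain": "example.com", "username": "alice", "counter": 1}
    print(generate_password("correct horse battery staple", **record))
```

The trade-off this design makes is that the master passphrase is the single secret: it must never leave the device, which is exactly the property the post claims for Ohanae.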

Many of the password managers surveyed used bookmarklet technology to allow web browsers on popular mobile computing platforms (iOS and Android) to directly retrieve credentials from their stores. Due to the untrusted execution environment of bookmarklets, they require special handling to ensure that only secure APIs are called.

Ohanae does not use bookmarklet technology. We use secure browser extensions where available (primarily on our PC and Mac implementations), and rely on user copy and paste for insecure environments (such as most mobile operating systems).

Furthermore, since we only provide username and password to login forms, we do not add any additional data to form submission which would allow any type of fingerprinting operation.

The researchers also mention the vulnerability of password managers to phishing attacks, in particular attacker websites opening dialogs that ask for the password manager's username and password. Since the Ohanae application does not run inside the browser, it is easy to differentiate an attacker prompt (in a web UI) from the valid client login prompt.

Finally, at the time of this writing, Ohanae software does not provide a mechanism for sharing passwords between users. However, this feature is part of our product vision and roadmap, and we’ll pay close attention to the UCB research team’s recommendations in this area.

Ohanae believes, as the research team states, that “password managers provide tremendous security and usability benefits at minimal deployability costs”, and we appreciate the time and effort the research team has spent analyzing typical attack vectors and the current state of the password manager art.

Ohanae is committed to providing industrial-strength security in all three parts of our complete cloud privacy protection offering: securing login credentials, securing data in motion and at rest in cloud storage providers, and securely and collaboratively sharing data.
