TechEcho

Ask HN: How Safe Are Password Managers on Compromised Devices

6 points by janniks over 2 years ago
I've been thinking about password managers a lot lately. More specifically, about what malware could do (and not do) on a compromised machine using a password manager (e.g., 1Password). I'm no operating systems expert and would love to know how far a program with or without root access could go in reading the password manager's data. This might differ between host OSes (Linux vs macOS vs Windows).

Let us assume a standard master-key plus master-password setup. We also assume a hosted data service by the provider (i.e., they store everything encrypted, except the master-key and master-password).

Obviously malware could access the clipboard and thus get each password copied to the clipboard. But how far does it go? Can we access passwords in memory when the vault is unlocked? etc.

Can malware access the master-key? Can malware access the master-password? How? Only via keyloggers? Can malware access all passwords when the vault is unlocked? Can malware access anything in RAM? What could malware do when sniffing network connections?

Thanks for indulging me! Would be great to get some understanding from experts in OS or password managers.

1 comment

disadvantage over 2 years ago
Malware that has root privileges can do anything. Even reading secrets from RAM. You said you're not an operating system expert, but I am one, of sorts. One strategy I have is having a clean install of an OS that has just the bare minimum amount of software installed, which minimizes the chances of running something malicious. No browsing is done, as the browser is the main vector for infection, no matter how hardened the browser is: it's the main route of infection. I also monitor all my traffic with a firewall so I can disallow any connections I deem as suspicious. I also use ClamAV to do routine sweeps of my system for any 'low hanging fruit' that could be lurking there.
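The question asks whether passwords can be read out of memory while the vault is unlocked, and the reply says root malware can read RAM. The script below is an added example (not code from the thread or from any password manager) that shows the mechanism on Linux: it walks /proc/<pid>/maps, reads the writable private mappings through /proc/<pid>/mem, and searches them for a constructed sample secret. It scans its own process because a process may always read its own memory; pointing it at another pid is gated by the kernel's ptrace access check, so it then needs root or CAP_SYS_PTRACE, or the same uid with kernel.yama.ptrace_scope=0 and a dumpable target. The secret value, the function names and the bytearray-based wipe are all assumptions made for the example.

```python
"""Find a plaintext secret in process memory via /proc/<pid>/mem (Linux only).

Added example for the thread above, not code from any password manager.
Scans the current process (no ptrace permission needed); the same code
against another pid needs root, CAP_SYS_PTRACE, or same-uid plus
kernel.yama.ptrace_scope=0 and a dumpable target.
"""
import ctypes
import os
import sys

IS_LINUX = sys.platform.startswith("linux")


def writable_private_regions(pid):
    """Yield (start, end) of rw-p mappings: heap, malloc/pymalloc arenas, stack.
    Secrets held by a running program live in these, not in read-only code."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            addr, perms = line.split()[:2]
            if not perms.startswith("rw") or perms[3] != "p":
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end


def read_memory(pid, start, length):
    """Read `length` bytes at virtual address `start` of process `pid`."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(start)
        chunks, remaining = [], length
        while remaining:
            chunk = mem.read(remaining)
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks)


def find_in_memory(pid, needle):
    """Return every virtual address where `needle` occurs in the writable
    private mappings of `pid`. This is the core of a memory-scraping tool."""
    hits = []
    for start, end in writable_private_regions(pid):
        try:
            data = read_memory(pid, start, end - start)
        except OSError:
            continue  # special or protected mappings are not readable
        pos = data.find(needle)
        while pos != -1:
            hits.append(start + pos)
            pos = data.find(needle, pos + 1)
    return hits


def buffer_address(buf):
    """Virtual address of a bytearray's backing storage (via ctypes)."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def wipe(buf):
    """Overwrite a mutable buffer in place, as a vault should do on lock."""
    for i in range(len(buf)):
        buf[i] = 0


def demo():
    """Hold a constructed secret in a bytearray, locate it in our own RAM,
    wipe it, and confirm the address no longer holds it.
    Returns (found_before_wipe, zeroed_after_wipe, found_at_addr_after_wipe)."""
    secret = bytearray(b"hunter2-vault-entry")  # constructed sample secret
    addr = buffer_address(secret)
    needle = bytes(secret)  # immutable copy: cannot be wiped, see note below
    me = os.getpid()
    before = addr in find_in_memory(me, needle)
    wipe(secret)
    zeroed = read_memory(me, addr, len(needle)) == bytes(len(needle))
    # `needle` (and any str copy ever made) still sits elsewhere in memory:
    # wiping one buffer is useless if the secret was copied into objects the
    # program cannot scrub, which is exactly the in-memory exposure asked about.
    after = addr in find_in_memory(me, needle)
    return before, zeroed, after


if __name__ == "__main__":
    print(demo())
```

Two practical checks follow from this. First, whether another process can be scanned this way is decided by the ptrace access check, so `sysctl kernel.yama.ptrace_scope` and whether the vault process clears its dumpable flag (prctl PR_SET_DUMPABLE) matter more than any anti-debugging trick; with root neither helps, as the reply says. Second, the wipe only removes the one buffer the program controls; copies made into immutable strings, the clipboard, or a browser extension's message buffers remain until overwritten, so "locking" the vault narrows the window rather than closing it.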