Vulnerabilities in Password-Manager Apps

263 points by tobijkl about 8 years ago

21 comments

tptacek about 8 years ago
A theme of this work is vulnerabilities in the "internal browser" some of the mobile password managers provide. Mobile password managers have internal browsers because it's not easy to extend the standard mobile browsers, and password managers want to automate the entry of passwords into form fields.

Don't use the internal browser of your password manager, no matter which one you use. There's too much that can go wrong, and the small convenience just isn't worth it.

AdmiralAsshat about 8 years ago
So, all three of the LastPass issues have been fixed, and within two weeks of being reported, to boot:

 * 2016-08-22 Vulnerability Discovered
 * 2016-08-24 Vulnerability Reported
 * 2016-09-06 Vulnerability Fixed

Velox about 8 years ago
One of the 1Password ones (https://team-sik.org/sik-2016-040/) about leaking URLs is marked as fixed; however, that's a little misleading. It's fixed if you use their newer vault format, which has limitations, and is not selected by default when you create a new vault. I wrote this about it a while back: https://myers.io/2015/10/22/1password-leaks-your-data/

M_Grey about 8 years ago
This is why I still go to the trouble of PGP encrypting a file with my passwords, rather than relying on a password manager. I keep wanting to switch, but damn it, I just can't bring myself to have that much trust in them.

Edit: Thanks for the informative replies, the links, and the advice. I'm going to explore all of my options and re-think this.

kqr2 about 8 years ago
Some older papers on security vulnerabilities of password managers:

https://www.schneier.com/blog/archives/2014/09/security_of_pas.html

Any thoughts on Bruce Schneier's PasswordSafe password manager?

SeriousM about 8 years ago
What about Enpass? That would be very interesting, since they also promise to be very secure.

Sir_Cmpwn about 8 years ago
Tangentially related:

https://github.com/SirCmpwn/pass-rotate

I posted it on here the other day but it didn't go far. It's like youtube-dl, but instead of downloading videos it changes your password on various online services. If you get your password compromised by vulnerabilities or whatnot, it makes it easy to mass-rotate your passwords. Could use some help adding support for more websites if you're interested.

</shameless promo>

toyg about 8 years ago
I looked at the LastPass ones (all for Android) and they look relatively minor. The only real wtf is https://team-sik.org/sik-2016-022/ - hardcoding keys should be a big nope. Still, it happens only if you use a PIN rather than your master password; I hope this does not happen in iOS if you use TouchID...?

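The "hardcoded key" design flaw toyg points at is easiest to see side by side with the alternative. The following is an added illustration, not code from the thread, from team-sik, or from any password-manager vendor: a toy vault where the encryption key is a constant baked into the app and the PIN only gates the UI, next to a vault whose key is derived from the user's secret with PBKDF2 and a random salt. The cipher used here (HMAC-SHA256 keystream, encrypt-then-MAC) is a stand-in so the script runs with the standard library alone; a real product would use an authenticated cipher such as AES-GCM. All keys, PINs and vault contents are constructed sample values.

```python
"""Added example: hardcoded vault key vs. key derived from the user's secret.
Toy cipher for illustration only (HMAC-SHA256 keystream + encrypt-then-MAC)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # Derive a keystream block by block: HMAC(key, nonce || counter).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate keys for encryption and authentication, both derived from the vault key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; raise ValueError on a wrong key or tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Weak design: the key is a constant shipped inside the app. ---------------
# Constructed constant; the point is that every install shares it and anyone who
# extracts it from the binary can decrypt every vault built this way.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def weak_lock(vault, pin):
    # The PIN is checked against a hash at unlock time, but it never touches the key.
    return {"pin_hash": hashlib.sha256(pin.encode()).digest(),
            "blob": encrypt(HARDCODED_KEY, vault)}


def weak_decrypt_without_pin(locked):
    # No PIN needed: the constant key is all it takes.
    return decrypt(HARDCODED_KEY, locked["blob"])


# --- Hardened design: the key exists only while the user's secret is present. --
def derive_key(secret, salt, iterations=200_000):
    # PBKDF2-HMAC-SHA256 with a per-vault random salt; the key is never stored.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def strong_lock(vault, secret):
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt(derive_key(secret, salt), vault)}


def strong_unlock(locked, secret):
    return decrypt(derive_key(secret, locked["salt"]), locked["blob"])


def unlock_fails(locked, secret):
    """True if the hardened vault refuses to open with this secret."""
    try:
        strong_unlock(locked, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = b"example.com: correct-horse-battery-staple"  # constructed sample entry
    weak = weak_lock(vault, "1234")
    print("weak vault opened with no PIN:", weak_decrypt_without_pin(weak) == vault)
    strong = strong_lock(vault, "master passphrase")
    print("strong vault, right secret:", strong_unlock(strong, "master passphrase") == vault)
    print("strong vault, wrong secret rejected:", unlock_fails(strong, "guess"))
```

One caveat the example makes visible: deriving the key from a 4-digit PIN instead of a passphrase still leaves only 10,000 possible keys, so a KDF by itself does not rescue a PIN-based unlock. That is why a PIN or fingerprint unlock should wrap the vault key with a device-bound key in the platform keystore rather than derive it from the PIN or, as in the flaw above, use no user secret at all.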
cjCamel about 8 years ago
Looks like all of the 1Password issues were discovered and fixed last September.

spullara about 8 years ago
I just use iCloud Keychain. The third-party ones can never be as secure. For non-Safari usage it's a little less convenient, but worth it.

bgentry about 8 years ago
Site's down. Text-only cached version at least lets you read some of the content: http://webcache.googleusercontent.com/search?q=cache:kJ5Zk-7KPswJ:https://team-sik.org/trent_portfolio/password-manager-apps/&num=1&hl=en&gl=us&prmd=ivn&strip=1&vwsrc=0

Globz about 8 years ago
We need the same kind of investigation for iOS. This kind of research was so much needed, because after all this is where we store our entire internet identities. Good job!

jquast about 8 years ago
Just my brief experience of 2-3 hours with LastPass today. Broken JavaScript errors when trying to import. Searched for customer support, couldn't find any! How do I file bugs? Sign up and post to their web forum?

I noticed their website is made entirely in PHP. Not that PHP is bad, but this is possibly the worst choice for a web platform that holds secrets. At only $12 a year, they probably aren't trying very hard.

JimA about 8 years ago
Anyone seen anything similar on Roboform? Been using them for years, but I wonder how much vulnerability testing it has gotten.

circa about 8 years ago
I have moved from LastPass to Dashlane and rarely have issues. It's been fairly solid for me the past year or so. Anyone had issues with Dashlane?

andybak about 8 years ago
Avast are still working on vulnerabilities reported in November 2016. They seem by far the least responsive of the apps mentioned.

jamesdwilson about 8 years ago
https://ssl.masterpasswordapp.com/

no_wizard about 8 years ago
Shocked I didn't see Bitwarden in here?

I use Bitwarden for some things (lots of testing, nothing serious). Given its OSS nature, I thought it might have had more traction.

For reference: https://github.com/bitwarden

chj about 8 years ago
Too bad 1Password doesn't encrypt titles and URLs.

tehabe about 8 years ago
Password Safe is missing …

jondubois about 8 years ago
Not surprising. Password managers give you convenience at the expense of security.