Saturday, December 20, 2008

Don't Rely on Password Managers to Keep you Safe on Untrusted Computers

In my previous post on password managers, I concluded that they can help you by "remembering" strong, hard-to-guess passwords for your different online accounts (or for other personal information). Actually, though, I started investigating these programs with a specific need in mind: to find a way to use my private accounts on untrusted computers such as public computers (airports, libraries, cybercafes) or your friend's computer if you aren't sure about the security it has.

In my post "Danger Ahead: Using the Cybercafe," I talked about the dangers of public computers, especially the fact that they can capture what you type including your user names, account numbers, and passwords, then pass that information along to cybercriminals. What good is a cybercafe if I can't trust it enough to log into my email account, for example? I looked into the password managers hoping that they would protect my information on public computers, but unfortunately my conclusion is that they do not. There is a ray of hope in another sort of solution, kyps, which I will mention later.

Can Password Managers Keep you Safe on Untrusted Computers?

Short answer: no. You should not use your personal data on an untrusted computer, even by way of a secure password manager. The kyps approach is more promising, but using your own (clean) computer is still the safest.

Long answer: no, though a password manager might reduce the risk somewhat. The problem in a nutshell is that, in principle, an untrusted computer and do anything with the data that goes through it. Theoretically, for example, someone could design a program from scratch that looks and acts just like Windows but also stores and forwards all personal information to the RBN (Russian Business Network) or other cybercrime center. There is simply no way to make an untrusted computer into a secure one.

Passpack is one of the two online password managers I reviewed. When I asked the company about this issue, this is what they said:

Yes, you're absolutely correct. The decrypted pack is used by (thus temporarily stored in) the javascript DOM. So any application that can access that DOM, can access the information stored in the decrypted pack.

As you noted, local memory is an issue with any program, online or off. Unfortunately, for as much as we can do to protect your account, you need to make sure you are on a clean computer. We have written one post to this effect here:

If I understand correctly, since Passpack stores your data in a single pack which it decrypts on your local computer, not only the passwords you use in a session but all your data is exposed this way, which would be dangerous on an untrusted machine.

Security expert Keith Bergen says,

In order for the passwords to be transmitted they have to pass through memory unencrypted so after they're sent to the other side the site can run a hash (md5, or what ever) against the plain text password to compare it to the hash that it stores. There are a few pieces of software that will look for passwords in memory as that is one of the best places to lift them from. ...

There are methods of stripping out the local SSL cert that your computer uses to initiate the SSL communication with the server and to copy and decode all SSL traffic that is sent to and from your computer. There are many Linux programs that do this and I have heard of some Windows implementations as well.

Bergen goes on to say that the practical implications of these issues are less clear. Even though methods exist to steal you credentials in these ways, we don't know how widespread they are. One thing is sure, though, and that is that the cybercriminals are sophisticated, motivated and bright. If it becomes cost effective for them to steal your identity in this way, then they will. So, although some of these managers may in some cases be better than nothing, their security is not something to, so to speak, put your money on. (And note that they may be worse than nothing as in the case of Passpack).

The author of kyps, Andreas Pashalidis, also discusses the risks of using password managers as well as other methods of trying to make a public computer safe. He points out that malware on the computer might not only capture your passwords, but also corrupt the data on your flash drive (if that's what you use) or infect the drive with malware making it unsafe to use even on your own computer.


In the end, I would not want to use any password manager on an untrusted computer, that is one that I am not reasonably sure is free of malware. In a situation where I had no alternative but to use an untrusted computer (suppose I was dying and stranded in a Somali village with no cell phones but with a cybercafe), I would either type in the credentials by hand or use a password manager, then change them as soon as possible and watch for any suspicious activity. However, there is a better approach, which is kyps, discussed in the next post (or just go there and have a look).

No comments:

Post a Comment