2. About Me
● CloudFlare Security Systems Engineer
● Previously an engineer at LastPass
● Wrote passgo (https://github.com/ejcx/passgo)
● On twitter @ejcx_
● Personal sites:
○ https://ejj.io
○ https://twiinsen.com
4. What is this talk?
● Define properties that all password managers should have
● Some basic technical details about individual pw managers
● Talk about what matters in a password manager for average people.
● Talk about some details about how technical analysis is done.
8. Cloud Password Servers
● This component will be missing if the pw manager does not sync.
● Web service of some sort containing encrypted data.
● What other data should be encrypted? Password managers generally
do not encrypt everything.
● Security measures, like 2FA usually enforced here.
9.
10. Core Service, Background Service
● Consume the web services APIs.
● Decrypt sites and persist process after log in.
● Update sites as they change
● Update API as new sites are created
11.
12. User Application + Background / Browser Integration
● Contains user interface.
● Contains bells and whistles that help users be secure.
● Auto fills passwords
13. What matters in a password manager!?
● Too much for one slide…
● “What features should all password managers have?”
● “Which features are security critical and need special evaluation?”
● “What are your personal needs in a password manager?”
14. What features should all password managers have?
● Password generator that can be used to generate different kinds of
passwords.
● Duplicate password finder
● Weak password finder
● Good UX for mobile support
● Strong crypto
● Import / Export you should be able to jump ship!
● Amazing mobile UX
15. The world is mobile now
● Password managers without a mobile component are useless to
average folks.
19. The scary part of mobile password managers
● There are hundreds of mobile password managers with unknown
quality. Who knows what they are doing.
20. What features need security evaluation
● Browser filling logic.
● Integration between browser extension and background extension.
● Password Generator.
● Crypto Primitives.
● HTTP Headers and Transport Security.
21. How to dive in and look under the hood
● Examine the API
● Examine the Crypto
● Examining the browser extension
● Examining the integration between browser extension and background
● Examining the auto-fill logic
22. Examining the API
1. chrome://extensions
2. Enable Developer Mode
3. Click “Background.hmt”
CloudFlare Security Systems Engineer
I wear a lot of different random hats.
I’m the company’s appsec person
I hunt vulnerabilities and then come up with remediation plans
I write code to fix vulnerabilities
I build security features and help make sure security products work, aren’t able to side step right around, etc.
Wrote all the account management and session stuff on our site.
Previously an engineer at LastPass
Where I got in to this world of password managers I guess.
I would regularly look at how other people’s password managers worked when I was at lastpass and learning what was good what was bad and what needed improvement.
Wrote passgo (https://github.com/ejcx/passgo)
It’s a command line password manager written in golang.
Has modern crypto
Password managers are a really really polarizing topic to people for some reason. This is one of the first things I learned when I was working at LastPass. Everyone on the internet is an expert and should be presenting at BSidesLV but I’m sure the organizers just didn’t have enough speaker slots open.
So many people loved lastpass and so many people hated it. Online discussions about anything password manager related generally breaks down in to a bunch of crazy people arguing.
I see the polarization with all of the password managers. Some people are “open source fanatics and love Keepass and KeepassX. Some people love their home brew excel spreadsheets.
I really want this talk to be constructive, not like these forum arguments, and help people make good security decisions. I feel like people just pick their password managers and then become online zealots without looking at the other possibilities.
This talk is meant to be non-biased. I am not going to throw any bad password managers under the bus….YET!!! That is coming soon. We’ll see soon. It’s meant to be super high level and accessible.
This talk is meant for average people. If you’re an at risk journalist or political dissident you have bigger problems. That’s what offline discussion is for.
Define properties that all password managers should have to help average folks be more secure
Or at least point out the things you might care about
Point out some things that I think some password managers are doing that help average people a lot.
Some technical details about individual pw managers
We will see some basic stuff but nothing super super diving in deep.
This talk is meant to cover pretty much all password management solutions that people use. Most people use one of these probably.
1Password - Apple powerhouse. Great for apple products.
LastPass - Windows and Linux people like it. Different security model than 1pass
Dashlane - raised a TON of money. 52m is what crunchbase says
Keeper - Super popular on mobile
KeePass has a confusing ecosystem. KeePassX vs KeePass, is there a difference? Tons of people love keepass citing that it’s “open source” as the reason
PasswordBox - (Rest in peace) they have been end of lifed by Intel who bougt them I think in 2014.
Pass is a systems password manager but some folks have built a pretty full featured ecosystem around it. It’s a command line password manager but it also has a mobile component and is backed by “git”
Except Spreadsheets and Password Journals.
The funny story is what is down at the bottom of the list.
I added excel spreadsheets because I got in to a slack argument with this person who was saying they had such great security requirements and huge risks that he would never EVER put his passwords into someone else's software.
People like him can’t really be helped. Passwords need to be managed. If not because you trust you current system but because you can’t trust sites not to lose it for you.
If you are one of these excel spreadsheet people, hopefully this talk will help you see all the stuff you’re missing out on.
This is a fairly generic “design diagram” of how most full featured password managers work.
You generally have four components.
The server that stores the passwords.
The application that consumes the password store and decrypts it all
The part of the application that has all the features. For example browser autofill with some password managers is implemented as a browser extension that talks to a client over a websocket.
Not part of the browser extension… not sure why I decided it belonged in my chart, but these passwords have to go somewhere.
Some password managers might not have all four components, or some of the components might be very tightly coupled and there’s only three.
Okay so first, quickly, the server storing your passwords.
I call it a “cloud password server”. This might be a dropbox server if you’re using 1password, a lastpass server, a github server if you use my password manager.
This component obviously won’t exist if the password manager does not sync.
Passwords MUST be held encrypted here. This is something that just about all password managers provide but not all password managers encrypt everything.
What else should be encrypted here? I don’t think there’s a right answer
Two things happen here. Lots of password managers don’t encrypt “username”. Lots of password managers don’t encrypt URLs. Is that Ok? Is it not okay? That’s not for me to answer.
Password managers you log in to, you normally will have a large overlap between your login username / email address and your website’s username that you log in with.
URLs, I’m not sure here as well. Does it really matter if someone knows that you have an account on a certain website? If you’re a journalist or a political dissident it might really really matter. For regular people probably not in the slightest.
For evaluating a password manager. I came up with two tickboxes here that are important.
Encrypts passwords
Encrypts all site data.
Next is the core service of the password manager.
This is fairly boring. All password managers pretty much do the same thing here, but in lots of different formats.
The core service and background service is the persistent process that receives updates from the server, decrypts site information, etc.
Sometimes the line between the Application/Core Integration is blurred. This is separate in some password managers in a much more obvious way. 1Password and Dashlane run a client on your desktop and communicate with it over a websocket.
The crypto is all implemented here and algorithm choices all matter here.
Next is the integration with the background service that does all the core decryption.
Basically, anything that modifys of uses the decrypted passwords.
Autofill
The password generation and save flow
Detecting password reuse, etc.
“What features should all password managers have?”
“Which features are security critical and need special evaluation?”
“What are your personal needs in a password manager?”
These are probably the most important features that password managers provide.
Password generator that can be used to generate different kinds of passwords.
Duplicate password finder
Weak password finder
Good UX for mobile support
Strong crypto
Import / Export you should be able to jump ship!
Duplicate password finder.
Super important to know where you exposed a password when someone gets hacked. Yahoo is investigating a really big breach right now, some article I saw said.
Weak password finder.
Strong crypto
We will talk more about this
My favorite answer to this is mobile support. Strong mobile support.
A huge percentage of the world is “mobile first” now. Mobile usability and being able to seamlessly use a password manager in a mobile app or a mobile browser is a huge win for security. More and more stuff is going to be mobile.
I think it’s pretty obvious what happens on mobile at this point.. Some people might argue that “snapchat is not important” but there are a ton of other apps like Uber/Lyft/Dropbox or whatever that I’m going to guess a ton of people only use on mobile.
I think a good conference talk would be about researching password trends and whether or not they are weaker than bigger devices. It sucks to create accounts and login on mobile. It SUCKS.
In my opinion, mobile password managers make a bigger impact on usability and help with security. It’s so painful typing passwords. Even federated auth is no good because federated in app auth support kind of sucks.
This shows off the agilebits in app integration for iOS.
https://github.com/AgileBits/onepassword-app-extension
This is more rare for mobile password managers to implement. Keeper, LastPass, 1Password implement this. I’m not going to talk about the Android app integrations in this talk but LastPass, but they exist too.
On android, the method for in app fill is different. For ex, LastPass has a bubble pop up to help you fill in, and a lot of other password managers have keyboard integrations to allow easy copy and paste, or fill.
Browser integrations are a must have on mobile as well.
Pretty much everyone does mobile integrations of browsers.
The important part about all the blabbering I’m doing about why passwords are a big deal on mobile, is it is the case that totally proves the guy I argued with in my slack channel wrong. Arguing on the internet is important you know. He hinted at a software solution he had was not software based. That says to me he either has a notebook or an excel sheet. The people with password journals that they keep at home in a safe cannot compete on mobile. It is so much more work..
Mobile password managers are scary.
Type in “password manager” in the apple app store. See just how much junk there is. Average people don’t have the tools they need to make a secure and good choice.
The answer to “what could have big security implications
Browser Filling logic
Since this is javascript, pretty much everyone has to add in their own crypto primitives. Tons of really big arrays of S Boxes or whatever else.
There are a few usual suspects that people really care about and would like to hunt for bugs in.
Look at Javascript as much as you can for learning about the applications. This is really useful. With javascript, all code is open source =].
Here is an example of examining the API for LastPass.
For LastPass, PasswordBox, and other extensions that talk directly with the server then you can easily check out the “background page”.
Go to chrome://extensions
Enable developer mode. It’s a radio button on the top.
Click “background.html” or whatever the background page is called.
Then you can watch all network transactions. Create a site and you can watch what happens.
Apps that do not have their extension talk with a server, have a thick client that talks to the server, like dashlane and 1password. This makes things harder if you are in to bug hunting. 1Password it is obvious what is happening You can see the data that is stored in dropbox. Dashlane could be more interesting.
Besides hunting using extensions. Hunting using the website is helpful too. You can see what the server sends to you.
For this I dug in to 1Password since it’s a little harder to dig in to a binary.
Pretty much all sites use the same crypto gets used across all password managers.
AES-[128|256]-CBC mode
Pbkdf2
In this space. There’s a really really big problem that is inherent in password managers. Updating the crypto is hard. It is not easy to flip a switch and move everyone from unauthenticated ciphertexts in AES-CBC to something authenticated.
Stick to reversing javascript. It’s a lot easier to reverse javascript than a huge client.
For 1password, they provide 1Password.html in case you have access to dropbox.
The autofill logic is a big deal now. I’m not sure why. It might have something to do with this guy.
The autofill logic is in the content script of the browser extension
Open up dev tools on the page.
Open up “Sources”
You can pop open the
I’m working on a password manager scorecard.
It isn’t ready yet, but it is a ton of checkboxes just like this EFF scorecard for secure messagers.
I’ll publish it probably at the middle of next week (best case). It should help average folks make good password management choices