
I'm a LastPass user and many times I thought about switching to the Credential Manager, for auto-sync and a certain comfort with the Windows environment. The only thing that I'm worried about is its security. I heard that it's quite easy for someone to access these credentials once they've gained access to your computer, is it so?

Should I stick with Lastpass and maybe check in future for eventual improvements?

  • I can tell you that any elevated process can simply fetch your credentials in the store and get them back in plain text. That's about all I can confidently contribute. –  Apr 07 '16 at 14:03
  • @TechnikEmpire wow, well... better stay far far away from it then –  Apr 07 '16 at 15:19
  • Indeed. Even still with Windows 10 official universal app documentation, they promote the store as a secure place. It's only "secure" if you trust the user's machine and every single process that will ever run on it. In fact there's even a C# library that makes you able to get the plain text values in 10 lines of code or less. The only way I'd use this is if I stored a pre-hashed version of the password instead of the actual password and I only needed to verify the hash locally. –  Apr 07 '16 at 16:19
  • I put it into an answer, because nobody else did. :) –  Apr 09 '16 at 18:10

2 Answers


The Windows Credential Manager is anything but secure. It's "secure" at the user account level, which means that any process that the user ever runs and the user themselves must necessarily be trusted in order to call this system "secure" with a straight face.

The only semi-secure way of using the Windows Credential Manager is to store values pre-hashed, then verify those hashes. However, since any elevated process the user runs has full read/write capability on that user's credential store, it simply can't be trusted at all.

Let's think about "secure" in the sense of locking an application locally. Let's take the example of a content filter that locks the settings page to keep the kids from enabling adult content, using the Credential Manager to store custom credentials. The same user, trying to bypass this, can do so easily. A user can visit the Credential Manager in the Control Panel and, though the values show up as asterisks (*****), they can simply erase the value and replace it. Delete your hash, put in their own, and they're in.

What's even sillier is that the Control Panel will show asterisks, but if you use code accessing the applicable APIs, you can get the values in plain text. So passwords are not safe, hashes and such you verify to lock something are not safe. It's not safe, it's a piece of garbage and I've struggled for a long time to understand its usefulness, except for Microsoft to apparently have plain text copies of all of your passwords they can sell to the NSA.

Note
I realize there are measures you can take to encrypt contents before storing them, hashing them correctly, etc., but my criticism still applies because doing these additional things is creating security, not the Windows Credential Manager. My problem with the Windows Credential Manager is that it advertises that using it through its provided GUI and/or API is secure.

  • You don't need to roll your own protection when using the Credential Manager. Applications should use DPAPI's "additional entropy" parameter when storing secure data such as passwords. This additional entropy is basically a string or master password which should not be stored anywhere. The user must enter this password within the application so that the application can retrieve the decrypted data. Such data in the Credential Manager is secure from rogue processes except key loggers or low level compromise. It's shocking that Internet Explorer doesn't use a master password / additional entropy. – Monstieur Aug 01 '16 at 16:34
  • What's even worse is that Outlook is still using Credential Manager under Generic Credentials if the user opts to remember their login. – alans Jan 19 '18 at 18:58
  • Your answer is not backed with facts, it is written subjectively (with a straight face, etc.). User A can access credentials for user A but not for user B. The content of the vault is encrypted but the master keys are supposedly possible to extract when looking at a better answer for a similar question: https://security.stackexchange.com/a/177686 – Yepeekai Jul 08 '19 at 17:34
  • https://en.wikipedia.org/wiki/Data_Protection_API Everything is encrypted. The security is as good as your account password. – Yepeekai Jul 08 '19 at 17:51
  • I agree with Yepeekai. If you run an app with elevated privileges it can also install a key logger, malware, erase your entire PC, encrypt your data for ransom, etc. Do not run any app you don't 100% trust as admin. EVER. If you need to run random apps as admin, do it securely inside a VM or container where the app would then have to jump out of the VM to steal your passwords. – Brian D. Jul 24 '19 at 15:12

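As an added illustration (not code from this thread, from Microsoft, or from LastPass), the following PowerShell shows the pattern Monstieur's comment describes and that the next answer's "encrypted with your Windows password" point rests on: DPAPI protects a blob under the logged-in user's key, so only the optional entropy, derived here from a master password that is never stored, stops other processes running as the same user from decrypting it. The function names, the PBKDF2 step and the sample secret are my own choices; it assumes Windows PowerShell 5.1 or later on a Windows machine.

```powershell
# Added example, not from the original thread: DPAPI with optional entropy.
# Windows PowerShell 5.1 needs this assembly loaded for ProtectedData.
Add-Type -AssemblyName System.Security

function Get-EntropyFromMasterPassword {
    param([string]$MasterPassword, [byte[]]$Salt)
    # Derive 32 bytes with PBKDF2 so the raw master password never touches DPAPI.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterPassword, $Salt, 100000)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Protect-SecretWithEntropy {
    param([string]$Secret, [string]$MasterPassword)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    [byte[]]$entropy = Get-EntropyFromMasterPassword $MasterPassword $salt
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($Secret), $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # The salt is not secret and travels with the blob; the master password is stored nowhere.
    [PSCustomObject]@{ Salt = $salt; Blob = $blob }
}

function Unprotect-SecretWithEntropy {
    param($Stored, [string]$MasterPassword)
    [byte[]]$entropy = Get-EntropyFromMasterPassword $MasterPassword $Stored.Salt
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Stored.Blob, $entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch {
        # DPAPI throws CryptographicException when the entropy (or the user key) does not match.
        return $null
    }
}

# Constructed sample values for the demonstration.
$stored = Protect-SecretWithEntropy -Secret 'example-api-token' -MasterPassword 'correct horse battery'
Unprotect-SecretWithEntropy $stored 'correct horse battery'   # returns the token
Unprotect-SecretWithEntropy $stored 'wrong password'          # returns $null: same account, but no entropy, no data
```

Without the entropy argument (pass `$null` in both calls) the second call succeeds too, which is exactly the "any process running as the user can read it" property the answer above complains about.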

I heard that it's quite easy for someone to access these credentials once they've gained access to your computer, is it so?

It is not so.

Passwords stored in your credential vault are (ultimately) encrypted with your Windows password. In order to access the encrypted credentials, they need to know your password.

  • if someone knows your LastPass password, they can access your stored encrypted passwords
  • if someone knows your Windows password, they can access your stored encrypted passwords

But if someone has gained access to your computer:

  • they cannot access your LastPass passwords (because they're encrypted)
  • they cannot access your Vault passwords (because they're encrypted)

Bonus Reading

Technical details inside the Data Protection API

Ian Boyd