
No doubt there are better ways and more secure ways to manage passwords, but I'd like to make an informed decision to determine if this is just too risky.

Briefly, when I receive a "welcome new user" message, I forward that message to myself and include the password. I know, this is basically an electronic version of post-it notes but I have a couple of good reasons for using it. I need your help to see if these are good enough or if these are even valid.

So, the main reasons I think this way may be "ok" are:

  1. The messages are stored only on my local machine. After receiving them, I make sure that all copies are removed from the server.
  2. The (corporate) e-mail system I use is encrypted and "safe"
  3. To gain access to the passwords, a hacker would need to be granted access to my machine which is less likely as it is on a corporate network.
  4. If a hacker did happen to gain access, he would not likely think to look in archived e-mail messages stored on the local machine

So, am I just asking to have all of my passwords compromised? Is there any way to quantify this risk?

Sayan
Michael J
  • What do you mean "your email system is encrypted and safe"? Also, why wouldn't an attacker think of looking at your emails or archives? That's pretty interesting stuff, as an attacker I would definitely look there. Also, you remove copies from the server, but you can't make sure they are also removed from backups, disks, snapshots, caches, etc. I wouldn't like my passwords to be sent by email. – reed Sep 14 '18 at 18:22
    I think the better question is, why would you use this method, when "real" password managers are: 1) more convenient 2) more user-friendly/easier to use 3) more secure 4) more portable 5) less likely to suffer data loss 6) actually designed for the purpose? You're jumping through hoops to avoid using something that will make your life both easier *and* more secure. – Ben Sep 14 '18 at 18:34

2 Answers

  1. ... I make sure that all copies are removed from the server.

No, you don't. Copies may exist in backups, swapfiles, wear-leveled Flash memory, and elsewhere.

  4. If a hacker did happen to gain access, he would not likely think to look ...

Now he would.

Just use one of the well-reviewed password manager programs. Re-inventing the square wheel is a poor use of your time.

mlp
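To make the "Now he would" point concrete, here is an added example (my code, not part of either answer or of Thunderbird) of what an attacker with a foothold on the workstation can do in a few lines: walk the local mbox folders and pull out anything that looks like a credential. It also shows why "removed" is not the same as "gone": Thunderbird marks a deleted message with the expunged bit (0x0008) in its X-Mozilla-Status header and leaves the bytes in the file until the folder is compacted. The mailbox contents, addresses and passwords below are constructed for the example; the flag layout is assumed to be Thunderbird's.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample local folder in mbox format (the format Thunderbird and
# most Unix mail clients use for local storage). Not real mail. The second
# message was "deleted" by the user: X-Mozilla-Status 0009 = read (0x0001) +
# expunged (0x0008). Assumption: Thunderbird's flag layout. Until the folder
# is compacted, the message is still sitting on disk.
SAMPLE_MBOX = """From - Fri Sep 14 18:00:00 2018
X-Mozilla-Status: 0001
From: it-helpdesk@example.com
To: michael@example.com
Subject: Welcome new user
Content-Type: text/plain

Your account has been created.
Username: mjones
Password: Tr0ub4dor&3

From - Fri Sep 14 18:05:00 2018
X-Mozilla-Status: 0009
From: michael@example.com
To: michael@example.com
Subject: Fwd: VPN account
Content-Type: text/plain

Keeping a copy for myself.
vpn pw: correct-horse-battery-staple

From - Fri Sep 14 18:10:00 2018
X-Mozilla-Status: 0001
From: newsletter@example.com
To: michael@example.com
Subject: Weekly digest
Content-Type: text/plain

Nothing sensitive in this one.
"""

EXPUNGED = 0x0008  # Thunderbird "deleted but not yet compacted" bit (assumed)

# Crude but effective: the kind of pattern an attacker greps for first.
CRED_RE = re.compile(r"\b(?:password|passwd|pwd|pw|pass)\s*[:=]\s*(\S+)",
                     re.IGNORECASE)


def mozilla_flags(msg):
    """Parse the hex X-Mozilla-Status header; 0 if absent or malformed."""
    try:
        return int(msg.get("X-Mozilla-Status", "0000"), 16)
    except ValueError:
        return 0


def text_parts(msg):
    """Yield decoded text/plain bodies, including those inside multipart mail."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")


def find_credentials(mbox_path):
    """Return one record per credential-looking line found in the folder.

    Deleted-but-uncompacted messages are scanned like any other, because
    their bytes are still in the file.
    """
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for msg in box:
            deleted = bool(mozilla_flags(msg) & EXPUNGED)
            for text in text_parts(msg):
                for match in CRED_RE.finditer(text):
                    hits.append({
                        "subject": msg.get("Subject", ""),
                        "deleted": deleted,
                        "secret": match.group(1),
                    })
    finally:
        box.close()
    return hits


def scan_sample(directory=None):
    """Write the constructed folder to a temp dir and scan it."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "Inbox")
    with open(path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return find_credentials(path)


if __name__ == "__main__":
    for hit in scan_sample():
        state = "DELETED, still on disk" if hit["deleted"] else "live"
        print(f"[{state}] {hit['subject']!r}: {hit['secret']}")
```

Run against a real profile you would point `find_credentials` at each file under the Thunderbird `Mail/Local Folders` directory; the point is that it takes minutes, not insight, and the "deleted" forward is recovered along with the rest.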

The messages are stored only on my local machine. After receiving them, I make sure that all copies are removed from the server.

Unless GPG/PGP or SSL/TLS is used between email servers (e.g. an email from Outlook being sent to Gmail), this would be a huge risk point. However, without E2EE (end-to-end encryption) server A and server B can still read the emails, as SSL/TLS will only provide endpoint security between the two servers, and not at rest.

The (corporate) e-mail system I use is encrypted and "safe"

This would be fine, except for the wording 'corporate'. As I cannot see how E2EE is handled, I cannot place any trust in the ciphers. This has another problem though: does corporate email (server A) encrypt the email so only you can access the email? This means once the email is encrypted, server A and server B (where the email will be received from server A) cannot read the plaintext email contents. The only one capable of decrypting the ciphertext is you, and not any server.

This would be an implementation of PGP.

To gain access to the passwords, a hacker would need to be granted access to my machine which is less likely as it is on a corporate network.

Given no plaintext, or decryptable copies (within a reasonable timeframe), are kept on any servers, this sounds good. However, you must now ensure the emails stored locally can only be accessed by you, and if your machine is compromised, how will you run interference? Encrypting your local email contents could be a viable option here. Mozilla Thunderbird offers 'profile encryption'. However, this only allows Encrypting File System (EFS), which is its only limitation. EFS will need to be your choice. Personally, I would opt for either an encrypted virtual machine (full-disk encryption) or another user where I would encrypt the user's home directory.

I can foresee another problem though: because Thunderbird does not know the message body contains a sensitive password, it may store contents within the cache, swap memory or temporary files stored within secondary storage (e.g. HDD). Note this point is mere conjecture and should be acknowledged for all programs.

If a hacker did happen to gain access, he would not likely think to look in archived e-mail messages stored on the local machine

While this could be unlikely, I would not want to risk my security on 'hope', especially the idea of 'I hope they will not think of this'.

Is there any way to quantify this risk?

I can break this down into several other points:

  • Is full-disk encryption used?
    • or is user directory encryption used?
  • How easily can the email profile contents be accessed locally?
    • is profile encryption used?
  • How protected are you against spyware?
  • What safeguards do you have against physical access, e.g. Evil Maid Attack?

These are only a few points, more can be added, but these would be major attack vectors to consider. If you are considering an alternative, but want an open source solution, consider KeePassX. If used correctly, it can also be used as a cloud-based password manager.

For further reading, Is sending password to user email secure?

safesploit