
Regarding this: Are passwords in memory?
So does someone have a good idea on how to securely store my passwords? The "passwords.txt" -> ctrl+c; ctrl+v a password approach is not very secure.
I have passwords for various places, and they're very long random chars, which change too often.
Are there any good password manager apps that can securely show passwords stored in them? (e.g.: really protect me from "bad people" getting passwords from memory?)

LanceBaynes
  • Btw, I realized that it is not clear from your question that you're asking about *your own* passwords, for other services, stored on your desktop (or laptop, or whatever) - as opposed to an application / service storing passwords for all registered users. Can you put that clarification in the question (assuming I understood correctly)? – AviD Apr 26 '11 at 18:12

6 Answers

12

If your "paranoid dial" is turned up all the way to 11, the short answer is "No".

No matter how you store your passwords, there will at some point be a transfer in memory that is a cleartext representation of some authenticator. That "cleartext" may be your ASCII password, or it may be a hash of it, but it will still be enough to independently validate your credentials to the recipient. This is because the authenticator has to be entered in its natural form, before the system can process it for hashing or encryption.

If your concern is about rootkits, malicious debuggers, and similar attacks, there's no method of password management or storage that can keep you totally safe.

The only real mitigation for this vulnerability is to have two-factor authentication, with one factor being a dynamic element of some kind (i.e.: RSA token or "callback" authentication), on everything. This way, no matter what static elements are captured from your memory, an attacker can never re-use your credentials without the dynamic authenticator.

Of course, there's still the possibility of side-channel attacks such as session hijacking and the like, but those are beyond the scope of this question.

For a more practical means of protecting your password, which will cover most defensible vulnerabilities, you're best served to go with a secure password manager such as KeePass or others like it.

Iszi
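The "dynamic element" Iszi recommends, as an added example that is not part of the original answer: a stand-alone Go implementation of HOTP (RFC 4226) and TOTP (RFC 6238), the algorithm behind most software and hardware tokens. The shared secret and timestamps are the RFC test vectors; the function names and the one-interval skew window are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp implements RFC 6238: the HOTP counter is the number of whole
// `step`-second intervals elapsed since the Unix epoch.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts a code for the current interval or up to `skew`
// intervals either side of it (clock drift), comparing in constant time.
func verifyTOTP(secret []byte, code string, unixTime, step int64, digits, skew int) bool {
	ok := false
	for w := -int64(skew); w <= int64(skew); w++ {
		expected := hotp(secret, uint64(unixTime/step+w), digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			ok = true // keep looping so timing does not reveal which window matched
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%-11d code=%s\n", ts, totp(secret, ts, 30, 8))
	}
	captured := totp(secret, 59, 30, 8) // what an attacker scraping memory at t=59 would get
	fmt.Println("captured code accepted at t=59: ", verifyTOTP(secret, captured, 59, 30, 8, 1))
	fmt.Println("captured code accepted at t=149:", verifyTOTP(secret, captured, 149, 30, 8, 1))
}
```

The code derived at one moment is worthless ninety seconds later, which is the property the answer relies on: a password scraped from RAM is a static secret and can be replayed, a TOTP code cannot. The caveat is that the shared secret itself is still static and must be protected on both ends, so a rootkit on the client that reads it gets everything; the second factor buys replay resistance, not immunity.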
11

Greetings, there are plenty of password managers out there that will do what you need.

A popular option is KeePass, which is free and also has the advantage of having apps for a few platforms out there (Windows Phone, iOS, Android).

Bushibytes
  • I second KeePass and would also recommend "OI Safe" if you use an android device. – Ormis Apr 26 '11 at 15:31
  • Related to keepassx on Linux and Mac – nealmcb Apr 28 '11 at 22:04
  • But I don't think keepassx (and keepass also?) protects you from apps and web sites that can access your clipboard, as discussed in the question. – nealmcb Apr 28 '11 at 22:08
  • Keepass is a great application and you should definitely use it not only to store your passwords, but also to generate them. Keepass has a configurable password generator (you can choose the length, the special characters to use and so on) and can generate very strong passwords. – dSebastien May 03 '11 at 18:52
  • @nealmcb: Keepassx (not sure about keepass) has an option to clear the password from the clipboard after X seconds: Extras > Settings > Security > Clear clipboard after: XX seconds. – bstpierre Nov 11 '11 at 18:25
2

TOTAL REWRITE: AviD's point was well taken - the first edition was for password storage on the server, not for a user storing his passwords on the client. Here's try #2.

If you're storing passwords for various sites, your application will need to:
  • Store them securely
  • Retrieve them accurately

So you can't just salt the passwords; you need a system that will encrypt them. That suggests that you might want to look into applications that are FIPS 140-2 compliant. There are 4 levels of FIPS 140-2, but they all focus on cryptographic devices with key storage capabilities that offer various escalating security features. The lowest end is basic good practices that can be implemented in software libraries; the upper end is devices that cost lots of money but offer high confidence in the system's capability to protect itself. For a normal human, I would think FIPS Level 1 or 2 (the low levels) would be sufficient.

You could either write your own application using a FIPS compliant library (NSS is one, if you happen to be a Java geek), or look for applications that claim FIPS compliance in their crypto implementations.

No matter how you store the passwords, you're going to end up needing a key of some sort to decrypt them. That means you'll have the classic chicken and egg problem - how do you store the key securely so that your passwords are secure? Given that you have lots of passwords grouped in one place, you've increased the security demands on key storage. My thought would be to either memorize the key, or store it in offline storage.

bethlakshmi
2

Firstly, let's get things in perspective: passwords are way too broken to obsess over to this extent. If loss of a password is intolerable then you probably shouldn't be using a password in the first place - look into using one time passwords, two factor authentication, certificate based schemes or similar.

After all, sooner or later you have to type the password into some client which you must trust (might not even be a computer you control, might be keylogged). Someone may see you enter the password. Not only that, but your password is almost certainly also processed and stored in a target system that is completely beyond your control - probably more than one if you reuse passwords across systems as most people do. All of the storage involved is almost certainly more vulnerable and much easier to compromise than the RAM in a trusted device that is under your physical control.

So your password(s) should be regarded as fundamentally disposable and unlikely to remain confidential for an extended period, no matter what you do.

Having said that, passwords aren't going away any time soon, so either use a number of passwords which you can remember yourself (e.g. have a few different passwords or passphrases and use them for sites of different value), or use a password manager or password generator/manager.

frankodwyer
1

You properly note not only the danger of storing passwords in plain text, but also of using copy/paste to move them around.

In our question on "Is clipboard secure?", Guillaume's answer notes that many apps and web sites have access to your clipboard, and that Password Safe avoids that by letting you drag-and-drop the password to the web page on which you want to enter it. It also quickly wipes the password from memory.

On the other hand, from the "Are passwords in memory?" answer about KeePass, Paperjam says

there's a cut-and-paste mechanism that clears the clipboard after 12 seconds, and it monitors the clipboard to see if there's other processes monitoring it as well. Further, there's an auto-type feature that skips the clipboard altogether.

so KeePass may be good also.

nealmcb
0

It depends on the security and authentication mechanism you are looking for. For a simple case, I would recommend https://www.grc.com/passwords.htm for generating awesome random difficult passwords.

Legolas
  • Welcome to the site. Your suggestion is good for *generating* passwords, but this question is about *storing* them. Perhaps you could expand your answer to include some solutions for that? – Iszi Apr 26 '11 at 14:27
  • Sridharan I just want you to know that Steve Gibson is on attrition.org [Have a look!](http://attrition.org/errata/charlatan/steve_gibson/) – KilledKenny Apr 26 '11 at 19:16
  • @Iszi: Apologies! I am just learning how to use StackOverflow. – Legolas Apr 26 '11 at 20:14
  • @WZeberaFFS - Aside from the connection to GRC, I'm not sure exactly what relevancy that comment has to this answer - let alone what actual value it adds to the discussion here. – Iszi Apr 28 '11 at 20:45
  • Note: Never trust a 3rd party on the internet to provide you with passwords. They might be weakly generated, they might decide to seed them maliciously, they might decide to search for sites where they are used and impersonate you.... – AviD Jan 26 '14 at 19:37
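AviD's warning, as an added example that is not part of the answer or its comments: generate the password locally from the OS CSPRNG so that no third party ever sees it. crypto/rand and math/big are Go standard library; the alphabet, the helper names and the 24-character length are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// defaultAlphabet is one choice of "random chars"; adjust it to each site's rules.
const defaultAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"

// generatePassword draws every character from the OS CSPRNG. rand.Int selects
// uniformly in [0, len(alphabet)) by rejection sampling, so no symbol is favoured
// the way `randomByte % len(alphabet)` would favour the first few. The result is a
// []byte rather than a string so the caller can wipe it once it is stored.
func generatePassword(length int, alphabet string) ([]byte, error) {
	if length <= 0 || len(alphabet) < 2 {
		return nil, errors.New("need length > 0 and an alphabet of at least two symbols")
	}
	n := big.NewInt(int64(len(alphabet)))
	out := make([]byte, length)
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return nil, err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return out, nil
}

// entropyBits is log2(|alphabet|^length): the guessing work an attacker faces
// if the generator is sound, which is the one thing a remote generator cannot prove.
func entropyBits(length int, alphabet string) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// onlyFrom reports whether every byte of pw comes from alphabet.
func onlyFrom(pw []byte, alphabet string) bool {
	for _, c := range pw {
		if !strings.ContainsRune(alphabet, rune(c)) {
			return false
		}
	}
	return true
}

func main() {
	pw, err := generatePassword(24, defaultAlphabet)
	if err != nil {
		panic(err)
	}
	fmt.Printf("password: %s  (%.0f bits)\n", pw, entropyBits(24, defaultAlphabet))
	for i := range pw {
		pw[i] = 0 // wipe once it has been saved in the manager
	}
}
```

The length and alphabet are the only knobs, and the entropy figure makes the trade-off explicit: 24 characters from this 75-symbol alphabet is about 149 bits, far beyond anything a remote service needs to be trusted for.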