
Summary

I'm a LastPass user, but I have concerns about storing high-value passwords, like my bank password, online. I've read some posts on this topic but still have questions.

Threats

I'm looking for a solution that addresses the following threats (LastPass handles #2 and #3 but not #1):

  1. The attacker gets my encrypted passwords and has enough resources to break my passphrase. The attacker decrypts my online banking password offline, logs in, and steals all my money.
  2. The attacker tricks me into entering my password on a different site than I intend (phishing). The attacker gets my online banking password, steals all my money.
  3. One of my high-value accounts gets compromised. The attacker uses my password there to guess passwords to my other high-value accounts.

I have 4-5 online accounts that I consider high-value enough to be worried about these threats.

Questions

First, are there any more important threats that I'm overlooking here?

Second, how can I address these concerns? I was thinking of having a password manager store a random salt for each high-value account, hash this salt with a "master" password, and use it as the real account password (a bit like PwdHash). Neither the real account passwords nor the master password would be stored anywhere (encrypted or not). This seems to force the attacker to try their password guesses against the online service, rather than being able to break them offline.

Note that this "master" password, which is used to derive the account passwords, is different from LastPass's "master password/passphrase", which is used to encrypt the stored data.

Does this scheme address the threats above? Any software that implements this for Chrome on Linux?
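The derivation scheme sketched in the question, written out as an added example (this is not code from the question, from PwdHash or from any password manager): the vault stores only a random per-account salt and a length, the real password is derived from the memorised master with scrypt (assumed parameters N=2**14, r=8, p=1) and mapped onto an assumed password alphabet with rejection sampling, and a second function shows the attacker's side once one derived password leaks. Account names, the master passphrase and the character-class policy are constructed for the example.

```python
import hashlib
import hmac
import itertools
import json
import secrets
import string
from typing import Optional

# Constructed password alphabet; most sites accept these and demand mixed classes.
SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS


def new_salt_record(account: str, length: int = 20) -> dict:
    """The per-account record the manager stores: a random salt and a length, no secrets."""
    return {"account": account, "salt": secrets.token_hex(16), "length": length}


def _has_all_classes(pw: str) -> bool:
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def _keystream(key: bytes, attempt: int):
    """Deterministic byte stream: HMAC-SHA256(key, attempt || counter)."""
    for counter in itertools.count():
        yield from hmac.new(key, attempt.to_bytes(4, "big") + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()


def derive_password(master: str, record: dict) -> str:
    """Derive the real account password from the memorised master and the stored salt.

    scrypt (assumed parameters) makes each guess of the master cost CPU and memory,
    which is what protects the master if a derived password ever leaks.
    """
    key = hashlib.scrypt(master.encode("utf-8"),
                         salt=bytes.fromhex(record["salt"]) + record["account"].encode("utf-8"),
                         n=2 ** 14, r=8, p=1, dklen=32)
    limit = 256 - 256 % len(ALPHABET)  # rejection sampling: no modulo bias
    for attempt in range(256):
        chars = []
        for b in _keystream(key, attempt):
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == record["length"]:
                    break
        pw = "".join(chars)
        if _has_all_classes(pw):  # re-stream deterministically until the site policy is met
            return pw
    raise RuntimeError("could not satisfy character-class policy")


def guess_master_offline(record: dict, leaked_password: str, candidates) -> Optional[str]:
    """Attacker's view once ONE derived password leaks: the vault record is not secret,
    so master-password guesses can be tested offline against the leaked value."""
    for guess in candidates:
        if hmac.compare_digest(derive_password(guess, record), leaked_password):
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example master
    vault = [new_salt_record("bank.example"), new_salt_record("email.example")]
    for rec in vault:
        print(rec["account"], derive_password(master, rec))
    print("vault on disk (no secrets):", json.dumps(vault))
```

Two properties worth checking before adopting such a scheme. First, nothing in the vault is secret, so a stolen vault alone gives the attacker nothing to crack offline; that is the gain over a stored ciphertext. Second, the moment any one derived password is known to the attacker (phished, or leaked by a site that stored it badly), `guess_master_offline` shows that the non-secret salt plus that password is exactly an offline oracle for the master, and a recovered master unlocks every other account; the master therefore has to be long enough to survive that, the KDF has to be deliberately slow, and rotating a compromised account's password means replacing its salt, since the master cannot be changed per site.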

  • About the bank account passwords, if an attacker has enough resources to brute force a good Keepass master password then he definitely doesn't need your money. ;) –  Feb 02 '15 at 01:02
  • Wouldn't LastPass's multi-factor authentication prevent #1? – Joe Casadonte Feb 06 '15 at 01:51
  • The threat I have in mind in #1 is somebody breaking in to LastPass systems, stealing encrypted vaults en masse, and then trying to break passphrases offline. – user1020406 Feb 07 '15 at 20:29
  • @user1020406: That's why offline passwords managers like the above mentioned KeePass exists. It can use multi-factor authentication out of the box using a private key on a separate medium than the database + your strong password, everything is open source and all data managed by you. – WhiteWinterWolf Feb 09 '15 at 10:53

2 Answers


1) If you use a secure password, most password managers use very secure ciphers, which should not be crackable via brute force, but as dangenet said, we really have to rely on professionals to do their jobs right here.

2) Most managers use domain authentication when working inside your browser, so in this case you should be safer, but of course a password manager cannot prevent you from manually copying the password and inserting it yourself.

3) use random passwords, and don't reuse them, this is the main threat password managers should prevent.

As proven many times though, a much easier way to get into an account nowadays is social engineering (https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4 and many similar instances). The main risk here isn't on your side, and with not reusing passwords, using a secure way to remember them (trusted password managers or your memory) and watching where you enter your passwords, you shouldn't be at much of a risk.

Ladislav Louka

I've used both KeePass and LastPass, and I'll share some of the things I found helpful when deciding to use a web-based password manager.

There's a paper by some folks at Berkeley who analyzed various online password managers. This link points you to that paper. LastPass fixed the bookmarklet issue.

For threat #1: A strong master password (read: long and random) should not be crackable, assuming that the password manager developers did their job properly. I have to rely on the crypto pros to make that evaluation.

Now that LastPass has been hacked I guess I'll get to find out if they did.

For threat #2: Phishing threats are very real and can defeat 2FA (see this Brian Krebs piece). I don't see how LastPass avoids the kind of attack Krebs describes. He recommends banking on a live CD to avoid system compromise.

For threat #3: don't re-use passwords.

If your major concern is that someone might get your encrypted password database, then you're somewhat more secure with KeePass or other local solution than with LastPass. However, that's not total protection. If your system gets compromised, or you get phished, local storage doesn't protect you.

The threat I think you're overlooking is this one: do they even need your password to get into your bank, etc? Matt Honan wrote about this.

If there is an easier way into your bank account than brute-forcing your database password, then that's the threat you need to worry about. I hope the links I provided were helpful.

dangenet