Memory and Swap File Protection: Reforms Password Managers Need To Implement
If you are using passwords in multiple Web services etc., if that one-and-only password gets leaked, your entire Internet identity and access goes out. Even if all the users dealt with passwords strictly, there are many incidents that passwords are leaked due to attacks of services using passwords. In that case too, if you use a common password, other services will be affected immediately.
In order to prevent this and to maintain safety, it is fundamental to set passwords individually for each service. Nonetheless, we humans justify the use of a single password as: ‘It is troublesome to manage multiple passwords, and I can not remember every time’, while in the enterprise: ‘it is hard to share and manage system passwords among employees.’ It is the password manager that can play an active role when it comes to securing people who manages multiple passwords across many services. With a Password Manager, a person can manage passwords of these multiple services in one place, safely store and use them.
In a perfect world, all users using a reputable password manager AKA password vault will live a life happily-ever-after. Unfortunately, we do not live in a perfect world, password managers have a common problem, the very fundamental principle of it containing all the user’s passwords across the board. One wrong thing that can expose the contents of the password vault, and the cat is out-out-of-the-bag.
A case study released by SecurityEvaluators revealed the critical need for password managers to come up with a solution to prevent leakage of passwords while the password database itself is in ‘locked’ status. It is unfortunate, but it is happening, extraction methods that are successful even if the password database is locked is a fact and not fiction.
“We found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state,” explained in the report.
The security of the password manager is still highly dependent on the human user, that is a proven fact. Many people still need to understand that no password manager can 100% secure their password database if they continue their bad habit of choosing common words and reused passwords from the past.
SecurityEvaluators want password managers across the board to never record the master password on a configuration file someone stored in the disk or in Windows registry (for Windows PCs) in plain text. The encryption process also needs to be strong enough in order to withstand brute-force attack, of course, this heavily depends on how a user-defined his/her master password. No actual program can strengthen a weak password initially chosen by the users. The study also highlights the need for the password manager to stop storing the master password or any password it stores encrypted on disk to system memory.
In their review of many password managers available in the market today, the group highlights the need for them to be very careful when it comes to the paging file/swap file/virtual memory. Modern versions of Windows, Linux and MacOS use virtual memory extensively even if the PC itself still has a lot of free physical memory available. Virtual memory contains snapshots of data in plain text that the computer is working one while it process threads.
“Keylogging and Clipboard sniffing are known risks and only included for user awareness, that no matter how closely a password manager may adhere to our proposed ‘Security Guarantees’, victims of keylogging or clipboard sniffing malware/methods have no protection. In an unlocked state, all or a majority of secret records should not be extracted into memory. Only a single one, being actively viewed, should be extracted. Also, in an unlocked state, the master password should not be present in either an encrypted or obfuscated form,” added the report.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.