Evaluating a password manager
Uploaded by: evan-j-johnson
Category: Internet
Transcript of Evaluating a password manager
About Me
● CloudFlare Security Systems Engineer
● Previously an engineer at LastPass
● Wrote passgo (https://github.com/ejcx/passgo)
● On twitter @ejcx_
● Personal sites:
  ○ https://ejj.io
  ○ https://twiinsen.com
What is this talk?
● Define properties that all password managers should have
● Some basic technical details about individual pw managers
● Talk about what matters in a password manager for average people.
● Talk about some details about how technical analysis is done.
Which password managers
● 1Password
● LastPass
● Dashlane
● Keeper
● KeePass
● KeePassX
● PasswordBox (rest in peace)
● Pass
● Excel Spreadsheets
● Password Journals
● ...
Cloud Password Servers
● This component will be missing if the pw manager does not sync.
● Web service of some sort containing encrypted data.
● What other data should be encrypted? Password managers generally do not encrypt everything (site URLs and usernames are often stored in the clear).
● Security measures, like 2FA, are usually enforced here.
Core Service, Background Service
● Consumes the web service's APIs.
● Decrypts sites and persists as a process after log in.
● Updates sites as they change.
● Updates the API as new sites are created.
User Application + Background / Browser Integration
● Contains the user interface.
● Contains bells and whistles that help users be secure.
● Auto-fills passwords.
What matters in a password manager!?
● Too much for one slide…
● “What features should all password managers have?”
● “Which features are security critical and need special evaluation?”
● “What are your personal needs in a password manager?”
What features should all password managers have?
● Password generator that can be used to generate different kinds of passwords.
● Duplicate password finder
● Weak password finder
● Good UX for mobile support
● Strong crypto
● Import / Export: you should be able to jump ship!
● Amazing mobile UX
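To make the first three features on this list concrete, here is an added example (not code from passgo or from any manager named in the talk) of a CSPRNG-backed generator for several kinds of passwords plus a duplicate and weak-password audit run over a constructed sample vault; the character classes, the 12-character threshold and the `COMMON` list are assumptions chosen for illustration.

```python
import secrets
import string
from collections import defaultdict

# Character classes that define each "kind" of password the generator offers.
KINDS = {
    "alnum": [string.ascii_lowercase, string.ascii_uppercase, string.digits],
    "symbols": [string.ascii_lowercase, string.ascii_uppercase, string.digits,
                string.punctuation],
    "digits": [string.digits],  # PIN-only sites
}
# Constructed stand-in for a breached/common-password list.
COMMON = {"password", "123456", "qwerty", "letmein"}

def generate_password(length=20, kind="symbols"):
    """Password with at least one char of every class in `kind`, from the OS CSPRNG."""
    classes = KINDS[kind]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        # secrets.choice is uniform (no modulo bias); rejecting draws that miss
        # a class keeps the output uniform over the accepted passwords.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def is_weak(pw):
    """Weak-password heuristic: short, fewer than 3 of 4 classes, or on the list."""
    n_classes = sum(1 for cls in KINDS["symbols"] if any(c in cls for c in pw))
    return len(pw) < 12 or n_classes < 3 or pw.lower() in COMMON

def find_duplicates(vault):
    """vault: list of (site, password) -> {password: [sites]} for reused ones."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault:
        sites_by_pw[pw].append(site)
    return {pw: s for pw, s in sites_by_pw.items() if len(s) > 1}

def find_weak(vault):
    """Sites whose stored password fails is_weak."""
    return [site for site, pw in vault if is_weak(pw)]

# Constructed sample vault; the reused and weak entries are deliberate.
SAMPLE_VAULT = [
    ("bank.example", "correct-Horse-Battery-9"),
    ("mail.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("forum.example", "password"),
]
```

A real manager would swap the `COMMON` set for a breach corpus or a k-anonymity lookup, but the audit shape (group by secret, score each entry) is the same.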
The world is mobile now
https://github.com/AgileBits/onepassword-app-extension
The scary part of mobile password managers
● There are hundreds of mobile password managers of unknown quality. Who knows what they are doing.
What features need security evaluation
● Browser filling logic.
● Integration between the browser extension and the background extension.
● Password Generator.
● Crypto Primitives.
● HTTP Headers and Transport Security.
How to dive in and look under the hood
● Examine the API
● Examine the Crypto
● Examine the browser extension
● Examine the integration between the browser extension and the background
● Examine the auto-fill logic