PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: rodengelsman on May 16, 2006, 08:48:44 PM

Title: Specify Drive/Path of rdf file
Post by: rodengelsman on May 16, 2006, 08:48:44 PM
First of all... Thank you for this wonderful product! Now to make my life complete (well, not complete unless you can supply booze and broads, too)...

This is mentioned briefly in the thread about encrypting the rdf file.

The usage scenario I envision is the following...

The rdf file could be stored on a usb key or floppy (does anyone use those anymore?).  You log on to your computer, insert the key, fire up TrueCrypt, supply that password. Then your file is available when you start up Firefox. This is high security; to get access to your files an attacker would need to:

1. Gain physical access to your computer.
2. Hack your logon password.
3. Have physical access to your key.
4. Hack the TrueCrypt password.
5. Hack your master password.

I can't memorize dozens of reasonably high-entropy passwords, but I can probably manage to memorize three of them.

--

Rod
Title: Specify Drive/Path of rdf file
Post by: Eric H. Jung on May 17, 2006, 02:15:23 AM
Hi,

This is pretty easy to do. I can implement it quickly, too, but I'm a little embarrassed to release a new version without the #1 requested feature (http://forums.passwordmaker.org/index.php?showtopic=88) being in that version.

Anyway, expect it shortly.

Tanstaafl, I thought this was in the FRL... but I don't see it. I know it's been requested before. Can you add it along with a vote from randomthot?

thanks,
eric
Title: Specify Drive/Path of rdf file
Post by: tanstaafl on May 22, 2006, 11:47:14 AM
Quote from: Eric H. Jung
I thought this was in the FRL... but I don't see it. I know it's been requested before. Can you add it along with a vote from randomthot?

thanks,
eric
Done... sorry for the delay - been busy, and we've been getting spammed so much, I think I deleted this email notification by accident when deleting some of the spams...

I think I recall you saying that you were already planning on adding this capability when you did the 'Encrypt RDF file' request, so didn't see a need for a separate request, but it does make sense to keep it separate...
Title: Specify Drive/Path of rdf file
Post by: Eric H. Jung on May 23, 2006, 02:36:08 AM
Quote
I think I recall you saying that you were already planning on adding this capability when you did the 'Encrypt RDF file' request
Right, but they can be done independently so it's better to break them out.
Title: Specify Drive/Path of rdf file
Post by: craig on July 21, 2006, 05:27:47 PM
Quote from: randomthot
This is mentioned briefly in the thread about encrypting the rdf file.

The usage scenario I envision is the following...

The rdf file could be stored on a usb key or floppy (does anyone use those anymore?).  You log on to your computer, insert the key, fire up TrueCrypt, supply that password. Then your file is available when you start up Firefox. This is high security; to get access to your files an attacker would need to:

1. Gain physical access to your computer.
2. Hack your logon password.
3. Have physical access to your key.
4. Hack the TrueCrypt password.
5. Hack your master password.


This product seems like a good thing, but I'm still a bit concerned about its security as currently implemented.  You outline a method to get around some of its shortcomings, but I would take them a step further.

PWM should probably do the following:

1) Allow you to select the config file from anywhere on your computer each time PWM starts up (the config file can have any name; not the obvious passwordmaker.rdf which can be searched for using any search tool), but it will prevent Windows and itself from remembering this location (similar to what TrueCrypt does with its volumes and Windows MRU lists).  This prevents checking the default location for your passwordmaker.rdf file or a search for it.
2) The file should be encrypted with your master password and one or more key files (again similar to TrueCrypt).  It should not track the key file locations and it should prevent windows from putting the file in the most recently used file lists.
3) PWM should then read the config file into memory only.  This will prevent anyone or another process from copying the decrypted config file.

Until all of this is done it is vulnerable to keyloggers and here's why:

1) If a keylogger gets installed on your system then a copy program would be 10 times easier to install along with it as it only requires normal user privs to copy files, especially ones you created (i.e. the passwordmaker.rdf file).
2) You log in, the keylogger records your master password as you use PWM.
3) The copy program then copies your passwordmaker.rdf file.
4) Pass off the master password and the config file to the hacker.
5) The hacker simply configures PWM the same as you per the config file they stole and uses your master password to get all your account passwords.  They even know all the URLs as that's in the config file too.

Even the TrueCrypt solution posted by randomthot won't work as once he mounts the TrueCrypt volume any process will then be able to also read the files in that volume.  It's just another drive; right?

This FAQ seems a bit misleading too as all anyone really needs are the master password and your passwordmaker.rdf file; not the 10 other variables as its all in plain view in the rdf file.

Quote
If someone gets my master password, can't he determine all of my generated passwords?
No. There are ten other variables he would need for each account. They are:

    * URL
    * character set
    * which of nine hash algorithms was used
    * date counter (if any)
    * username (if any)
    * password length
    * password prefix (if any)
    * password suffix (if any)
    * which of nine l33t-speak levels was used
    * when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.


Unless I'm misunderstanding things here this seems a little too risky for me yet.  Please let me know of any workarounds to this, but if PWM can make these changes it will be a great and complete password manager.

Craig
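Added example, not part of the thread and not PasswordMaker or TrueCrypt code: a sketch of the "master password plus one or more key files" key derivation proposed in the post above, showing that the typed password alone no longer reproduces the file key. The function names, the HMAC-then-PBKDF2 construction, the iteration count and the sample inputs are all assumptions made for illustration.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for the target hardware
KEY_LEN = 32                 # 256-bit key for whichever cipher protects the file


def keyfile_pool(keyfiles):
    """Fold any number of keyfile contents into one 32-byte value.

    Each file is hashed on its own and the digests are sorted before being
    combined, so the order in which the user selects the files is irrelevant.
    """
    digests = sorted(hashlib.sha256(data).digest() for data in keyfiles)
    pool = hashlib.sha256(len(digests).to_bytes(4, "big"))
    for digest in digests:
        pool.update(digest)
    return pool.digest()


def derive_config_key(master_password, keyfiles, salt):
    """Derive the config-file key from the typed password AND the keyfiles."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    # Bind the password to the keyfile pool first; PBKDF2 then stretches the
    # combined secret so that guessing the password stays expensive.
    bound = hmac.new(keyfile_pool(keyfiles),
                     master_password.encode("utf-8"),
                     hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", bound, salt, PBKDF2_ITERATIONS, KEY_LEN)


def key_check_value(key):
    """Header value that detects a wrong password/keyfile without storing the key."""
    return hmac.new(key, b"config-key-check", hashlib.sha256).digest()


def verify_key(key, stored_check):
    """Constant-time comparison against the check value saved with the file."""
    return hmac.compare_digest(key_check_value(key), stored_check)


if __name__ == "__main__":
    # Constructed sample inputs; a real salt would come from os.urandom(16).
    salt = bytes(range(16))
    keyfiles = [b"constructed keyfile A", b"constructed keyfile B"]
    key = derive_config_key("example master password", keyfiles, salt)
    check = key_check_value(key)
    password_only = derive_config_key("example master password", [], salt)
    print("password + keyfiles unlocks:", verify_key(key, check))
    print("password alone unlocks:     ", verify_key(password_only, check))
```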
Title: Specify Drive/Path of rdf file
Post by: tanstaafl on July 26, 2006, 12:23:54 PM
I really don't understand your concern...

If someone compromises your computer to the extent you are describing, then NOTHING can prevent him from getting your secret passwords, REGARDLESS of how you store them.

There is no such thing as 'perfect' security.
Title: Specify Drive/Path of rdf file
Post by: craig on July 26, 2006, 04:53:44 PM
Quote from: tanstaafl
I really don't understand your concern...

If someone compromises your computer to the extent you are describing, then NOTHING can prevent him from getting your secret passwords, REGARDLESS of how you store them.

There is no such thing as 'perfect' security.

So, you are saying installation of a keylogger will compromise PasswordMaker to the point a 3rd party can determine all your passwords.  I'd say you are correct as currently implemented.  I also agree that there isn't "perfect" security, but it should be better than this on something as important as a password cache.

If the changes I suggested are made:
1) change the config file to any name you desire (i.e. no default name)
2) use keyfiles along with the master password to encrypt that config file
3) Do not remember or allow windows to track the files in 1) and 2)
4) Only decrypt the config file when reading it (i.e. always encrypted on disk)

then a keylogger or file copier will not be able to determine the passwords in PWM as the master password is not the only thing used to encrypt your config file.

I guess what bothers me the most is that an FAQ outlines how PWM prevents keyloggers from stealing your passwords, but according to your reply that is not the case and I concur.  Right now, a keylogger only needs your master password and the passwordmaker.rdf file to determine all passwords tracked in PWM.  If PWM becomes popular enough the hackers will write their keyloggers to search the default location or name of that file to copy it and send it along with the master password back to them.

I hope you will reconsider the changes, but I'm sure they are not trivial.  But until these changes are made it is just too easy to give all your passwords away.

Craig

Title: Specify Drive/Path of rdf file
Post by: Eric H. Jung on July 26, 2006, 05:16:47 PM
A keylogger is defeated if you use auto-populate.

By the way, you can encrypt passwordmaker.rdf right now with 3rd-party tools like TrueCrypt.

The ability to configure the location of the settings files is coming soon.
Title: Specify Drive/Path of rdf file
Post by: tanstaafl on July 27, 2006, 11:48:29 AM
Quote from: craig
So, you are saying installation of a keylogger will compromise PasswordMaker to the point a 3rd party can determine all your passwords.  I'd say you are correct as currently implemented.
No, that's NOT what I'm saying.

A keylogger, IF combined with a method of stealing your RDF file, COULD be used to this purpose though.

As Eric already pointed out, if you are using auto-populate, the keylogger cannot get your generated password, but it could get your Master password.

Quote
I also agree that there isn't "perfect" security, but it should be better than this on something as important as a password cache.
PWM is not a password 'cache'...

Quote
If the changes I suggested are made:
1) change the config file to any name you desire (i.e. no default name)
2) use keyfiles along with the master password to encrypt that config file
These are both good ideas, and in fact both have been suggested before, but apparently they never made it to the FRL... I'll add them in a bit...

Quote
3) Do not remember or allow windows to track the files in 1) and 2)
Not sure how - or even if - this would be accomplished...

Quote
4) Only decrypt the config file when reading it (i.e. always encrypted on disk)
Isn't this the same as this (http://forums.passwordmaker.org/index.php?showtopic=612)?

Quote
then a keylogger or file copier will not be able to determine the passwords in PWM as the master password is not the only thing used to encrypt your config file.
As Eric has pointed out, you can already accomplish much of what you want using TrueCrypt or some other 3rd party utility.

Quote
I guess what bothers me the most is that an FAQ outlines how PWM prevents keyloggers from stealing your passwords, but according to your reply that is not the case and I concur.
As previously mentioned, it DOES, but only if you use the auto-populate functionality.
Title: Specify Drive/Path of rdf file
Post by: thibros on July 27, 2006, 06:14:08 PM
Quote from: craig
If PWM becomes popular enough the hackers will write their keyloggers to search the default location or name of that file to copy it and send it along with the master password back to them.
You should realize that in this case almost nothing can help. No matter how much PWM encrypts stuff, hides files and keys, etc., a keylogger can be written to do exactly the same things. Nothing that is based on software can increase security against a keylogger, not on a Windows machine; only hardware (like a key card with a private key) could.

If you need more security, be different from the mainstream! Use some extra measures that nobody else uses, and best if you came up with it yourself. If you know programming, change the source code a little, and make your own PWM version.

I am much aware of the shortcomings of PWM, and I'm glad you are too. I also agree that users should be aware of everything that could happen to compromise PWM, but I'm positive that for most users the risk they are taking with PWM is far lower than during the time before they started using PWM. Also due to the fact that PWM is not yet popular enough to be attacked by custom keyloggers.

In my opinion, if we want to take PWM to the next level, especially if we want to publish an IE extension/edition (most internet users still use IE, after all), we should gather all these thoughts, and have a transparent security policy.
Title: Specify Drive/Path of rdf file
Post by: Eric H. Jung on July 27, 2006, 06:18:35 PM
What is a transparent security policy? You mean something published in writing about the risks?

Title: Specify Drive/Path of rdf file
Post by: thibros on July 27, 2006, 06:42:09 PM
Quote from: Eric H. Jung
What is a transparent security policy? You mean something published in writing about the risks?
Sort of. With transparent I mean easy to comprehend. It could have something like "best practices" too, as for how to use PWM and what to avoid. Of course higher security means more effort and less comfort, so the policy even could have a few levels of security, and how to achieve them.

And I think this shouldn't be something to write afterwards like a manual, it's better to keep it in mind already while writing the code. I might come up with something as soon as I find the time to write it down, but if anyone else has ideas, I'm always open for suggestions.
Title: Specify Drive/Path of rdf file
Post by: tanstaafl on July 31, 2006, 12:06:15 PM
Ok, added '/filename' to the existing 'Specify drive/path...' request...

Added 'Specify keyfiles for RDF file encryption' FR, with one vote from randomthot...

randomthot, you have 3 more votes...
Title: Specify Drive/Path of rdf file
Post by: Eric H. Jung on July 31, 2006, 02:05:18 PM
Thibros, if you want to write a security policy for the website, go ahead and we'll post it.
Title: Specify Drive/Path of rdf file
Post by: craig on July 31, 2006, 05:34:03 PM
Quote from: Eric H. Jung
A keylogger is defeated if you use auto-populate.

If a keylogger gets your master password and you are using auto-everything, then the hacker already has everything they need except your browser history which is all too easy to get.

Quote
By the way, you can encrypt passwordmaker.rdf right now with 3rd-party tools like TrueCrypt.

Can you explain exactly how to configure TrueCrypt to do this as I looked into it and it seems that TrueCrypt creates encrypted volumes which are then mounted like normal hard drives.  How can I use it to just encrypt the passwordmaker.rdf until the user is allowed to specify where that file is located?

Quote
The ability to configure the location of the settings files is coming soon.

I appreciate the ability to configure the location of the settings file and allowing the user to name it anything they wish would be even better.  This would defeat default searches using desktop search engines.

Craig
Title: Specify Drive/Path of rdf file
Post by: craig on July 31, 2006, 05:54:34 PM
Quote from: tanstaafl
PWM is not a password 'cache'...

In the strictest sense this is true, but saying that it is not a cache is really just semantics isn't it?  With a master password and your rdf file they have every password you use, so even though it doesn't "store" the passwords it will regenerate them for anyone knowing the master password and having the rdf file.

Quote
3) Do not remember or allow windows to track the files in 1) and 2)

Not sure how - or even if - this would be accomplished...

TrueCrypt does it somehow, so it must be possible.  This is necessary if you use keyfiles otherwise you can just search the MRU file lists to find the name of the keyfiles and exploit encrypted volumes/files that are using keyfile encryption.

Quote
Isn't this the same as this (http://forums.passwordmaker.org/index.php?showtopic=612)?

It is to a degree, but that thread sounded like nobody could come up with the method of how to encrypt it securely.  Using only the master password would be pointless really.  I think a combination of the master password and keyfiles would be the best method.

Quote
As Eric has pointed out, you can already accomplish much of what you want using TrueCrypt or some other 3rd party utility.

Could you explain how to do this as TrueCrypt requires mounting their encrypted volumes just like a disk drive which means a different path than your default location of the passwordmaker.rdf file.  

The issue with TrueCrypt is that you MUST decrypt the entire volume when you mount it and when it's mounted anyone can read data from it (i.e. other users or programs running on the same machine).  Granted you can use ACLs to keep others out if they don't have admin privs, but programs running in your account will be able to see anything in that mounted volume.

Having PWM do on-the-fly decryption (i.e. rdf file is never in plain text) will prevent this type of snooping.

Quote
As previously mentioned, it DOES, but only if you use the auto-populate functionality.

Perhaps, but browser histories would kill you here.  A master password combined with your browser history and auto-everything in PWM would allow a hacker free range to your accounts.  

Craig
Title: Specify Drive/Path of rdf file
Post by: LkonKbd on November 16, 2006, 08:08:23 PM
"randomthot & craig,"

Plus anyone else that would like to use this:

Do Custom Accounts for those important sites you need extra security.  Use a different MasterPassword for each one and save it in a plain TXT file on a floppy along with whatever other info you wish to save and then only access it when you need that special password.  I do NOT use any DEFAULT settings for any account.  I used PWM to create my new MasterPassWord with a few additions of my own.  That way it is NOT typed but 'Ctrl+C'ed and 'Ctrl+V'ed; that way KeyLoggers are nullified.

"I thought I knew that I knew what I thought,
 but; now I know what I thought I knew isn't
 what I know I think I thought I knew . . ."
Author UnKnown

P.S. Forgot to mention that file is kept on my MemorySticky and is Zipped, also could be password protected by my Zipper (BigSpeedZip).

Title: Re: Specify Drive/Path of rdf file
Post by: ignatius.reilly on November 21, 2010, 11:26:50 AM
My vote for this FR