PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: laxeraend on November 25, 2009, 11:54:53 PM

Title: a possible JS technique for better in memory protection of the master password
Post by: laxeraend on November 25, 2009, 11:54:53 PM
JavaScript provides a mechanism to restrict function variable access to closures that capture them. These variables then behave as private fields that cannot be read by any external code. Here's a crude illustration.

var masterPasswordSafe= function()
{
   var masterPass;

   return {
         setMasterPass: function (pass) { masterPass = pass; },
         generateSitePass: function(site) { return ... ;}
       };
}();

masterPasswordSafe is set to the object literal returned by the invocation of the anonymous function. masterPass can only be read by functions in the masterPasswordSafe literal, and none of them return the master password. The master password can only be set and used to generate passwords, but never retrieved, even by PasswordMaker itself.

If this technique cannot be circumvented by extension JavaScript running in Firefox, and can therefore protect against rogue or compromised (hacked) or vulnerable extensions, then I think it's worth using. Currently I feel uneasy leaving the master pass in memory, though that's exactly how I would like to use PasswordMaker.
Title: Re: a possible JS technique for better in memory protection of the master password
Post by: Miquel 'Fire' Burns on November 26, 2009, 01:49:47 AM
For in memory storage, that's a good idea.
Title: Re: a possible JS technique for better in memory protection of the master password
Post by: tanstaafl on November 30, 2009, 10:51:13 AM
So, the question is, is this a simple modification for PasswordMaker as it is now? I understand most if not all development efforts are aimed at Abine, which I have not had time to properly test yet.

Anyone else been using Abine? Comments?
Title: Re: a possible JS technique for better in memory protection of the master password
Post by: Eric H. Jung on December 01, 2009, 10:32:00 PM
Currently, the MPW is stored encrypted in memory if you choose to store it in memory at all. But it's not stored in the manner in which you describe, so it is readable by malware Firefox addons.

You are welcome to submit a patch to PasswordMaker for this concept and we'll apply it to the codebase. Thanks for the idea!

Eric
Title: Re: a possible JS technique for better in memory protection of the master password
Post by: saturation on December 09, 2009, 02:31:52 PM
Hello Eric.  Can you clarify?

MPW is stored encrypted, but as coded it potentially can be read by other addons?

If so, I presume the hash used is any of the many good ones you allow users to select, or better?
Title: Re: a possible JS technique for better in memory protection of the master password
Post by: Eric H. Jung on December 10, 2009, 11:58:05 PM
The master password is stored in-memory encrypted, yes. However, another addon can decrypt it if it wants since that addon can access all of the PasswordMaker code as it likes. Once you install malware on your system, whether it's an addon or something else, "all bets are off".

Eric
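
The closure technique from the first post, filled in as an added example that is not part of the thread or of PasswordMaker's code. It assumes Node.js, uses HMAC-SHA256 as a stand-in derivation (not PasswordMaker's algorithm), and the names clear and exposesSecret are hypothetical helpers.

```javascript
// Added example, not PasswordMaker code. Assumes Node.js.
const { createHmac } = require('crypto');

const masterPasswordSafe = (function () {
  let masterPass = null; // reachable only through the functions defined below

  const api = {
    setMasterPass(pass) {
      if (typeof pass !== 'string' || pass.length === 0) {
        throw new TypeError('master password must be a non-empty string');
      }
      masterPass = pass;
    },
    // Hypothetical helper: drop the reference when the session ends.
    clear() {
      masterPass = null;
    },
    // Stand-in derivation (assumption): HMAC-SHA256 keyed with the master
    // password over the site name, hex encoded and truncated.
    generateSitePass(site, length = 16) {
      if (masterPass === null) throw new Error('master password not set');
      return createHmac('sha256', masterPass)
        .update(String(site))
        .digest('hex')
        .slice(0, length);
    },
  };
  // Frozen so the methods cannot be replaced or extended after creation.
  return Object.freeze(api);
})();

// Hypothetical check: does any own property, function source or JSON form
// of the object contain the secret?
function exposesSecret(obj, secret) {
  const viaProps = Reflect.ownKeys(obj).some((key) => {
    const value = obj[key];
    return value === secret || String(value).includes(secret);
  });
  return viaProps || JSON.stringify(obj).includes(secret);
}
```

This restricts reads through the object only; the caveat at the end of the thread about malware already installed on the system still applies.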