Author Topic: a possible JS technique for better in memory protection of the master password  (Read 7400 times)

laxeraend

  • Guest
JavaScript provides a mechanism to restrict function variable access to closures that capture them. These variables then behave as private fields that cannot be read by any external code. Here's a crude illustration.

var masterPasswordSafe = (function () {
    // Private: reachable only from the two closures returned below.
    var masterPass;

    return {
        setMasterPass: function (pass) { masterPass = pass; },
        generateSitePass: function (site) { return ... ; }
    };
})();

masterPasswordSafe is set to the object literal returned by the invocation of the anonymous function. masterPass can only be read by functions in the masterPasswordSafe literal, and none of them return the master password. The master password can only be set and used to generate passwords, but never retrieved, even by passwordMaker itself.

If this technique cannot be circumvented by extension JavaScript running in Firefox, and can therefore protect against rogue or compromised (hacked) or vulnerable extensions, then I think it's worth using. Currently I feel uneasy leaving the master pass in memory, though that's exactly how I would like to use passwordMaker.
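
The closure pattern from the post above, as an added example that is not part of the original post and is not PasswordMaker code. It shows what code holding only a reference to the safe can see, and freezes the returned object so its methods cannot be replaced. It assumes Node.js; `createMasterPasswordSafe`, `clear`, `probe` and the HMAC-SHA256 derivation are hypothetical stand-ins.

```javascript
// Added example: names and the derivation are assumptions, not PasswordMaker's algorithm.
const nodeCrypto = require('crypto');

function createMasterPasswordSafe() {
  let masterPass = null; // captured by the closures below; never a property of any object

  const api = {
    setMasterPass(pass) {
      if (typeof pass !== 'string' || pass.length === 0) {
        throw new TypeError('master password must be a non-empty string');
      }
      masterPass = pass;
    },
    generateSitePass(site) {
      if (masterPass === null) throw new Error('master password not set');
      // Stand-in derivation (assumption): HMAC-SHA256 keyed with the master password.
      return nodeCrypto.createHmac('sha256', masterPass)
        .update(String(site)).digest('base64').slice(0, 16);
    },
    // Drops the reference only; the string itself stays on the heap until it is collected.
    clear() { masterPass = null; }
  };
  // Frozen so that other code holding this object cannot swap setMasterPass
  // for a wrapper that sees the password before forwarding it.
  return Object.freeze(api);
}

// Reports what is visible to code that only holds a reference to the safe.
function probe(safe) {
  const original = safe.setMasterPass;
  try {
    safe.setMasterPass = function () {}; // ignored in sloppy mode, throws in strict mode
  } catch (e) { /* frozen object rejected the write */ }
  return {
    ownProps: Object.getOwnPropertyNames(safe), // method names only, no password field
    json: JSON.stringify(safe),                 // functions are skipped by JSON.stringify
    replaced: safe.setMasterPass !== original   // false while the object is frozen
  };
}
```

This is language-level encapsulation within one script context; it does not address code that can read or rewrite the safe's own source, which is the case raised in the replies below.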

Offline Miquel 'Fire' Burns

  • Administrator
  • Posts: 1157
  • Programmer
For in memory storage, that's a good idea.
"I'm not drunk, just sleep deprived."

Offline tanstaafl

  • God Member
  • Posts: 1363
So, the question is, is this a simple modification for Passwordmaker as it is now? I understand most if not all development efforts are aimed at Abine, which I have not had time to properly test yet.

Anyone else been using Abine? Comments?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3353
Currently, the MPW is stored encrypted in memory if you choose to store it in memory at all. But it's not stored in the manner in which you describe, so it is readable by malware Firefox addons.

You are welcome to submit a patch to PasswordMaker for this concept and we'll apply it to the codebase. Thanks for the idea!

Eric

saturation

  • Guest
Hello Eric. Can you clarify?

MPW is stored encrypted, but as coded it potentially can be read by other addons?

If so, I presume the hash used is any of the many good ones you allow users to select, or better?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3353
The master password is stored in-memory encrypted, yes. However, another addon can decrypt it if it wants since that addon can access all of the PasswordMaker code as it likes. Once you install malware on your system, whether it's an addon or something else, "all bets are off".

Eric

PasswordMaker Forums