EvilZone

Hacking and Security => Mobile Hacking => Topic started by: F1n on June 08, 2015, 10:31:52 PM

Title: How safe are password managers?
Post by: F1n on June 08, 2015, 10:31:52 PM

All the major products (1Password, LastPass, KeePass, etc.) encrypt each stored password with some AES/PBKDF2 combo using a master password as a key, then store the data locally or on some server (usually iCloud or Dropbox). Most claim that the master key is never stored, so I guess that means the user needs to enter it anytime they need to use one of these apps, which also perform autofill on most sites via a browser plug-in and can create custom passwords as well. Other than brute forcing the master password or keylogging the phone, I would assume the best/only way to access the manager app would be an exploit in one of these plug-ins, but I don't know if that could get you into the entire app or just the password to a specific website.

Just wondering if anyone's taken a good look at these apps or messed around with them. Please note I'm not asking anyone to do anything, just wondering if an attack on one of these is plausible. Might do a write-up for a class. The amount of information people put on these things is staggering considering it's all behind a single password.

Also, I thought I hastily posted this earlier today on my way out the door, but I may not have gotten it up after all. If I did and someone took it down for whatever reason, my bad.
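
Added example, not part of the thread and not any product's actual vault format: a minimal Python sketch of the "master key is never stored" design the post describes, where only a salt, an iteration count and a check value are kept on disk. The header fields, labels and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed value; real products pick their own work factor


def _derive(master_password, salt, iterations):
    # PBKDF2 stretches the master password into a 32-byte master key.
    # An offline guesser holding the header pays this cost for every guess.
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _subkey(master_key, label):
    # Separate subkeys, so the stored check value is not the key that
    # encrypts the entries.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def enroll(master_password, iterations=ITERATIONS):
    """Return the only data persisted: salt, work factor and a check value."""
    salt = os.urandom(16)  # random per vault, so identical passwords differ on disk
    master_key = _derive(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "check": _subkey(master_key, b"check")}


def unlock(header, master_password):
    """Re-derive the key from the typed password; None if it is wrong."""
    master_key = _derive(master_password, header["salt"], header["iterations"])
    candidate = _subkey(master_key, b"check")
    if not hmac.compare_digest(candidate, header["check"]):
        return None
    # This key would feed the AES layer; it exists only in memory while unlocked.
    return _subkey(master_key, b"encrypt")


if __name__ == "__main__":
    header = enroll("correct horse battery staple")  # constructed sample password
    print("stored fields:", sorted(header))
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "guess") is not None)
```

The decryption key sits in process memory only after a successful unlock, so the design protects a vault file at rest, not a session on a compromised machine.
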
Title: Re: How safe are password managers?
Post by: horusffs on June 20, 2015, 10:45:28 PM
Well, in my opinion they are all safe.
The only thing that they do is open the document where your passwords are stored. It's like a "hidden" file.
Have you ever tried to RAT someone on a computer?

Sent from my GT-I9301I using Tapatalk

Title: Re: How safe are password managers?
Post by: Trogdor on June 24, 2015, 04:18:00 AM
I would only trust a password manager that stores the master password encrypted on the device. I think mostly the security is dependent on whether the data is stored locally or remotely. I would never knowingly store my passwords with some 'cloud' service. KeePass is definitely my favorite manager.
Title: Re: How safe are password managers?
Post by: xor on June 24, 2015, 05:27:44 AM
Some password managers are open source.

I modified KeePass and recompiled in our IT department to include a module that automatically e-mails me when someone unlocks the database and copies and pastes an entry.

If someone hosted this on a LAN, or you got access to their personal installation of KeePass, you wouldn't need to know their master password or key, you could just play the waiting game and get notifications of their user/password combinations.

It's not hard to exfiltrate data if you want to.

-- xor
Title: Re: How safe are password managers?
Post by: Trogdor on June 24, 2015, 06:06:12 AM
Haha, is it all company data or is there any personal info?
Title: Re: How safe are password managers?
Post by: xor on June 24, 2015, 06:07:18 AM
This stuff on our network is all corporate information.
Title: Re: How safe are password managers?
Post by: Trogdor on June 24, 2015, 06:09:45 AM
OK, because that could be fun :)