Think your password manager is safe?

GTP (Well-Known Member, Adelaide, Australia)
Very interesting discussion on Security Now! ep. 822 (Jun 06, 2021), discussing Tavis Ormandy's discussion on his informal blog regarding the security (or lack thereof) of password managers.
Scary stuff.
 
I use Bitwarden specifically for a reason, and I don't let my browsers save anything for even more... Firefox in particular, since anyone with access to my desktop can click a button and READ all the saved passwords in clear text. Heck, the thing gives you a nice export to CSV function too.

Chrome and Edge are no better... but they don't just cough up the passwords in the clear either.
 
Jeez, I haven't been to Gibson's website since the early Win95 days, perhaps Windows 98 days. And the website was dated back then! Looked like it was made in Notepad for Windows 3 users.

....STILL looks the same! LOL.
 
Firefox in particular, since anyone with access to my desktop can click a button and READ all the saved passwords in clear text. Heck, the thing gives you a nice export to CSV function too.

Physical security is the first and foremost kind. If you don't have that, nothing else you have matters. And I'm certain you know this.

Making it easy for those who are supposed to have physical access to do things is not "a security hole." Letting those who are random passers-by have physical access is a massive security hole.
 
I'm reading through the transcript of that episode right now. So far, my favorite observation from Mr. Gibson:

Today, we are frantically deploying millions, if not billions, of Internet of Things devices throughout our lives because they are shiny, incredibly inexpensive, and do neat stuff. But there's zero oversight anywhere in the design, implementation, and delivery of these devices. They're cute little time bombs just waiting to go off.

That captures my personal feeling about it in a perfect nutshell. It's the reason I so intensely dislike these things. I'm due to get a new TV soon, and am only looking at "dumb" TVs (and those, via Amazon, since most brick and mortar retailers carry nothing but smart TVs these days).
 
Physical security is the first and foremost kind. If you don't have that, nothing else you have matters. And I'm certain you know this.

Making it easy for those who are supposed to have physical access to do things is not "a security hole." Letting those who are random passers-by have physical access is a massive security hole.
Very true, but when you're using cloud-exposed remote admin tools... things have to be considered differently. Yes, that tool is MFA protected, and my desktop has yet another password. So in theory, the browser having saved logins isn't that big of a deal. BUT, none of the browsers protect that data vault as well as Bitwarden does.
 
@Sky-Knight

But, and even the experts in the podcast state this, there has to be a balance between security and ease of use. They even used the original iPhone as an example of a wonderfully secure device that let you do practically nothing.

I'm a big fan of, as they state, Extrinsic Password Managers. I don't want any of my stuff stored in a browser, because that's the first and easiest place to start sniffing. Also, people end up using password managers as prosthetic memory, which they should not really be, in my opinion. You should be able to pull up all of your commonly used passwords, which will all be unique, from memory. Password managers are backup, and randomly generated character strings are just awful, awful passwords from a human factors standpoint, and human factors matter. And that's regardless of what other measures are in place. If you can't pull your regularly used passwords out of your head, they're bad passwords. And you, the human user, should be routinely typing them in, not relying on auto form fill-in (which is the very best way to develop recall for same).

There's a lot of excellent, and conflicted, information in that podcast, and that's because there are diametrically opposed needs and wants that are constantly having to be balanced. Another great observation:

... security is layered. There's no one layer that's going to fix all of this... I don't think we'd ever make a perfect operating system. If you're going to connect to the Internet, you're going to have an attack surface.
~ Leo Laporte, from the podcast Security Now!, Ep. 822, 6/8/2021 at Security Now! Archive
 
So what's your point?

Seriously, does there need to be one? I just read it as an expression of mild surprise, since there are very few long-term websites that have not undergone "gussying up," often multiple times, over the course of decades. My follow-up to the original message didn't really mean that I think the style of GRC is actually good.

When I visit GRC I am struck by just how amateurish it appears. Very unpolished. And while I've never expected "slick and shiny," per se, the site seems to be quite literally frozen in time and like it was put together by a high-schooler as far as "look and feel." And, for those in the know, that really doesn't matter. But I am surprised that Mr. Gibson has not consulted a professional web designer, if for no other reason than style really can and does matter to "the uninitiated." How a website looks, and how appealing it is to explore, often makes the difference between whether someone landing there for the first time actually digs in. And what he has to say deserves a wider audience than it likely currently gets.
 
Seriously, does there need to be one? I just read it as an expression of mild surprise, since there are very few long-term websites that have not undergone "gussying up," often multiple times, over the course of decades. My follow-up to the original message didn't really mean that I think the style of GRC is actually good.

When I visit GRC I am struck by just how amateurish it appears. Very unpolished. And while I've never expected "slick and shiny," per se, the site seems to be quite literally frozen in time and like it was put together by a high-schooler as far as "look and feel." And, for those in the know, that really doesn't matter. But I am surprised that Mr. Gibson has not consulted a professional web designer, if for no other reason than style really can and does matter to "the uninitiated." How a website looks, and how appealing it is to explore, often makes the difference between whether someone landing there for the first time actually digs in. And what he has to say deserves a wider audience than it likely currently gets.
Fair enough, I'll remove the post.
I respect Steve Gibson and always have. His insights are enlightening, entertaining, insightful and professionally delivered by a guy who has forgotten more than most know.
I agree with you that his site could do with a facelift but remember this guy codes in assembly so it would be out of place for him to have a modern looking website.
I didn't mean to offend or disrespect.
 
I'm due to get a new TV soon, and am only looking at "dumb" TVs
But why? If you don't want the smart features then just don't turn on WiFi. That's what I do. All my TVs have a computer connected to them, so I just use them as dumb monitors. Same thing with smartphones. If you don't want the smartphone to be smart, just don't connect it to WiFi and turn off cellular data. Then all you'll be able to do is call or text.
 
Yeah, that website hasn't changed since I started going to school for computers almost 20 years ago. Still a well-respected voice when it comes to security. I also listen to Leo Laporte every week on TWIT.

I use Bitwarden as my password manager. I was very late to start using that, but glad I did.
 
I'm reading through the transcript of that episode right now. So far, my favorite observation from Mr. Gibson:

Today, we are frantically deploying millions, if not billions, of Internet of Things devices throughout our lives because they are shiny, incredibly inexpensive, and do neat stuff. But there's zero oversight anywhere in the design, implementation, and delivery of these devices. They're cute little time bombs just waiting to go off.

That captures my personal feeling about it in a perfect nutshell. It's the reason I so intensely dislike these things. I'm due to get a new TV soon, and am only looking at "dumb" TVs (and those, via Amazon, since most brick and mortar retailers carry nothing but smart TVs these days).
I don't think it's coincidental that most people I know in the tech industry use as few IoT devices as possible. If any at all. Though I do know a few who accept the risks for the sake of convenience, but even they acknowledge just how risky they are. Seems like every day I see an article about some IoT device being hijacked.
 
Yeah, that website hasn't changed since I started going to school for computers almost 20 years ago. Still a well-respected voice when it comes to security. I also listen to Leo Laporte every week on TWIT.

I use Bitwarden as my password manager. I was very late to start using that, but glad I did.
I have been using Bitwarden as well. I am still extremely skeptical of password managers, but I would never go back at this point. I love it too much. But like my above comment, I am aware of the concerns and will accept the risk. It's better than the risk of trying to memorize and subsequently reuse passwords (to me, that is).
 
I have been using Bitwarden as well. I am still extremely skeptical of password managers, but I would never go back at this point. I love it too much. But like my above comment, I am aware of the concerns and will accept the risk. It's better than the risk of trying to memorize and subsequently reuse passwords (to me, that is).

My Bitwarden is wrapped in its own 2FA, which I use the Duo Mobile client for. I use that client for its 3rd-party recovery option, which uses an encrypted file with a use-once code stored in my Google Drive.

So not only do you need to get a password for the manager that I've never used anywhere else... but you need to get that 2FA code too.

AND it's going to email me to let me know someone's in there. Good luck... I defend that thing jealously.
 
I use Bitwarden specifically for a reason, and I don't let my browsers save anything for even more... Firefox in particular, since anyone with access to my desktop can click a button and READ all the saved passwords in clear text. Heck, the thing gives you a nice export to CSV function too.

Chrome and Edge are no better... but they don't just cough up the passwords in the clear either.

I'm late to the discussion here but I don't get the Firefox reference vs. Chrome/Edge. All of them keep passwords the same way (click to see each one) and all of them export to CSV. Not sure why the call out on Firefox. It is no different than the rest.
 
I'm late to the discussion here but I don't get the Firefox reference vs. Chrome/Edge. All of them keep passwords the same way (click to see each one) and all of them export to CSV. Not sure why the call out on Firefox. It is no different than the rest.
I believe it's because Chrome and Edge will ask for your computer PIN/password before they reveal anything, whereas Firefox doesn't. It will just show them. Admittedly I've never tried with Firefox, even though it's my primary browser, because I have never allowed browsers to save my passwords. I've only used Chrome and Edge to help customers 'find' their lost passwords 😂
 
@Diggs What @onduck said: Firefox just lets anyone that's there have the stuff. So it's trivial to get the data by simply accessing it after the user is logged in.

My password manager has similar functionality too; I can dump my vault to either CSV or JSON formatted text files... unencrypted. This is essential functionality. But the key is you cannot do that without logging into my vault. This requires my login and password, as well as a TOTP token or a trusted cookie which is cryptographically tied to a specific browser. Then once you're in the vault, if you want to export it you have to put the password in again, while both events trigger an email alert that contains the IP address where the request came from.

So if you want to read my passwords... you're going to set off a few alarms doing it. The browsers do NONE of this. Firefox particularly so.

That being said, I do have passwords in Firefox... I do! I have them in Chrome and New Edge too. They're all useless... but I keep them there. Because if something winds up on this machine, it's a honeypot. Go ahead, steal them... I wish I could say this was my intent, but in reality it's just that I've been using this install for far too many years and I'm too lazy to clear it out. ;)
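The layered protection described in the post above (login gated by password plus TOTP, a second password prompt before an export, and an alert carrying the source IP for both events) is easy to model in code. The block below is an added illustration written for this thread; it is not Bitwarden's code and makes no claim about how Bitwarden implements any of it. The vault structure, the `make_vault`/`login`/`export` names, the 600,000 PBKDF2 iteration count (OWASP's current figure for PBKDF2-HMAC-SHA256) and the in-memory `alerts` list standing in for e-mail are all assumptions of the example; the TOTP routine follows RFC 6238 using only the standard library.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

# OWASP's current recommendation for PBKDF2-HMAC-SHA256; this is the example's
# own choice, not a statement about what any real vault uses.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen hash cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant authenticator apps use by default."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Vault:
    """Constructed stand-in for a password vault with step-up auth on export."""
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    entries: dict
    alerts: list = field(default_factory=list)  # stands in for the e-mail alert
    unlocked: bool = False

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)

    def login(self, password: str, code: str, source_ip: str,
              now: Optional[int] = None) -> bool:
        """First layer: password plus a TOTP code. Every attempt raises an alert."""
        now = int(time.time()) if now is None else now
        # Accept the current 30-second step and one on either side for clock drift.
        code_ok = any(
            hmac.compare_digest(totp(self.totp_secret, now + drift * 30), code)
            for drift in (-1, 0, 1)
        )
        self.unlocked = self._password_ok(password) and code_ok
        # Alert says only "failed", not which factor failed.
        self.alerts.append(("login", "ok" if self.unlocked else "failed", source_ip))
        return self.unlocked

    def export(self, password: str, source_ip: str) -> dict:
        """Second layer: an export needs an unlocked vault AND the password typed again."""
        if not self.unlocked:
            raise PermissionError("vault is locked")
        if not self._password_ok(password):
            self.alerts.append(("export", "failed", source_ip))
            raise PermissionError("re-authentication failed")
        self.alerts.append(("export", "ok", source_ip))
        return dict(self.entries)  # plaintext, as a CSV/JSON export would be


def make_vault(password: str, entries: dict, salt: Optional[bytes] = None,
               totp_secret: Optional[bytes] = None) -> Vault:
    """Enrol a vault; random salt and TOTP secret unless fixed ones are supplied."""
    salt = salt or os.urandom(16)
    totp_secret = totp_secret or os.urandom(20)
    return Vault(salt, hash_password(password, salt), totp_secret, entries)


if __name__ == "__main__":
    # Constructed demo: enrol, log in with a freshly computed code, then export.
    vault = make_vault("correct horse battery", {"example.test": "hunter2"})
    now = int(time.time())
    vault.login("correct horse battery", totp(vault.totp_secret, now), "203.0.113.7", now=now)
    vault.export("correct horse battery", "203.0.113.7")
    for event in vault.alerts:
        print(event)
```

The point the post makes is visible in `alerts`: reading the vault contents costs an attacker a password, a live TOTP code, and a second password entry, and both the login and the export leave a record with the source address even when they fail. The browser stores discussed in the thread have no equivalent of `export`'s re-authentication step or of the alert.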
 
I believe it's because Chrome and Edge will ask for your computer pin/password before they reveal anything, whereas Firefox doesn't.
A primary password can be set in Firefox, which must be entered once per session to unlock the stored credentials. It isn't required by default, but it is unique to each Firefox installation and not tied to any other system password, nor synchronised by Firefox sync.
 