Martín Obiols

Random InfoSec Rants

Password Managers and Threat Modelling in 2019

23 Feb 2019 » passwords, threatmodelling, commentary

This content was originally posted as a Twitter Thread. Copied here for archive purposes. Please, forgive potential typos and the succinct writing style.

sim swapping

Interesting research on the security of several popular password managers, albeit based on a limited Threat Model that does not suit the real issues with password managers in 2019.

Paper assumes local attacker or digital acquisition scenario for a stolen device as the main threat. Long term memory persistence is indeed an issue for master passwords but for particular entries… they most probably will end up leaking from the consuming apps. Local attacker is a pretty rough threat model scenario in most cases. Not really worth protecting against with userland code.

As per the real threats that are not considered in the paper, first, most managers encourage users to use integration plugins that ultimately perform autofill with minimal user interaction on browser and other apps. Here is where most of the historical security issues appeared, in some cases rooted deeply into how the web is designed, without any sort of possible fix other than disabling autofill altogether .

Second, the problem of securely receiving updates to the password manager. On all channels, your passwords are ultimately trusted to the software maintainers. Should the binaries get inadvertently compromised somehow, it’s gameover for all users.

Or worse, what if the official maintainer of a FOSS manager on Google Play suddenly goes bankrupt and needs money? What if he sells ownership to the wrong folks?