
Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy

MVM

Malware attacks Password Managers

Citadel attackers aim to steal victims’ master passwords
said by Ars Technica:
The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

3 recommendations

Buddel

Premium Member

This is the reason why my password manager is a sheet of paper.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy

MVM

This is the reason I have two factor authentication for LastPass. I don't even use my password for security on machines I log into normally. That's the easy part to get.

seaman
Premium Member
join:2000-12-08
Seattle, WA

seaman to Kilroy

Premium Member

to Kilroy
Incredibly disappointed to read this but grateful that you posted it.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy

MVM

I know a lot of people here use either Password Safe or KeePass. LastPass is free for computer use and inexpensive, a dollar a month, for portable devices and two factor authentication.
85281231 (banned)
join:2014-02-01

85281231 (banned) to Buddel

Member

to Buddel
said by Buddel:

This is the reason why my password manager is a sheet of paper.

I use a little card-file case.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn to Buddel

Premium Member

to Buddel
Simple sheets of paper are not protected.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB

Premium Member

said by Dustyn:

Simple sheets of paper are not protected.


That is a very broad statement that is not completely accurate. And in some cases very far from accurate.

Protected against/from what?

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn

Premium Member

Well, it was a reply to a rather broad statement in the sense that a piece of paper in itself offers little to no security. Writing down passwords on a piece of paper is not the best idea as it's plainly visible and not encrypted. Plus, do you have backups of your paper? A single sheet of paper can be easily destroyed or misplaced, thus not protected by default.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB

Premium Member


Visible to who?

How do you know whether or not it is encrypted?

Paper can be backed up, and stored safely.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn

Premium Member

That's the point... at the moment we don't know.
It was a very broad statement that I addressed in the form of a very broad reply.

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

1 edit

1 recommendation

DrStrange to NOYB

Premium Member

to NOYB
I've been known to encrypt things I write down.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to Dustyn

Premium Member

to Dustyn
said by Buddel:

This is the reason why my password manager is a sheet of paper.


That is the original statement.

Without any details you leaped to the assumptions that it is not protected (not backed up, not stored securely, is plainly visible, and not encrypted). For which there is no basis from the original statement.
NOYB

NOYB to DrStrange

Premium Member

to DrStrange
said by DrStrange:

I've been known to encrypt things I write down.


Don't know that I can say I've been known for it, but certainly can say I have at the very least obscured things I've written down to the extent it would do no possessor of it any good.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

1 recommendation

Dustyn to NOYB

Premium Member

to NOYB
Unless otherwise stated, it is an accurate assessment.
A sheet of paper in itself offers no protection unless otherwise noted.
Unable to break it down to you in any simpler terms.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to Kilroy

Premium Member

to Kilroy

Interesting that this follows shortly after we had a discussion here in this forum about exactly this issue of password managers' vulnerability to malware.

This is why I do not include the username nor correct password for financial or sensitive accounts in my password manager.

Some sites, such as Fidelity, have an implementation of the remember me feature that keeps the username secure. So for those sites I use that feature for the username.
NOYB

NOYB to Dustyn

Premium Member

to Dustyn
said by Dustyn:

Unless otherwise stated, it is an accurate assessment.


No. It is an assumption.
said by Dustyn:

A sheet of paper in itself offers no protection unless otherwise noted.


Neither does a database. Not even a password manager database. It is not inherently in itself secure, encrypted, backed up and inaccessible to unauthorized access. It has to be made so. Same as with paper documents.
said by Dustyn:

Unable to break it down to you in any simpler terms.


No need. You've already oversimplified it with your claim that simply being on a piece of paper leaves the information (contents) unprotected.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

2 recommendations

Blackbird to Kilroy

Premium Member

to Kilroy
Passwords are data. Paper is a storage medium. As with any storage medium, data security is derived only by a process of encryption before the data is applied to the medium or by fully securing the medium after the data is applied. In that regard, data on paper is essentially equivalent to data stored in a computer that is unconnected in any way to a network... that is, it physically limits the universe of unauthorized access attempts. Regarding passwords, if it matters, I keep it only on paper; if it really matters, I encrypt it on paper; if it really, really matters, I lock up or hide the encrypted paper.
applerule
Premium Member
join:2012-12-23
Northeast TN

applerule to Kilroy

Premium Member

to Kilroy
I use KeePass with the secure desktop option on...wonder if that would help "mitigate" this threat, at least against the master key?

I would assume the logger could grab the data from auto-type anyway though...

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

1 edit

NOYB to Blackbird

Premium Member

to Blackbird
said by Blackbird:

Passwords are data. Paper is a storage medium. As with any storage medium, data security is derived only by a process of encryption before the data is applied to the medium or by fully securing the medium after the data is applied. In that regard, data on paper is essentially equivalent to data stored in a computer that is unconnected in any way to a network... that is, it physically limits the universe of unauthorized access attempts.


Exactly. You stated it very well. It's not the storage medium. It's how the contents (data) are stored on the medium (encryption) and how the medium is processed, stored, backed up, etc.

Thanks for chiming in.

Ian1
Premium Member
join:2002-06-18
ON

1 recommendation

Ian1 to Kilroy

Premium Member

to Kilroy
This is about Malware that uses a key-logger. Technically keying it in is the risk point, whether that's into a password manager from memory or a slip of paper into your banking site directly. 2-Factor if you're worried, but up-to-date A/V and not clicking dubious links and phishing e-mails would still seem to be the way to go. No system is perfect.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

4 edits

NOYB

Premium Member

said by Ian1:

This is about Malware that uses a key-logger.


Yes that is the subject of this thread. But we took a little tangent detour to argue about a paper based password manager not being protected. Presumably simply because it is paper based.
said by Ian1:

Technically keying it in is the risk point, whether that's into a password manager from memory or a slip of paper into your banking site directly.

Malware obtaining the password manager master password could be a more significant issue though due to gaining access to all the user's accounts at once in one fell swoop. Of course 2FA for the password manager should be able to prevent this though. Which then still leaves the individual accounts susceptible to the key logger. But at least it is less exposure. One account at a time. In such a case hopefully the malware is found quickly to limit the extent of the breach.

And then there are sites like Fidelity that I believe have a secure remember me feature implementation in which the username is not exposed at the client. So a key logger should only be able to get the password and not the username. So if the username is not in the password manager and the remember me feature is enabled the username should remain unknown to the attacker.

David
Premium Member
join:2002-05-30
Granite City, IL

David to Kilroy

Premium Member

to Kilroy
I use an old Windows 3.1 program for mine. Most I will do with it is put it inside, say, Dropbox if I need it put to my laptop, or most times I remote into the machine (TeamViewer) and view it on the machine at the house. So I never keep the passwords on me.

vaxvms
ferroequine fan
Premium Member
join:2005-03-01
Polar Park

1 recommendation

vaxvms to NOYB

Premium Member

to NOYB
said by NOYB:


Protected against/from what?

The dog ate my password.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to Ian1

Premium Member

to Ian1
said by Ian1:

2-Factor if you're worried, but up-to-date A/V and not clicking dubious links and phishing e-mails would still seem to be the way to go. No system is perfect.

Exactly. Every system has a weakness, and that's why security is practiced in layers.
MaynardKrebs
We did it. We heaved Steve. Yipee.
Premium Member
join:2009-06-17

MaynardKrebs to Blackbird

Premium Member

to Blackbird
And if it really, really, really, really matters, your locked-up, encrypted piece of paper is edible rice paper just in case the black helicopters arrive.
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer to applerule

Premium Member

to applerule
said by applerule:

I use KeePass with the secure desktop option on...wonder if that would help "mitigate" this threat, at least against the master key?

I would assume the logger could grab the data from auto-type anyway though...

Yes, enabling/using a secure desktop option to enter the master password would tend to protect against these types of exploits. However it is not a guarantee.

The use of multi-factor authentication also would help protect against these types of attacks since they would make the password on its own useless.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

1 edit

Dustyn to NOYB

Premium Member

to NOYB
said by NOYB:

said by Dustyn:

Unless otherwise stated, it is an accurate assessment.


No. It is an assumption.
said by Dustyn:

A sheet of paper in itself offers no protection unless otherwise noted.


Neither does a database. Not even a password manager database. It is not inherently in itself secure, encrypted, backed up and inaccessible to unauthorized access. It has to be made so. Same as with paper documents.
said by Dustyn:

Unable to break it down to you in any simpler terms.


No need. You've already oversimplified it with your claim that simply being on a piece of paper leaves the information (contents) unprotected.

Nope, it is an accurate assessment based on the information provided in the posting.
said by Buddel:

This is the reason why my password manager is a sheet of paper.

My oversimplified claim was an observation based on the "information provided". A sheet of paper in itself offers no security. This is a fact in itself. Whether you agree with it or not is irrelevant. Information on a sheet of paper is unprotected by default. If it's protected by some means, then it should be stated as such.

vaxvms
ferroequine fan
Premium Member
join:2005-03-01
Polar Park

vaxvms

Premium Member

said by Dustyn:

A sheet of paper in itself offers no security. This is a fact in itself. Whether you agree with it or not is irrelevant. Information on a sheet of paper is unprotected by default. If it's protected by some means, then it should be stated as such.

Kinda, but no. You can't make the broad all-encompassing statement that a sheet of paper is unprotected. You can't assume that the location of that sheet is in a location that offers no security or lots of security. If I keep a list on a piece of paper in my home or work it could or could not be in a "secure" location.
A computer or pad or phone without a password is more insecure than a sheet of paper.

ASSUME NOTHING.

Majestik
World Traveler
Premium Member
join:2001-05-11
Tulsa, OK

Majestik to Dustyn

Premium Member

to Dustyn
said by Dustyn:

Simple sheets of paper are not protected.

Mine are protected. It's with my important papers I have in a small sealed strong box I've insulated myself with heat resistant material used on jet engines. And this box is bolted in my 600 lb fireproof safe. And that is bolted to the floor and inside my walk-in closet which is a tornado shelter.
But I can remember my 30 plus character passwords I use daily or weekly.