Paul Moore

Paul Moore


Security consultant, researcher & CISO at Icebook.

Share


Twitter


Kickstarter Password Managers: The good, the iffy and the dangerous.

Paul MoorePaul Moore

Over the last few months, Kickstarter has been awash with password managers.

Unless you're willing to invest and use a ridiculously tiny comments box, it's impossible to comment or ask further questions so others can see their response.

Rather than clutter the comments area, this article will provide a very high-level overview of each product; a summary of why you should/shouldn't use them. Don't forget to bookmark it, as it's likely to be updated frequently.

Gilmo

Kickstarter: https://www.kickstarter.com/projects/gilmo/gilmo-password-manager-the-next-step-in-password-p

Although their Kickstarter campaign wasn't successful, it showed real promise.

Essentially an offline password manager with one crucial difference... it can't be connected to any external devices (PCs, WiFi, Bluetooth or the internet).

Unless this becomes available for purchase, I won't spend too much time on it... but certainly one to keep an eye out for!

Verdict: Good


Kickstarter: https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass

Common sense suggests the wristband would store all your usernames & passwords, but that's not the case at all. Your credentials are actually stored on your PC and encrypted using AES128. This is similar to other password managers, so there's nothing of immediate concern there.

The wristband actually stores the encryption key needed to decrypt your data, as & when it's required. The key is sent over a Bluetooth (LE4) connection, itself encrypted and resilient to replay attacks.

Unfortunately, the team behind the 'Everykey' have given some very questionable responses to some really simple questions.

  • Not willing to share a proof-of-concept plugin for fear of reverse engineering.
  • They don't use a KDF (key derivation function) to generate a cryptographic key (potentially dangerous)
  • They've adopted "security by obscurity" methodology, which never works out well.
  • There doesn't appear to be anyone involved purely with a background in cryptography.
  • At least 14 people have contributed to the security algorithm, none of which are cryptographers.

Most importantly however...

  • When asked to validate their security, they referred to AES as proof they're secure. This demonstrates a lack of understanding and to some extent, their naivety.

I wouldn't call it insecure just yet, but there's no evidence to suggest otherwise.

I cancelled my pledge on 20/11/2014 and cannot post further comments on Kickstarter.

Verdict: Iffy


Kickstarter: https://www.kickstarter.com/projects/339603800/blooky-wireless-bluetooth-password-key

As ideas for password managers go, this is probably one of the worst.

Two critical issues:

  • Uses asymmetric cryptography; unsuitable for password managers... as you shouldn't be exchanging keys with anyone.
  • Stores your private key in the cloud!

This is akin to fitting the pinnacle of security locks to your front door, then handing the keys to someone you don't know. Crazy!

It gets worse...

Blooky helps keep you safe from hackers by putting your valuable personal information back in your hands, not on a cloud server or "honeypot" for hackers to target.

If your usernames & passwords are securely encrypted, it doesn't matter where they're stored. As a 1Password affiliate, I regularly print & distribute my encrypted keychain during demonstrations. Am I concerned? Not even slightly.

Why App-based Password Managers Aren't Secure

Password managers use one password to unlock a "vault" that secures all your personal information. What would happen if someone gained access to your vault? They'd have access to your bank accounts, your social media, what you buy, where you and your family live, and all sorts of other private information.

There's a rookie mistake, if ever I've seen one.

Absolute security is knowing security isn't absolute. Traditional or "app-based" password managers (the good ones at least) mitigate risk. Products like 1Password and LastPass don't store your cryptographic key anywhere, because doing so would dramatically increase the risk of your key being compromised, thus lowering security.

In this context, a symmetric cryptographic key (derived from a user's password) and an asymmetric private key are identical, in that anyone in possession of them can decrypt the data.

For an asymmetric cryptosystem to be of use, they MUST save the key somewhere. It wouldn't be quite as bad if it never left your environment... but in the cloud?!

Graham Cluley hit the nail on the head, when he said:

Don’t call it ‘the cloud’. Call it ‘someone else’s computer’

Although there's no evidence to suggest it is, Blooky_ could also use hybrid cryptosystem, but it's equally inappropriate.

Verdict: Dangerous


Kickstarter: https://www.kickstarter.com/projects/199263837/logmeonce-your-password-manager-secure-usb-and-pho

Issues so far:

  • Hashing & key stretching (PBKDF2 @ 10k) handled in the browser.
  • Cryptographic key sent to LogMeOnce during registration/sign in.
  • Uses ROT13 between the plugin & LogMeOnce's server. Usernames, keys & meta data essentially visible in plain text.

More coming soon...

Verdict: Iffy (so far)

Paul Moore
Author

Paul Moore

Comments