Why Password Managers Aren’t Safe – And Won’t Ever Be
Lately a paper by Zhiwei Li, Warren He, Devdatta Akhawe und Dawn Song from the University of Berkeley has been published which is called The Emperor’s New Password Manager. It reveals that
…in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites.
and later in the paper they write
We found critical vulnerabilities in all the password managers and in four password managers, an attacker could steal arbitrary credentials from a user’s account.
I’m not surprised; not at all. IMHO, which I have had since password managers have been invented is: Password managers are evil and cannot ever be really fixed.
Why Password Managers Can’t Be Fixed
There are two main problems with password managers:
1. Nobody is trustworthy.
2. Password managers are for phishers and secret services what is sh*t for flies.
Let me explain. Of course,
You can trust any given password manager maximally as much as you can trust the provider of the password manager.
And all providers are untrustworthy because everybody on the net is untrustworthy. Especially when it comes to password managers.
Even if there would be company XYZ which you trusted fully, how do you make sure that the password manager you download from company XYZ is really the password manager from XYZ? You can bet that there exist a lot of hacked versions on the net.
Not trusting the identity of anybody is common sense these days. But aside of this, there are other problems…
Basically there are three possible types of password managers. Each of them is untrustworthy per se, even without identity theft.
A Commercial Company’s Closed Source Password Manager
- You can bet that the NSA has built backdoors into it.
- And there is a secret law that forbids that the company talks about the backdoors.
- Other secret services are very much trying to find out the backdoors or to put spies into the company to be able to introduce their own backdoors.
An Open Source Password Manager
- The NSA has built backdoors into it.
- Other secret services have built backdoors into it.
- Some bright phisher has built backdoors into it.
- With many eyes, all bugs are shallow, you say. Heartbleed I say. Oh, and Shellshock, of course.
A Password Manager Built by Yourself
This is a site for developers, so building your own password manager may seem like an option. At least, you will be sure that nobody builds backdoors into it.
But are you really savvy of security related programming stuff? I don’t know any programmer who really is. Maybe there are those. Surely there are those. Probably most of them work for the secret services of the world or are gangsters. 😉
If you are one of the really security savvy developers in the world, maybe you can build your own flawless password manager.
But before you start…. answer these questions for yourself:
- How many bugs have you produced already in your career?
Yes, estimate a number.
- With this number in mind, how much do you trust yourself?
Of course, even in spite of the bugs in your own password manager, it will be much more secure than all the others: because nobody knows that it exists, nobody tries to hack it.
The US-CERT stated in a paper (cited from Li et al’s paper)
[A Password Manager] is one of the best ways to keep track of each unique password or passphrase that you have created for your various online accounts without writing them down on a piece of paper and risking that others will see them.
Li et al’s view
While idealized password managers provide a lot of advantages, implementation flaws can negate all the advantages of an idealized
password manager …
Password managers are flawed and cannot ever be fixed.
I won’t ever trust one.
I’ve also written about a kind of a solution to the ‘Evil Password Managers’ problem.