Improve your online security with a Password Manager
By Rainer Wichmann rainer@la-samhna.de (last update: Jan 27, 2019)

It can be a very annoying, or even disturbing, experience when your passwords get stolen and your online accounts are compromised. Usually, this happens for one of the following two reasons:
- Phishing: you were tricked into typing your username and password into a fake website, e.g. by an email pretending to originate from your bank, email provider, etc. and containing a link to that fake website, or
- Leaked password database(s): someone broke into the computer system of a business you have registered with as a customer and stole their customer database, including passwords. Usually these are stored in encrypted (or rather, to be precise, hashed) form, but having access to the database allows running password cracking software to recover the original passwords.
In both of these cases, the damage will be much higher if you re-use the same password on multiple sites. Once your password is known, it is a trivial exercise to perform login attempts at all major, well known websites to check whether the same password works there too - such login attempts can be easily automated.
In summary, re-using the same password on multiple sites is a terribly bad idea. On the other hand, it is extremely cumbersome to remember a different password for every site you use. This is where a Password Manager can help you.
What is a Password Manager?
A password manager is software that keeps a (possibly encrypted) record of all your passwords. That means you only need to remember one password, i.e. the one required to unlock the database of your password manager.
There are two different types of password managers:
- Auto-fill password managers
  These are applications that automatically detect username/password fields on a web page and fill in the username and password they have on record for this website. Examples of auto-fill password managers are the built-in password managers of Firefox and Chrome.
  While auto-fill is undeniably very convenient, it is also inherently dangerous. Web standards are complicated, and the browsers that have to handle them are very complex pieces of software, which inevitably leads to software bugs and unforeseen issues. Some years ago, a whole slew of password-stealing attacks against auto-fill password managers was unveiled at the Usenix Security 2014 conference. While those particular flaws may have been fixed in the meantime, the aforementioned complexity of web software makes it quite likely that other serious flaws exist.
  For the technically inclined, the references are:
  D. Silver, S. Jana, D. Boneh, E. Chen, and C. Jackson: Password Managers: Attacks and Defenses
  Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song: The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
- Standalone password managers
  As the name says, these are standalone applications that do not integrate with the web browser and thus will not auto-fill any forms. Instead, you have to manually copy & paste the password (and possibly the username) into the web form.
Do not use auto-fill password managers for important websites
Because of the risk of security flaws in auto-fill password managers, I would not recommend using them for any important website (i.e. your bank account or your email account). Keep in mind that the 'I forgot my password' action offered by most websites will send an email to reset the password, so access to your email implies access to practically all your online accounts!
If you choose to use an auto-fill password manager (e.g. the Firefox or Chrome built-in one) for websites you deem less important, then make sure to set a strong master password, especially on a laptop (these things get easily 'lost'...). Also, make sure to configure the password manager in such a way that the auto-fill of passwords requires at least some manual intervention, e.g. clicking on the password field.
Security settings for the Firefox auto-fill password manager
Set a master password
By default, there is no master password, and all passwords are saved unencrypted on disk. If your laptop gets stolen, the thief has access to those passwords. To safeguard them, you may want to set a master password:
- Open the preferences: click the menu icon on the upper right and choose 'Preferences'.
- Select 'Privacy & Security', and scroll down to 'Logins & Passwords'.
- Tick the 'Use a master password' option. Firefox will open a dialog for setting the password.
- Once you have set the master password, hand write it on a piece of paper and stow that away in a safe place (NOT your laptop case).
Enforce manual interaction for auto-fill
It is possible, and highly recommended, to make the auto-fill action less automatic by requiring some manual interaction (clicking on the password field in a form to select it). To configure this in Firefox, you need to perform the following steps:
- Type 'about:config' into the address bar and hit 'enter'. A warning will appear that you have to click through.
- You will see a page with lots of configuration options AND a search field at the top. Type 'signon.autofillForms' in the search field to see that configuration item.
- The 'signon.autofillForms' item by default has the value 'true'. Right click on the value and choose 'Toggle' from the popup menu to set it to 'false'.
- Close the tab.
Standalone password managers
This section lists several standalone password managers that are available on Linux (Ubuntu 18.04). Only GUI applications are taken into account.
In the following, a login means the login information for a site in the form of a username, the corresponding password, and possibly additional information.
Pasaffe
Pasaffe is written in the Python scripting language. It uses the Password Safe (version 3) format for its password database, and thus is likely compatible with the Password Safe application (Windows only) by Bruce Schneier.
Pro
- The plain master password is not kept in memory.
- Can generate passwords, but only the length is configurable. You may have to manually insert 'special characters' if a website demands such.
- Logins can be grouped under user-defined groups (called 'Folders').
- For each login, additional information (URL, notes) can be saved.
- There is a function to copy the password to clipboard, and clear the clipboard after a fixed length of time (20 seconds). The password remains invisible during copy & paste.
- Logins are deleted only after a confirmation prompt.
- Can be set to auto-lock after a user-defined length of time.
Contra
- Password generator lacks configurability.
- Imports from a few formats, but not CSV.
Password Gorilla
Password Gorilla is written in the Tcl/Tk scripting language. Like Pasaffe, it uses the Password Safe (version 3) format for its password database.
Pro
- Can generate passwords for different password policies used by websites (with/without letters, numbers, upper-/lowercase, special characters).
- Logins can be grouped under user-defined groups
- For each login, additional information (URL, notes) can be saved.
- There is a function to copy the password to clipboard, and clear the clipboard after a user-defined length of time. The password remains invisible during copy & paste.
- Can be set to auto-lock after a user-defined length of time.
Contra
- The master password remains in process memory while the process is active (even when you lock the database). The location of the password within the memory dump is entirely predictable.
- There is no confirmation prompt when you delete a login (however, you can exit the application without saving your modifications to keep the old password database).
- There is a backup feature which does not do anything useful: when you save the password database, it backs up the new version instead of the previous one.
- Imports only from CSV (Comma Separated Values) databases.
- The project seems more or less unmaintained, judging from the (lack of) activity on its GitHub site.
Keepass2
Keepass2 is a Mono/.NET application. On Linux, it requires Mono to run (and the 'xdotool' package for auto-type, though I would recommend disabling this feature and not installing 'xdotool').
Pro
- Can generate passwords for different password policies used by websites (with/without letters, numbers, upper-/lowercase, special characters).
- Logins can be grouped under user-defined groups.
- For each login, additional information (URL, notes) can be saved.
- There is a function to copy the password to clipboard, and clear the clipboard after a user-defined length of time. The password remains invisible during copy & paste.
- Can be set to auto-lock after a user-defined length of time.
- Can import from many different formats of other password managers.
- Logins are deleted only after a confirmation prompt.
- Deleted logins can optionally go to a 'Recycle Bin' from where they can be recovered.
- The plain master password is not kept in memory.
- Active development (as of Jan 2019).
Contra
- The 'Perform auto-type' option accessible via right click on a login is not disabled if the option is globally disabled (in Tools -> Options -> Policy). I recommend not installing 'xdotool' (which is required for auto-type on Linux).
- The 'Perform auto-type' option will auto-submit.
- Does not look 'native' on Linux (Windows style fonts and icons).
Gringotts
This is a very basic application to store an arbitrary number of freeform notes ('entries') in an encrypted file. You can write/edit notes, and navigate through the list of notes. I wouldn't rate this a 'real' password manager, but I've added it just to point out the shortcomings.
Pro
- You can attach files to a note (but you can't view them in Gringotts; you have to save them unencrypted and use an external viewer).
- Notes are deleted only after a confirmation prompt.
Contra
- The master password remains in process memory while the process is active (but is erased when you close the database).
- Freeform notes only. This means there are no convenience functions like 'copy password to clipboard'. In particular, it is not possible to copy a password without it being visible.
- Not possible to export to a format compatible with a 'real' password manager (also a consequence of 'freeform only').
- No security function to clear the clipboard after some period of time, or lock the application (or the data file) after some period of inactivity.
- No auto lock available.
QtPass
QtPass is a GUI for the command-line 'pass' password manager. Each login is a separate file, encrypted with GnuPG and placed into the directory ~/.password-store/, where logins can be grouped under subdirectories. You need to create a GnuPG key first to make use of pass/QtPass.
Pro
- Can generate passwords for different password policies used by websites (with/without letters, numbers, upper-/lowercase, special characters).
- Logins can be grouped under user-defined groups (by creating subdirectories in ~/.password-store/).
- For each login, additional information (URL, notes) can be saved.
- There is a function to copy the password to clipboard, and clear the clipboard after a user-defined length of time. The password remains invisible during copy & paste.
- Logins are deleted only after a confirmation prompt.
- Active development (as of Jan 2019).
Contra
There is a bug report in the QtPass bug tracker about <Ctrl-C> not working on the Gnome3 desktop, so the problems listed below might be related to my use of the Xfce desktop. However, other password managers have no problem with it.
- You need to create a GnuPG key first [i.e. you need a separate application for the key, and you may need the command line ;-)].
- Copy to clipboard does not work, needs to be done manually, by un-hiding and selecting the password before <Ctrl-C>.
- Clipboard autoclear does not work (possibly because copy to clipboard has to be done manually, so the app does not know about it).
- No option to lock the app after some timeout (see next point).
- Because the logins are encrypted using GnuPG, and because GnuPG 2.x always uses gpg-agent, the logins remain accessible to anyone who can access the desktop and/or run a command under your UID until you terminate the currently running gpg-agent (gpgconf --kill gpg-agent).
- The use of GnuPG leads to an ambiguity in the interface. The pinentry helper for gpg-agent may offer to 'Save [the password] in password manager'. An inexperienced user may presume this means the QtPass password manager, while in reality it means the Gnome keyring. I.e. ticking this option will make the master password accessible to anyone who can access the desktop and/or run a command under your UID, even after a reboot.
Security analysis / Summary
For a password manager, important security issues would be:
- Leaking the master password: a malicious process may be able to read the memory used by the password manager. The application should clear the master password from memory as soon as possible.
- Shoulder surfing: someone might watch your desktop. It should be possible to copy & paste passwords while they remain invisible.
- Revealing passwords by accident: you may do an accidental paste from the clipboard while the password is still in it. The password manager should clear the clipboard after some (short) length of time.
- Unintentional deletion: your passwords are precious, and sometimes a mouse pointer may slip when you hit a button. The password manager should delete a login only after a confirmation prompt.
- Accidental access: you may forget to lock your desktop while away from the keyboard for a short while. The password manager should have an auto-lock timeout.
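A minimal illustration of the first criterion, clearing the master password from memory as soon as possible, added here as example code that is not taken from any of the password managers above: the typed password is used only to derive the database key and is then wiped with stores the compiler cannot optimise away. The key derivation is a constructed placeholder, not a real KDF.

```c
#include <stddef.h>
#include <string.h>

/* Wipe a buffer in a way the compiler must not optimise away: a plain
 * memset() right before return is a "dead store" and may be dropped,
 * leaving the master password in memory. Writing through a volatile
 * pointer forces the stores (explicit_bzero()/memset_s() do the same
 * where available). */
static void secure_zero(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Placeholder key derivation (constructed for this example, NOT a real
 * KDF): folds the password bytes into a 32-byte database key. */
static void derive_key(const char *pw, size_t len, unsigned char key[32]) {
    memset(key, 0, 32);
    for (size_t i = 0; i < len; i++) {
        key[i % 32] ^= (unsigned char)pw[i];
        key[(i + 7) % 32] += (unsigned char)(pw[i] * 31);
    }
}

/* Returns 1 when every byte of buf is zero, i.e. nothing of the password
 * is left behind and a memory dump of the process would not find it. */
int buffer_is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Unlock flow: pw is the buffer the UI filled with the typed master
 * password, cap its capacity. The key is derived, then the password is
 * wiped before returning, so it is resident only while strictly needed.
 * Returns 0 on success, -1 on empty or unterminated input (the buffer is
 * wiped either way). */
int unlock_database(char *pw, size_t cap, unsigned char key[32]) {
    const char *nul = memchr(pw, '\0', cap);
    if (nul == NULL || nul == pw) {
        secure_zero(pw, cap);
        return -1;
    }
    derive_key(pw, (size_t)(nul - pw), key);
    secure_zero(pw, cap);
    return 0;
}
```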
Criterion | Pasaffe | Password Gorilla | Keepass2 | Gringotts | QtPass
---|---|---|---|---|---
Version | 0.51 | 1.6.0 beta 1 | 2.38 | 1.2.10 | 1.2.1
Master password | cleared | kept | cleared | kept | kept
copy&paste passwords invisibly | yes | yes | yes | no | no
clipboard cleared | yes | yes | yes | no | no
confirm on delete | yes | no | yes | no | yes
auto lock on timeout | yes | yes | yes | no | no
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.